├── .gitignore
├── .gitlab-ci.yml
├── LICENSE
├── PKGBUILD
├── README.md
├── TODO
├── brace.install
├── brace.spec
├── brace
├── DEBIAN
│ ├── control
│ ├── postinst
│ └── postrm
├── etc
│ ├── apt
│ │ └── apt.conf.d
│ │ │ └── 90-brace
│ ├── chromium
│ │ └── policies
│ │ │ └── managed
│ │ │ └── brace.json
│ ├── chrony.brace.conf
│ ├── dconf
│ │ ├── db
│ │ │ └── local.d
│ │ │ │ ├── 00-brace-cinnamon
│ │ │ │ ├── 00-brace-extra
│ │ │ │ ├── 00-brace-gnome
│ │ │ │ ├── 00-brace-mate
│ │ │ │ └── 00-brace-pantheon
│ │ └── profile
│ │ │ ├── user
│ │ │ └── user-full
│ ├── default
│ │ └── grub.d
│ │ │ └── brace.cfg
│ ├── opt
│ │ └── chrome
│ │ │ └── policies
│ │ │ └── managed
│ │ │ └── brace.json
│ ├── profile.d
│ │ ├── brace-env-overrides.sh
│ │ └── brace-helpers.sh
│ └── tlp.d
│ │ └── 00-brace.conf
└── usr
│ ├── bin
│ └── brace-supplemental-changes
│ ├── lib
│ ├── NetworkManager
│ │ └── conf.d
│ │ │ └── 30-nm-privacy.conf
│ ├── firefox-esr
│ │ ├── browser
│ │ │ └── defaults
│ │ │ │ └── preferences
│ │ │ │ ├── userjs-arkenfox.js
│ │ │ │ ├── userjs-brace-perf.js
│ │ │ │ └── userjs-brace.js
│ │ └── distribution
│ │ │ └── policies.json
│ ├── firefox
│ │ ├── browser
│ │ │ └── defaults
│ │ │ │ └── preferences
│ │ │ │ ├── userjs-arkenfox.js
│ │ │ │ ├── userjs-brace-perf.js
│ │ │ │ └── userjs-brace.js
│ │ └── distribution
│ │ │ └── policies.json
│ ├── modprobe.d
│ │ ├── brace.conf
│ │ └── wireless-perf.conf
│ ├── sysctl.d
│ │ └── 60-restrict.conf
│ ├── systemd
│ │ ├── resolved.conf.d
│ │ │ └── brace.conf
│ │ ├── system
│ │ │ ├── ModemManager.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── NetworkManager.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── biboumi.service.d
│ │ │ │ ├── 98-user.conf
│ │ │ │ └── 99-brace.conf
│ │ │ ├── chronyd.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── ejabberd.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── firewalld.service.d
│ │ │ │ └── 99-brace.conf.disabled
│ │ │ ├── httpd.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── irqbalance.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── minetest@.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── murmur.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── php-fpm.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── radiusd.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── redis.service.d
│ │ │ │ └── 99-brace.conf.disabled
│ │ │ ├── rngd.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ ├── tor.service.d
│ │ │ │ └── 99-brace.conf
│ │ │ └── wpa_supplicant.service.d
│ │ │ │ └── 99-brace.conf
│ │ └── user
│ │ │ ├── restic-backup@.service
│ │ │ └── restic-backup@.timer
│ ├── thunderbird
│ │ └── defaults
│ │ │ └── pref
│ │ │ ├── userjs-arkenfox.js
│ │ │ ├── userjs-brace-perf.js
│ │ │ └── userjs-brace.js
│ ├── tmpfiles.d
│ │ ├── 99-brace-proc.conf
│ │ └── 99-brace-sys.conf
│ └── udev
│ │ └── rules.d
│ │ ├── 10-trim.rules
│ │ └── 50-usb-realtek-net-exceprt.rules
│ └── sbin
│ ├── brace-audit
│ ├── brace-fedora-enable-auto-updates
│ ├── brace-fedora-enable-fapolicyd
│ ├── brace-fedora-enable-rpmfusion
│ ├── brace-fedora-update-system
│ ├── brace-installer
│ └── brace-rpm-verify
├── permissions.facl
└── unused
├── 99-brace.conf.template
├── brace-sebool.sh
├── chromium-brace-3p.json
├── chromium-brace-notes.txt
├── debian-firmware.sh
├── powersave.conf
├── tmp.mount.conf
├── uBlock0@raymondhill.net.json
└── zram-generator.conf
/.gitignore:
--------------------------------------------------------------------------------
1 | pkg
2 | src
3 | *.pkg.tar.xz
4 | noarch
5 | *.rpm
6 | build
7 | .build*
8 |
--------------------------------------------------------------------------------
/.gitlab-ci.yml:
--------------------------------------------------------------------------------
# GitLab CI for the "brace" hardening package: the same file tree is built
# into an RPM, a .deb and an Arch package. Every job runs as root inside the
# container image (the before_script below relies on that).
#
# NOTE(review): `fedora:latest` combined with `dnf update -y` means the build
# environment changes from run to run, so the produced packages are not
# reproducible and a bad upstream push lands in the next build unnoticed —
# pin the image to a digest (`fedora@sha256:...`) and avoid a full image
# update at build time if reproducible artifacts are wanted.
# NOTE(review): the artifacts are published unsigned; nothing lets a consumer
# tie an .rpm/.deb/.pkg.tar.* back to this pipeline. Signing them with a
# CI-provided key (rpmsign / debsign / gpg --detach-sign) would close that gap.
image: fedora:latest

before_script:
  - dnf update -y
  # acl: setfacl; gawk: `awk -i inplace` (GNU awk only); which: $(which makepkg);
  # fakeroot + pacman: makepkg; rpm-build: rpmbuild; dpkg + dpkg-dev: dpkg-deb/dpkg-name.
  - dnf install -y acl gawk which fakeroot rpm-build dpkg dpkg-dev pacman
  # Files created during the build become world-readable but never
  # group/other-writable, whatever the runner's default umask is.
  - umask 0022
  # Re-apply the owners, groups and modes recorded in permissions.facl (a
  # getfacl dump tracked in the repo) — git itself does not preserve them.
  # This runs as root, so that file decides the modes/ownership shipped inside
  # every package; review changes to it as carefully as the install scripts.
  - setfacl --restore=permissions.facl

build_rpm:
  stage: build
  script:
    - rpmbuild -ba brace.spec
  artifacts:
    paths:
      # presumably brace.spec points %_topdir at ./build — confirm in the spec
      - build/noarch/brace*.rpm

build_deb:
  stage: build
  script:
    # --root-owner-group forces root:root ownership inside the archive so the
    # uid of whoever ran the build never leaks into the package; dpkg-name
    # then renames brace.deb to the canonical <name>_<version>_<arch>.deb.
    - dpkg-deb --root-owner-group --build brace && dpkg-name brace.deb
  artifacts:
    paths:
      - brace*.deb

build_arch:
  stage: build
  script:
    # makepkg refuses to run as root (the `exit $E_ROOT` line, presumably its
    # root-user check) and would otherwise lint the finished package; the two
    # in-place edits delete those lines from the installed makepkg script.
    # NOTE(review): this bypass is fragile — a makepkg update that rewords
    # either check turns the awk into a silent no-op — and it discards the
    # safety net the root refusal provides. Running makepkg as an unprivileged
    # build user is the supported way to get the same result.
    - awk -i inplace '!/exit \$E_ROOT/' $(which makepkg)
    - awk -i inplace '!/lint_package/' $(which makepkg)
    - makepkg
  artifacts:
    paths:
      - brace*.pkg.tar.*
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 | <one line to give the program's name and a brief idea of what it does.>
633 | Copyright (C) <year> <name of author>
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published by
637 | the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see <https://www.gnu.org/licenses/>.
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | <https://www.gnu.org/licenses/>.
662 |
--------------------------------------------------------------------------------
/PKGBUILD:
--------------------------------------------------------------------------------
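# Maintainer: Tad
pkgname=brace
pkgver=20250505
pkgrel=1
pkgdesc="Increases privacy/security through various configs."
arch=('any')
# README.md and brace.spec both declare AGPL-3.0-or-later; the earlier
# 'GPL3' value misstated the licence in the Arch package metadata.
license=('AGPL-3.0-or-later')
install=brace.install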
9 |
build() {
	# makepkg runs build() inside $srcdir. This recipe has no source=() array,
	# so the payload is copied from the repository checkout one level up.
	cp -r ../brace/ ../README.md "$srcdir"/
}
14 |
package() {
	# Mirror the repository layout under brace/ into $pkgdir. Configuration
	# files are installed read-only (0644); scripts and the grub.d fragment
	# keep the 0755 mode the original recipe gave them.
	local f
	for f in \
		etc/chrony.brace.conf \
		etc/dconf/db/local.d/00-brace-cinnamon \
		etc/dconf/db/local.d/00-brace-extra \
		etc/dconf/db/local.d/00-brace-gnome \
		etc/dconf/db/local.d/00-brace-mate \
		etc/dconf/db/local.d/00-brace-pantheon \
		etc/dconf/profile/user \
		etc/profile.d/brace-env-overrides.sh \
		etc/profile.d/brace-helpers.sh \
		etc/tlp.d/00-brace.conf \
		usr/lib/firefox/distribution/policies.json \
		etc/chromium/policies/managed/brace.json \
		usr/lib/modprobe.d/brace.conf \
		usr/lib/modprobe.d/wireless-perf.conf \
		usr/lib/NetworkManager/conf.d/30-nm-privacy.conf \
		usr/lib/sysctl.d/60-restrict.conf \
		usr/lib/systemd/resolved.conf.d/brace.conf \
		usr/lib/tmpfiles.d/99-brace-proc.conf \
		usr/lib/tmpfiles.d/99-brace-sys.conf \
		usr/lib/udev/rules.d/10-trim.rules \
		usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules \
		usr/lib/systemd/user/restic-backup@.service \
		usr/lib/systemd/user/restic-backup@.timer
	do
		install -Dm644 "brace/$f" "$pkgdir/$f"
	done

	# One sandboxing drop-in (99-brace.conf) per hardened system service.
	local unit
	for unit in chronyd ejabberd httpd irqbalance minetest@ ModemManager murmur \
	            NetworkManager php-fpm radiusd rngd tor wpa_supplicant; do
		install -Dm644 "brace/usr/lib/systemd/system/$unit.service.d/99-brace.conf" \
			"$pkgdir/usr/lib/systemd/system/$unit.service.d/99-brace.conf"
	done

	# The same managed policy serves Chromium and Google Chrome (/etc/opt/chrome).
	install -Dm644 brace/etc/chromium/policies/managed/brace.json \
		"$pkgdir"/etc/opt/chrome/policies/managed/brace.json

	# Firefox's default-preference fragments are reused as-is for Thunderbird.
	local prefdir
	for prefdir in usr/lib/firefox/browser/defaults/preferences usr/lib/thunderbird/defaults/pref; do
		mkdir -p "$pkgdir/$prefdir"
		install -Dm644 brace/usr/lib/firefox/browser/defaults/preferences/userjs-*.js "$pkgdir/$prefdir/"
	done

	# grub.d fragment, kept 0755 as in the original recipe (a sourced fragment
	# does not strictly need the executable bit; left unchanged here).
	install -Dm755 brace/etc/default/grub.d/brace.cfg "$pkgdir"/etc/default/grub.d/brace.cfg

	# Executables. The sbin scripts are placed in /usr/bin on this platform
	# (Arch ships /usr/sbin merged into /usr/bin), unlike brace.spec.
	install -Dm755 brace/usr/bin/brace-supplemental-changes "$pkgdir"/usr/bin/brace-supplemental-changes
	install -Dm755 brace/usr/sbin/brace-installer "$pkgdir"/usr/bin/brace-installer
	install -Dm755 brace/usr/sbin/brace-rpm-verify "$pkgdir"/usr/bin/brace-rpm-verify

	# README copied into the package at build() time, see above.
	mkdir -p "$pkgdir"/usr/share/doc/brace
	install -Dm644 README.md "$pkgdir"/usr/share/doc/brace/README.md
}
64 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | brace
2 | =====
3 |
4 | Overview
5 | --------
6 | Brace is a toolkit compatible with multiple existing Linux distributions that allows for a rapid installation of handpicked applications, along with corresponding configurations that have been fine-tuned for reasonable privacy and security.
7 |
8 | Compatibility
9 | -------------
10 | - Arch Linux
11 | - CentOS 9/Stream
12 | - Debian 12
13 | - Fedora 39/40/41 (preferred)
14 | - openSUSE Tumbleweed
15 |
16 | License
17 | -------
18 | AGPL-3.0-or-later where applicable
19 |
20 | Prebuilts
21 | ---------
22 | - Fedora via Divested-RPM: https://divested.dev/index.php?page=software#divested-release
23 | - Fedora via CI: https://gitlab.com/divested/brace/-/jobs/artifacts/master/browse?job=build_rpm
24 | - Arch via CI: https://gitlab.com/divested/brace/-/jobs/artifacts/master/browse?job=build_arch
25 | - Debian via CI: https://gitlab.com/divested/brace/-/jobs/artifacts/master/browse?job=build_deb
26 |
27 | Building
28 | --------
29 | - git clone [THIS REPO]
30 | - Arch Linux: makepkg
31 | - CentOS: rpmbuild -ba brace.spec
32 | - Debian: dpkg-deb --root-owner-group --build brace
33 | - Fedora: rpmbuild -ba brace.spec
34 |
35 | Contents
36 | --------
37 | - /etc/apt/apt.conf.d/90-brace = apt: enable seccomp filter during package install
38 | - /etc/dconf/db/local.d/00-brace-* = GNOME/Cinnamon/MATE: change default settings
39 | - /etc/dconf/profile/user = Fixup dconf overrides on select distros
40 | - /etc/profile.d/brace-env-overrides.sh = profile: sets some environment overrides (e.g. umask)
41 | - /etc/profile.d/brace-helpers.sh = profile: adds helper aliases (e.g. cleaning functions)
42 | - /etc/tlp.d/00-brace.conf = TLP: allow for better power savings on AC too
43 | - /usr/lib64/firefox/browser/defaults/preferences/userjs-*.js = Firefox: change default settings
44 | - /usr/lib64/firefox/distribution/policies.json
45 | - /usr/lib64/thunderbird/defaults/pref/userjs-*.js
46 | - /etc/chromium/policies/managed/brace.json = Chromium: change default settings
47 | - /etc/opt/chrome/policies/managed/brace.json
48 | - /usr/lib/modprobe.d/brace.conf = kernel: disable/block unsafe modules
49 | - /usr/lib/modprobe.d/wireless-perf.conf = kernel: increase Wi-Fi performance for b43 and iwlwifi
50 | - /usr/lib/NetworkManager/conf.d/30-nm-privacy.conf = NetworkManager: enables MAC randomization and IPv6 privacy extensions and disables connectivity checks
51 | - /usr/lib/sysctl.d/60-restrict.conf = sysctl: set more restrictive defaults (dmesg, ptrace)
52 | - /usr/lib/systemd/system/*.service.d/99-brace.conf = systemd service unit sandboxing
53 | - /usr/lib/systemd/user/restic-backup@.* = systemd user unit for restic backups
54 | - /usr/lib/tmpfiles.d/99-brace-proc.conf = /proc: harden permissions
55 | - /usr/lib/tmpfiles.d/99-brace-sys.conf = /sys: harden permissions
56 | - /usr/bin/brace-supplemental-changes = change extra default settings
57 | - /usr/sbin/brace-audit = RPM builds only (see brace.spec)
58 | - /usr/sbin/brace-enable-auto-updates = Fedora: automatic system updates using dnf-plugin-system-upgrade
59 | - /usr/sbin/brace-enable-fapolicyd = Fedora: enable fapolicyd (RPM builds only)
58 | - /usr/sbin/brace-enable-rpmfusion = Fedora: enable RPM Fusion 'free' repos
59 | - /usr/sbin/brace-update-system = Fedora: helper to update to the next release
60 | - /usr/sbin/brace-installer = unified recommended package installer
61 | - /usr/sbin/brace-rpm-verify = RPM: verifies installed packages for corruption
62 |
63 | Known Issues
64 | ------------
65 | - A reboot is required on openSUSE after install for dconf changes to take effect.
66 | - Compatibility is best with Fedora, and that is the primary test-bed.
67 | - Restrictions on /sys/bus/scsi in 99-brace-sys.conf can break disc drive access by some programs.
68 |
69 | Credits
70 | -------
71 | - userjs-arkenfox.js
72 | - @thorin-oakenpants + @earthlng + @claustromaniac
73 | - MIT: https://github.com/arkenfox/user.js/blob/af516315971b7c94075db1e317bee5b12dc3b781/LICENSE.txt
74 | - https://github.com/arkenfox/user.js
75 | - 99-brace-proc.conf and 99-brace-sys.conf
76 | - Topi Miettinen (@topimiettinen)
77 | - GPL-2.0+: https://salsa.debian.org/corsac/hardening-runtime/-/blob/1a315536726cf41b64af6dc65c7cf9b250b5dda1/debian/copyright
78 | - https://salsa.debian.org/corsac/hardening-runtime/-/commit/1a315536726cf41b64af6dc65c7cf9b250b5dda1
79 | - brace-rpm-verify
80 | - @doktor5000
81 | - CC BY-SA 3.0: https://stackoverflow.com/help/licensing
82 | - https://unix.stackexchange.com/a/217024
83 | - firewalld IPv6 drop zone fix
84 | - Mark
85 | - CC BY-SA 3.0: https://stackoverflow.com/help/licensing
86 | - https://serverfault.com/a/775153
87 | - restic-backup.service
88 | - Link Dupont
89 | - CC BY-SA 3.0: https://fedoramagazine.org/terms-and-conditions/
90 | - https://fedoramagazine.org/automate-backups-with-restic-and-systemd/
91 | - chrony.brace.conf
92 | - GrapheneOS
93 | - MIT: https://github.com/GrapheneOS/infrastructure/blob/main/LICENSE
94 | - https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf
95 | - modprobe.d/brace.conf additional module blocking
96 | - @madaidan
97 | - List likely uncopyrightable
98 | - https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
99 |
100 | Donate
101 | -------
102 | - https://divested.dev/donate
103 |
--------------------------------------------------------------------------------
/TODO:
--------------------------------------------------------------------------------
1 | packages:
2 | gnome-software -> gnome-packagekit (deprecated but lightweight)
3 | gnucash -> homebank (easier to use)
4 | gnome-photos/shotwell -> gthumb
5 | xournalpp
6 | remove gnome-software/packagekit?
7 | f37 hardware decode rpmfusion
8 | dnf swap mesa-va-drivers mesa-va-drivers-freeworld --allowerasing
9 | dnf swap mesa-vdpau-drivers mesa-vdpau-drivers-freeworld --allowerasing
10 |
11 | bugs:
12 | fix profile.d files on Debian
13 | fix brace-helpers.sh on openSUSE
14 | CentOS 7: chmod(/proc/mtrr) failed: Permission denied
15 | CentOS 7: chmod(/sys/fs/bpf) failed: Operation not permitted
16 |
17 | improvements:
18 | automatically verify rpmfusion .rpm
19 | https://github.com/Kicksecure/security-misc/blob/dcaafa6c8bf380dd990942e9c10e280943b442a6/etc/bluetooth/30_security-misc.conf#L30
20 | https://github.com/Kicksecure/security-misc/blob/dcaafa6c8bf380dd990942e9c10e280943b442a6/etc/dracut.conf.d/30-security-misc.conf#L1
21 |
--------------------------------------------------------------------------------
/brace.install:
--------------------------------------------------------------------------------
post_install() {
	# Recompile the dconf system database so the freshly installed
	# /etc/dconf/db/local.d/00-brace-* overrides take effect.
	if test -f /usr/bin/dconf; then
		dconf update
	fi
	# Mount-option advice for the administrator; /etc/fstab is never edited here.
	cat <<'EOF'
Please pepper your /etc/fstab like so:
- / can have discard,noatime
- /boot can have discard,noatime,nodev,nosuid,noexec
- /boot/efi can have discard,noatime,nodev,nosuid,noexec
- /home can have discard,noatime,nodev,nosuid
EOF
}
9 |
post_remove() {
	# Recompile the dconf system database so the removed overrides stop applying.
	if test -f /usr/bin/dconf; then
		dconf update
	fi
}
13 |
--------------------------------------------------------------------------------
/brace.spec:
--------------------------------------------------------------------------------
# brace: privacy/security configuration overlay, packaged as a noarch RPM.
# Built directly from a repository checkout (README: rpmbuild -ba brace.spec);
# the _sourcedir/_rpmdir overrides below point rpmbuild at the checkout and at
# ./build instead of the conventional rpmbuild tree.
Name: brace
Version: 20250505
Release: 1
Summary: Increases privacy/security through various configs.
License: AGPLv3+
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%define _binary_payload w3T.xzdio
%define _sourcedir %(echo $PWD)
%define _rpmdir %(echo $PWD/build)

%description
Please see the included README

%post
# Same scriptlet as brace.install (Arch) and DEBIAN/postinst: recompile the
# dconf system database so the 00-brace-* overrides apply, then print
# mount-option advice. fstab itself is never edited.
if [ -f /usr/bin/dconf ]; then dconf update; fi;
echo "Please pepper your /etc/fstab like so:";
echo "- / can have discard,noatime";
echo "- /boot can have discard,noatime,nodev,nosuid,noexec";
echo "- /boot/efi can have discard,noatime,nodev,nosuid,noexec";
echo "- /home can have discard,noatime,nodev,nosuid";

%postun
# Recompile the dconf database so removed overrides stop applying.
if [ -f /usr/bin/dconf ]; then dconf update; fi;

%install
# Configuration files are installed 0644, executables 0755.
# Differences from the PKGBUILD: the dconf profile installed as
# /etc/dconf/profile/user is the user-full variant here (README: "Fixup dconf
# overrides on select distros"); Firefox/Thunderbird live under /usr/lib64;
# the grub.d fragment is not installed; the sbin scripts stay in /usr/sbin;
# brace-audit and the brace-fedora-* helpers are RPM-only.
install -Dm644 %{_sourcedir}/brace/etc/chrony.brace.conf %{buildroot}/etc/chrony.brace.conf;
install -Dm644 %{_sourcedir}/brace/etc/dconf/db/local.d/00-brace-cinnamon %{buildroot}/etc/dconf/db/local.d/00-brace-cinnamon;
install -Dm644 %{_sourcedir}/brace/etc/dconf/db/local.d/00-brace-extra %{buildroot}/etc/dconf/db/local.d/00-brace-extra;
install -Dm644 %{_sourcedir}/brace/etc/dconf/db/local.d/00-brace-gnome %{buildroot}/etc/dconf/db/local.d/00-brace-gnome;
install -Dm644 %{_sourcedir}/brace/etc/dconf/db/local.d/00-brace-mate %{buildroot}/etc/dconf/db/local.d/00-brace-mate;
install -Dm644 %{_sourcedir}/brace/etc/dconf/db/local.d/00-brace-pantheon %{buildroot}/etc/dconf/db/local.d/00-brace-pantheon;
install -Dm644 %{_sourcedir}/brace/etc/dconf/profile/user-full %{buildroot}/etc/dconf/profile/user;
install -Dm644 %{_sourcedir}/brace/etc/profile.d/brace-env-overrides.sh %{buildroot}/etc/profile.d/brace-env-overrides.sh;
install -Dm644 %{_sourcedir}/brace/etc/profile.d/brace-helpers.sh %{buildroot}/etc/profile.d/brace-helpers.sh;
install -Dm644 %{_sourcedir}/brace/etc/tlp.d/00-brace.conf %{buildroot}/etc/tlp.d/00-brace.conf;
# The Firefox default-preference fragments are reused verbatim for Thunderbird.
mkdir -p %{buildroot}/usr/lib64/firefox/browser/defaults/preferences;
install -Dm644 %{_sourcedir}/brace/usr/lib/firefox/browser/defaults/preferences/userjs-*.js %{buildroot}/usr/lib64/firefox/browser/defaults/preferences/;
install -Dm644 %{_sourcedir}/brace/usr/lib/firefox/distribution/policies.json %{buildroot}/usr/lib64/firefox/distribution/policies.json;
mkdir -p %{buildroot}/usr/lib64/thunderbird/defaults/pref;
install -Dm644 %{_sourcedir}/brace/usr/lib/firefox/browser/defaults/preferences/userjs-*.js %{buildroot}/usr/lib64/thunderbird/defaults/pref/;
# One managed policy file serves both Chromium and Google Chrome.
install -Dm644 %{_sourcedir}/brace/etc/chromium/policies/managed/brace.json %{buildroot}/etc/chromium/policies/managed/brace.json;
install -Dm644 %{_sourcedir}/brace/etc/chromium/policies/managed/brace.json %{buildroot}/etc/opt/chrome/policies/managed/brace.json;
install -Dm644 %{_sourcedir}/brace/usr/lib/modprobe.d/brace.conf %{buildroot}/usr/lib/modprobe.d/brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/modprobe.d/wireless-perf.conf %{buildroot}/usr/lib/modprobe.d/wireless-perf.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf %{buildroot}/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/sysctl.d/60-restrict.conf %{buildroot}/usr/lib/sysctl.d/60-restrict.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/resolved.conf.d/brace.conf %{buildroot}/usr/lib/systemd/resolved.conf.d/brace.conf;
# systemd sandboxing drop-ins, one per hardened service.
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/chronyd.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/chronyd.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/httpd.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/httpd.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/minetest@.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/minetest@.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/murmur.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/murmur.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/php-fpm.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/php-fpm.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/radiusd.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/radiusd.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/rngd.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/rngd.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/tor.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/tor.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/system/wpa_supplicant.service.d/99-brace.conf %{buildroot}/usr/lib/systemd/system/wpa_supplicant.service.d/99-brace.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/user/restic-backup@.service %{buildroot}/usr/lib/systemd/user/restic-backup@.service;
install -Dm644 %{_sourcedir}/brace/usr/lib/systemd/user/restic-backup@.timer %{buildroot}/usr/lib/systemd/user/restic-backup@.timer;
install -Dm644 %{_sourcedir}/brace/usr/lib/tmpfiles.d/99-brace-proc.conf %{buildroot}/usr/lib/tmpfiles.d/99-brace-proc.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/tmpfiles.d/99-brace-sys.conf %{buildroot}/usr/lib/tmpfiles.d/99-brace-sys.conf;
install -Dm644 %{_sourcedir}/brace/usr/lib/udev/rules.d/10-trim.rules %{buildroot}/usr/lib/udev/rules.d/10-trim.rules;
install -Dm644 %{_sourcedir}/brace/usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules %{buildroot}/usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules;
# Helper scripts; the brace-fedora-* sources are installed under shorter names.
install -Dm755 %{_sourcedir}/brace/usr/bin/brace-supplemental-changes %{buildroot}/usr/bin/brace-supplemental-changes;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-audit %{buildroot}/usr/sbin/brace-audit;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-fedora-enable-auto-updates %{buildroot}/usr/sbin/brace-enable-auto-updates;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-fedora-enable-fapolicyd %{buildroot}/usr/sbin/brace-enable-fapolicyd;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-fedora-enable-rpmfusion %{buildroot}/usr/sbin/brace-enable-rpmfusion;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-fedora-update-system %{buildroot}/usr/sbin/brace-update-system;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-installer %{buildroot}/usr/sbin/brace-installer;
install -Dm755 %{_sourcedir}/brace/usr/sbin/brace-rpm-verify %{buildroot}/usr/sbin/brace-rpm-verify;
mkdir -p %{buildroot}/usr/share/doc/brace;
install -Dm644 %{_sourcedir}/README.md %{buildroot}/usr/share/doc/brace/README.md;

%files
# NOTE(review): nothing under /etc is marked as a config file, so an upgrade
# overwrites local edits in place without keeping a copy. Possibly intended
# for a hardening overlay; confirm before changing.
/etc/chrony.brace.conf
/etc/dconf/db/local.d/00-brace-cinnamon
/etc/dconf/db/local.d/00-brace-extra
/etc/dconf/db/local.d/00-brace-gnome
/etc/dconf/db/local.d/00-brace-mate
/etc/dconf/db/local.d/00-brace-pantheon
/etc/dconf/profile/user
/etc/profile.d/brace-env-overrides.sh
/etc/profile.d/brace-helpers.sh
/etc/tlp.d/00-brace.conf
/usr/lib64/firefox/browser/defaults/preferences/userjs-*.js
/usr/lib64/firefox/distribution/policies.json
/usr/lib64/thunderbird/defaults/pref/userjs-*.js
/etc/chromium/policies/managed/brace.json
/etc/opt/chrome/policies/managed/brace.json
/usr/lib/modprobe.d/brace.conf
/usr/lib/modprobe.d/wireless-perf.conf
/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf
/usr/lib/sysctl.d/60-restrict.conf
/usr/lib/systemd/resolved.conf.d/brace.conf
/usr/lib/systemd/system/chronyd.service.d/99-brace.conf
/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf
/usr/lib/systemd/system/httpd.service.d/99-brace.conf
/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf
/usr/lib/systemd/system/minetest@.service.d/99-brace.conf
/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf
/usr/lib/systemd/system/murmur.service.d/99-brace.conf
/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
/usr/lib/systemd/system/php-fpm.service.d/99-brace.conf
/usr/lib/systemd/system/radiusd.service.d/99-brace.conf
/usr/lib/systemd/system/rngd.service.d/99-brace.conf
/usr/lib/systemd/system/tor.service.d/99-brace.conf
/usr/lib/systemd/system/wpa_supplicant.service.d/99-brace.conf
/usr/lib/systemd/user/restic-backup@.service
/usr/lib/systemd/user/restic-backup@.timer
/usr/lib/tmpfiles.d/99-brace-proc.conf
/usr/lib/tmpfiles.d/99-brace-sys.conf
/usr/lib/udev/rules.d/10-trim.rules
/usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules
/usr/bin/brace-supplemental-changes
/usr/sbin/brace-audit
/usr/sbin/brace-enable-auto-updates
/usr/sbin/brace-enable-fapolicyd
/usr/sbin/brace-enable-rpmfusion
/usr/sbin/brace-update-system
/usr/sbin/brace-installer
/usr/sbin/brace-rpm-verify
/usr/share/doc/brace/README.md

--------------------------------------------------------------------------------
/brace/DEBIAN/control:
--------------------------------------------------------------------------------
1 | Package: brace
2 | Version: 20250505-1
3 | Section: custom
4 | Priority: optional
5 | Architecture: all
6 | Essential: no
7 | Maintainer: Tad
8 | Description: Increases privacy/security through various configs.
9 |
--------------------------------------------------------------------------------
/brace/DEBIAN/postinst:
--------------------------------------------------------------------------------
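#!/bin/sh
# Debian maintainer script, run by dpkg after the package's files are unpacked.
# Rebuilds the system dconf database so the keyfiles shipped under
# /etc/dconf/db/local.d are compiled in, then prints the fstab mount-option
# reminders. The shebang and `set -e` follow Debian Policy for maintainer
# scripts (an interpreter line and explicit error handling).
set -e

# dconf is optional: skip the rebuild rather than fail when it is not installed.
# A failed rebuild is reported on stderr but does not abort package
# configuration, preserving the original best-effort behaviour.
if command -v dconf >/dev/null 2>&1; then
    dconf update || echo "brace: dconf update failed; run 'dconf update' manually" >&2
fi

echo "Please pepper your /etc/fstab like so:"
echo "- / can have discard,noatime"
echo "- /boot can have discard,noatime,nodev,nosuid,noexec"
echo "- /boot/efi can have discard,noatime,nodev,nosuid,noexec"
echo "- /home can have discard,noatime,nodev,nosuid"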
7 |
--------------------------------------------------------------------------------
/brace/DEBIAN/postrm:
--------------------------------------------------------------------------------
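#!/bin/sh
# Debian maintainer script, run by dpkg after the package's files are removed.
# Rebuilds the system dconf database so the keys that were shipped under
# /etc/dconf/db/local.d are dropped from the compiled database.
# The shebang and `set -e` follow Debian Policy for maintainer scripts.
set -e

# dconf is optional: skip the rebuild rather than fail when it is not installed.
# A failed rebuild is reported on stderr but does not abort package removal.
if command -v dconf >/dev/null 2>&1; then
    dconf update || echo "brace: dconf update failed; run 'dconf update' manually" >&2
fi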
2 |
--------------------------------------------------------------------------------
/brace/etc/apt/apt.conf.d/90-brace:
--------------------------------------------------------------------------------
1 | #https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html#apt-sandboxing
2 | #Likely non-functional; left disabled
3 | #APT::Sandbox::Seccomp "true";
4 |
--------------------------------------------------------------------------------
/brace/etc/chromium/policies/managed/brace.json:
--------------------------------------------------------------------------------
1 | {
2 | "ArcEnabled": false,
3 | "ArcAppInstallEventLoggingEnabled": false,
4 | "ArcBackupRestoreServiceEnabled": false,
5 | "ArcGoogleLocationServicesEnabled": false,
6 | "AppRecommendationZeroStateEnabled": false,
7 | "DefaultCookiesSetting": 1,
8 | "DefaultFileSystemReadGuardSetting": 2,
9 | "DefaultFileSystemWriteGuardSetting": 2,
10 | "DefaultImagesSetting": 1,
11 | "DefaultInsecureContentSetting": 3,
12 | "DefaultJavaScriptJitSetting": 2,
13 | "DefaultJavaScriptSetting": 1,
14 | "DefaultPluginsSetting": 3,
15 | "DefaultNotificationsSetting": 3,
16 | "DefaultGeolocationSetting": 2,
17 | "DefaultSensorsSetting": 2,
18 | "DefaultWebBluetoothGuardSetting": 2,
19 | "DefaultWebUsbGuardSetting": 2,
20 | "DefaultSerialGuardSetting": 2,
21 | "SystemTimezone": "GMT",
22 | "SystemTimezoneAutomaticDetection": 1,
23 | "DefaultSearchProviderEnabled": true,
24 | "DefaultSearchProviderName": "DuckDuckGo",
25 | "DefaultSearchProviderKeyword": "ddg",
26 | "DefaultSearchProviderURL": "https://duckduckgo.com/?q={searchTerms}",
27 | "DefaultSearchProviderSuggestURL": "https://ac.duckduckgo.com/ac/?q={searchTerms}&type=list",
28 | "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico",
29 | "DeviceAutoUpdateP2PEnabled": false,
30 | "DeviceUpdateHttpDownloadsEnabled": false,
31 | "RebootAfterUpdate": true,
32 | "ExtensionInstallBlocklist": [ "*" ],
33 | "ExtensionInstallAllowlist": [
34 | "cjpalhdlnbpafiamejdnhcphjbkeiagm",
35 | "ddkjiahejlhfcafbddmgiahcphecmpfh"
36 | ],
37 | "ExtensionInstallForcelist": [
38 | "ddkjiahejlhfcafbddmgiahcphecmpfh;https://clients2.google.com/service/update2/crx"
39 | ],
40 | "ExtensionAllowInsecureUpdates": false,
41 | "VoiceInteractionContextEnabled": false,
42 | "VoiceInteractionHotwordEnabled": false,
43 | "VoiceInteractionQuickAnswersEnabled": false,
44 | "EnableMediaRouter": false,
45 | "AllowCrossOriginAuthPrompt": false,
46 | "SuggestedContentEnabled": false,
47 | "PasswordManagerEnabled": true,
48 | "PasswordLeakDetectionEnabled": false,
49 | "PrintingEnabled": true,
50 | "CloudPrintProxyEnabled": false,
51 | "CloudPrintSubmitEnabled": false,
52 | "DeviceLoginScreenPrivacyScreenEnabled": true,
53 | "SafeBrowsingEnabled": true,
54 | "SafeBrowsingExtendedReportingEnabled": false,
55 | "SafeBrowsingSurveysEnabled": false,
56 | "SafeBrowsingProxiedRealTimeChecksAllowed": true,
57 | "SafeBrowsingProtectionLevel": 1,
58 | "DeviceGuestModeEnabled": true,
59 | "ShowHomeButton": true,
60 | "HomepageIsNewTabPage": true,
61 | "NewTabPageLocation": "about:blank",
62 | "EnableDeviceGranularReporting": false,
63 | "ReportDeviceVersionInfo": false,
64 | "ReportDeviceBootMode": false,
65 | "ReportDeviceUsers": false,
66 | "ReportDeviceActivityTimes": false,
67 | "ReportDeviceNetworkInterfaces": false,
68 | "ReportDeviceNetworkConfiguration": false,
69 | "ReportDeviceHardwareStatus": false,
70 | "ReportDeviceSessionStatus": false,
71 | "ReportDeviceGraphicsStatus": false,
72 | "ReportDeviceCrashReportInfo": false,
73 | "ReportDeviceOsUpdateStatus": false,
74 | "ReportDeviceBoardStatus": false,
75 | "ReportDeviceCpuInfo": false,
76 | "ReportDeviceTimezoneInfo": false,
77 | "ReportDeviceMemoryInfo": false,
78 | "ReportDeviceBacklightInfo": false,
79 | "ReportDevicePowerStatus": false,
80 | "ReportDeviceSecurityStatus": false,
81 | "ReportDeviceStorageStatus": false,
82 | "ReportDeviceAppInfo": false,
83 | "ReportDeviceBluetoothInfo": false,
84 | "ReportDeviceFanInfo": false,
85 | "ReportDeviceVpdInfo": false,
86 | "ReportDeviceSystemInfo": false,
87 | "ReportDeviceLoginLogout": false,
88 | "ReportUploadFrequency": false,
89 | "ReportArcStatusEnabled": false,
90 | "HeartbeatEnabled": false,
91 | "LogUploadEnabled": false,
92 | "DeviceMetricsReportingEnabled": false,
93 | "DeviceWilcoDtcAllowed": false,
94 | "AbusiveExperienceInterventionEnforce": true,
95 | "AccessibilityImageLabelsEnabled": false,
96 | "AdsSettingForIntrusiveAdsSites": 2,
97 | "AllowDeletingBrowserHistory": true,
98 | "AllowDinosaurEasterEgg": true,
99 | "AllowOutdatedPlugins": false,
100 | "AllowScreenLock": true,
101 | "AudioCaptureAllowed": true,
102 | "AudioOutputAllowed": true,
103 | "AutofillAddressEnabled": false,
104 | "AutofillCreditCardEnabled": false,
105 | "AutoplayAllowed": false,
106 | "BackgroundModeEnabled": false,
107 | "BlockThirdPartyCookies": true,
108 | "BrowserAddPersonEnabled": true,
109 | "BrowserGuestModeEnabled": true,
110 | "BrowserNetworkTimeQueriesEnabled": false,
111 | "BrowserSignin": 0,
112 | "ChromeCleanupEnabled": true,
113 | "ChromeCleanupReportingEnabled": false,
114 | "ChromeOsLockOnIdleSuspend": true,
115 | "ChromeVariations": 1,
116 | "ClickToCallEnabled": false,
117 | "CommandLineFlagSecurityWarningsEnabled": true,
118 | "ComponentUpdatesEnabled": true,
119 | "ContextualSearchEnabled": false,
120 | "ContextualSuggestionsEnabled": false,
121 | "DNSInterceptionChecksEnabled": true,
122 | "DnsOverHttpsMode": "secure",
123 | "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query",
124 | "DataCompressionProxyEnabled": false,
125 | "DataLeakPreventionReportingEnabled": false,
126 | "DeveloperToolsAvailability": 1,
127 | "DeviceChromeVariations": 1,
128 | "DeviceDebugPacketCaptureAllowed": false,
129 | "DevicePowerwashAllowed": true,
130 | "DeviceSystemWideTracingEnabled": false,
131 | "Disable3DAPIs": true,
132 | "DownloadRestrictions": 0,
133 | "EasyUnlockAllowed": false,
134 | "EnableSyncConsent": true,
135 | "EncryptedClientHelloEnabled": true,
136 | "ExtensionInstallEventLoggingEnabled": false,
137 | "FullscreenAllowed": true,
138 | "HardwareAccelerationModeEnabled": true,
139 | "HideWebStoreIcon": true,
140 | "HttpsOnlyMode": "force_enabled",
141 | "PostQuantumKeyAgreementEnabled": true,
142 | "IncognitoModeAvailability": 0,
143 | "InsecureFormsWarningsEnabled": true,
144 | "InstantTetheringAllowed": false,
145 | "LensCameraAssistedSearchEnabled": false,
146 | "LensRegionSearchEnabled": false,
147 | "MediaRecommendationsEnabled": false,
148 | "MetricsReportingEnabled": false,
149 | "NTPContentSuggestionsEnabled": false,
150 | "NearbyShareAllowed": false,
151 | "NativeWindowOcclusionEnabled": true,
152 | "NetworkPredictionOptions": 2,
153 | "PhoneHubAllowed": false,
154 | "PaymentMethodQueryEnabled": false,
155 | "PromotionalTabsEnabled": false,
156 | "RemoteDebuggingAllowed": false,
157 | "RelaunchNotification": 2,
158 | "RendererCodeIntegrityEnabled": true,
159 | "ReportCrostiniUsageEnabled": false,
160 | "SafeSitesFilterBehavior": 0,
161 | "SearchSuggestEnabled": false,
162 | "SharedClipboardEnabled": false,
163 | "ShowFullUrlsInAddressBar": true,
164 | "SitePerProcess": true,
165 | "SitePerProcessAndroid": true,
166 | "SmartLockSigninAllowed": false,
167 | "SmsMessagesAllowed": false,
168 | "SpellCheckServiceEnabled": false,
169 | "SyncDisabled": true,
170 | "TLS13HardeningForLocalAnchorsEnabled": true,
171 | "TabFreezingEnabled": true,
172 | "TabLifecyclesEnabled": true,
173 | "ThirdPartyBlockingEnabled": true,
174 | "TranslateEnabled": false,
175 | "UrlKeyedAnonymizedDataCollectionEnabled": false,
176 | "UserAgentClientHintsEnabled": false,
177 | "VideoCaptureAllowed": true,
178 | "WebRtcEventLogCollectionAllowed": false,
179 | "WebRtcIPHandling": "disable_non_proxied_udp",
180 | "WifiSyncAndroidAllowed": false,
181 | "WindowOcclusionEnabled": true
182 | }
183 |
--------------------------------------------------------------------------------
/brace/etc/chrony.brace.conf:
--------------------------------------------------------------------------------
1 | # References:
2 | # - https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf
3 | # - https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
4 | # - https://fedoramagazine.org/secure-ntp-with-nts/
5 |
6 | #Anycast
7 | server time.cloudflare.com iburst nts
8 |
9 | #Sweden
10 | server nts.netnod.se iburst nts
11 |
12 | #Netherlands / Germany (PTB)
13 | server ntppool1.time.nl iburst nts
14 | #server ntppool2.time.nl iburst nts
15 | server ptbtime1.ptb.de iburst nts
16 | #server ptbtime2.ptb.de iburst nts
17 | #server ptbtime3.ptb.de iburst nts
18 |
19 | #South America
20 | server brazil.time.system76.com iburst nts
21 |
22 | #France
23 | server paris.time.system76.com iburst nts
24 |
25 | #US West
26 | server oregon.time.system76.com iburst nts
27 |
28 | #US Central
29 | server ohio.time.system76.com iburst nts
30 |
31 | #US East
32 | server virginia.time.system76.com iburst nts
33 |
34 | minsources 2
35 | authselectmode require
36 |
37 | #Class 46 is expedited forwarding
38 | dscp 46
39 |
40 | driftfile /var/lib/chrony/drift
41 | ntsdumpdir /var/lib/chrony
42 | logdir /var/log/chrony
43 |
44 | leapsectz right/UTC
45 | makestep 1.0 3
46 |
47 | rtconutc
48 | rtcsync
49 |
50 | cmdport 0
51 |
--------------------------------------------------------------------------------
/brace/etc/dconf/db/local.d/00-brace-cinnamon:
--------------------------------------------------------------------------------
1 | [org/cinnamon/desktop/applications/terminal]
2 | exec='gnome-terminal'
3 |
4 | [org/cinnamon]
5 | desktop-effects=false
6 | enable-app-monitoring=false
7 | workspace-osd-duration=200
8 | workspace-expo-view-as-grid=true
9 |
10 | [org/cinnamon/desktop/background]
11 | primary-color='#1b5e20'
12 |
13 | [org/cinnamon/desktop/interface]
14 | clock-use-24h=false
15 | clock-show-seconds=true
16 | clock-show-date=false
17 | enable-animations=false
18 |
19 | [org/cinnamon/desktop/keybindings]
20 | looking-glass-keybinding=['l']
21 |
22 | [org/cinnamon/desktop/keybindings/media-keys]
23 | screensaver=['l', 'XF86ScreenSaver']
24 |
25 | [org/cinnamon/desktop/media-handling]
26 | automount-open=false
27 | automount=false
28 | autorun-never=true
29 |
30 | [org/cinnamon/desktop/notifications]
31 | remove-old=true
32 |
33 | [org/cinnamon/desktop/privacy]
34 | recent-files-max-age=-1
35 | remove-old-temp-files=true
36 | old-files-age=uint32 1
37 | remove-old-trash-files=true
38 | remember-recent-files=false
39 |
40 | [org/cinnamon/desktop/screensaver]
41 | lock-delay=uint32 30
42 | lock-enabled=true
43 | user-switch-enabled=true
44 | show-notifications=false
45 |
46 | [org/cinnamon/desktop/session]
47 | idle-delay=uint32 600
48 |
49 | [org/cinnamon/desktop/thumbnail-cache]
50 | maximum-age=7
51 |
52 | [org/cinnamon/desktop/thumbnailers]
53 | disable-all=true
54 |
55 | [org/cinnamon/desktop/wm/preferences]
56 | button-layout=':minimize,maximize,close'
57 | num-workspaces=8
58 |
59 | [org/cinnamon/muffin]
60 | attach-modal-dialogs=false
61 | unredirect-fullscreen-windows=true
62 | workspace-cycle=true
63 |
64 | [org/cinnamon/settings-daemon/peripherals/keyboard]
65 | numlock-state='on'
66 |
67 | [org/cinnamon/settings-daemon/peripherals/touchpad]
68 | natural-scroll=false
69 | disable-while-typing=false
70 | tap-to-click=false
71 |
72 | [org/cinnamon/settings-daemon/plugins/power]
73 | button-power='interactive'
74 | idle-brightness=10
75 | sleep-inactive-battery-timeout=0
76 | lid-close-ac-action='suspend'
77 | lid-close-battery-action='suspend'
78 | sleep-inactive-ac-timeout=0
79 | sleep-display-ac=600
80 | sleep-display-battery=600
81 | lock-on-suspend=true
82 |
83 | [org/cinnamon/settings-daemon/plugins/xsettings]
84 | antialiasing='grayscale'
85 | hinting='slight'
86 |
87 | [org/nemo/desktop]
88 | desktop-layout='false::false'
89 |
90 | [org/nemo/preferences]
91 | click-double-parent-folder=false
92 | close-device-view-on-device-eject=true
93 | context-menus-show-all-actions=true
94 | default-folder-viewer='compact-view'
95 | show-advanced-permissions=true
96 | show-full-path-titles=true
97 | show-home-icon-toolbar=true
98 | show-image-thumbnails='never'
99 | show-location-entry=true
100 | show-new-folder-icon-toolbar=true
101 | show-open-in-terminal-toolbar=true
102 | show-reload-icon-toolbar=true
103 | start-with-dual-pane=true
104 |
105 | [org/x/editor/plugins]
106 | active-plugins=['docinfo', 'findinfiles', 'git', 'sort', 'spell', 'filebrowser', 'colorpicker', 'time', 'terminal']
107 |
108 | [org/x/editor/preferences/editor]
109 | highlight-current-line=true
110 | display-right-margin=false
111 | bracket-matching=true
112 | scheme='solarized-dark'
113 | display-line-numbers=true
114 | background-pattern='grid'
115 | use-default-font=true
116 |
117 | [org/x/editor/preferences/ui]
118 | minimap-visible=false
119 | toolbar-visible=false
120 |
121 | [org/x/player]
122 | repeat=true
123 |
124 | [org/x/reader]
125 | override-restrictions=true
126 |
127 | [org/x/viewer/ui]
128 | statusbar=false
129 | sidebar=false
130 | image-gallery=false
131 |
--------------------------------------------------------------------------------
/brace/etc/dconf/db/local.d/00-brace-extra:
--------------------------------------------------------------------------------
1 | [apps/seahorse]
2 | server-auto-retrieve=false
3 | server-auto-publish=false
4 |
5 | [apps/telepathy-logger]
6 | enabled=false
7 |
8 | [ca/desrt/dconf-editor]
9 | show-warning=false
10 | behaviour='always-confirm-implicit'
11 |
12 | [desktop/gnome/crypto/pgp]
13 | encrypt-to-self=true
14 | ascii-armor=true
15 |
16 | [org/freedesktop/ibus/engine/typing-booster]
17 | offtherecord=true
18 |
19 | [org/freedesktop/tracker/miner/files]
20 | index-removable-devices=false
21 | removable-days-threshold=2
22 | enable-monitors=false
23 | crawling-interval=-2
24 |
25 | [org/gnome/builder]
26 | night-mode=true
27 |
28 | [org/gnome/builder/editor]
29 | show-map=false
30 | highlight-current-line=true
31 | auto-hide-map=true
32 | highlight-matching-brackets=true
33 | style-scheme-name='solarized-dark'
34 | wrap-text=true
35 |
36 | [org/gnome/calculator]
37 | refresh-interval=0
38 |
39 | [org/gnome/evolution/mail]
40 | composer-request-receipt=true
41 | prompt-on-unwanted-html=true
42 | composer-send-html=false
43 | composer-show-bcc=true
44 | composer-show-from-override=true
45 | composer-show-reply-to=true
46 | image-loading-policy='never'
47 | search-gravatar-for-photo=false
48 |
49 | [org/gnome/evolution/mail/plugin/prefer-plain]
50 | mode='prefer_plain'
51 |
52 | [org/gnome/feedreader]
53 | content-grabber=false
54 | download-images=false
55 | drop-articles-after='1 Month'
56 | feedlist-sort-by='ALPHABETICAL'
57 | mediaplayer=false
58 |
59 | [org/gnome/feedreader/tweaks]
60 | allow-javascript=false
61 | do-not-track=true
62 | ignore-tls-errors=false
63 | smooth-scrolling=false
64 |
65 | [org/gnome/Geary]
66 | compose-as-html=false
67 |
68 | [org/gnome/liferea]
69 | disable-javascript=true
70 | do-not-track=true
71 |
72 | [org/gnome/Lollypop]
73 | save-state=true
74 | network-access=false
75 | artist-artwork=false
76 | auto-update=false
77 | disable-scrobbling=true
78 | power-management='suspend'
79 | sidebar-content='artists'
80 |
81 | [org/gnome/maps]
82 | checkin-facebook-privacy='ALL_FRIENDS'
83 | checkin-foursquare-privacy='followers'
84 |
85 | [org/gnome/MultiWriter]
86 | blank-drive=true
87 |
88 | [org/gnome/nm-applet]
89 | suppress-wireless-networks-available=true
90 |
91 | [org/gnome/recipes]
92 | user='anonymous'
93 |
94 | [org/gnome/system/location]
95 | max-accuracy-level='city'
96 | enabled=false
97 |
98 | [org/virt-manager/virt-manager]
99 | xmleditor-enabled=true
100 |
101 | [org/virt-manager/virt-manager/console]
102 | auto-redirect=false
103 | resize-guest=1
104 | scaling=1
105 |
106 | [system/proxy]
107 | mode='none'
108 |
--------------------------------------------------------------------------------
/brace/etc/dconf/db/local.d/00-brace-gnome:
--------------------------------------------------------------------------------
1 | [org/gnome/desktop/applications/terminal]
2 | exec='gnome-terminal'
3 |
4 | [org/gnome/desktop/background]
5 | show-desktop-icons=false
6 | primary-color='#1b5e20'
7 |
8 | [org/gnome/desktop/interface]
9 | show-battery-percentage=true
10 | enable-animations=false
11 | clock-format='12h'
12 | clock-show-seconds=true
13 | clock-show-date=true
14 | clock-show-weekday=true
15 |
16 | [org/gnome/desktop/media-handling]
17 | automount-open=false
18 | automount=false
19 | autorun-never=true
20 |
21 | [org/gnome/desktop/notifications]
22 | show-in-lock-screen=false
23 |
24 | [org/gnome/desktop/peripherals/mouse]
25 | natural-scroll=false
26 | accel-profile='flat'
27 |
28 | [org/gnome/desktop/peripherals/touchpad]
29 | natural-scroll=false
30 | disable-while-typing=false
31 | tap-to-click=false
32 |
33 | [org/gnome/desktop/privacy]
34 | remember-app-usage=false
35 | remove-old-temp-files=true
36 | old-files-age=uint32 1
37 | remove-old-trash-files=true
38 | remember-recent-files=false
39 | report-technical-problems=false
40 | hide-identity=true
41 | show-full-name-in-top-bar=false
42 | send-software-usage-stats=false
43 | disable-camera=true
44 | disable-microphone=true
45 |
46 | [org/gnome/desktop/remote-access]
47 | require-encryption=true
48 |
49 | [org/gnome/desktop/remote-desktop]
50 | auth-method='prompt'
51 | encryption=['tls-anon']
52 | view-only=true
53 |
54 | [org/gnome/desktop/screensaver]
55 | lock-delay=uint32 30
56 | show-full-name-in-top-bar=false
57 | lock-enabled=true
58 | user-switch-enabled=true
59 |
60 | [org/gnome/desktop/search-providers]
61 | disable-external=true
62 | disabled=['gnome-calculator.desktop', 'org.gnome.Calculator.desktop', 'org.gnome.Software.desktop', 'org.gnome.Epiphany.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Lollypop.desktop', 'firefox.desktop']
63 |
64 | [org/gnome/desktop/session]
65 | idle-delay=uint32 600
66 |
67 | [org/gnome/desktop/sound]
68 | allow-volume-above-100-percent=false
69 |
70 | [org/gnome/desktop/thumbnail-cache]
71 | maximum-age=7
72 |
73 | [org/gnome/desktop/thumbnailers]
74 | disable-all=true
75 |
76 | [org/gnome/desktop/wm/keybindings]
77 | toggle-fullscreen=['F11']
78 | panel-run-dialog=['d']
79 |
80 | [org/gnome/desktop/wm/preferences]
81 | button-layout='appmenu:minimize,maximize,close'
82 | num-workspaces=8
83 |
84 | [org/gnome/eog/ui]
85 | statusbar=false
86 | sidebar=false
87 | image-gallery=false
88 |
89 | [org/gnome/eog/view]
90 | extrapolate=false
91 | interpolate=false
92 |
93 | [org/gnome/evince]
94 | override-restrictions=true
95 |
96 | [org/gnome/file-roller/general]
97 | encrypt-header=true
98 |
99 | [org/gnome/gedit/plugins]
100 | active-plugins=['docinfo', 'findinfiles', 'git', 'sort', 'spell', 'filebrowser', 'colorpicker', 'time', 'terminal']
101 |
102 | [org/gnome/gedit/preferences/editor]
103 | highlight-current-line=true
104 | display-right-margin=false
105 | display-overview-map=true
106 | bracket-matching=true
107 | scheme='solarized-dark'
108 | display-line-numbers=true
109 | background-pattern='grid'
110 | use-default-font=true
111 |
112 | [org/gnome/gnome-flashback/desktop]
113 | show-icons=false
114 |
115 | [org/gnome/gnome-flashback/desktop/background]
116 | fade=false
117 |
118 | [org/gnome/gnome-panel/general]
119 | prefer-symbolic-icons=true
120 |
121 | [org/gnome/gnome-panel/run-dialog]
122 | show-program-list=true
123 |
124 | [org/gnome/gnome-screenshot]
125 | include-icc-profile=false
126 |
127 | [org/gnome/metacity]
128 | compositing-manager=false
129 |
130 | [org/gnome/mutter]
131 | dynamic-workspaces=false
132 | workspaces-only-on-primary=false
133 | attach-modal-dialogs=false
134 | experimental-features=@as []
135 |
136 | [org/gnome/nautilus/icon-view]
137 | default-zoom-level='standard'
138 |
139 | [org/gnome/nautilus/list-view]
140 | default-zoom-level='small'
141 |
142 | [org/gnome/nautilus/preferences]
143 | executable-text-activation='ask'
144 | default-folder-viewer='icon-view'
145 | always-use-location-entry=true
146 | show-delete-permanently=true
147 | show-create-link=true
148 | fts-enabled=false
149 |
150 | [org/gnome/settings-daemon/peripherals/keyboard]
151 | numlock-state='on'
152 |
153 | [org/gnome/settings-daemon/plugins/color]
154 | night-light-schedule-automatic=false
155 |
156 | [org/gnome/settings-daemon/plugins/media-keys]
157 | custom-keybindings=['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']
158 | home=['e']
159 |
160 | [org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0]
161 | binding='t'
162 | command='gnome-terminal'
163 | name='Launch terminal'
164 |
165 | [org/gnome/settings-daemon/plugins/power]
166 | idle-dim=true
167 | sleep-inactive-ac-timeout=2700
168 | idle-brightness=10
169 | sleep-inactive-battery-timeout=1200
170 |
171 | [org/gnome/settings-daemon/plugins/xsettings]
172 | antialiasing='grayscale'
173 | hinting='slight'
174 |
175 | [org/gnome/shell]
176 | favorite-apps=['org.gnome.Nautilus.desktop', 'firefox.desktop', 'firefox-esr.desktop', 'evolution.desktop', 'org.gnome.Evolution.desktop', 'libreoffice-startcenter.desktop', 'yelp.desktop']
177 | disable-user-extensions=true
178 |
179 | [org/gnome/shell/overrides]
180 | dynamic-workspaces=false
181 | workspaces-only-on-primary=false
182 | attach-modal-dialogs=false
183 |
184 | [org/gnome/Totem]
185 | repeat=true
186 |
187 | [org/gnome/terminal/legacy]
188 | default-show-menubar=false
189 | theme-variant='dark'
190 |
191 | [org/gnome/terminal/legacy/profiles:]
192 | default='b1dcc9dd-5262-4d8d-a863-c897e6d979b9'
193 |
194 | [org/gnome/terminal/legacy/profiles:/:b1dcc9dd-5262-4d8d-a863-c897e6d979b9]
195 | foreground-color='#c5c8c6'
196 | palette=['#1d1f21', '#cc342b', '#198844', '#fba922', '#3971ed', '#a36ac7', '#3971ed', '#c5c8c6', '#969896', '#cc342b', '#198844', '#fba922', '#3971ed', '#a36ac7', '#3971ed', '#ffffff']
197 | cursor-shape='underline'
198 | use-system-font=true
199 | use-theme-colors=true
200 | use-transparent-background=true
201 | background-transparency-percent=10
202 | bold-is-bright=true
203 | bold-color-same-as-fg=true
204 | bold-color='#c5c8c6'
205 | background-color='#1d1f21'
206 |
--------------------------------------------------------------------------------
/brace/etc/dconf/db/local.d/00-brace-mate:
--------------------------------------------------------------------------------
1 | [org/mate/atril]
2 | override-restrictions=true
3 |
4 | [org/mate/caja/icon-view]
5 | default-zoom-level='standard'
6 |
7 | [org/mate/caja/preferences]
8 | show-image-thumbnails='never'
9 | preview-sound='never'
10 | show-icon-text='never'
11 | enable-delete='true'
12 | always-use-location-entry=true
13 | show-advanced-permissions=true
14 |
15 | [org/mate/desktop/background]
16 | background-fade=false
17 | show-desktop-icons=false
18 | primary-color='rgb(27,94,32)'
19 |
20 | [org/mate/desktop/font-rendering]
21 | antialiasing='grayscale'
22 | hinting='slight'
23 |
24 | [org/mate/desktop/interface]
25 | enable-animations=false
26 | gtk-enable-animations=false
27 |
28 | [org/mate/desktop/media-handling]
29 | automount-open=false
30 | automount=false
31 | autorun-never=true
32 |
33 | [org/mate/desktop/peripherals/mouse]
34 | middle-button-enabled=false
35 |
36 | [org/mate/desktop/peripherals/touchpad]
37 | horizontal-two-finger-scrolling=true
38 | natural-scroll=false
39 | disable-while-typing=false
40 |
41 | [org/mate/desktop/session]
42 | idle-delay=uint32 600
43 |
44 | [org/mate/desktop/thumbnail-cache]
45 | maximum-age=7
46 |
47 | [org/mate/desktop/thumbnailers]
48 | disable-all=true
49 |
50 | [org/mate/engrampa/general]
51 | encrypt-header=true
52 |
53 | [org/mate/eom/ui]
54 | statusbar=false
55 | sidebar=false
56 | image-collection=false
57 |
58 | [org/mate/marco/general]
59 | compositing-manager=false
60 | allow-tiling=true
61 | allow-top-tiling=true
62 | num-workspaces=6
63 |
64 | [org/mate/marco/global-keybindings]
65 | run-command-terminal='t'
66 | panel-main-menu='s'
67 | panel-run-dialog='d'
68 |
69 | [org/mate/marco/window-keybindings]
70 | maximize='Up'
71 | tile-to-side-w='Left'
72 | tile-to-side-e='Right'
73 | toggle-fullscreen='F11'
74 | move-to-monitor-e='Right'
75 | move-to-monitor-w='Left'
76 |
77 | [org/mate/panel/general]
78 | show-program-list=true
79 |
80 | [org/mate/panel/objects/clock/prefs]
81 | show-temperature=false
82 | format='12-hour'
83 | custom-format=''
84 | show-seconds=true
85 | show-weather=false
86 |
87 | [org/mate/panel/objects/workspace-switcher/prefs]
88 | wrap-workspaces=true
89 |
90 | [org/mate/pluma]
91 | active-plugins=['docinfo', 'findinfiles', 'git', 'sort', 'spell', 'filebrowser', 'colorpicker', 'time', 'terminal']
92 | color-scheme='solarized-dark'
93 | display-line-numbers=true
94 | highlight-current-line=true
95 | toolbar-visible=false
96 | statusbar-visible=true
97 | display-right-margin=false
98 | bracket-matching=true
99 |
100 | [org/mate/power-manager]
101 | idle-dim-ac=false
102 | idle-dim=false
103 | button-power='interactive'
104 | button-lid-ac='suspend'
105 | button-suspend='suspend'
106 | button-lid-battery='suspend'
107 |
108 | [org/mate/notification-daemon]
109 | popup-location='top_right'
110 | theme='coco'
111 |
112 | [org/mate/screensaver]
113 | mode='blank-only'
114 |
115 | [org/mate/settings-daemon/plugins/media-keys]
116 | screensaver='l'
117 | home='e'
118 | search='q'
119 |
120 | [org/mate/terminal/profiles/default]
121 | default-show-menubar=false
122 | foreground-color='#C5C5C8C8C6C6'
123 | bold-color='#C5C5C8C8C6C6'
124 | background-color='#1D1D1F1F2121'
125 | use-theme-colors=false
126 | background-type='transparent'
127 | background-darkness=0.90
128 | palette='#1D1D1F1F2121:#CCCC34342B2B:#191988884444:#FBFBA9A92222:#39397171EDED:#A3A36A6AC7C7:#39397171EDED:#C5C5C8C8C6C6:#969698989696:#CCCC34342B2B:#191988884444:#FBFBA9A92222:#39397171EDED:#A3A36A6AC7C7:#39397171EDED:#FFFFFFFFFFFF'
129 |
--------------------------------------------------------------------------------
/brace/etc/dconf/db/local.d/00-brace-pantheon:
--------------------------------------------------------------------------------
1 | [io/elementary/code/services]
2 | set-private=true
3 |
4 | [io/elementary/desktop/agent-geoclue2]
5 | location-enabled=false
6 |
7 | [io/elementary/desktop/wingpanel/power]
8 | show-percentage=true
9 |
--------------------------------------------------------------------------------
/brace/etc/dconf/profile/user:
--------------------------------------------------------------------------------
1 | user-db:user
2 | system-db:local
3 |
--------------------------------------------------------------------------------
/brace/etc/dconf/profile/user-full:
--------------------------------------------------------------------------------
1 | user-db:user
2 | system-db:local
3 | system-db:site
4 | system-db:distro
5 |
--------------------------------------------------------------------------------
/brace/etc/default/grub.d/brace.cfg:
--------------------------------------------------------------------------------
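#Kernel command-line hardening for GRUB.
#This file is sourced by grub-mkconfig (via /etc/default/grub.d/*.cfg); every
#active line appends one or more parameters to GRUB_CMDLINE_LINUX_DEFAULT.
#Lines marked #XXX document known breakage risks; comment a line out to drop it.

#Memory Hardening
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} mem_encrypt=on"; #Enables SME on supported AMD platforms #XXX: can break boot, usually doesn't work but TSME in UEFI may
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} efi=disable_early_pci_dma"; #Prevents DMA during early bringup #XXX: can break boot
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} init_on_alloc=1"; #Zero pages on allocation
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} init_on_free=1"; #Zero pages on free
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} page_alloc.shuffle=1"; #Randomize free lists
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} pti=on kpti=on"; #Enable page table isolation
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} randomize_kstack_offset=1"; #Randomize kernel stacks
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} slab_nomerge"; #Don't merge same-size slabs
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} slub_debug=FZ"; #Enables SLUB sanity checks and red-zoning, #XXX: extreme performance impact and enables unhashed memory addresses

#IOMMU Enablement
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} iommu=force"; #Ensure it is enabled in more cases
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} iommu.passthrough=0"; #Always use the IOMMU for DMA
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} iommu.strict=1"; #Do not defer invalidation of hardware TLBs
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} intel_iommu=on"; #Ensure the Intel IOMMU driver is enabled
#amd_iommu is set only on the following line so that commenting it out actually removes the parameter
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} amd_iommu=force_isolation"; #Ensure the AMD IOMMU driver is enabled #XXX can break boot with recent amd gpus

#CPU Flaw Mitigations
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} spec_store_bypass_disable=on ssbd=force-on"; #Enables SSB mitigations, including all userspace processes
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} spectre_v2=on spectre_bhi=on"; #Enable spectre_v2 mitigations, including all userspace processes
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} tsx=off"; #Disable TSX

#Misc Hardening
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} debugfs=off"; #Disable debugfs entirely #XXX: may be of use
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} lockdown=confidentiality"; #Restrict userspace access to certain kernel features/attributes
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} mce=0"; #Panic on uncorrectable errors #XXX: deprecated in 5.18
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} module.sig_enforce=1"; #Block modules with invalid signatures #XXX: superseded by lockdown
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} oops=panic"; #Panic system on oops #XXX: can turn minor issues into annoyances
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} vsyscall=none"; #Disable unnecessary legacy functionality
#GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} ia32_emulation=false"; #Disable support for 32-bit execution

#Nice to haves
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} fsck.mode=force"; #FSCK mounts every boot, systemd default is once per 30 boots
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} i8042.reset=1"; #Work around buggy laptop keyboard/touchpads
GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} libata.allow_tpm=1"; #OPAL support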
37 |
--------------------------------------------------------------------------------
/brace/etc/opt/chrome/policies/managed/brace.json:
--------------------------------------------------------------------------------
1 | /etc/chromium/policies/managed/brace.json
--------------------------------------------------------------------------------
/brace/etc/profile.d/brace-env-overrides.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #Copyright (c) 2020 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# misc
export CRYFS_NO_UPDATE_CHECK=true;

# Zero video RAM on release so a later process cannot read leftover framebuffer
# contents; see (CC BY-SA 4.0):
# https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram AMD_DEBUG=zerovram RADV_DEBUG=zerovram;

# Let the gstreamer VA-API plugin load on drivers it does not list as supported.
export GST_VAAPI_ALL_DRIVERS=1;

# Disable glibc's per-thread malloc cache.
export GLIBC_TUNABLES='glibc.malloc.tcache_count=0';

# Disable JavaScript JIT compilation.
# https://trac.webkit.org/wiki/EnvironmentVariables
export JavaScriptCoreUseJIT=0 JSC_useFTLJIT=0;
# https://gitlab.gnome.org/GNOME/gjs/-/blob/master/doc/Environment.md
export GJS_DISABLE_JIT=1;

# Restrictive umask for ordinary accounts: real and effective uid both >= 1000
# and a user-private primary group (group name equals user name) -> 0077.
# Anything else (system accounts, shared primary groups) keeps 0022, since a
# 0077 default there would hide files from the group that is meant to share them.
brace_strict_umask=0;
if [ "$(/usr/bin/id -ru)" -ge 1000 ]; then
    if [ "$(/usr/bin/id -u)" -ge 1000 ]; then
        if [ "$(/usr/bin/id -gn)" = "$(/usr/bin/id -un)" ]; then
            brace_strict_umask=1;
        fi;
    fi;
fi;
if [ "$brace_strict_umask" -eq 1 ]; then
    umask 0077;
else
    umask 0022;
fi;
unset brace_strict_umask;
45 |
--------------------------------------------------------------------------------
/brace/etc/profile.d/brace-helpers.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #Copyright (c) 2018-2020 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# cleaning
# Shortcuts for the external cleaners; clearDriveFreeSpace picks a fresh
# scrub file name per invocation via $RANDOM (expanded when the alias runs).
alias bleachLast='bleachbit --preset --clean' \
      clearTracker='/usr/bin/tracker reset --hard' \
      clearDriveFreeSpace='scrub --no-hwrand -p random -X cfs-$RANDOM' \
      clearDriveDiscard='sudo fstrim -av';
# Runs the clear* helper functions defined below in sequence, stopping at the
# first one that fails. Aliases resolve at use time, so the functions only
# need to exist when clearall is actually invoked.
alias clearall='clearUserMisc && clearLogins && clearVarLog && clearVarLogMisc && clearJournal && clearMemory && clearDriveDiscard';
23 |
clearUserMisc() {
    # Delete per-user files that record activity (viewer history, application
    # logs, thumbnails, recently-used lists). Plain files and globs get rm -f,
    # directories get rm -rf, so a path that is unexpectedly a directory is not
    # removed by the file loop.
    # Deliberately left alone, kept here for reference:
    #   ~/.*_history  ~/.esmtp_queue  ~/.config/wireshark/recent*
    #   ~/.jack-server/logs  ~/.wget-hsts  ~/.gnutls/known_hosts  ~/.ssh/known_hosts
    for target in \
        ~/.lesshst \
        ~/.android/adbkey* \
        ~/.clamtk/history/*.log \
        ~/.config/inkscape/extension-errors.log \
        ~/.config/supertuxkart/stdout.log* \
        ~/.local/share/ibus-typing-booster/*debug.log \
        ~/.local/share/recently-used.xbel \
        ~/.minetest/debug.txt; do
        rm -fv "$target";
    done;
    for target in \
        ~/.cache/libvirt/qemu/log \
        ~/.cache/thumbnails \
        ~/.config/obs-studio/logs \
        ~/.config/obs-studio/profiler_data \
        ~/.local/share/gvfs-metadata; do
        rm -rfv "$target";
    done;
}
48 |
clearUsersMisc() {
    # Wipe the gvfs-metadata store of every account under /home, not only the
    # caller's. The glob is expanded by the caller's shell before sudo runs, so
    # it is resolved with the caller's permissions. Not part of the clearall alias.
    #contains list of all accessed/modified files on all connected drives (local or remote)
    sudo wipe -irqc /home/*/.local/share/gvfs-metadata;
}
53 |
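clearLogins() {
    # Empty the failed-login (btmp) and login/logout (wtmp) records.
    # Both files are sequences of fixed-size binary utmp records. The previous
    # `echo "" | sudo tee` left a single newline byte behind, which is not a
    # valid record; truncating to zero bytes keeps the files (with their
    # ownership and mode) but leaves nothing partial for readers to trip over.
    sudo truncate -s 0 /var/log/btmp /var/log/wtmp;
}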
58 |
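clearVarLog() {
    # Delete rotated/archived logs under /var/log in a single traversal:
    #   *.gz      compressed rotations
    #   *.log.N   logrotate numeric suffix
    #   *.log-N   logrotate dateext-style suffix
    # -regex matches the whole path, hence the leading ".*". The dot before the
    # number is escaped; the earlier pattern ".*\.log.[0-9]+$" let any single
    # character stand there and so also matched names like "app.log_12".
    # -print before -delete lists each file as it is removed.
    sudo find /var/log -type f \
        \( -regex '.*\.gz$' -o -regex '.*\.log\.[0-9]+$' -o -regex '.*\.log-[0-9]+$' \) \
        -print -delete;
}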
64 |
clearVarLogMisc() {
    # Remove assorted system logs, grouped as: libvirt, grubby, package
    # managers (dnf/hawkey/yum/pacman), scanners (lynis/rkhunter/clamav),
    # security (audit/usbguard) and the systemd boot log.
    # Globs are expanded by the caller's shell before sudo runs; an unmatched
    # pattern is passed through literally and silenced by -f. The whole list
    # goes to one rm invocation.
    set -- \
        /var/log/libvirt/qemu/*.log* \
        /var/log/grubby \
        /var/log/dnf*.log /var/log/hawkey.log /var/log/yum*.log /var/log/pacman.log \
        /var/log/lynis* /var/log/rkhunter.log* /var/log/freshclam.log /var/log/clamav/*.log \
        /var/log/audit/audit.log /var/log/usbguard/usbguard-audit.log \
        /var/log/boot.log;
    sudo rm -fv "$@";
}
86 |
clearJournal() {
    # Shrink the systemd journal to (almost) nothing: rotate the active files
    # first so they become archived and eligible for vacuuming, then keep at
    # most one archived file / 1K / 1s of data, then flush the volatile
    # journal into persistent storage.
    sudo journalctl --rotate;
    sudo journalctl --vacuum-files=1 --vacuum-size=1K --vacuum-time=1s;
    sudo journalctl --flush;
}
92 |
clearMemory() {
    # Print memory use, write out dirty pages, drop the page cache plus dentry
    # and inode caches (drop_caches = 3), then print memory use again so the
    # two `free` outputs can be compared.
    free -m;
    # sync itself needs no privileges; running it under sudo primes the sudo
    # timestamp so the tee below is unlikely to stall on a password prompt.
    sudo sync;
    printf '3\n' | sudo tee /proc/sys/vm/drop_caches;
    free -m;
}
99 |
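optimizeImages() {
    # Losslessly recompress and strip metadata from JPEG and PNG files under
    # the directory given as $1 (default: the current directory), running up
    # to 16 optimizer processes in parallel. Files are rewritten in place.
    # -iname also catches upper-case extensions (.JPG, .PNG, .JPEG); xargs -r
    # skips the optimizer entirely when nothing matched, instead of invoking it
    # with no file arguments.
    find "${1:-.}" -type f -iname "*.jp*g" -print0 | xargs -0 -r -n1 -P 16 jpegoptim --strip-all;
    find "${1:-.}" -type f -iname "*.png" -print0 | xargs -0 -r -n1 -P 16 optipng -strip all;
}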
104 |
loosePermsRecursive() {
    # Make everything under the current directory world-readable:
    # directories 0755, regular files 0644 (-type skips symlinks).
    # Announces the target and pauses so the run can still be aborted.
    echo "Recursively setting loose permissions in $PWD";
    echo "You've 5 seconds to Ctrl+C";
    sleep 5;
    for spec in "d:0755" "f:0644"; do
        find . -type "${spec%%:*}" -print0 | xargs -0 chmod -v "${spec#*:}";
    done;
}
112 |
strictPermsRecursive() {
    # Restrict everything under the current directory to the owner only:
    # directories 0700, regular files 0600 (-type skips symlinks).
    # Announces the target and pauses so the run can still be aborted.
    echo "Recursively setting restrictive permissions in $PWD";
    echo "You've 5 seconds to Ctrl+C";
    sleep 5;
    for spec in "d:0700" "f:0600"; do
        find . -type "${spec%%:*}" -print0 | xargs -0 chmod -v "${spec#*:}";
    done;
}
120 |
121 |
# malware scanning
# malwaretest fetches the EICAR test file so the installed scanner can be
# exercised against a harmless, standard sample.
alias malwaretest='wget https://eicar.org/download/eicar.com.txt && cat eicar.com.txt' \
      clamscanhere='clamscan --recursive --detect-pua=yes --infected --allmatch --cross-fs=no --follow-dir-symlinks=0 --follow-file-symlinks=0 .' \
      rootkitscan='sudo rkhunter --update && sudo rkhunter -c --enable all --disable none --rwo' \
      rootkitscanalt='sudo unhide reverse procall sys';

# misc
# dconf-reset-brace reloads the brace dconf defaults into the user's database;
# it is not recommended for routine use.
alias dconf-reset-brace='cat /etc/dconf/db/local.d/00-brace* | dconf load /' \
      ssh-tor='torsocks --isolate ssh' \
      dnf-update-security-testing="sudo dnf update --refresh --security --enablerepo=*updates-testing" \
      dnf-update-kernel="sudo dnf update --enablerepo=*updates-testing kernel*"; #sometimes testing kernels aren't flagged as security updates
133 |
--------------------------------------------------------------------------------
/brace/etc/tlp.d/00-brace.conf:
--------------------------------------------------------------------------------
1 | # Enable controller and port power management
2 | AHCI_RUNTIME_PM_ON_AC=auto
3 | AHCI_RUNTIME_PM_ON_BAT=auto
4 |
5 | # Disable timeout to prevent spin-down
6 | AHCI_RUNTIME_PM_TIMEOUT=-1
7 |
8 | # Enable PCI power management
9 | RUNTIME_PM_ON_AC=auto
10 | RUNTIME_PM_ON_BAT=auto
11 |
12 | # Enable PCIe ASPM
13 | PCIE_ASPM_ON_AC=powersave
14 | PCIE_ASPM_ON_BAT=powersupersave
15 |
16 | # Enable Wi-Fi power management
17 | WIFI_PWR_ON_AC=on
18 | WIFI_PWR_ON_BAT=on
19 |
20 | # Don't break USB NICs
21 | USB_DENYLIST+="0bda:8152 0bda:8153 0bda:8155 0bda:8156"
22 |
23 | # Radio devices to disable on connect.
24 | DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi"
25 |
26 | # Radio devices to enable on disconnect.
27 | DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi"
28 |
--------------------------------------------------------------------------------
/brace/usr/bin/brace-supplemental-changes:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #Copyright (c) 2017-2022 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# Run as root: apply system-wide changes, each behind an interactive prompt.
# Run as an ordinary user: apply desktop look-and-feel settings for that user.
if [ "$(/usr/bin/id -u)" -eq "0" ]; then
    if [ -f "/usr/lib/systemd/system/zram-swap.service" ]; then
        echo "Enabling zram-swap";
        systemctl enable zram-swap.service --now; #XXX: replaced by systemd-zram-generator
    fi;

    if [ -f "/usr/lib/systemd/system/fstrim.timer" ]; then
        echo "Enabling weekly fstrim";
        systemctl enable fstrim.timer --now;
    fi;

    #Repository Changes
    if [ -d "/etc/yum.repos.d" ]; then
        echo "Set all DNF repositories to HTTPS and disable countme?";
        select ys in "Yes" "Skip"; do
            case $ys in
                Yes )
                    # Rewrites every *.repo in place (no backup copy). A package update
                    # that ships a new .repo file undoes this, hence the reminder below.
                    sed -i 's/metalink?repo=/metalink\?protocol\=https\&repo\=/' /etc/yum.repos.d/*.repo;
                    sed -i 's/countme=1/countme=0/' /etc/yum.repos.d/*.repo;
                    echo "Remember: This will need to be done again if any of them are updated!"
                    break;;
                Skip )
                    break;;
            esac
        done
    fi

    #Stealth Firewall
    if [ -x /usr/bin/firewall-cmd ]; then
        echo "Do you want a default drop firewall?";
        select ys in "Yes" "Skip"; do
            case $ys in
                Yes )
                    # Default zone "drop" discards unsolicited inbound traffic. The two
                    # permanent rules keep IPv6 usable (ICMPv6 and the DHCPv6 client);
                    # IPv4 ICMP stays blocked.
                    # NOTE(review): per firewalld semantics --permanent only edits the
                    # saved configuration; no --reload is issued here, so those two rules
                    # take effect at the next reload/reboot, while the default-zone change
                    # applies immediately. Confirm this is the intended behaviour.
                    firewall-cmd --set-default-zone=drop;
                    #firewall-cmd --add-protocol=icmp --permanent;
                    firewall-cmd --add-protocol=ipv6-icmp --permanent;
                    firewall-cmd --add-service=dhcpv6-client --permanent;
                    break;;
                Skip )
                    #firewall-cmd --set-default-zone=public;
                    break;;
            esac
        done
    fi

    #Kernel Command Line
    if [ -x /usr/sbin/grubby ]; then
        echo "Do you want a stricter kernel (via boot command-line arguments)?";
        select ys in "Yes" "Skip"; do
            case $ys in
                Yes )
                    #Keep this in sync with grub defaults (the brace grub.d file carries the same list)
                    # Each grubby call appends to the command line of every installed kernel;
                    # entries left commented out are known to break boot on some hardware.

                    #Memory Hardening
                    #grubby --update-kernel=ALL --args="mem_encrypt=on"; #Enables SME on supported AMD platforms #XXX: can break boot, usually doesn't work but TSME in UEFI may
                    #grubby --update-kernel=ALL --args="efi=disable_early_pci_dma"; #Prevents DMA during early bringup #XXX: can break boot
                    grubby --update-kernel=ALL --args="init_on_alloc=1"; #Zero pages on allocation
                    grubby --update-kernel=ALL --args="init_on_free=1"; #Zero pages on free
                    grubby --update-kernel=ALL --args="page_alloc.shuffle=1"; #Randomize free lists
                    grubby --update-kernel=ALL --args="pti=on kpti=on"; #Enable page table isolation
                    grubby --update-kernel=ALL --args="randomize_kstack_offset=1"; #Randomize kernel stacks
                    grubby --update-kernel=ALL --args="slab_nomerge"; #Don't merge same-size slabs
                    #grubby --update-kernel=ALL --args="slub_debug=FZ"; #Enables SLUB sanity checks and red-zoning, #XXX: extreme performance impact and enables unhashed memory addresses

                    #IOMMU Enablement
                    grubby --update-kernel=ALL --args="iommu=force"; #Ensure it is enabled in more cases
                    grubby --update-kernel=ALL --args="iommu.passthrough=0"; #Always use the IOMMU for DMA
                    grubby --update-kernel=ALL --args="iommu.strict=1"; #Do not defer invalidation of hardware TLBs
                    grubby --update-kernel=ALL --args="intel_iommu=on"; #Ensure the IOMMU driver is enabled
                    grubby --update-kernel=ALL --args="amd_iommu=force_isolation"; #Ensure the IOMMU driver is enabled #XXX can break boot with recent amd gpus

                    #CPU Flaw Mitigations
                    grubby --update-kernel=ALL --args="spec_store_bypass_disable=on ssbd=force-on"; #Enables SSB mitigations, including all userspace processes
                    grubby --update-kernel=ALL --args="spectre_v2=on spectre_bhi=on"; #Enable spectre_v2 mitigations, including all userspace processes
                    grubby --update-kernel=ALL --args="tsx=off"; #Disable TSX

                    #Misc Hardening
                    #grubby --update-kernel=ALL --args="debugfs=off"; #Disable debugfs entirely #XXX: may be of use
                    grubby --update-kernel=ALL --args="lockdown=confidentiality"; #Restrict userspace access to certain kernel features/attributes
                    grubby --update-kernel=ALL --args="mce=0"; #Panic on uncorrectable errors #XXX: deprecated in 5.18
                    grubby --update-kernel=ALL --args="module.sig_enforce=1"; #Block modules with invalid signatures #XXX: superseded by lockdown
                    #grubby --update-kernel=ALL --args="oops=panic"; #Panic system on oops #XXX: can turn minor issues into annoyances
                    grubby --update-kernel=ALL --args="vsyscall=none"; #Disable unnecessary legacy functionality
                    #grubby --update-kernel=ALL --args="ia32_emulation=false"; #Disable support for 32-bit execution

                    #Nice to haves
                    grubby --update-kernel=ALL --args="fsck.mode=force"; #FSCK mounts every boot, systemd default is once per 30 boots
                    grubby --update-kernel=ALL --args="i8042.reset=1"; #Workaround buggy laptop keyboard/touchpads
                    grubby --update-kernel=ALL --args="libata.allow_tpm=1"; #OPAL support
                    break;;
                Skip )
                    break;;
            esac
        done
    fi;

    #Stronger Crypto
    if [ -x /usr/bin/update-crypto-policies ]; then
        echo "Do you want stricter crypto policies?";
        select yn in "Yes" "No"; do
            case $yn in
                Yes )
                    # NOTE(review): confirm the NEXT policy exists on the target
                    # crypto-policies version; the command fails if it does not.
                    update-crypto-policies --set NEXT;
                    break;;
                No )
                    # "No" is not a no-op: it explicitly resets to DEFAULT.
                    update-crypto-policies --set DEFAULT; #:TEST-PQ
                    break;;
            esac
        done
    fi;

    #Hostname
    if [ -x /usr/bin/hostnamectl ]; then
        echo "Do you want a random hostname?";
        select yls in "Yes" "localhost" "Skip"; do
            case $yls in
                Yes )
                    # Eight lowercase letters from /dev/urandom; replaced by a pwgen
                    # name (no capitals, no digits) when pwgen is installed.
                    randhost=$(head /dev/urandom | tr -dc a-z | head -c8);
                    if [ -x /usr/bin/pwgen ]; then
                        randhost=$(pwgen -A0 8 1);
                    fi;
                    hostnamectl set-hostname "$randhost";
                    #echo "127.0.0.1 $randhost" >> /etc/hosts;
                    break;;
                localhost )
                    hostnamectl set-hostname "localhost";
                    break;;
                Skip )
                    break;;
            esac
        done
    fi;

    #Services
    if [ -x /usr/bin/systemctl ]; then
        echo "Do you want to disable many unnecessary services? (helps on low perf systems)";
        select ys in "Yes" "Skip"; do
            case $ys in
                Yes )
                    # Each line disables and stops one group; a unit that is not
                    # installed only produces a systemctl error for that line.
                    systemctl disable gssproxy.service --now; #Auth
                    systemctl disable pcscd.service pcscd.socket --now; #Smartcards
                    systemctl disable abrtd.service abrt-journal-core.service abrt-oops.service abrt-pstoreoops.service abrt-vmcore.service abrt-xorg.service --now; #ABRT
                    systemctl disable atd.service --now; #At/Batch
                    systemctl disable mcelog.service --now; #mcelog
                    systemctl disable avahi-daemon.service avahi-daemon.socket --now; #Avahi
                    systemctl disable ModemManager.service --now; #ModemManager
                    systemctl disable iscsid.service iscsid.socket iscsi-init.service iscsi.service iscsiuio.service iscsiuio.socket --now; #iSCSI
                    systemctl disable livesys.service livesys-late.service --now; #Anaconda leftovers
                    systemctl disable multipathd.service multipathd.socket --now; #Multipath
                    systemctl disable smartd.service --now; #smartd
                    systemctl disable vboxservice.service --now; #VirtualBox
                    systemctl disable vmtoolsd.service --now; #VMWare
                    systemctl disable passim.service --now; #LAN P2P file sharing used by fwupd
                    break;;
                Skip )
                    break;;
            esac
        done
    fi;
else
    #Looks
    # Fonts and icon theme are only set when the corresponding package files exist.
    if [ -d "/usr/share/fonts/adobe-source-code-pro" ]; then
        gsettings set org.gnome.builder.editor font-name 'Source Code Pro 10';
        gsettings set org.gnome.desktop.interface monospace-font-name 'Source Code Pro 10';
        gsettings set org.mate.desktop.interface monospace-font-name 'Source Code Pro 10';
    fi;
    if [ -f "/usr/share/fonts/mozilla-fira/FiraSans-Regular.otf" ] || [ -f "/usr/share/fonts/TTF/FiraSans-Regular.ttf" ]; then
        gsettings set org.gnome.desktop.interface font-name 'Fira Sans 10';
        gsettings set org.gnome.desktop.wm.preferences titlebar-font 'Fira Sans Bold 11';
        gsettings set org.cinnamon.desktop.interface font-name 'Fira Sans 10';
        #TODO cinnamon legacy title font
        gsettings set org.mate.caja.desktop font 'Fira Sans 10';
        gsettings set org.mate.desktop.interface font-name 'Fira Sans 10';
        gsettings set org.mate.marco.general titlebar-font 'Fira Sans Bold 11';
    fi;
    # Fira Mono, when present, overrides the Source Code Pro monospace choice above.
    if [ -f "/usr/share/fonts/mozilla-fira/FiraMono-Regular.otf" ] || [ -f "/usr/share/fonts/TTF/FiraMono-Regular.ttf" ]; then
        gsettings set org.gnome.builder.editor font-name 'Fira Mono 10';
        gsettings set org.gnome.desktop.interface monospace-font-name 'Fira Mono 10';
        gsettings set org.gnome.gedit.preferences.editor editor-font 'Fira Mono 10';
        gsettings set org.cinnamon.desktop.interface monospace-font-name 'Fira Mono 10';
        gsettings set org.mate.desktop.interface monospace-font-name 'Fira Mono 10';
    fi;
    if [ -d "/usr/share/icons/Numix-Circle" ]; then
        gsettings set org.gnome.desktop.interface icon-theme 'Numix-Circle';
        gsettings set org.cinnamon.desktop.interface icon-theme 'Numix-Circle';
        gsettings set org.mate.desktop.interface icon-theme 'Numix-Circle';
    fi;

    #Thumbnails
    echo "Do you want thumbnails enabled? (brace default disabled)";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                #Only allow enabling thumbnailers where extra restrictions (eg. seccomp) are in place
                gsettings set org.gnome.desktop.thumbnailers disable-all false;
                #gsettings set org.cinnamon.desktop.thumbnailers disable-all false;
                #gsettings set org.mate.desktop.thumbnailers disable-all false;
                break;;
            No )
                gsettings set org.gnome.desktop.thumbnailers disable-all true;
                gsettings set org.cinnamon.desktop.thumbnailers disable-all true;
                gsettings set org.mate.desktop.thumbnailers disable-all true;
                break;;
        esac
    done

    #Night Light
    echo "Do you want GNOME Night Light enabled?";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                gsettings set org.gnome.settings-daemon.plugins.color night-light-enabled true;
                break;;
            No )
                gsettings set org.gnome.settings-daemon.plugins.color night-light-enabled false;
                break;;
        esac
    done

    #Power #TODO: MATE
    echo "Do you want auto suspend enabled?";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'suspend';
                gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'suspend';
                break;;
            No )
                gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing';
                gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing';
                break;;
        esac
    done

    #Search
    echo "Do you want search enabled? (brace default disabled)";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                gsettings set org.gnome.desktop.search-providers disable-external false;
                break;;
            No )
                gsettings set org.gnome.desktop.search-providers disable-external true;
                break;;
        esac
    done
    # Tracker: the user unit is unmasked/masked alongside the gsettings change;
    # "|| true" keeps the prompt flow going when the unit or tracker3 is absent.
    echo "Do you want Tracker enabled? (brace default disabled)";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                gsettings set org.freedesktop.Tracker3.Miner.Files enable-monitors true;
                gsettings set org.freedesktop.Tracker3.Miner.Files crawling-interval -1;
                systemctl unmask --user --now tracker-miner-fs-3.service || true;
                break;;
            No )
                gsettings set org.freedesktop.Tracker3.Miner.Files enable-monitors false;
                gsettings set org.freedesktop.Tracker3.Miner.Files crawling-interval -2;
                systemctl mask --user --now tracker-miner-fs-3.service || true;
                tracker3 reset -s || true;
                break;;
        esac
    done

    #Themes
    echo "Do you want the dark theme?";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark';
                gsettings set org.gnome.desktop.interface gtk-theme 'Adwaita-dark';
                gsettings set org.cinnamon.theme name 'Mint-Y-Dark';
                gsettings set org.cinnamon.desktop.interface gtk-theme 'Mint-Y-Dark';
                gsettings set org.cinnamon.desktop.wm.preferences theme 'Mint-Y-Dark';
                gsettings set org.mate.desktop.interface gtk-theme 'BlackMATE';
                gsettings set org.mate.marco.general theme 'BlackMATE';
                break;;
            No )
                gsettings set org.gnome.desktop.interface color-scheme 'default';
                gsettings set org.gnome.desktop.interface gtk-theme 'Adwaita';
                gsettings set org.cinnamon.theme name 'Mint-Y';
                gsettings set org.cinnamon.desktop.interface gtk-theme 'Mint-Y';
                gsettings set org.cinnamon.desktop.wm.preferences theme 'Mint-Y';
                gsettings set org.mate.desktop.interface gtk-theme 'BlueMenta';
                gsettings set org.mate.marco.general theme 'BlueMenta';
                break;;
        esac
    done

    #Wallpaper
    # A colour choice sets the primary colour and turns the picture off;
    # "No" restores the zoomed picture; "Skip" leaves everything untouched.
    echo "Would you like a solid color wallpaper?";
    select bgyrns in "Black" "Green" "Yellow" "Red" "No" "Skip"; do
        case $bgyrns in
            Black )
                gsettings set org.gnome.desktop.background primary-color '#000000';
                gsettings set org.cinnamon.desktop.background primary-color '#000000';
                gsettings set org.gnome.desktop.background picture-options 'none';
                break;;
            Green )
                gsettings set org.gnome.desktop.background primary-color '#1B5E20';
                gsettings set org.cinnamon.desktop.background primary-color '#1B5E20';
                gsettings set org.gnome.desktop.background picture-options 'none';
                break;;
            Yellow )
                gsettings set org.gnome.desktop.background primary-color '#FCBD02';
                gsettings set org.cinnamon.desktop.background primary-color '#FCBD02';
                gsettings set org.gnome.desktop.background picture-options 'none';
                break;;
            Red )
                gsettings set org.gnome.desktop.background primary-color '#880505';
                gsettings set org.cinnamon.desktop.background primary-color '#880505';
                gsettings set org.gnome.desktop.background picture-options 'none';
                break;;
            No )
                gsettings set org.gnome.desktop.background picture-options 'zoom';
                break;;
            Skip )
                break;;
        esac
    done
fi;

echo "Applied the supplemental changes";
339 |
--------------------------------------------------------------------------------
/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf:
--------------------------------------------------------------------------------
1 | [connection-mac-randomization]
2 | ethernet.cloned-mac-address=stable
3 | wifi.cloned-mac-address=random
4 |
5 | [connection]
6 | ipv6.ip6-privacy=2
7 |
8 | [connectivity]
9 | enabled=false
10 | uri=
11 |
--------------------------------------------------------------------------------
/brace/usr/lib/firefox-esr/browser/defaults/preferences/userjs-arkenfox.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
--------------------------------------------------------------------------------
/brace/usr/lib/firefox-esr/browser/defaults/preferences/userjs-brace-perf.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-brace-perf.js
--------------------------------------------------------------------------------
/brace/usr/lib/firefox-esr/browser/defaults/preferences/userjs-brace.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
--------------------------------------------------------------------------------
/brace/usr/lib/firefox-esr/distribution/policies.json:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/distribution/policies.json
--------------------------------------------------------------------------------
/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace-perf.js:
--------------------------------------------------------------------------------
1 | //Performance
2 | // Force enable some options
3 | // May cause crashes
4 | pref("browser.tabs.remote.autostart", true);
5 | pref("browser.tabs.remote.force-enabled", true);
6 | pref("extensions.webextensions.remote", true);
7 | pref("gfx.canvas.azure.accelerated", true);
8 | pref("gfx.webrender.all", true);
9 | pref("gfx.webrender.compositor", true);
10 | pref("gfx.webrender.enabled", true);
11 | pref("layers.acceleration.force-enabled", true);
12 | pref("layers.omtp.enabled", true);
13 | pref("media.ffmpeg.vaapi.enabled", true);
14 | pref("media.hardware-video-decoding.force-enabled", true);
15 | pref("widget.wayland-dmabuf-vaapi.enabled", true);
16 |
--------------------------------------------------------------------------------
/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js:
--------------------------------------------------------------------------------
1 | //Look
2 | pref("browser.ctrlTab.recentlyUsedOrder", false);
3 | pref("browser.privatebrowsing.vpnpromourl", "");
4 | pref("browser.vpn_promo.enabled", false);
5 | pref("browser.tabs.drawInTitlebar", true);
6 | pref("devtools.netmonitor.persistlog", true);
7 | pref("devtools.webconsole.persistlog", true);
8 | pref("general.smoothScroll", false);
9 | pref("widget.allow-client-side-decoration", true);
10 | pref("mailnews.start_page.enabled", false);
11 | pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
12 | pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
13 |
14 | //Privacy
15 | pref("privacy.globalprivacycontrol.enabled", true);
16 | pref("browser.snippets.enabled", false);
17 | pref("browser.snippets.firstrunHomepage.enabled", false);
18 | pref("browser.snippets.syncPromo.enabled", false);
19 | pref("browser.snippets.updateUrl", "");
20 | pref("general.useragent.updates.enabled", false);
21 | pref("network.negotiate-auth.trusted-uris", "");
22 | pref("network.dns.native_https_query", true);
23 | pref("network.trr.uri", "https://dns.quad9.net/dns-query");
24 | pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
25 | pref("plugin.expose_full_path", false);
26 | pref("extensions.enigmail.autoWkdLookup", 0);
27 | pref("messenger.status.reportIdle", false);
28 | pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
29 | pref("network.manage-offline-status", false);
30 | pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
31 | pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
32 | pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
33 | pref("mailnews.headers.sendUserAgent", false);
34 | pref("mail.sanitize_date_header", true);
35 | pref("dom.private-attribution.submission.enabled", false);
36 |
37 | //Security
38 | pref("browser.gnome-search-provider.enabled", false);
39 | pref("fission.autostart", true); //MULL-COMMENT_ME
40 | pref("security.webauth.u2f", true); //MULL-COMMENT_ME
41 | pref("security.tls.enable_kyber", true);
42 | pref("network.http.http3.enable_kyber", true);
43 | pref("mail.phishing.detection.enabled", true);
44 | pref("mailnews.message_display.disable_remote_image", true);
45 |
46 | //Disable Pocket
47 | pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
48 | pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
49 | pref("extensions.pocket.enabled", false);
50 |
51 | //Disable Sync
52 | pref("identity.fxaccounts.enabled", false);
53 |
54 | //Fix IPv6 when using DoH
55 | pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW
--------------------------------------------------------------------------------
/brace/usr/lib/firefox/distribution/policies.json:
--------------------------------------------------------------------------------
1 | {
2 | "policies": {
3 | "CaptivePortal": false,
4 | "Cookies": {
5 | "Behavior": "reject-tracker-and-partition-foreign",
6 | "BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign"
7 | },
8 | "DisableFirefoxAccounts": true,
9 | "DisableFirefoxStudies": true,
10 | "DisablePocket": true,
11 | "DisableSecurityBypass": false,
12 | "DisableTelemetry": true,
13 | "EnableTrackingProtection": {
14 | "Value": true,
15 | "Locked": false,
16 | "Cryptomining": true,
17 | "Fingerprinting": true,
18 | "EmailTracking": true
19 | },
20 | "DNSOverHTTPS": {
21 | "Enabled": true,
22 | "Locked": false,
23 | "Fallback": false,
24 | "ProviderURL": "https://dns.quad9.net/dns-query"
25 | },
26 | "Extensions": {
27 | "Install": [
28 | "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
29 | ]
30 | },
31 | "ExtensionSettings": {
32 | "*": {
33 | "blocked_install_message": "Denied by Brace",
34 | "install_sources": [ "about:addons", "https://addons.mozilla.org/" ],
35 | "installation_mode": "blocked",
36 | "allowed_types": [ "extension" ]
37 | },
38 | "uBlock0@raymondhill.net": {
39 | "installation_mode": "force_installed",
40 | "install_url": "https://addons.mozilla.org/firefox/downloads/latest/uBlock0@raymondhill.net/latest.xpi"
41 | },
42 | "{73a6fe31-595d-460b-a920-fcc0f8843232}": {
43 | "installation_mode": "allowed",
44 | "install_url": "https://addons.mozilla.org/firefox/downloads/latest/{73a6fe31-595d-460b-a920-fcc0f8843232}/latest.xpi"
45 | }
46 | },
47 | "FirefoxHome": {
48 | "Search": true,
49 | "TopSites": false,
50 | "SponsoredTopSites": false,
51 | "Highlights": false,
52 | "Pocket": false,
53 | "SponsoredPocket": false,
54 | "Snippets": false,
55 | "Locked": false
56 | },
57 | "FirefoxSuggest": {
58 | "WebSuggestions": false,
59 | "SponsoredSuggestions": false,
60 | "ImproveSuggest": false,
61 | "Locked": false
62 | },
63 | "NetworkPrediction": false,
64 | "OverrideFirstRunPage": "about:home",
65 | "UserMessaging": {
66 | "WhatsNew": false,
67 | "ExtensionRecommendations": false,
68 | "FeatureRecommendations": false,
69 | "SkipOnboarding": false
70 | }
71 | }
72 | }
73 |
--------------------------------------------------------------------------------
/brace/usr/lib/modprobe.d/brace.conf:
--------------------------------------------------------------------------------
1 | # Disable Firewire due to DMA. Note that "blacklist" only stops alias-based autoload: an explicit modprobe, or a dependency pull-in by another module, still loads these. For a hard block use the "install <module> /bin/false" form used further down.
2 | blacklist firewire-core
3 | blacklist firewire-net
4 | blacklist firewire-ohci
5 | blacklist firewire_sbp2
6 | blacklist firewire-uapi-test
7 |
8 | # Disable Thunderbolt due to DMA (same blacklist caveat as above). This also disables Thunderbolt/USB4 docks and PCIe tunnelling entirely; on hardware with a working IOMMU, the kernel's IOMMU-based DMA protection may be the less disruptive option.
9 | blacklist thunderbolt
10 | blacklist thunderbolt_net
11 |
12 | # Disable generic USB networking
13 | # See: https://samy.pl/poisontap/
14 | # Note: this still lets true USB NICs work: "blacklist" does not stop a module being loaded as a dependency of a vendor driver (e.g. asix pulling in usbnet), and drivers such as r8152 do not use these helpers at all (see udev/rules.d/50-usb-realtek-net-exceprt.rules). It also means this is a soft block, not a hard one.
15 | blacklist cdc_eem
16 | blacklist cdc_ether
17 | blacklist cdc_mbim
18 | blacklist cdc_ncm
19 | blacklist rndis_host
20 | blacklist usbnet
21 |
22 | #The following sections are directly sourced from
23 | #https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
24 |
25 | #Block obscure networking modules
26 | install af_802154 /bin/false
27 | install appletalk /bin/false
28 | install atm /bin/false
29 | install ax25 /bin/false
30 | install can /bin/false
31 | install dccp /bin/false
32 | install decnet /bin/false
33 | install econet /bin/false
34 | install ipx /bin/false
35 | install netrom /bin/false
36 | install n-hdlc /bin/false
37 | install p8022 /bin/false
38 | install p8023 /bin/false
39 | install psnap /bin/false
40 | install rds /bin/false
41 | install rose /bin/false
42 | install sctp /bin/false
43 | install tipc /bin/false
44 | install x25 /bin/false
45 |
46 | #Block rare filesystem modules (their parsers are rarely-exercised kernel attack surface reachable via a crafted image). hfs/hfsplus, squashfs and udf are left loadable (commented out) below; squashfs is commonly needed for snaps and live media, udf for optical media.
47 | install cramfs /bin/false
48 | install freevxfs /bin/false
49 | #install hfs /bin/false
50 | #install hfsplus /bin/false
51 | install jffs2 /bin/false
52 | #install squashfs /bin/false
53 | #install udf /bin/false
54 |
55 | #Block testing modules
56 | install vivid /bin/false
57 |
--------------------------------------------------------------------------------
/brace/usr/lib/modprobe.d/wireless-perf.conf:
--------------------------------------------------------------------------------
1 | options iwlwifi 11n_disable=8
2 | options b43 allhwsupport=1
3 |
--------------------------------------------------------------------------------
/brace/usr/lib/sysctl.d/60-restrict.conf:
--------------------------------------------------------------------------------
1 | #Disable autoloading of TTY line disciplines: selecting a discipline no longer auto-loads its module (historically a privilege-escalation vector via TIOCSETD); loading one now needs CAP_SYS_MODULE.
2 | dev.tty.ldisc_autoload=0
3 |
4 | #Enable various path sanity checks
5 | fs.protected_fifos=2
6 | fs.protected_hardlinks=1
7 | fs.protected_regular=2
8 | fs.protected_symlinks=1
9 |
10 | #Disable coredumps: suid_dumpable=0 forbids dumps of setuid/privileged processes, and piping core_pattern into /bin/false discards everything else. Because 60- sorts after the 50-coredump.conf that systemd ships, this also overrides systemd-coredump.
11 | fs.suid_dumpable=0
12 | kernel.core_pattern=|/bin/false
13 |
14 | #Restrict dmesg to root
15 | kernel.dmesg_restrict=1
16 |
17 | #Disable loading another kernel
18 | kernel.kexec_load_disabled=1
19 |
20 | #Hide kernel pointers
21 | kernel.kptr_restrict=2
22 |
23 | #Restrict access to performance events
24 | kernel.perf_event_paranoid=3
25 |
26 | #Restrict ptrace to child processes or other privileged processes
27 | kernel.yama.ptrace_scope=1
28 |
29 | #Disable the BPF JIT (left commented out: the hardened JIT below is the usual compromise). The unprivileged_bpf_disabled=2 line below is a different knob: it blocks the bpf() syscall for unprivileged callers; 2 can still be flipped back to 0 by root, whereas 1 locks it until reboot.
30 | #net.core.bpf_jit_enable=0
31 | kernel.unprivileged_bpf_disabled=2
32 |
33 | #Harden the BPF JIT against JIT spraying attacks
34 | net.core.bpf_jit_harden=2
35 |
36 | #Disable io-uring (2 = disabled for all users). This sysctl only exists on Linux 6.6+; on older kernels systemd-sysctl logs an error for this key and still applies the rest.
37 | kernel.io_uring_disabled=2
38 |
39 | #Enable strict reverse path filtering (1 = strict, 2 = loose). Strict mode drops packets arriving on an interface the kernel would not route the reply through, which breaks asymmetric routing and some multi-homed or VPN setups; use 2 there.
40 | net.ipv4.conf.all.rp_filter=1
41 | net.ipv4.conf.default.rp_filter=1
42 |
43 | #Don't log bogus responses
44 | net.ipv4.icmp_ignore_bogus_error_responses=1
45 |
46 | #Enable TCP ECN
47 | #net.ipv4.tcp_ecn=1
48 | #net.ipv4.tcp_ecn_fallback=1
49 |
50 | #Enable IPv6 privacy addresses: addr_gen_mode=3 derives the stable address RFC 7217-style from a kernel-generated secret instead of the MAC, and use_tempaddr=2 prefers RFC 4941 temporary addresses for outgoing connections. NetworkManager applies its own per-connection ipv6.addr-gen-mode / ip6-privacy settings and may override these.
51 | net.ipv6.conf.all.addr_gen_mode=3
52 | net.ipv6.conf.all.use_tempaddr=2
53 | net.ipv6.conf.default.addr_gen_mode=3
54 | net.ipv6.conf.default.use_tempaddr=2
55 |
56 | #Prefer a fresh temporary address every 6 hours (temp_prefered_lft). temp_valid_lft is not set here, so old addresses stay valid for the kernel default of 7 days; regen_max_retry is the number of regeneration attempts (not a retention period) and max_addresses caps autoconfigured addresses per interface, both raised so rotation is not starved.
57 | net.ipv6.conf.default.max_addresses=128
58 | net.ipv6.conf.default.regen_max_retry=32
59 | net.ipv6.conf.default.temp_prefered_lft=21600
60 | net.ipv6.conf.all.max_addresses=128
61 | net.ipv6.conf.all.regen_max_retry=32
62 | net.ipv6.conf.all.temp_prefered_lft=21600
63 |
64 | #Increase ASLR randomness. randomize_va_space=2 is already the kernel default; mmap_rnd_bits=32 is the x86-64 maximum, other architectures have a different ceiling and the write fails (logged, remaining keys still applied) where it is exceeded.
65 | kernel.randomize_va_space=2
66 | vm.mmap_rnd_bits=32
67 | vm.mmap_rnd_compat_bits=16
68 |
69 | #Restrict userfaultfd() to privileged (CAP_SYS_PTRACE) callers (newer kernels still allow unprivileged user-mode-only use); unrestricted userfaultfd is a common primitive for winning kernel race conditions.
70 | vm.unprivileged_userfaultfd=0
71 |
72 | #Misc network hardening: ignore ICMP redirects and source routing, log martians, SYN cookies. accept_ra=0 disables in-kernel SLAAC/router discovery; that is fine with NetworkManager, which handles router advertisements in userspace, but hosts without it lose IPv6 autoconfiguration.
73 | net.ipv4.conf.all.accept_redirects=0
74 | net.ipv4.conf.all.accept_source_route=0
75 | net.ipv4.conf.all.log_martians=1
76 | net.ipv4.conf.all.secure_redirects=0
77 | net.ipv4.conf.all.send_redirects=0
78 | net.ipv4.conf.default.accept_redirects=0
79 | net.ipv4.conf.default.accept_source_route=0
80 | net.ipv4.conf.default.log_martians=1
81 | net.ipv4.conf.default.secure_redirects=0
82 | net.ipv4.conf.default.send_redirects=0
83 | #net.ipv4.icmp_echo_ignore_all=1
84 | net.ipv4.icmp_echo_ignore_broadcasts=1
85 | net.ipv4.tcp_rfc1337=1
86 | net.ipv4.tcp_syncookies=1
87 | net.ipv6.conf.all.accept_ra=0
88 | net.ipv6.conf.all.accept_redirects=0
89 | net.ipv6.conf.all.accept_source_route=0
90 | net.ipv6.conf.default.accept_ra=0
91 | net.ipv6.conf.default.accept_redirects=0
92 | net.ipv6.conf.default.accept_source_route=0
93 | #net.ipv6.icmp.echo_ignore_all=1
94 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/resolved.conf.d/brace.conf:
--------------------------------------------------------------------------------
1 | [Resolve]
2 | #enable DNSSEC (resolved default is off). allow-downgrade validates when the upstream supports it but silently falls back to unvalidated answers when it does not, so an active attacker can force the downgrade; DNSSEC=yes is the strict (and more fragile) mode.
3 | DNSSEC=allow-downgrade
4 |
5 | #switch to a DoT resolver (left commented out). If enabled, keep the "#hostname" suffix on each address: with DNSOverTLS=yes it is what the server certificate is validated against, whereas DNSOverTLS=opportunistic skips that check.
6 | #DNS=9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net
7 | #FallbackDNS=149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net
8 | #DNSOverTLS=yes
9 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. CAP_SYS_ADMIN is the only capability left, but it is near root-equivalent on the host; PrivateUsers=true is what keeps it tolerable, since the capability is then only effective inside the service's own user namespace.
3 | CapabilityBoundingSet=CAP_SYS_ADMIN
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | NoNewPrivileges=true
7 | #ProtectProc=invisible
8 | PrivateTmp=yes
9 | PrivateUsers=true
10 | ProtectClock=true
11 | ProtectControlGroups=true
12 | ProtectHome=true
13 | ProtectHostname=true
14 | ProtectKernelLogs=true
15 | #ProtectKernelTunables=true
16 | ProtectSystem=strict
17 | RemoveIPC=true
18 | RestrictAddressFamilies=AF_NETLINK AF_UNIX
19 | RestrictNamespaces=true
20 | RestrictRealtime=true
21 | RestrictSUIDSGID=true
22 | SystemCallArchitectures=native
23 | SystemCallFilter=@system-service
24 | UMask=0077
25 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. The bounding set is deliberately wide; note that CAP_SYS_MODULE with ProtectKernelModules left off means a compromised NetworkManager can still load kernel modules (NM normally invokes modprobe, so the modprobe.d install/blacklist rules still apply, but a direct init_module() would not honour them). ProtectSystem=strict is also off, so the ReadWritePaths entries below mostly just punch holes in ProtectHome/ReadOnlyPaths.
3 | CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | #PrivateDevices=true #breaks tun usage
7 | #ProtectProc=invisible
8 | PrivateTmp=yes
9 | ProtectClock=true
10 | ProtectControlGroups=true
11 | ProtectHome=read-only
12 | ProtectKernelLogs=true
13 | #ProtectKernelModules=true
14 | #ProtectSystem=strict
15 | ReadOnlyPaths=/etc/NetworkManager
16 | ReadOnlyPaths=-/home
17 | ReadWritePaths=-/etc/NetworkManager/system-connections
18 | ReadWritePaths=-/etc/sysconfig/network-scripts
19 | ReadWritePaths=/var/lib/NetworkManager
20 | ReadWritePaths=-/var/run/NetworkManager
21 | ReadWritePaths=-/run/NetworkManager
22 | RemoveIPC=true
23 | RestrictNamespaces=true
24 | RestrictRealtime=true
25 | RestrictSUIDSGID=true
26 | SystemCallArchitectures=native
27 | SystemCallFilter=@system-service
28 | UMask=0077
29 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/biboumi.service.d/98-user.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | User=biboumi
3 | Group=biboumi
4 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/biboumi.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. CapabilityBoundingSet= is a ceiling, not a grant: with User=biboumi (98-user.conf) and no AmbientCapabilities= the process starts with no capabilities (unless the binary carries file capabilities), so the CAP_NET_BIND_SERVICE entry is effectively inert, which is fine as long as biboumi does not need a privileged port.
3 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | NoNewPrivileges=true
7 | PrivateDevices=true
8 | ProtectProc=invisible
9 | PrivateTmp=yes
10 | PrivateUsers=true
11 | ProtectClock=true
12 | ProtectControlGroups=true
13 | ProtectHome=true
14 | ProtectHostname=true
15 | ProtectKernelLogs=true
16 | ProtectKernelModules=true
17 | ProtectKernelTunables=true
18 | ProtectSystem=strict
19 | ReadOnlyPaths=/etc/biboumi
20 | ReadWritePaths=/var/lib/biboumi
21 | RemoveIPC=true
22 | RestrictAddressFamilies=~AF_PACKET
23 | RestrictNamespaces=true
24 | RestrictRealtime=true
25 | RestrictSUIDSGID=true
26 | SystemCallArchitectures=native
27 | SystemCallFilter=@system-service
28 | SystemCallFilter=~@privileged
29 | UMask=0077
30 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/chronyd.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | #An empty ExecStart= clears the command list inherited from the vendor unit; without it systemd rejects a second ExecStart= for any service that is not Type=oneshot.
3 | ExecStart=
4 | #Use our config instead. $OPTIONS is kept so flags from the distribution's EnvironmentFile survive; the binary path and variable name appear to follow the Fedora/RHEL unit and need adjusting on distributions that differ.
5 | ExecStart=/usr/sbin/chronyd $OPTIONS -f /etc/chrony.brace.conf
6 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. CapabilityBoundingSet="" drops every capability. MemoryDenyWriteExecute is absent here, presumably because the Erlang VM (BEAM JIT) needs writable+executable pages.
3 | CapabilityBoundingSet=""
4 | LockPersonality=true
5 | NoNewPrivileges=true
6 | PrivateDevices=true
7 | #ProtectProc=invisible
8 | PrivateTmp=yes
9 | PrivateUsers=true
10 | ProtectClock=true
11 | ProtectControlGroups=true
12 | ProtectHome=true
13 | ProtectHostname=true
14 | ProtectKernelLogs=true
15 | ProtectKernelModules=true
16 | ProtectKernelTunables=true
17 | ProtectSystem=strict
18 | ReadOnlyPaths=-/etc/ejabberd
19 | ReadWritePaths=-/var/lib/ejabberd
20 | ReadWritePaths=-/var/log/ejabberd
21 | ReadWritePaths=-/opt/ejabberd
22 | RemoveIPC=true
23 | RestrictAddressFamilies=~AF_PACKET
24 | RestrictNamespaces=true
25 | RestrictRealtime=true
26 | RestrictSUIDSGID=true
27 | SystemCallArchitectures=native
28 | SystemCallFilter=@system-service
29 | UMask=0077
30 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/firewalld.service.d/99-brace.conf.disabled:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening
3 | LockPersonality=true
4 | MemoryDenyWriteExecute=true
5 | PrivateDevices=true
6 | #ProtectProc=invisible
7 | PrivateTmp=yes
8 | ProtectClock=true
9 | ProtectControlGroups=true
10 | ProtectHome=true
11 | ProtectHostname=true
12 | ProtectKernelLogs=true
13 | ProtectSystem=strict
14 | ReadOnlyPaths=-/etc/sysconfig/firewalld
15 | ReadOnlyPaths=/etc/firewalld
16 | ReadWritePaths=-/run/firewalld
17 | ReadWritePaths=-/var/run/firewalld
18 | ReadWritePaths=/var/log/firewalld
19 | RestrictAddressFamilies=~AF_INET
20 | RestrictAddressFamilies=~AF_INET6
21 | RestrictAddressFamilies=~AF_PACKET
22 | RestrictNamespaces=true
23 | RestrictRealtime=true
24 | SystemCallArchitectures=native
25 | SystemCallFilter=@system-service
26 | UMask=0077
27 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/httpd.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. ReadWritePaths=/var/www exempts the whole document root from ProtectSystem=strict; DAC still applies, but consider narrowing it to the directories that genuinely need writes (uploads, caches) so a web-app compromise cannot rewrite served code. @privileged stays unfiltered because the root master process must setuid/setgid to its worker user.
3 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | NoNewPrivileges=true
7 | PrivateDevices=true
8 | #ProtectProc=invisible
9 | PrivateTmp=yes
10 | ProtectClock=true
11 | ProtectControlGroups=true
12 | ProtectHome=true
13 | ProtectHostname=true
14 | ProtectKernelLogs=true
15 | ProtectKernelModules=true
16 | ProtectKernelTunables=true
17 | ProtectSystem=strict
18 | ReadOnlyPaths=/etc/httpd
19 | ReadWritePaths=/var/www
20 | ReadWritePaths=/var/log/httpd
21 | ReadWritePaths=-/var/lib/mod_security
22 | ReadWritePaths=-/var/run/httpd
23 | ReadWritePaths=-/run/httpd
24 | RemoveIPC=true
25 | RestrictAddressFamilies=~AF_PACKET
26 | RestrictNamespaces=true
27 | RestrictRealtime=true
28 | RestrictSUIDSGID=true
29 | SystemCallArchitectures=native
30 | SystemCallFilter=@system-service
31 | #SystemCallFilter=~@privileged
32 | SystemCallFilter=~@resources
33 | UMask=0077
34 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. ReadWritePaths=/proc/irq re-exposes the IRQ affinity files that ProtectKernelTunables=true would otherwise make read-only, since writing them is the daemon's whole job.
3 | #CapabilityBoundingSet="CAP_SETPCAP"
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | #NoNewPrivileges=true
7 | PrivateDevices=true
8 | #ProtectProc=invisible
9 | PrivateTmp=yes
10 | ProtectClock=true
11 | ProtectControlGroups=true
12 | ProtectHome=true
13 | ProtectHostname=true
14 | ProtectKernelLogs=true
15 | ProtectKernelModules=true
16 | ProtectKernelTunables=true
17 | ProtectSystem=strict
18 | ReadOnlyPaths=-/etc/default/irqbalance
19 | ReadOnlyPaths=-/etc/sysconfig/irqbalance
20 | ReadOnlyPaths=-/etc/irqbalance
21 | ReadWritePaths=/proc/irq
22 | ReadWritePaths=-/run/irqbalance
23 | ReadWritePaths=-/var/run/irqbalance
24 | RemoveIPC=true
25 | RestrictAddressFamilies=~AF_INET
26 | RestrictAddressFamilies=~AF_INET6
27 | #RestrictAddressFamilies=~AF_NETLINK
28 | RestrictAddressFamilies=~AF_PACKET
29 | RestrictNamespaces=true
30 | RestrictRealtime=true
31 | RestrictSUIDSGID=true
32 | SystemCallArchitectures=native
33 | SystemCallFilter=@system-service
34 | UMask=0077
35 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/minetest@.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening
3 | CapabilityBoundingSet=""
4 | LockPersonality=true
5 | NoNewPrivileges=true
6 | PrivateDevices=true
7 | ProtectProc=invisible
8 | PrivateTmp=yes
9 | PrivateUsers=true
10 | ProtectClock=true
11 | ProtectControlGroups=true
12 | ProtectHome=true
13 | ProtectHostname=true
14 | ProtectKernelLogs=true
15 | ProtectKernelModules=true
16 | ProtectKernelTunables=true
17 | ProtectSystem=strict
18 | ReadOnlyPaths=-/etc/minetest
19 | ReadOnlyPaths=-/etc/sysconfig/minetest
20 | ReadWritePaths=/var/lib/minetest
21 | RemoveIPC=true
22 | RestrictAddressFamilies=~AF_NETLINK
23 | RestrictAddressFamilies=~AF_PACKET
24 | RestrictAddressFamilies=~AF_UNIX
25 | RestrictNamespaces=true
26 | RestrictRealtime=true
27 | RestrictSUIDSGID=true
28 | SystemCallArchitectures=native
29 | SystemCallFilter=@system-service
30 | SystemCallFilter=~@privileged
31 | SystemCallFilter=~@resources
32 | UMask=0077
33 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/murmur.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening
3 | CapabilityBoundingSet=""
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | NoNewPrivileges=true
7 | PrivateDevices=true
8 | ProtectProc=invisible
9 | PrivateTmp=yes
10 | PrivateUsers=true
11 | ProtectClock=true
12 | ProtectControlGroups=true
13 | ProtectHome=true
14 | ProtectHostname=true
15 | ProtectKernelLogs=true
16 | ProtectKernelModules=true
17 | ProtectKernelTunables=true
18 | ProtectSystem=strict
19 | ReadOnlyPaths=-/etc/default/mumble-server
20 | ReadOnlyPaths=-/etc/murmur
21 | ReadOnlyPaths=/etc/mumble-server.ini
22 | ReadWritePaths=/var/lib/mumble-server
23 | RemoveIPC=true
24 | RestrictAddressFamilies=~AF_PACKET
25 | RestrictAddressFamilies=~AF_UNIX
26 | RestrictNamespaces=true
27 | RestrictRealtime=true
28 | RestrictSUIDSGID=true
29 | SystemCallArchitectures=native
30 | SystemCallFilter=@system-service
31 | SystemCallFilter=~@privileged
32 | UMask=0077
33 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/php-fpm.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. ReadWritePaths=/var/www exempts the whole document root from ProtectSystem=strict; consider narrowing it to the directories PHP actually writes. No CapabilityBoundingSet= here: the master runs as root and needs CAP_SETUID/CAP_SETGID to spawn pool workers, but a bounding set of just those (plus CAP_CHOWN if a socket is chowned) would likely be tighter than keeping the full set.
3 | LockPersonality=true
4 | MemoryDenyWriteExecute=true
5 | NoNewPrivileges=true
6 | PrivateDevices=true
7 | #ProtectProc=invisible
8 | PrivateTmp=yes
9 | ProtectClock=true
10 | ProtectControlGroups=true
11 | ProtectHome=true
12 | ProtectHostname=true
13 | ProtectKernelLogs=true
14 | ProtectKernelModules=true
15 | ProtectKernelTunables=true
16 | ProtectSystem=strict
17 | ReadOnlyPaths=-/etc/php-fpm.conf
18 | ReadOnlyPaths=-/etc/php.ini
19 | ReadOnlyPaths=-/etc/php.d
20 | ReadOnlyPaths=-/etc/php-fpm.d
21 | ReadOnlyPaths=-/etc/php-zts.d
22 | ReadWritePaths=/var/www
23 | ReadWritePaths=/var/lib/php
24 | ReadWritePaths=/var/log/php-fpm
25 | ReadWritePaths=-/var/run/php-fpm
26 | ReadWritePaths=-/run/php-fpm
27 | RemoveIPC=true
28 | RestrictAddressFamilies=~AF_PACKET
29 | RestrictNamespaces=true
30 | RestrictRealtime=true
31 | RestrictSUIDSGID=true
32 | SystemCallArchitectures=native
33 | SystemCallFilter=@system-service
34 | SystemCallFilter=~@resources
35 | UMask=0077
36 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/radiusd.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. No SystemCallFilter= or CapabilityBoundingSet= here, so radiusd keeps the full syscall surface and its starting capabilities (it starts as root and drops to its own user itself); the other units in this package restrict both, so this one is weaker by comparison.
3 | LockPersonality=true
4 | MemoryDenyWriteExecute=true
5 | NoNewPrivileges=true
6 | PrivateDevices=true
7 | ProtectProc=invisible
8 | PrivateTmp=yes
9 | ProtectClock=true
10 | ProtectControlGroups=true
11 | ProtectHome=true
12 | ProtectHostname=true
13 | ProtectKernelLogs=true
14 | ProtectKernelModules=true
15 | ProtectKernelTunables=true
16 | ProtectSystem=strict
17 | ReadOnlyPaths=-/etc/default/freeradius
18 | ReadOnlyPaths=-/etc/raddb
19 | ReadWritePaths=/var/lib/radiusd
20 | ReadWritePaths=/var/log/radius
21 | ReadWritePaths=-/var/run/radiusd
22 | ReadWritePaths=-/run/radiusd
23 | RemoveIPC=true
24 | RestrictAddressFamilies=~AF_NETLINK
25 | RestrictAddressFamilies=~AF_PACKET
26 | RestrictAddressFamilies=~AF_UNIX
27 | RestrictNamespaces=true
28 | RestrictRealtime=true
29 | RestrictSUIDSGID=true
30 | SystemCallArchitectures=native
31 | UMask=0077
32 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/redis.service.d/99-brace.conf.disabled:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening
3 | CapabilityBoundingSet=""
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | NoNewPrivileges=true
7 | PrivateDevices=true
8 | ProtectProc=invisible
9 | PrivateTmp=yes
10 | PrivateUsers=true
11 | ProtectClock=true
12 | ProtectControlGroups=true
13 | ProtectHome=true
14 | ProtectHostname=true
15 | ProtectKernelLogs=true
16 | ProtectKernelModules=true
17 | ProtectKernelTunables=true
18 | ProtectSystem=strict
19 | ReadOnlyPaths=-/etc/redis
20 | ReadWritePaths=/var/lib/redis
21 | ReadWritePaths=/var/log/redis
22 | ReadWritePaths=-/var/run/redis
23 | ReadWritePaths=-/run/redis
24 | RemoveIPC=true
25 | RestrictAddressFamilies=~AF_PACKET
26 | RestrictNamespaces=true
27 | RestrictRealtime=true
28 | RestrictSUIDSGID=true
29 | SystemCallArchitectures=native
30 | SystemCallFilter=@system-service
31 | SystemCallFilter=~@privileged
32 | SystemCallFilter=~@resources
33 | UMask=0077
34 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/rngd.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening
3 | #CapabilityBoundingSet=CAP_SYS_ADMIN
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | ProtectProc=invisible
7 | PrivateTmp=yes
8 | #ProtectClock=true
9 | ProtectControlGroups=true
10 | ProtectHome=true
11 | ProtectHostname=true
12 | ProtectKernelLogs=true
13 | #ProtectKernelModules=true
14 | #ProtectKernelTunables=true
15 | ProtectSystem=strict
16 | RemoveIPC=true
17 | RestrictAddressFamilies=~AF_INET
18 | RestrictAddressFamilies=~AF_INET6
19 | RestrictAddressFamilies=~AF_NETLINK
20 | RestrictAddressFamilies=~AF_PACKET
21 | RestrictAddressFamilies=~AF_UNIX
22 | RestrictNamespaces=true
23 | RestrictRealtime=true
24 | RestrictSUIDSGID=true
25 | SystemCallArchitectures=native
26 | SystemCallFilter=@system-service
27 | UMask=0077
28 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/tor.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. The ReadWritePaths without a "-" prefix (/var/lib/tor, /var/log/tor) must exist or the unit will not start; the prefixed ones are skipped when missing. The bounding set appears to match the upstream Debian unit's: what tor needs to bind privileged ports and then drop to its own user.
3 | CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
4 | LockPersonality=true
5 | MemoryDenyWriteExecute=true
6 | PrivateDevices=true
7 | ProtectProc=invisible
8 | PrivateTmp=yes
9 | ProtectClock=true
10 | ProtectControlGroups=true
11 | ProtectHome=true
12 | ProtectHostname=true
13 | ProtectKernelLogs=true
14 | ProtectKernelModules=true
15 | ProtectKernelTunables=true
16 | ProtectSystem=strict
17 | ReadOnlyPaths=-/etc/default/tor
18 | ReadOnlyPaths=/etc/tor
19 | ReadWritePaths=/var/lib/tor
20 | ReadWritePaths=/var/log/tor
21 | ReadWritePaths=-/var/run/tor
22 | ReadWritePaths=-/run/tor
23 | RemoveIPC=true
24 | RestrictAddressFamilies=~AF_PACKET
25 | RestrictNamespaces=true
26 | RestrictRealtime=true
27 | RestrictSUIDSGID=true
28 | SystemCallArchitectures=native
29 | SystemCallFilter=@system-service
30 | UMask=0077
31 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/system/wpa_supplicant.service.d/99-brace.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | # Hardening. ProtectHome=read-only (and the matching ReadOnlyPaths=-/home) presumably keeps EAP certificates stored under user homes readable. No CapabilityBoundingSet= here: wpa_supplicant needs at least CAP_NET_ADMIN and CAP_NET_RAW, and confining it to those would be tighter than the full set it keeps now.
3 | LockPersonality=true
4 | MemoryDenyWriteExecute=true
5 | #ProtectProc=invisible
6 | PrivateTmp=yes
7 | ProtectControlGroups=true
8 | ProtectHome=read-only
9 | ProtectHostname=true
10 | ProtectKernelLogs=true
11 | #ProtectKernelModules=true
12 | ProtectSystem=strict
13 | ReadOnlyPaths=-/etc/sysconfig/wpa_supplicant
14 | ReadOnlyPaths=-/etc/network
15 | ReadOnlyPaths=-/etc/ifplugd
16 | ReadOnlyPaths=/etc/wpa_supplicant
17 | ReadOnlyPaths=-/home
18 | RemoveIPC=true
19 | RestrictNamespaces=true
20 | RestrictRealtime=true
21 | RestrictSUIDSGID=true
22 | SystemCallArchitectures=native
23 | SystemCallFilter=@system-service
24 | SystemCallFilter=~@privileged
25 | SystemCallFilter=~@resources
26 | UMask=0077
27 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/user/restic-backup@.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=restic backup service using config %i
3 | After=network.target
4 |
5 | [Service]
6 | Type=oneshot
7 | EnvironmentFile=%h/.config/restic-automatic-%i.conf
8 | ExecStart=restic backup --verbose --one-file-system --tag systemd.timer --exclude-caches $BACKUP_EXCLUDES $BACKUP_INCLUDES
9 |
--------------------------------------------------------------------------------
/brace/usr/lib/systemd/user/restic-backup@.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=backup with restic daily
3 |
4 | [Timer]
5 | OnCalendar=daily
6 | RandomizedDelaySec=60m
7 | Persistent=true
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/brace/usr/lib/thunderbird/defaults/pref/userjs-arkenfox.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
--------------------------------------------------------------------------------
/brace/usr/lib/thunderbird/defaults/pref/userjs-brace-perf.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-brace-perf.js
--------------------------------------------------------------------------------
/brace/usr/lib/thunderbird/defaults/pref/userjs-brace.js:
--------------------------------------------------------------------------------
1 | /usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
--------------------------------------------------------------------------------
/brace/usr/lib/tmpfiles.d/99-brace-proc.conf:
--------------------------------------------------------------------------------
1 | #Original Author: Topi Miettinen (@topimiettinen)
2 | #Credit (GPL-2.0+): https://salsa.debian.org/corsac/hardening-runtime/-/blob/cbbec33d236cfe985e7579c43a59924be150ff82/debian/permissions/proc-hardening.conf
3 |
4 | #Read-only files. "z" adjusts mode/owner of an existing path and never creates one, so entries for nodes a given kernel lacks are harmless. Each commented-out exception below names the userspace it was found to break.
5 | z /proc/buddyinfo 0400 root root
6 | z /proc/cgroups 0400 root root
7 | z /proc/consoles 0400 root root
8 | #z /proc/crypto 0400 root root #XXX: breaks zram-generator: https://github.com/systemd/zram-generator/blob/7e14ee973dd5d6ac00fcc4a392425e5d12d7c0ac/src/generator.rs#L125
9 | z /proc/devices 0400 root root
10 | #z /proc/diskstats 0400 root root #XXX: breaks libgtop: https://gitlab.gnome.org/GNOME/libgtop/-/commit/a067db056927db232a2eb8cf79d4af096962eced
11 | z /proc/dma 0400 root root
12 | z /proc/execdomains 0400 root root
13 | z /proc/fb 0400 root root
14 | z /proc/filesystems 0400 root root
15 | z /proc/interrupts 0400 root root
16 | z /proc/iomem 0400 root root
17 | z /proc/ioports 0400 root root
18 | z /proc/kallsyms 0400 root root
19 | z /proc/keys 0400 root root
20 | z /proc/key-users 0400 root root
21 | z /proc/locks 0400 root root
22 | z /proc/misc 0400 root root
23 | z /proc/pagetypeinfo 0400 root root
24 | z /proc/partitions 0400 root root
25 | z /proc/sched_debug 0400 root root
26 | z /proc/schedstat 0400 root root
27 | z /proc/slabinfo 0400 root root
28 | z /proc/softirqs 0400 root root
29 | #z /proc/swaps 0400 root root #systemd complains without it
30 | z /proc/zoneinfo 0400 root root
31 |
32 | #Writable files
33 | z /proc/mtrr 0600 root root
34 |
35 | #Directories
36 | z /proc/acpi 0700 root root
37 | z /proc/bus 0700 root root
38 | #vmware-user expects /proc/fs/vmblock/dev
39 | z /proc/fs 0700 root root
40 | #z /proc/irq 0700 root root #XXX: breaks irqbalance when SELinux enforcing
41 | z /proc/pressure 0700 root root
42 | z /proc/sysvipc 0700 root root
43 | z /proc/tty 0700 root root
44 |
--------------------------------------------------------------------------------
/brace/usr/lib/tmpfiles.d/99-brace-sys.conf:
--------------------------------------------------------------------------------
1 | #Original Author: Topi Miettinen (@topimiettinen)
2 | #Credit (GPL-2.0+): https://salsa.debian.org/corsac/hardening-runtime/-/blob/cbbec33d236cfe985e7579c43a59924be150ff82/debian/permissions/sys-hardening.conf
3 |
4 | #Directories
5 | #z /sys/block 0700 root root #XXX: breaks zram-generator: https://github.com/systemd/zram-generator/blob/7e14ee973dd5d6ac00fcc4a392425e5d12d7c0ac/src/setup.rs#L24
6 | z /sys/bus/memory 0700 root root
7 | z /sys/bus/nvmem 0700 root root
8 | z /sys/bus/scsi 0700 root root
9 | z /sys/class/ata_device 0700 root root
10 | z /sys/class/ata_link 0700 root root
11 | z /sys/class/ata_port 0700 root root
12 | #z /sys/class/block 0700 root root
13 | z /sys/class/firmware 0700 root root
14 | z /sys/class/iommu 0700 root root
15 | #z /sys/class/mem 0700 root root #required for udev?
16 | z /sys/class/scsi_device 0700 root root
17 | z /sys/class/scsi_disk 0700 root root
18 | z /sys/class/scsi_host 0700 root root
19 | #z /sys/dev/block 0700 root root #XXX: breaks systemd: https://github.com/systemd/systemd/blob/dbc3cf009a0a4a2a99bb4094a779fe89b059199a/src/core/device.c#L1030
20 | #z /sys/firmware 0700 root root #XXX: breaks bluetooth
21 | z /sys/fs/bpf 0700 root root
22 | z /sys/fs/btrfs 0700 root root
23 | z /sys/fs/ext4 0700 root root
24 | z /sys/fs/pstore 0700 root root
25 | z /sys/hypervisor 0700 root root
26 | #z /sys/module 0700 root root #XXX: breaks dbus-broker: https://github.com/bus1/dbus-broker/blob/250529d15cc80fefaae57416e1108f692a424c24/src/util/apparmor.c#L33
27 | z /sys/power 0700 root root
28 |
--------------------------------------------------------------------------------
/brace/usr/lib/udev/rules.d/10-trim.rules:
--------------------------------------------------------------------------------
1 | #Enables TRIM for non-standard devices by forcing provisioning_mode=unmap on USB bridges. Only enable a rule for a bridge chip verified with the actual firmware: a bridge that mishandles UNMAP can corrupt data silently, which is why the "tested not working" entries stay commented out.
2 | #https://www.jeffgeerling.com/blog/2020/enabling-trim-on-external-ssd-on-raspberry-pi
3 | #https://bbs.archlinux.org/viewtopic.php?id=236280
4 |
5 | #
6 | #NVMe Enclosures
7 | #
8 |
9 | #RTL9210A, tested working
10 | ACTION=="add|change", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="9210", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
11 |
12 |
13 | #
14 | #SATA Enclosures
15 | #
16 |
17 | #ASMedia ASM1051E/ASM1053E/ASM1153/ASM1153E, tested not working
18 | #ACTION=="add|change", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
19 |
20 | #JMicron JMS578, tested working
21 | #ACTION=="add|change", ATTRS{idVendor}=="152d", ATTRS{idProduct}=="0578", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
22 |
23 | #JMicron JMS583, reported working
24 | #ACTION=="add|change", ATTRS{idVendor}=="152d", ATTRS{idProduct}=="0580", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
25 |
26 | #VIA VL716, reported working
27 | #ACTION=="add|change", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="0715", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
28 |
29 |
30 | #
31 | #Standalone Products
32 | #
33 |
34 | #Corsair Flash Voyager GTX, reported working
35 | ACTION=="add|change", ATTRS{idVendor}=="1b1c", ATTRS{idProduct}=="1a0e", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
36 |
37 | #Lexar JumpDrive, tested not working
38 | #ACTION=="add|change", ATTRS{idVendor}=="05dc", ATTRS{idProduct}=="a838", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
39 |
40 | #Samsung Fit Plus, tested not working
41 | #ACTION=="add|change", ATTRS{idVendor}=="090c", ATTRS{idProduct}=="1000", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
42 |
43 | #Samsung Portable SSD T5, reported working
44 | ACTION=="add|change", ATTRS{idVendor}=="04e8", ATTRS{idProduct}=="61f5", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
45 |
46 | #Generic, tested not working
47 | #ACTION=="add|change", ATTRS{idVendor}=="6557", ATTRS{idProduct}=="1631", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
48 |
--------------------------------------------------------------------------------
/brace/usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules:
--------------------------------------------------------------------------------
# Excerpt from (GPL-2.0-only): r8152-2.16.1.tar.bz2
#
# Only newly added USB devices are considered, and only the bus-level
# usb_device node (not its interfaces); anything else jumps to the end label.
ACTION!="add", GOTO="usb_realtek_net_excerpt_end"
SUBSYSTEM!="usb", GOTO="usb_realtek_net_excerpt_end"
ENV{DEVTYPE}!="usb_device", GOTO="usb_realtek_net_excerpt_end"

# Switch into vendor mode
# Realtek 0bda:8152/8153/8155/8156: select USB configuration 1 unless it is
# already the active one. "[2,3,5,6]" is a udev single-character class, so the
# commas are literal (and harmless) members rather than separators.
ATTR{idVendor}=="0bda", ATTR{idProduct}=="815[2,3,5,6]", ATTR{bConfigurationValue}!="1", ATTR{bConfigurationValue}="1"

LABEL="usb_realtek_net_excerpt_end"
11 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-audit:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #Copyright (c) 2024 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# The checks below are meant to run as root (firewalld, efivars, fwupd and
# the rpm database are queried); refuse early rather than print a wall of
# misleading "NO" results.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then
    echo 'This script needs to be run as root!';
    exit 1;
fi;

# ANSI colour escapes used by the log* helpers; expanded by `echo -e`.
coloroff='\e[0m';
black='\e[0;30m';
blue='\e[0;34m';
cyan='\e[0;36m';
green='\e[0;32m';
purple='\e[0;35m';
red='\e[0;31m';
white='\e[0;37m';
yellow='\e[0;33m';
28 |
# Print a green "[..YES..]" line for a passed check.
# $1 - check name, $2 - optional detail appended after it.
# Always exits 0 so callers can use it as the success branch.
logYes() {
    local line="${green}[..YES..] $1 $2${coloroff}";
    echo -e "$line";
    return 0;
}
33 |
# Print a yellow "[..YES..]" line for a check that only partially passed
# (same tag as logYes; the colour is what distinguishes it).
# $1 - check name, $2 - optional detail. Always exits 0.
logPartial() {
    local line="${yellow}[..YES..] $1 $2${coloroff}";
    echo -e "$line";
    return 0;
}
38 |
# Print a purple "[..SKIP.]" line for a check that was not applicable.
# $1 - reason, $2 - optional detail. Always exits 0.
logSkip() {
    local line="${purple}[..SKIP.] $1 $2${coloroff}";
    echo -e "$line";
    return 0;
}
43 |
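# Print a red "[..NO...]" line for a failed check, optionally followed by a
# "[SOLUTION]" hint line.
# $1 - check name, $2 - optional detail, $3 - optional remediation hint.
# Returns 1 so `if check; then ...` callers skip dependent checks.
logNo() {
    echo -e "${red}[..NO...] $1 $2${coloroff}";
    if [ -n "$3" ]; then
        # Reset the colour at the end of the hint like every other log line;
        # without it the terminal stays in ${white} for whatever follows.
        echo -e "${white}\t[SOLUTION] $3${coloroff}";
    fi;
    return 1;
}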
51 |
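# Print a purple "[..UNKN.]" line for a check whose result could not be
# determined, optionally followed by a "[SOLUTION]" hint line.
# $1 - check name, $2 - optional detail, $3 - optional remediation hint.
# Returns 1, i.e. "unknown" is treated as a failure by `if` callers.
logUnknown() {
    echo -e "${purple}[..UNKN.] $1 $2${coloroff}";
    if [ -n "$3" ]; then
        # Reset the colour at the end of the hint like every other log line.
        echo -e "${white}\t[SOLUTION] $3${coloroff}";
    fi;
    return 1;
}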
59 |
# Report whether RPM package $1 is installed.
# $2 - optional remediation hint; defaults to a plain `sudo dnf install`.
# Exit status is the log helper's: 0 when installed, 1 when missing.
rpmPackageInstalled() {
    local resolver="${2:-sudo dnf install $1}";
    if ! rpm -qi "$1" > /dev/null 2>&1; then
        logNo "Install check:" "$1" "$resolver";
        return $?;
    fi;
    logYes "Install check:" "$1";
}
71 |
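# Report whether systemd unit $1 (service or timer) is currently active.
# $2 - optional remediation hint; callers already pass one but it used to
#      be dropped on the floor, so it now reaches the [SOLUTION] line.
# Exit status is the log helper's: 0 active, 1 otherwise.
systemdServiceRunning() {
    # `is-active --quiet` exits 0 exactly when the unit is active and never
    # starts a pager or prints status text.
    if systemctl is-active --quiet "$1" > /dev/null 2>&1; then
        logYes "systemd service running:" "$1";
    else
        logNo "systemd service running:" "$1" "$2";
    fi;
}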
79 |
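# Report whether firewalld's default zone is exactly $1.
# $2 - remediation hint shown on failure.
firewalldCheckDefaultZone() {
    # Whole-line fixed-string match: a bare substring test would accept any
    # zone whose name merely contains $1.
    if firewall-cmd --get-default-zone 2> /dev/null | grep -qxF -- "$1"; then
        logYes "firewalld default zone correct:" "$1";
    else
        logNo "firewalld default zone correct:" "$1" "$2";
    fi;
}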
87 |
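# Report whether zone $1 is among firewalld's active zones.
# $2 - remediation hint shown on failure.
firewalldCheckActiveZones() {
    # `--get-active-zones` (documented plural spelling) prints each zone name
    # on a line of its own with its interfaces/sources indented beneath it,
    # so an exact-line match finds the zone without substring false positives.
    if firewall-cmd --get-active-zones 2> /dev/null | grep -qxF -- "$1"; then
        logYes "firewalld active zone enabled:" "$1";
    else
        logNo "firewalld active zone enabled:" "$1" "$2";
    fi;
}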
95 |
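# Report fapolicyd's configured file-integrity mode: sha256 (strict),
# size (partial) or anything else / missing config (none).
verifyFapolicydIntegrity() {
    local conf="/etc/fapolicyd/fapolicyd.conf";
    # Anchor the key at the start of the line so a commented-out
    # "# integrity = sha256" cannot satisfy the check; whitespace around
    # "=" is tolerated.
    if grep -qE '^[[:space:]]*integrity[[:space:]]*=[[:space:]]*sha256[[:space:]]*$' "$conf" 2> /dev/null; then
        logYes "fapolicyd integrity mode:" "sha256";
    elif grep -qE '^[[:space:]]*integrity[[:space:]]*=[[:space:]]*size[[:space:]]*$' "$conf" 2> /dev/null; then
        logPartial "fapolicyd integrity mode:" "size";
    else
        logNo "fapolicyd integrity mode:" "none";
    fi;
}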
105 |
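# Report whether hardened_malloc is mapped into this very process, which is
# the observable effect of a working /etc/ld.so.preload entry.
verifyHardenedMalloc() {
    if grep -q "hardened_malloc" /proc/self/maps 2> /dev/null; then
        logYes "hardened_malloc preloaded";
    else
        # Hint goes in the [SOLUTION] slot like the other checks instead of
        # being appended to the result line.
        logNo "hardened_malloc preloaded" "" "ensure /etc/ld.so.preload is correct";
    fi;
}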
113 |
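# Check /proc/cmdline for every kernel hardening parameter that
# brace-supplemental-changes is expected to set, logging each missing one.
# Parameters are matched as whole tokens, so "pti=on" is no longer
# satisfied by "kpti=on", "iommu=force" is not satisfied by
# "amd_iommu=force_isolation", and their order on the command line no
# longer matters. Exits 0 when everything is present, 1 otherwise.
verifyKernelCommandLine() {
    local expected="init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on kpti=on randomize_kstack_offset=1 slab_nomerge iommu=force iommu.passthrough=0 iommu.strict=1 intel_iommu=on amd_iommu=force_isolation spec_store_bypass_disable=on ssbd=force-on spectre_v2=on spectre_bhi=on tsx=off lockdown=confidentiality mce=0 module.sig_enforce=1 vsyscall=none fsck.mode=force i8042.reset=1";
    local param missing=0;
    for param in $expected; do
        # One token per line, then an exact fixed-string line match.
        if ! tr ' ' '\n' < /proc/cmdline | grep -qxF -- "$param"; then
            logNo "kernel hardening via command line" "missing $param" "sudo brace-supplemental-changes";
            missing=$((missing + 1));
        fi;
    done;
    if [ "$missing" -eq 0 ]; then
        logYes "kernel hardening via command line";
        return 0;
    fi;
    return 1;
}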
189 |
# Report whether the firmware reports Secure Boot as enabled (via mokutil).
# A missing mokutil or any other output counts as "not enabled".
# Exit status is the log helper's: 0 enabled, 1 otherwise.
secureBootEnforcing() {
    local state;
    state="$(mokutil --sb-state)";
    case "$state" in
        *"SecureBoot enabled"*)
            logYes "secure boot enabled";;
        *)
            logNo "secure boot enabled" "" "please enable via EFI settings";;
    esac;
}
197 |
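# Report whether the Platform Key (PK) EFI variable carries one of the
# well-known test-key markers ("DO NOT TRUST" / "DO NOT SHIP"). A PK like
# that means Secure Boot is anchored in a test key the vendor never
# replaced, so a passing secureBootEnforcing says little on its own.
secureBootTestKeys() {
    # Case-insensitive scan of every PK-* efivar; no efivarfs (non-UEFI boot)
    # simply yields no match.
    if grep -q -i -e "DO NOT TRUST" -e "DO NOT SHIP" /sys/firmware/efi/efivars/PK* > /dev/null 2>&1; then
        # Hint goes in the [SOLUTION] slot like the other checks.
        logNo "secure boot excludes test-keys" "" "check for vendor EFI update";
    else
        logYes "secure boot excludes test-keys";
    fi;
}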
205 |
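# Look up one HSI attribute in `fwupdmgr security --json` output.
# $1 - label for the log line
# $2 - AppstreamId of the attribute (e.g. org.fwupd.hsi.Iommu)
# $3 - expected HsiResult as jq prints it; callers pass it with the
#      surrounding double quotes, e.g. "\"enabled\""
fwupdmgrSecurity() {
    # `.SecurityAttributes[]` rather than `.SecurityAttributes.[]`: the dotted
    # form is only accepted by jq >= 1.7, the plain form by every version.
    # The id is bound with --arg instead of being spliced into the program,
    # and the expected value is matched as a fixed string.
    if fwupdmgr security --force --json | jq --arg id "$2" '.SecurityAttributes[] | select(.AppstreamId==$id).HsiResult' | grep -qF -- "$3" 2> /dev/null; then
        logYes "$1";
    else
        logNo "$1";
    fi;
}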
213 |
214 | #verifyFST() { #TODO
215 | #}
216 |
# Interactive driver. Only Fedora/CentOS are handled because the checks
# above are rpm/dnf based.
if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
    # VM heuristic: the "hypervisor" CPU flag. Hardware-oriented checks
    # (real-ucode, fwupd HSI attributes) are skipped when it is present.
    if grep -q hypervisor /proc/cpuinfo; then
        isVirtualMachine="true";
    else
        isVirtualMachine="false";
    fi;
    # Machine role, asked interactively. If the operator aborts a select
    # (EOF) the variable stays unset and the "== true" tests below read as no.
    echo -e "${cyan}[QUESTION] Is this a machine a desktop or a server?${coloroff}";
    select ds in "Desktop" "Server"; do
        case $ds in
            Desktop )
                isDesktop=true;
                break;;
            Server )
                isDesktop=false;
                # publicFacing only affects the scfw/trash zone checks.
                echo -e "${cyan}[QUESTION] Is this server public facing?${coloroff}";
                select yn in "Yes" "No"; do
                    case $yn in
                        Yes )
                            publicFacing=true;
                            break;;
                        No )
                            publicFacing=false;
                            break;;
                    esac
                done
                break;;
        esac
    done

    echo "================================================================"
    echo "START OF brace-audit"
    echo "================================================================"

    echo -e "\nChecking packages";
    rpmPackageInstalled "divested-release";
    rpmPackageInstalled "brace";
    if [ "$isVirtualMachine" == "false" ]; then
        # real-ucode (microcode) is only expected on bare metal.
        rpmPackageInstalled "real-ucode";
        #rpmPackageInstalled "tlp";
        #rpmPackageInstalled "tlp-rdw";
    else
        logSkip "virtual machine detected, ignoring some packages";
    fi;
    if [ "$isDesktop" == "true" ]; then
        rpmPackageInstalled "firejail";
        rpmPackageInstalled "rpmfusion-free-release" "sudo brace-enable-rpmfusion";
        rpmPackageInstalled "mesa-va-drivers-freeworld" "sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld --allowerasing";
    fi;

    echo -e "\nChecking fapolicyd";
    # rpmPackageInstalled exits 0 only when installed; that gates the
    # service/config checks, which would otherwise just fail noisily.
    if rpmPackageInstalled "fapolicyd" "sudo brace-enable-fapolicyd"; then
        systemdServiceRunning "fapolicyd";
        verifyFapolicydIntegrity;
    fi;

    echo -e "\nChecking firewalld";
    if rpmPackageInstalled "firewalld"; then
        # The second argument is intended as the [SOLUTION] hint; confirm
        # systemdServiceRunning forwards it to the log line.
        systemdServiceRunning "firewalld" "sudo systemctl enable firewalld --now";
        firewalldCheckDefaultZone "drop" "sudo brace-supplemental-changes";
        firewalldCheckActiveZones "drop" "sudo brace-supplemental-changes";
        if [ "$publicFacing" == "true" ]; then
            # scfw3 zones are only expected on Internet-facing servers.
            firewalldCheckActiveZones "scfw" "see https://codeberg.org/divested/scfw3";
            firewalldCheckActiveZones "trash" "see https://codeberg.org/divested/scfw3";
        else
            logSkip "ignoring scfw/trash checks, not public facing"
        fi;
    fi;

    echo -e "\nChecking hardened_malloc";
    if rpmPackageInstalled "hardened_malloc"; then
        verifyHardenedMalloc;
    fi;

    echo -e "\nChecking DNF automatic updates";
    if [ "$isDesktop" == "true" ]; then
        logSkip "ignoring automatic updates, too unreliable on desktops"
    else
        # dnf5 ships its own timer unit; dnf-automatic is the pre-dnf5 setup.
        if type "dnf5" > /dev/null 2>&1; then
            systemdServiceRunning "dnf5-automatic.timer";
        else
            if rpmPackageInstalled "dnf-automatic" "sudo brace-enable-auto-updates"; then
                systemdServiceRunning "dnf-automatic-install.timer";
            fi;
        fi;
    fi;

    echo -e "\nChecking kernel";
    verifyKernelCommandLine;
    if [ "$isVirtualMachine" == "false" ]; then
        # fwupd HSI attributes describe physical firmware/kernel state.
        if type "fwupdmgr" > /dev/null 2>&1; then
            fwupdmgrSecurity "kernel lockdown" "org.fwupd.hsi.Kernel.Lockdown" "\"enabled\"";
        fi;
    fi;

    echo -e "\nChecking firmware";
    # The test-key check is only meaningful once Secure Boot is actually on.
    if secureBootEnforcing; then
        secureBootTestKeys;
    fi;
    if [ "$isVirtualMachine" == "false" ]; then
        if type "fwupdmgr" > /dev/null 2>&1; then
            fwupdmgrSecurity "iommu" "org.fwupd.hsi.Iommu" "\"enabled\"";
            fwupdmgrSecurity "system memory encryption" "org.fwupd.hsi.EncryptedRam" "\"encrypted\"";
        fi;
    fi;

    #echo -e "\nChecking file system table";
    #verifyFST;

    echo -e "\n================================================================"
    echo "END OF brace-audit"
    echo "================================================================"
else
    echo "Currently only Fedora and CentOS are supported";
fi;
331 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-fedora-enable-auto-updates:
--------------------------------------------------------------------------------
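#!/bin/bash
#Copyright (c) 2018-2024 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU Affero General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU Affero General Public License for more details.
#
#You should have received a copy of the GNU Affero General Public License
#along with this program. If not, see .

# Enable unattended DNF updates on Fedora. Runs as root because it installs
# packages, edits /etc/dnf/automatic.conf and enables a systemd timer.
# bash (not sh) is required: the reboot prompt below uses the `select`
# builtin, which POSIX sh (dash) does not provide.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then echo 'This script needs to be run as root!'; exit 1; fi;

if [ -f /etc/fedora-release ]; then
    echo "Enabling DNF automatic update download/install";
    dnf install dnf-automatic rpm-plugin-systemd-inhibit;
    # Switch the stock config from download-only to download+apply. The
    # substitution only matches the default "apply_updates = no" line.
    sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/dnf/automatic.conf;
    # dnf5 ships a differently named timer unit.
    if type "dnf5" > /dev/null 2>&1; then
        systemctl enable dnf5-automatic.timer --now;
    else
        systemctl enable dnf-automatic-install.timer --now;
    fi;
    echo "Do you want automatic reboots after installing?";
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                sed -i 's/reboot = never/reboot = when-changed/g' /etc/dnf/automatic.conf;
                break;;
            No )
                sed -i 's/reboot = when-changed/reboot = never/g' /etc/dnf/automatic.conf;
                break;;
        esac
    done
else
    echo "Currently only Fedora is supported";
fi;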
42 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-fedora-enable-fapolicyd:
--------------------------------------------------------------------------------
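#!/bin/bash
#Copyright (c) 2018-2024 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU Affero General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU Affero General Public License for more details.
#
#You should have received a copy of the GNU Affero General Public License
#along with this program. If not, see .

# Install and enable fapolicyd on Fedora, choosing the file-integrity mode
# interactively. Runs as root because it installs a package, edits
# /etc/fapolicyd/ and enables the service.
# bash (not sh) is required: the prompt below uses the `select` builtin,
# which POSIX sh (dash) does not provide.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then echo 'This script needs to be run as root!'; exit 1; fi;

if [ -f /etc/fedora-release ]; then
    echo "Installing fapolicyd";
    dnf install fapolicyd;
    echo "Do you want strict integrity verification? 3rd party packages are often incompatible.";
    # Both substitutions only match the stock "integrity = none" line, so
    # re-running the script leaves an already chosen size/sha256 setting alone.
    select yn in "Yes" "No"; do
        case $yn in
            Yes )
                sed -i 's/integrity = none/integrity = sha256/g' /etc/fapolicyd/fapolicyd.conf;
                break;;
            No )
                sed -i 's/integrity = none/integrity = size/g' /etc/fapolicyd/fapolicyd.conf;
                break;;
        esac
    done
    sed -i 's/deny_audit/deny_log/' /etc/fapolicyd/rules.d/*.rules; #log to journald too
    echo "Enabling fapolicyd";
    systemctl enable fapolicyd --now;
    systemctl status fapolicyd;
else
    echo "Currently only Fedora is supported";
fi;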
40 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-fedora-enable-rpmfusion:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #Copyright (c) 2018-2020 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# Enable the RPM Fusion Free repository on Fedora or CentOS. The signing-key
# fingerprints are printed so the operator can compare them against what
# the release package imports; the package itself is fetched over https and,
# on CentOS, installed with --nogpgcheck.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then
    echo 'This script needs to be run as root!';
    exit 1;
fi;

# Banner plus the fingerprints to verify by hand.
printKeyFingerprints() {
    echo "Enabling RPM Fusion Free";
    echo "Please verify the RPM Fusion signing keys from here: https://rpmfusion.org/keys";
    echo "F33-39 E9A4 91A3 DE24 7814 E7E0 67EA E06F 8ECD D651 FF2E";
    echo "EL8: 8379 35CD 19E1 23AA 7F8A 8E69 979F 0C69 158B 3811";
    echo "EL7: DB9A 9A57 CAFD 23DA 3A88 792F 758B 3D18 F5CF 6C1E";
}

if [ -f /etc/fedora-release ]; then
    printKeyFingerprints;
    dnf install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm";
elif [ -f /etc/centos-release ]; then
    printKeyFingerprints;
    yum install epel-release;
    yum localinstall --nogpgcheck "https://download1.rpmfusion.org/free/el/rpmfusion-free-release-$(rpm -E %centos).noarch.rpm";
else
    echo "Currently only Fedora and CentOS are supported";
fi;
35 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-fedora-update-system:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #Copyright (c) 2018-2020 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# Prepare a Fedora release upgrade: sync the current release, install the
# system-upgrade plugin and download the target release given as $1.
# Exits 1 without root or without a target version.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then
    echo 'This script needs to be run as root!';
    exit 1;
fi;

if [ ! -f /etc/fedora-release ]; then
    echo "Currently only Fedora is supported";
else
    [ -n "$1" ] || { echo 'You must provide a version to upgrade to'; exit 1; };
    # Advisory only: the download below proceeds regardless.
    if rpm -qi hardened_malloc > /dev/null; then
        echo "Please disable or uninstall hardened_malloc before starting the system update.";
    fi;

    dnf distro-sync --refresh;
    dnf install dnf-plugin-system-upgrade;
    dnf system-upgrade download --refresh --releasever="$1";
fi;
29 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-installer:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #Copyright (c) 2015-2020 Divested Computing Group
3 | #
4 | #This program is free software: you can redistribute it and/or modify
5 | #it under the terms of the GNU Affero General Public License as published by
6 | #the Free Software Foundation, either version 3 of the License, or
7 | #(at your option) any later version.
8 | #
9 | #This program is distributed in the hope that it will be useful,
10 | #but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | #GNU Affero General Public License for more details.
13 | #
14 | #You should have received a copy of the GNU Affero General Public License
15 | #along with this program. If not, see .
16 |
# ANSI colour escapes used by the messages below; expanded by `echo -e`.
coloroff='\e[0m';
black='\e[0;30m';
blue='\e[0;34m';
cyan='\e[0;36m';
green='\e[0;32m';
purple='\e[0;35m';
red='\e[0;31m';
white='\e[0;37m';
yellow='\e[0;33m';

# Package management needs root; stop before touching anything.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then
    echo -e "${red}ERROR: This script needs to be run as root!${coloroff}";
    exit 1;
fi;
28 |
29 | #
30 | #Start functions
31 | #
# Print the first available package manager in priority order
# (zypper, dnf5, dnf, yum, pacman, apt). Prints nothing when none is found;
# the exit status is 0 either way, so callers test the output, not the status.
whichPackageManager() {
    local candidate;
    for candidate in zypper dnf5 dnf yum pacman apt; do
        if type "$candidate" > /dev/null 2>&1; then
            echo "$candidate";
            return 0;
        fi;
    done;
    #flatpak is intentionally not probed here
}
55 |
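# Install the current category's packages with the detected package manager.
# Reads the category's packages* lists and the packagesBase* accumulators
# that handleOperation builds up in "install everything" mode.
handleInstall() {
    # The lists are expanded unquoted on purpose (one word per package), but
    # they contain package-manager glob specs such as "calligra*" and
    # "*powerline". Turn pathname expansion off while they are expanded so
    # the shell cannot replace such a spec with file names from the current
    # directory, then restore the previous setting.
    local globsWereOff=0;
    case "$-" in *f*) globsWereOff=1;; esac;
    set -f;
    case "$packageManager" in
        apt)
            packagesCombined="$packagesDebian $packagesBaseDebian";
            #Credit (CC BY-SA 4.0): https://superuser.com/a/1623381
            # Drop packages this release does not carry, presumably because
            # apt refuses the whole transaction when one name is unknown.
            for packageToCheck in $packagesCombined; do
                if [ -z "$(apt-cache madison $packageToCheck 2>/dev/null)" ]; then
                    echo -e "${yellow}Warning: Skipping missing package: $packageToCheck ${coloroff}";
                else
                    packagesToInstallReal="$packagesToInstallReal $packageToCheck";
                fi;
            done;
            $packageManager install --no-install-recommends $packagesToInstallReal;;
        dnf5)
            # `mark install` records the packages as user-installed.
            $packageManager install --skip-unavailable $packagesFedora $packagesBaseFedora && $packageManager mark install --skip-unavailable $packagesFedora $packagesBaseFedora;;
        dnf|yum)
            $packageManager install --skip-broken $packagesFedora $packagesBaseFedora && $packageManager mark install --skip-broken $packagesFedora $packagesBaseFedora;;
        flatpak)
            $packageManager install $packagesFlathub $packagesBaseFlathub;;
        pacman)
            #TODO: handle AUR?
            $packageManager -S --needed $packagesArch $packagesBaseArch;;
        zypper)
            $packageManager install $packagesSuse $packagesBaseSuse;;
    esac;
    local status=$?;
    if [ "$globsWereOff" -eq 0 ]; then set +f; fi;
    return $status;
}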
87 |
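# Remove the current category's packages with the detected package manager.
# Reads the category's packages* lists set by the caller.
handleRemove() {
    # Same precaution as handleInstall: the unquoted lists contain glob
    # specs ("calligra*", "*powerline"), so pathname expansion is disabled
    # while they are expanded and restored afterwards.
    local globsWereOff=0;
    case "$-" in *f*) globsWereOff=1;; esac;
    set -f;
    case "$packageManager" in
        apt)
            $packageManager remove $packagesDebian;;
        dnf5)
            $packageManager remove $packagesFedora;;
        dnf|yum)
            $packageManager remove --skip-broken $packagesFedora;;
        flatpak)
            $packageManager remove $packagesFlathub;;
        pacman)
            #$packageManager -Rsc $packagesArch;
            # One call per package, presumably so that a package that is not
            # installed does not abort the removal of the others.
            for package in $packagesArch; do
                $packageManager -Rsc $package;
            done;;
        zypper)
            $packageManager remove $packagesSuse;;
    esac;
    local status=$?;
    if [ "$globsWereOff" -eq 0 ]; then set +f; fi;
    return $status;
}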
111 |
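# Clear every per-category variable so nothing leaks into the next
# category. packagesAUR is included: several categories set it and nothing
# cleared it, so an AUR list could carry over once AUR handling is added.
cleanupOperation() {
    unset category baseIncluded packagesArch packagesAUR packagesDebian packagesFedora packagesFlathub packagesSuse packagesCombined packageToCheck packagesToInstallReal;
}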
115 |
# Drive one category. In "install everything recommended" mode the
# category's lists are appended to the packagesBase* accumulators when
# baseIncluded is true and skipped otherwise; in interactive mode the
# operator chooses install, remove or skip. The per-category variables
# are cleared at the end either way.
handleOperation() {
    if [ "$baseInstall" != true ]; then
        echo -e "${purple}Do you want packages from the $category category?${coloroff}";
        select yns in "Yes" "No" "Skip"; do
            case $yns in
                Yes )
                    handleInstall;
                    break;;
                No )
                    handleRemove;
                    break;;
                Skip )
                    #do nothing
                    break;;
            esac;
        done;
    elif [ "$baseIncluded" != true ]; then
        echo -e "${yellow}Skipping packages from the $category category${coloroff}";
    else
        echo -e "${green}Including packages from the $category category${coloroff}";
        case "$packageManager" in
            apt)
                packagesBaseDebian="$packagesBaseDebian $packagesDebian";;
            dnf5|dnf|yum)
                packagesBaseFedora="$packagesBaseFedora $packagesFedora";;
            flatpak)
                packagesBaseFlathub="$packagesBaseFlathub $packagesFlathub";;
            pacman)
                packagesBaseArch="$packagesBaseArch $packagesArch";;
            zypper)
                packagesBaseSuse="$packagesBaseSuse $packagesSuse";;
        esac;
    fi;
    cleanupOperation;
}
156 |
# Remove packages nothing depends on any more, using the detected package
# manager's own orphan handling. No-op for an unknown manager.
handleCleanup() {
    case "$packageManager" in
        apt|dnf5|dnf|yum)
            $packageManager autoremove;;
        flatpak)
            $packageManager remove --unused;;
        pacman)
            # -Qttdq lists orphaned dependencies; paccache -rk0 then empties
            # the package cache.
            $packageManager -Rns $(pacman -Qttdq);
            paccache -rk0;;
        zypper)
            #TODO: handle this, similar to pacman
            true;;
    esac;
}
176 | #
177 | #End functions
178 | #
179 |
180 | #
181 | #Start glue
182 | #
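echo -e "${cyan}INFO: This script is intended for use on desktop machines, not servers!${coloroff}";
echo -e "${cyan}INFO: This script is geared towards personal use and some packages may not be appropiate for business systems!${coloroff}";
# EPEL first on CentOS, presumably because later categories depend on it.
if [ -f /etc/centos-release ]; then yum install epel-release; fi;

packageManager=$(whichPackageManager);
if [ -z "${packageManager}" ]; then
    echo -e "${red}ERROR: No package manager found!${coloroff}";
    # `return` is not valid at script level: bash reports an error and
    # carries on with an empty package manager. A real exit is intended.
    exit 1;
else
    echo -e "${cyan}INFO: Using $packageManager as package manager${coloroff}";
fi;

# baseInstall=true makes handleOperation include every category flagged
# baseIncluded without asking; false asks per category.
echo -e "${purple}Would you like to simply install all recommended packages?${coloroff}";
select yn in "Yes" "No"; do
    case $yn in
        Yes )
            baseInstall=true;
            break;;
        No )
            baseInstall=false;
            break;;
    esac;
done;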
206 | #
207 | #End glue
208 | #
209 |
210 | #
211 | #Start categories
212 | #
213 | category='Recommended for Removal';
214 | baseIncluded=false;
215 | packagesArch='gnome-documents gnome-weather gnome-music gnome-software packagekit epiphany sushi';
216 | packagesDebian='gnome-documents gnome-weather gnome-music gnome-games rhythmbox gnome-software packagekit sushi';
217 | packagesFedora='abiword adapta-gtk-theme akregator amarok asunder calligra* clipit clipman compiz emerald empathy exaile falkon filezilla geany gnomebaker gnome-documents gnome-weather gnote gnumeric hexchat juk k3b kget kmahjongg kmines konqueror konversation kpatience ktnef ktorrent lxmusic midori osmo paper-icon-theme pidgin *powerline pragha qlipper quassel qupzilla rhythmbox xawtv xfburn xfdashboard xpad yarock gnome-software PackageKit dnfdragora* sushi passim';
218 | packagesSuse='gnome-documents gnome-weather gnome-music brasero iagno lightsoff gnome-mahjongg pidgin polari tigervnc swell-foop xterm sushi';
219 | handleOperation;
220 | category='Core';
221 | baseIncluded=true;
222 | packagesArch='rng-tools irqbalance openssh nano htop wget screen zip p7zip pixz pigz lm_sensors ripgrep dialog crda pacman-contrib lostfiles'; packagesAUR='downgrade';
223 | packagesDebian='rng-tools irqbalance ssh nano htop wget screen p7zip pixz lm-sensors ripgrep unattended-upgrades';
224 | packagesFedora='rng-tools irqbalance openssh nano htop wget screen p7zip pixz lm_sensors ripgrep grubby';
225 | packagesSuse='rng-tools irqbalance openssh nano htop wget screen p7zip pixz sensors ripgrep grubby';
226 | handleOperation;
227 | category='Frameworks';
228 | baseIncluded=false;
229 | packagesArch='jre8-openjdk python';
230 | packagesDebian='default-jre';
231 | packagesFedora='java-1.8.0-openjdk';
232 | packagesSuse='java-1_8_0-openjdk';
233 | handleOperation;
234 | category='GNOME Extras';
235 | baseIncluded=false;
236 | packagesArch='gnome-tweak-tool file-roller gedit';
237 | packagesDebian='nautilus-extension-gnome-terminal gnome-tweak-tool file-roller gedit';
238 | packagesFedora='gnome-terminal-nautilus gnome-tweak-tool file-roller gedit';
239 | packagesSuse='nautilus-terminal gnome-tweaks file-roller gedit';
240 | handleOperation;
#Each category below follows the same pattern: name the category, say whether it belongs
#to the default ("base") selection, list the package names per distribution (plus AUR and
#Flathub where used), then hand the set to handleOperation (defined earlier in this file,
#outside this excerpt). An empty list means the distribution has no package; the inline
#comment says why when known.
#NOTE(review): packagesAUR and packagesFlathub are only assigned in some categories. This
#relies on handleOperation clearing them after each call — confirm, otherwise e.g. the
#Theming AUR list would carry over into Fonts.
category='OpenCL';
baseIncluded=false;
packagesArch='';
packagesDebian='clinfo mesa-opencl-icd pocl-opencl-icd';
packagesFedora='clinfo mesa-libOpenCL pocl';
packagesSuse='clinfo Mesa-libOpenCL pocl';
handleOperation;
category='VA-API';
baseIncluded=true;
packagesArch='libva-mesa-driver libva-utils libva-intel-driver intel-media-driver gstreamer-vaapi';
packagesDebian='mesa-va-drivers vainfo i965-va-driver intel-media-va-driver gstreamer1.0-vaapi';
packagesFedora='mesa-dri-drivers libva libva-utils libva-intel-driver libva-intel-hybrid-driver'; #gstreamer1-vaapi (https://bugzilla.redhat.com/show_bug.cgi?id=2129000), mesa-va-drivers
packagesSuse=''; #TODO
handleOperation;
category='VDPAU';
baseIncluded=false;
packagesArch='vdpauinfo libvdpau libvdpau-va-gl libva-vdpau-driver mesa-vdpau';
packagesDebian='vdpauinfo libvdpau-va-gl1 vdpau-va-driver';
packagesFedora='vdpauinfo libvdpau libvdpau-va-gl libva-vdpau-driver';
packagesSuse=''; #TODO
handleOperation;
category='Theming';
baseIncluded=true;
packagesArch=''; packagesAUR='numix-circle-icon-theme-git';
packagesDebian='numix-icon-theme-circle';
packagesFedora='numix-icon-theme-circle';
packagesSuse='';
handleOperation;
category='Fonts';
baseIncluded=true;
packagesArch='adobe-source-code-pro-fonts ttf-fira-mono ttf-fira-sans ttf-liberation cantarell-fonts gsfonts noto-fonts noto-fonts-emoji';
packagesDebian='';
packagesFedora='adobe-source-code-pro-fonts mozilla-fira-mono-fonts mozilla-fira-sans-fonts';
packagesSuse='adobe-sourcecodepro-fonts';
handleOperation;
category='Audio Manipulation';
baseIncluded=true;
packagesArch='audacity';
packagesDebian='audacity';
packagesFedora='audacity';
packagesFlathub='org.audacityteam.Audacity';
packagesSuse='audacity';
handleOperation;
category='Chat';
baseIncluded=true;
packagesArch='hexchat dino mumble';
packagesDebian='hexchat dino-im mumble';
packagesFedora='hexchat dino mumble';
packagesFlathub='io.github.Hexchat info.mumble.Mumble';
packagesSuse='hexchat gajim gajim-plugin-omemo mumble';
handleOperation;
category='Communication';
baseIncluded=true;
packagesArch='evolution';
packagesDebian='evolution';
packagesFedora='evolution';
packagesFlathub='org.gnome.Evolution';
packagesSuse='evolution';
handleOperation;
category='Development';
baseIncluded=false;
packagesArch='git gitg ghex sqlitebrowser gcc';
packagesDebian='git gitg ghex sqlitebrowser build-essential';
packagesFedora='git gitg ghex sqlitebrowser @development-tools';
packagesFlathub='org.gnome.gitg org.gnome.GHex';
packagesSuse='git gitg ghex sqlitebrowser'; #devel_basis
handleOperation;
category='Development - Android';
baseIncluded=false;
packagesArch='android-udev android-tools enjarify'; packagesAUR='android-apktool sdat2img android-studio';
packagesDebian='adb fastboot enjarify';
packagesFedora='android-tools enjarify';
packagesSuse=''; #unavailable
handleOperation;
#NOTE(review): Arch and Fedora pin Java 8 while Debian takes the release default (default-jdk).
#Java 8 only receives limited updates these days — confirm the pin is still intended.
category='Development - Java';
baseIncluded=false;
packagesArch='jdk8-openjdk'; packagesAUR='proguard jd-gui launch4j';
packagesDebian='default-jdk proguard';
packagesFedora='java-1.8.0-openjdk-devel eclipse-jdt proguard';
packagesSuse=''; #unavailable
handleOperation;
category='Development - Distro Specific Packaging';
baseIncluded=false;
packagesArch='asp';
packagesDebian='';
packagesFedora='rpmbuild fedpkg';
packagesSuse='rpmbuild';
handleOperation;
category='Disks - Management';
baseIncluded=true;
packagesArch='testdisk smartmontools parted';
packagesDebian='testdisk smartmontools parted';
packagesFedora='testdisk smartmontools parted';
packagesSuse='testdisk smartmontools parted';
handleOperation;
category='Disks - File Systems';
baseIncluded=true;
packagesArch='btrfs-progs compsize dosfstools exfat-utils f2fs-tools mtools ntfs-3g udftools xfsprogs duperemove sshfs';
packagesDebian='btrfs-progs btrfs-compsize dosfstools exfat-utils f2fs-tools mtools ntfs-3g udftools xfsprogs duperemove sshfs';
packagesFedora='btrfs-progs compsize dosfstools exfat-utils f2fs-tools mtools ntfs-3g ntfsprogs udftools xfsprogs duperemove fuse-sshfs';
packagesSuse='btrfsprogs compsize dosfstools exfat-utils f2fs-tools mtools ntfs-3g ntfsprogs udftools xfsprogs duperemove sshfs';
handleOperation;
category='Files - Backup';
baseIncluded=true;
packagesArch='restic';
packagesDebian='restic';
packagesFedora='restic';
packagesSuse='restic';
handleOperation;
category='Files - Encryption';
baseIncluded=true;
packagesArch='gocryptfs';
packagesDebian='gocryptfs';
packagesFedora='gocryptfs cryptsetup-reencrypt';
packagesSuse=''; #unavailable
handleOperation;
category='Files - Sharing';
baseIncluded=true;
packagesArch='transmission-gtk';
packagesDebian='transmission-gtk';
packagesFedora='transmission';
packagesFlathub='com.transmissionbt.Transmission';
packagesSuse='transmission-gtk';
handleOperation;
category='Files - Syncing';
baseIncluded=false;
packagesArch='syncthing';
packagesDebian='syncthing';
packagesFedora='syncthing';
packagesSuse='syncthing';
handleOperation;
category='Games - Tiny';
baseIncluded=false;
packagesArch='quadrapassel gnome-mines gnome-chess gnome-sudoku aisleriot';
packagesDebian='quadrapassel gnome-mines gnome-chess gnome-sudoku aisleriot';
packagesFedora='quadrapassel gnome-mines gnome-chess gnome-sudoku aisleriot nethack-vultures';
packagesSuse='quadrapassel gnome-mines gnome-chess gnome-sudoku aisleriot';
handleOperation;
category='Games - Sandbox';
baseIncluded=false;
packagesArch='minetest';
packagesDebian='minetest';
packagesFedora='minetest';
packagesSuse='minetest';
handleOperation;
category='Games - Arena';
baseIncluded=false;
packagesArch='xonotic';
packagesDebian=''; #unavailable
packagesFedora='xonotic';
packagesSuse='xonotic';
handleOperation;
category='Image Manipulation - CLI';
baseIncluded=true;
packagesArch='imagemagick jpegoptim optipng';
packagesDebian='imagemagick jpegoptim optipng';
packagesFedora='ImageMagick jpegoptim optipng';
packagesSuse='ImageMagick jpegoptim optipng';
handleOperation;
category='Image Manipulation - Graphical';
baseIncluded=true;
packagesArch='gimp inkscape darktable pitivi';
packagesDebian='gimp inkscape darktable pitivi';
packagesFedora='gimp gimpfx-foundry inkscape darktable pitivi';
packagesSuse='gimp inkscape darktable pitivi';
handleOperation;
#Browsers. Debian's chromium-sandbox provides the setuid sandbox helper, which chromium
#falls back to when unprivileged user namespaces are not available (relevant if the
#sysctl hardening shipped with this package restricts them).
#NOTE(review): only Arch and Fedora get a packaged uBlock Origin here; check whether the
#Debian archive's webext-ublock-origin-firefox should be added for parity.
category='Internet';
baseIncluded=true;
packagesArch='firefox firefox-ublock-origin chromium liferea';
packagesDebian='firefox-esr chromium chromium-sandbox liferea';
packagesFedora='firefox mozilla-ublock-origin chromium liferea';
packagesSuse='MozillaFirefox chromium liferea';
handleOperation;
#NOTE(review): Debian gets youtube-dl while every other distribution gets yt-dlp; upstream
#development has largely moved to yt-dlp, so prefer it where the target release ships it.
category='Media - Consumption';
baseIncluded=true;
packagesArch='ffmpeg vlc lollypop yt-dlp'; #TODO: codecs
packagesDebian='ffmpeg vlc lollypop youtube-dl'; #TODO: codecs
packagesFedora='@multimedia gstreamer1-plugin-openh264 vlc lollypop yt-dlp'; #ffmpeg
packagesSuse='ffmpeg vlc lollypop yt-dlp'; #TODO: codecs
handleOperation;
category='Media - Books';
baseIncluded=false;
packagesArch='foliate';
packagesDebian=''; #unavailable
packagesFedora='foliate';
packagesSuse='foliate';
handleOperation;
category='Media - HTPC';
baseIncluded=false;
packagesArch='kodi';
packagesDebian='kodi';
packagesFedora='kodi';
packagesSuse=''; #unavailable
handleOperation;
category='Media - Music Management';
baseIncluded=false;
packagesArch='picard soundconverter sound-juicer';
packagesDebian='picard soundconverter sound-juicer';
packagesFedora='picard soundconverter sound-juicer';
packagesSuse='picard soundconverter sound-juicer';
handleOperation;
category='Office';
baseIncluded=true;
packagesArch='libreoffice-fresh meld scribus gnucash aspell aspell-en hyphen hyphen-en libmythes mythes-en qalculate-gtk';
packagesDebian='libreoffice meld scribus gnucash dia aspell aspell-en qalculate-gtk';
packagesFedora='libreoffice libreoffice-writer libreoffice-calc libreoffice-impress libreoffice-draw libreoffice-base meld scribus gnucash dia aspell aspell-en qalculate-gtk';
packagesSuse='libreoffice meld scribus gnucash dia aspell';
handleOperation;
#Password manager plus generators, and FIDO/U2F security-key support (udev access rules
#or the host library, depending on the distribution) so an unprivileged session can talk
#to a hardware key.
category='Passwords';
baseIncluded=true;
packagesArch='keepassxc pwgen'; packagesAUR='u2f-hidraw-policy';
packagesDebian='keepassxc pwgen diceware ssss libu2f-udev';
packagesFedora='keepassxc pwgen diceware ssss u2f-hidraw-policy';
packagesSuse='keepassxc pwgen libu2f-host0';
handleOperation;
#Cleanup and secure-deletion tools. Overwrite-based deletion (srm, scrub) is not reliable
#on SSDs or copy-on-write/journaled filesystems (btrfs is installed above), so full-disk
#encryption remains the actual control; these only help on plain spinning disks.
category='Privacy';
baseIncluded=true;
packagesArch='bleachbit'; packagesAUR='scrub';
packagesDebian='bleachbit scrub';
packagesFedora='bleachbit srm scrub';
packagesSuse='bleachbit srm scrub';
handleOperation;
category='Reference';
baseIncluded=false;
packagesArch='kiwix-desktop';
packagesDebian=''; #unavailable
packagesFedora='kiwix-desktop';
packagesSuse=''; #unavailable
handleOperation;
category='Screencast';
baseIncluded=false;
packagesArch='obs-studio';
packagesDebian='obs-studio';
packagesFedora='obs-studio';
packagesSuse=''; #unavailable
handleOperation;
#Fedora installs the empty signature set (clamav-data-empty), so freshclam from
#clamav-update has to fetch a database before scanning is of any use.
category='Security - Malware Scanner';
baseIncluded=false;
packagesArch='clamav clamtk';
packagesDebian='clamav clamtk';
packagesFedora='clamav clamav-data-empty clamav-update clamtk';
packagesSuse='clamav clamtk';
handleOperation;
#Firewall, application sandbox and mandatory access control. Notes for reviewers:
# - firejail is a setuid-root sandbox: it widens the local attack surface and has had
#   privilege-escalation bugs in the past, so it only earns its place when kept updated.
# - Fedora's list has no AppArmor packages because Fedora ships SELinux instead.
# - Arch also pulls the linux-hardened kernel, whose defaults disable unprivileged user
#   namespaces; that changes how chromium/flatpak-style sandboxes work — confirm the rest
#   of the configuration accounts for it.
category='Security - System';
baseIncluded=true;
packagesArch='firewalld firejail apparmor linux-hardened';
packagesDebian='firewalld firewall-config firejail firejail-profiles apparmor apparmor-profiles apparmor-profiles-extra apparmor-utils';
packagesFedora='firewalld firewall-config firejail';
packagesSuse='firewalld firewall-config firejail apparmor-profiles';
handleOperation;
#torbrowser-launcher fetches Tor Browser from torproject.org at first run and checks its
#signature; it is left out on Debian because it lives in contrib.
category='Tor';
baseIncluded=true;
packagesArch='tor torsocks onionshare torbrowser-launcher';
packagesDebian='tor torsocks onionshare'; #torbrowser-launcher (contrib)
packagesFedora='tor torsocks onionshare torbrowser-launcher';
packagesSuse='tor torsocks python3-onionshare torbrowser-launcher'; #torbrowser-apparmor-profile
handleOperation;
#NOTE(review): the SUSE list omits fwupd (and gnome-firmware in the next category), so
#firmware updates are not covered there.
category='Utility';
baseIncluded=true;
packagesArch='whois mtr stress iotop wavemon pv tree iperf3 bmon powertop ncdu intel-gpu-tools radeontop fwupd';
packagesDebian='dconf-cli whois mtr stress iotop wavemon pv tree iperf3 bmon powertop ncdu vrms intel-gpu-tools radeontop fwupd';
packagesFedora='whois mtr stress iotop wavemon pv tree iperf3 bmon powertop ncdu vrms-rpm intel-gpu-tools radeontop fwupd';
packagesSuse='whois mtr stress-ng iotop wavemon pv tree iperf bmon powertop ncdu intel-gpu-tools radeontop';
handleOperation;
category='Utility - Graphical';
baseIncluded=true;
packagesArch='dconf-editor gnome-firmware gsmartcontrol seahorse';
packagesDebian='dconf-editor gnome-firmware software-properties-gtk gsmartcontrol seahorse';
packagesFedora='dconf-editor gnome-firmware gsmartcontrol seahorse openssh-askpass';
packagesFlathub='org.gnome.seahorse.Application';
packagesSuse='dconf-editor gsmartcontrol seahorse';
handleOperation;
category='Virtualization';
baseIncluded=false;
packagesArch='libvirt virt-manager qemu';
packagesDebian=''; #TODO
packagesFedora='@virtualization';
packagesSuse=''; #'Install Hypervisor' can be used
handleOperation;
520 | #
521 | #End categories
522 | #
523 |
#Run the queued base install when the user opted in; "true" is the only value that
#triggers it, anything else (including unset) skips straight to cleanup.
case "$baseInstall" in
	true)
		handleInstall;
		echo -e "${cyan}INFO: Packages installed${coloroff}";
		;;
esac;

#Remove whatever the installer left behind (handleCleanup is defined earlier in this file).
echo -e "${cyan}INFO: Cleaning up${coloroff}";
handleCleanup;

#Final status line.
echo -e "${cyan}INFO: Installer complete!${coloroff}";
536 |
--------------------------------------------------------------------------------
/brace/usr/sbin/brace-rpm-verify:
--------------------------------------------------------------------------------
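#!/bin/sh
#Credit (CC BY-SA 3.0): https://unix.stackexchange.com/a/217024
#Reinstalls every package that has at least one file failing 'rpm -Va' verification.
#This is a repair tool, not an integrity check: the rpmdb it compares against and the
#repositories it reinstalls from are both trusted as-is, and anyone with root could alter
#either. Locally edited %config files also fail verification, so their package gets
#reinstalled as well (rpm keeps the edited copy as .rpmsave/.rpmnew). Paths containing
#spaces are not handled, same as the original one-liner.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then echo 'This script needs to be run as root!'; exit 1; fi;

if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
	echo "Verifying installed packages";
	echo "This script is *not* for security purposes, but instead to fix broken packages.";
	#rpm -Va prints one line per failing file ("S.5....T.  c /path" or "missing   /path").
	#stderr is merged so prelink warnings can be dropped together with blank lines, then
	#everything before the path is stripped.
	files="$(rpm -Va 2>&1 | grep -vE '^$|prelink:' | sed 's|.* /|/|')";
	packages='';
	if [ -n "$files" ]; then
		#Map each path to its owning package and leave out packages a reinstall would
		#disturb: kernels, release files, the setup package and the bootloader.
		#(These are substring matches, so "setup" also excludes e.g. python3-setuptools.)
		#shellcheck disable=SC2086 -- intentional word splitting, one path per word
		packages="$(rpm -qf $files | sort -u | grep -v -e "kernel-" -e "fedora-" -e "setup" -e "grub2-")";
	fi;
	#Without this guard an empty list would invoke 'dnf reinstall' with no arguments.
	if [ -z "$packages" ]; then
		echo "No packages failed verification, nothing to reinstall";
	else
		#shellcheck disable=SC2086 -- intentional word splitting, one package per word
		dnf reinstall $packages;
	fi;
else
	echo "Currently only Fedora and CentOS are supported";
fi;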
12 |
--------------------------------------------------------------------------------
/permissions.facl:
--------------------------------------------------------------------------------
1 | # file: .
2 | user::rwx
3 | group::r-x
4 | other::r-x
5 |
6 | # file: brace
7 | user::rwx
8 | group::r-x
9 | other::r-x
10 |
11 | # file: brace/DEBIAN
12 | user::rwx
13 | group::r-x
14 | other::r-x
15 |
16 | # file: brace/DEBIAN/control
17 | user::rw-
18 | group::r--
19 | other::r--
20 |
21 | # file: brace/DEBIAN/postinst
22 | user::rwx
23 | group::r-x
24 | other::r-x
25 |
26 | # file: brace/DEBIAN/postrm
27 | user::rwx
28 | group::r-x
29 | other::r-x
30 |
31 | # file: brace/etc
32 | user::rwx
33 | group::r-x
34 | other::r-x
35 |
36 | # file: brace/etc/apt
37 | user::rwx
38 | group::r-x
39 | other::r-x
40 |
41 | # file: brace/etc/apt/apt.conf.d
42 | user::rwx
43 | group::r-x
44 | other::r-x
45 |
46 | # file: brace/etc/apt/apt.conf.d/90-brace
47 | user::rw-
48 | group::r--
49 | other::r--
50 |
51 | # file: brace/etc/chromium
52 | user::rwx
53 | group::r-x
54 | other::r-x
55 |
56 | # file: brace/etc/chromium/policies
57 | user::rwx
58 | group::r-x
59 | other::r-x
60 |
61 | # file: brace/etc/chromium/policies/managed
62 | user::rwx
63 | group::r-x
64 | other::r-x
65 |
66 | # file: brace/etc/chromium/policies/managed/brace.json
67 | user::rw-
68 | group::r--
69 | other::r--
70 |
71 | # file: brace/etc/chrony.brace.conf
72 | user::rw-
73 | group::r--
74 | other::r--
75 |
76 | # file: brace/etc/dconf
77 | user::rwx
78 | group::r-x
79 | other::r-x
80 |
81 | # file: brace/etc/dconf/db
82 | user::rwx
83 | group::r-x
84 | other::r-x
85 |
86 | # file: brace/etc/dconf/db/local.d
87 | user::rwx
88 | group::r-x
89 | other::r-x
90 |
91 | # file: brace/etc/dconf/db/local.d/00-brace-cinnamon
92 | user::rw-
93 | group::r--
94 | other::r--
95 |
96 | # file: brace/etc/dconf/db/local.d/00-brace-extra
97 | user::rw-
98 | group::r--
99 | other::r--
100 |
101 | # file: brace/etc/dconf/db/local.d/00-brace-gnome
102 | user::rw-
103 | group::r--
104 | other::r--
105 |
106 | # file: brace/etc/dconf/db/local.d/00-brace-mate
107 | user::rw-
108 | group::r--
109 | other::r--
110 |
111 | # file: brace/etc/dconf/db/local.d/00-brace-pantheon
112 | user::rw-
113 | group::r--
114 | other::r--
115 |
116 | # file: brace/etc/dconf/profile
117 | user::rwx
118 | group::r-x
119 | other::r-x
120 |
121 | # file: brace/etc/dconf/profile/user
122 | user::rw-
123 | group::r--
124 | other::r--
125 |
126 | # file: brace/etc/dconf/profile/user-full
127 | user::rw-
128 | group::r--
129 | other::r--
130 |
131 | # file: brace/etc/default
132 | user::rwx
133 | group::r-x
134 | other::r-x
135 |
136 | # file: brace/etc/default/grub.d
137 | user::rwx
138 | group::r-x
139 | other::r-x
140 |
141 | # file: brace/etc/default/grub.d/brace.cfg
142 | user::rw-
143 | group::r--
144 | other::r--
145 |
146 | # file: brace/etc/opt
147 | user::rwx
148 | group::r-x
149 | other::r-x
150 |
151 | # file: brace/etc/opt/chrome
152 | user::rwx
153 | group::r-x
154 | other::r-x
155 |
156 | # file: brace/etc/opt/chrome/policies
157 | user::rwx
158 | group::r-x
159 | other::r-x
160 |
161 | # file: brace/etc/opt/chrome/policies/managed
162 | user::rwx
163 | group::r-x
164 | other::r-x
165 |
166 | # file: brace/etc/profile.d
167 | user::rwx
168 | group::r-x
169 | other::r-x
170 |
171 | # file: brace/etc/profile.d/brace-env-overrides.sh
172 | user::rw-
173 | group::r--
174 | other::r--
175 |
176 | # file: brace/etc/profile.d/brace-helpers.sh
177 | user::rw-
178 | group::r--
179 | other::r--
180 |
181 | # file: brace/etc/tlp.d
182 | user::rwx
183 | group::r-x
184 | other::r-x
185 |
186 | # file: brace/etc/tlp.d/00-brace.conf
187 | user::rw-
188 | group::r--
189 | other::r--
190 |
191 | # file: brace.install
192 | user::rw-
193 | group::r-x
194 | other::r-x
195 |
196 | # file: brace.spec
197 | user::rw-
198 | group::---
199 | other::---
200 |
201 | # file: brace/usr
202 | user::rwx
203 | group::r-x
204 | other::r-x
205 |
206 | # file: brace/usr/bin
207 | user::rwx
208 | group::r-x
209 | other::r-x
210 |
211 | # file: brace/usr/bin/brace-supplemental-changes
212 | user::rwx
213 | group::r-x
214 | other::r-x
215 |
216 | # file: brace/usr/lib
217 | user::rwx
218 | group::r-x
219 | other::r-x
220 |
221 | # file: brace/usr/lib/firefox
222 | user::rwx
223 | group::r-x
224 | other::r-x
225 |
226 | # file: brace/usr/lib/firefox/browser
227 | user::rwx
228 | group::r-x
229 | other::r-x
230 |
231 | # file: brace/usr/lib/firefox/browser/defaults
232 | user::rwx
233 | group::r-x
234 | other::r-x
235 |
236 | # file: brace/usr/lib/firefox/browser/defaults/preferences
237 | user::rwx
238 | group::r-x
239 | other::r-x
240 |
241 | # file: brace/usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
242 | user::rw-
243 | group::r--
244 | other::r--
245 |
246 | # file: brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
247 | user::rw-
248 | group::r--
249 | other::r--
250 |
251 | # file: brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace-perf.js
252 | user::rw-
253 | group::r--
254 | other::r--
255 |
256 | # file: brace/usr/lib/firefox/distribution
257 | user::rwx
258 | group::r-x
259 | other::r-x
260 |
261 | # file: brace/usr/lib/firefox/distribution/policies.json
262 | user::rw-
263 | group::r--
264 | other::r--
265 |
266 | # file: brace/usr/lib/firefox-esr
267 | user::rwx
268 | group::r-x
269 | other::r-x
270 |
271 | # file: brace/usr/lib/firefox-esr/browser
272 | user::rwx
273 | group::r-x
274 | other::r-x
275 |
276 | # file: brace/usr/lib/firefox-esr/browser/defaults
277 | user::rwx
278 | group::r-x
279 | other::r-x
280 |
281 | # file: brace/usr/lib/firefox-esr/browser/defaults/preferences
282 | user::rwx
283 | group::r-x
284 | other::r-x
285 |
286 | # file: brace/usr/lib/firefox-esr/distribution
287 | user::rwx
288 | group::r-x
289 | other::r-x
290 |
291 | # file: brace/usr/lib/modprobe.d
292 | user::rwx
293 | group::r-x
294 | other::r-x
295 |
296 | # file: brace/usr/lib/modprobe.d/brace.conf
297 | user::rw-
298 | group::r--
299 | other::r--
300 |
301 | # file: brace/usr/lib/modprobe.d/wireless-perf.conf
302 | user::rw-
303 | group::r--
304 | other::r--
305 |
306 | # file: brace/usr/lib/NetworkManager
307 | user::rwx
308 | group::r-x
309 | other::r-x
310 |
311 | # file: brace/usr/lib/NetworkManager/conf.d
312 | user::rwx
313 | group::r-x
314 | other::r-x
315 |
316 | # file: brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf
317 | user::rw-
318 | group::r--
319 | other::r--
320 |
321 | # file: brace/usr/lib/sysctl.d
322 | user::rwx
323 | group::r-x
324 | other::r-x
325 |
326 | # file: brace/usr/lib/sysctl.d/60-restrict.conf
327 | user::rw-
328 | group::r--
329 | other::r--
330 |
331 | # file: brace/usr/lib/systemd
332 | user::rwx
333 | group::r-x
334 | other::r-x
335 |
336 | # file: brace/usr/lib/systemd/resolved.conf.d
337 | user::rwx
338 | group::r-x
339 | other::r-x
340 |
341 | # file: brace/usr/lib/systemd/resolved.conf.d/brace.conf
342 | user::rw-
343 | group::r--
344 | other::r--
345 |
346 | # file: brace/usr/lib/systemd/system
347 | user::rwx
348 | group::r-x
349 | other::r-x
350 |
351 | # file: brace/usr/lib/systemd/system/biboumi.service.d
352 | user::rwx
353 | group::r-x
354 | other::r-x
355 |
356 | # file: brace/usr/lib/systemd/system/biboumi.service.d/98-user.conf
357 | user::rw-
358 | group::r--
359 | other::r--
360 |
361 | # file: brace/usr/lib/systemd/system/biboumi.service.d/99-brace.conf
362 | user::rw-
363 | group::r--
364 | other::r--
365 |
366 | # file: brace/usr/lib/systemd/system/chronyd.service.d
367 | user::rwx
368 | group::r-x
369 | other::r-x
370 |
371 | # file: brace/usr/lib/systemd/system/chronyd.service.d/99-brace.conf
372 | user::rw-
373 | group::r--
374 | other::r--
375 |
376 | # file: brace/usr/lib/systemd/system/ejabberd.service.d
377 | user::rwx
378 | group::r-x
379 | other::r-x
380 |
381 | # file: brace/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf
382 | user::rw-
383 | group::r--
384 | other::r--
385 |
386 | # file: brace/usr/lib/systemd/system/firewalld.service.d
387 | user::rwx
388 | group::r-x
389 | other::r-x
390 |
391 | # file: brace/usr/lib/systemd/system/firewalld.service.d/99-brace.conf.disabled
392 | user::rw-
393 | group::r--
394 | other::r--
395 |
396 | # file: brace/usr/lib/systemd/system/httpd.service.d
397 | user::rwx
398 | group::r-x
399 | other::r-x
400 |
401 | # file: brace/usr/lib/systemd/system/httpd.service.d/99-brace.conf
402 | user::rw-
403 | group::r--
404 | other::r--
405 |
406 | # file: brace/usr/lib/systemd/system/irqbalance.service.d
407 | user::rwx
408 | group::r-x
409 | other::r-x
410 |
411 | # file: brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf
412 | user::rw-
413 | group::r--
414 | other::r--
415 |
416 | # file: brace/usr/lib/systemd/system/minetest@.service.d
417 | user::rwx
418 | group::r-x
419 | other::r-x
420 |
421 | # file: brace/usr/lib/systemd/system/minetest@.service.d/99-brace.conf
422 | user::rw-
423 | group::r--
424 | other::r--
425 |
426 | # file: brace/usr/lib/systemd/system/ModemManager.service.d
427 | user::rwx
428 | group::r-x
429 | other::r-x
430 |
431 | # file: brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf
432 | user::rw-
433 | group::r--
434 | other::r--
435 |
436 | # file: brace/usr/lib/systemd/system/murmur.service.d
437 | user::rwx
438 | group::r-x
439 | other::r-x
440 |
441 | # file: brace/usr/lib/systemd/system/murmur.service.d/99-brace.conf
442 | user::rw-
443 | group::r--
444 | other::r--
445 |
446 | # file: brace/usr/lib/systemd/system/NetworkManager.service.d
447 | user::rwx
448 | group::r-x
449 | other::r-x
450 |
451 | # file: brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
452 | user::rw-
453 | group::r--
454 | other::r--
455 |
456 | # file: brace/usr/lib/systemd/system/php-fpm.service.d
457 | user::rwx
458 | group::r-x
459 | other::r-x
460 |
461 | # file: brace/usr/lib/systemd/system/php-fpm.service.d/99-brace.conf
462 | user::rw-
463 | group::r--
464 | other::r--
465 |
466 | # file: brace/usr/lib/systemd/system/radiusd.service.d
467 | user::rwx
468 | group::r-x
469 | other::r-x
470 |
471 | # file: brace/usr/lib/systemd/system/radiusd.service.d/99-brace.conf
472 | user::rw-
473 | group::r--
474 | other::r--
475 |
476 | # file: brace/usr/lib/systemd/system/redis.service.d
477 | user::rwx
478 | group::r-x
479 | other::r-x
480 |
481 | # file: brace/usr/lib/systemd/system/redis.service.d/99-brace.conf.disabled
482 | user::rw-
483 | group::r--
484 | other::r--
485 |
486 | # file: brace/usr/lib/systemd/system/rngd.service.d
487 | user::rwx
488 | group::r-x
489 | other::r-x
490 |
491 | # file: brace/usr/lib/systemd/system/rngd.service.d/99-brace.conf
492 | user::rw-
493 | group::r--
494 | other::r--
495 |
496 | # file: brace/usr/lib/systemd/system/tor.service.d
497 | user::rwx
498 | group::r-x
499 | other::r-x
500 |
501 | # file: brace/usr/lib/systemd/system/tor.service.d/99-brace.conf
502 | user::rw-
503 | group::r--
504 | other::r--
505 |
506 | # file: brace/usr/lib/systemd/system/wpa_supplicant.service.d
507 | user::rwx
508 | group::r-x
509 | other::r-x
510 |
511 | # file: brace/usr/lib/systemd/system/wpa_supplicant.service.d/99-brace.conf
512 | user::rw-
513 | group::r--
514 | other::r--
515 |
516 | # file: brace/usr/lib/systemd/user
517 | user::rwx
518 | group::r-x
519 | other::r-x
520 |
521 | # file: brace/usr/lib/systemd/user/restic-backup@.service
522 | user::rw-
523 | group::r--
524 | other::r--
525 |
526 | # file: brace/usr/lib/systemd/user/restic-backup@.timer
527 | user::rw-
528 | group::r--
529 | other::r--
530 |
531 | # file: brace/usr/lib/thunderbird
532 | user::rwx
533 | group::r-x
534 | other::r-x
535 |
536 | # file: brace/usr/lib/thunderbird/defaults
537 | user::rwx
538 | group::r-x
539 | other::r-x
540 |
541 | # file: brace/usr/lib/thunderbird/defaults/pref
542 | user::rwx
543 | group::r-x
544 | other::r-x
545 |
546 | # file: brace/usr/lib/tmpfiles.d
547 | user::rwx
548 | group::r-x
549 | other::r-x
550 |
551 | # file: brace/usr/lib/tmpfiles.d/99-brace-proc.conf
552 | user::rw-
553 | group::r--
554 | other::r--
555 |
556 | # file: brace/usr/lib/tmpfiles.d/99-brace-sys.conf
557 | user::rw-
558 | group::r--
559 | other::r--
560 |
561 | # file: brace/usr/lib/udev
562 | user::rwx
563 | group::r-x
564 | other::r-x
565 |
566 | # file: brace/usr/lib/udev/rules.d
567 | user::rwx
568 | group::r-x
569 | other::r-x
570 |
571 | # file: brace/usr/lib/udev/rules.d/10-trim.rules
572 | user::rw-
573 | group::r--
574 | other::r--
575 |
576 | # file: brace/usr/lib/udev/rules.d/50-usb-realtek-net-exceprt.rules
577 | user::rw-
578 | group::r--
579 | other::r--
580 |
581 | # file: brace/usr/sbin
582 | user::rwx
583 | group::r-x
584 | other::r-x
585 |
586 | # file: brace/usr/sbin/brace-audit
587 | user::rwx
588 | group::r-x
589 | other::r-x
590 |
591 | # file: brace/usr/sbin/brace-fedora-enable-auto-updates
592 | user::rwx
593 | group::r-x
594 | other::r-x
595 |
596 | # file: brace/usr/sbin/brace-fedora-enable-fapolicyd
597 | user::rwx
598 | group::r-x
599 | other::r-x
600 |
601 | # file: brace/usr/sbin/brace-fedora-enable-rpmfusion
602 | user::rwx
603 | group::r-x
604 | other::r-x
605 |
606 | # file: brace/usr/sbin/brace-fedora-update-system
607 | user::rwx
608 | group::r-x
609 | other::r-x
610 |
611 | # file: brace/usr/sbin/brace-installer
612 | user::rwx
613 | group::r-x
614 | other::r-x
615 |
616 | # file: brace/usr/sbin/brace-rpm-verify
617 | user::rwx
618 | group::r-x
619 | other::r-x
620 |
621 | # file: LICENSE
622 | user::rw-
623 | group::r--
624 | other::r--
625 |
626 | # file: permissions.facl
627 | user::rw-
628 | group::---
629 | other::---
630 |
631 | # file: PKGBUILD
632 | user::rw-
633 | group::---
634 | other::---
635 |
636 | # file: README.md
637 | user::rw-
638 | group::r--
639 | other::r--
640 |
641 | # file: TODO
642 | user::rw-
643 | group::---
644 | other::---
645 |
646 | # file: unused
647 | user::rwx
648 | group::r-x
649 | other::r-x
650 |
651 | # file: unused/99-brace.conf.template
652 | user::rw-
653 | group::r--
654 | other::r--
655 |
656 | # file: unused/brace-sebool.sh
657 | user::rwx
658 | group::r-x
659 | other::r-x
660 |
661 | # file: unused/chromium-brace-3p.json
662 | user::rw-
663 | group::r--
664 | other::r--
665 |
666 | # file: unused/chromium-brace-notes.txt
667 | user::rw-
668 | group::---
669 | other::---
670 |
671 | # file: unused/debian-firmware.sh
672 | user::rw-
673 | group::r-x
674 | other::r-x
675 |
676 | # file: unused/powersave.conf
677 | user::rw-
678 | group::r--
679 | other::r--
680 |
681 | # file: unused/tmp.mount.conf
682 | user::rw-
683 | group::r--
684 | other::r--
685 |
686 | # file: unused/uBlock0@raymondhill.net.json
687 | user::rw-
688 | group::r--
689 | other::r--
690 |
691 | # file: unused/zram-generator.conf
692 | user::rw-
693 | group::r--
694 | other::r--
695 |
696 | # file: .gitlab-ci.yml
697 | user::rw-
698 | group::r--
699 | other::r--
700 |
701 | # file: .gitignore
702 | user::rw-
703 | group::r--
704 | other::r--
705 |
--------------------------------------------------------------------------------
/unused/99-brace.conf.template:
--------------------------------------------------------------------------------
[Service]
# Hardening
# Template of systemd sandboxing directives, all commented out: copy the ones a given
# service tolerates into its 99-brace.conf drop-in and re-test the service afterwards.
# The notes below flag the directives that most often break a service.
#CapabilityBoundingSet=""
# (an empty list, i.e. every capability dropped; services that bind low ports, chown
# files, etc. need an explicit list instead)
#LockPersonality=true
#MemoryDenyWriteExecute=true
# (refuses writable+executable memory mappings; breaks JIT-based runtimes)
#NoNewPrivileges=true
# (already implied by most of the filter/protect directives below; harmless to state)
#PrivateDevices=true
#ProtectProc=invisible
# (needs a recent systemd, v247 or newer)
#PrivateTmp=yes
# (same boolean as the "true" spelling used elsewhere in this file)
#PrivateUsers=true
# (runs the service in its own user namespace, so "root" inside is not real root and
# capabilities stop meaning much; generally only viable for unprivileged services)
#ProtectClock=true
#ProtectControlGroups=true
#ProtectHome=true
#ProtectHostname=true
#ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectSystem=strict
# (whole filesystem read-only except /dev, /proc and /sys; ReadWritePaths= below must
# then cover every location the service writes to)
#ReadOnlyPaths=/etc/
# (redundant under ProtectSystem=strict, harmless otherwise)
#ReadWritePaths=/var/lib/
# (broad: prefer the service's own state directory, e.g. StateDirectory= or
# /var/lib/<service>, so one sandboxed service cannot write another's state)
#RemoveIPC=true
# (per systemd.exec(5) this only takes effect for services that run with User=/Group=/
# DynamicUser=, and never for IPC objects owned by root — confirm for the target service)
#RestrictAddressFamilies=~AF_INET
#RestrictAddressFamilies=~AF_INET6
#RestrictAddressFamilies=~AF_NETLINK
#RestrictAddressFamilies=~AF_PACKET
#RestrictAddressFamilies=~AF_UNIX
# (repeated assignments merge into a single deny-list; denying AF_UNIX also stops the
# service from creating local sockets, e.g. for D-Bus or syslog(), so it is rarely usable)
#RestrictNamespaces=true
#RestrictRealtime=true
#RestrictSUIDSGID=true
#SystemCallArchitectures=native
# (rejects the 32-bit/compat syscall ABI on 64-bit hosts)
#SystemCallFilter=@system-service
#SystemCallFilter=~@privileged
#SystemCallFilter=~@resources
# (the first line is an allow-list, the ~ lines subtract from it; @resources covers the
# setrlimit/scheduling-style calls some daemons make at startup, so test before enabling)
#UMask=0077
35 |
--------------------------------------------------------------------------------
/unused/brace-sebool.sh:
--------------------------------------------------------------------------------
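#!/usr/bin/bash
#Copyright (c) 2017-2019 Divested Computing, Inc.
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU Affero General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU Affero General Public License for more details.
#
#You should have received a copy of the GNU Affero General Public License
#along with this program. If not, see <https://www.gnu.org/licenses/>.

#Persistently (-P) tightens a set of SELinux booleans on Fedora/CentOS.
#Read before re-enabling this script:
# - deny_ptrace=on and selinuxuser_exec{heap,mod,stack}=off deny ptrace and
#   writable+executable memory to user domains; that breaks debuggers (gdb, strace),
#   crash reporters and software that needs W+X memory such as JIT runtimes.
# - The allow_* names appear to be the older spellings of the settings just above
#   them (allow_ptrace=off being the inverse form of deny_ptrace=on) and may not be
#   defined by the installed policy; a rejected boolean is reported and skipped.
# - The *_exec_content booleans, per the policy's own descriptions, control whether
#   that SELinux user/role may run executables from its home directory and /tmp.
# - Every setsebool -P rebuilds the policy store, so the script is slow by design; the
#   per-boolean calls are kept so that one unknown name cannot fail the whole batch.
if [ "$(/usr/bin/id -u)" -ne "0" ]; then echo 'This script needs to be run as root!'; exit 1; fi;

#setBool NAME VALUE: sets one boolean persistently and warns, without exiting, when
#the policy does not define it or the change is refused.
setBool() {
	if ! setsebool -P "$1" "$2"; then
		echo "WARNING: could not set SELinux boolean '$1' to '$2'";
	fi;
}

if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
	if ! command -v setsebool >/dev/null 2>&1; then
		echo "setsebool not found (install policycoreutils); nothing changed";
		exit 1;
	fi;
	#selinuxenabled exits non-zero when SELinux is disabled; setsebool cannot apply
	#anything in that state, so stop early with a clear message instead of 17 errors.
	if command -v selinuxenabled >/dev/null 2>&1 && ! selinuxenabled; then
		echo "SELinux is disabled on this system; booleans were not changed";
		exit 1;
	fi;
	echo "Setting hardened booleans for SELinux policy";
	setBool deny_ptrace on;
	#setBool deny_execmem on;
	setBool selinuxuser_execheap off;
	setBool selinuxuser_execmod off;
	setBool selinuxuser_execstack off;

	setBool allow_ptrace off;
	#setBool allow_execmem off;
	setBool allow_execheap off;
	setBool allow_execmod off;
	setBool allow_execstack off;

	setBool logadm_exec_content off;
	setBool dbadm_exec_content off;
	setBool auditadm_exec_content off;
	setBool secadm_exec_content off;

	setBool guest_exec_content off;
	setBool xguest_exec_content off;
	#setBool user_exec_content off;
	#setBool staff_exec_content off;
	#setBool sysadm_exec_content off;
else
	echo "Currently only Fedora and CentOS are supported";
fi;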
46 |
--------------------------------------------------------------------------------
/unused/chromium-brace-3p.json:
--------------------------------------------------------------------------------
1 | {
2 | "3rdparty": {
3 | "extensions": {
4 | "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
5 | "adminSettings": "{\"userSettings\":{\"externalLists\":\"https://divested.dev/hosts-domains-wildcards\\nhttps://divested.dev/blocklists/Fingerprinting.ubl\"},\"selectedFilterLists\":[\"user-filters\",\"ublock-filters\",\"ublock-badware\",\"ublock-privacy\",\"ublock-abuse\",\"ublock-unbreak\",\"awrl-0\",\"adguard-generic\",\"adguard-mobile\",\"easylist\",\"adguard-spyware\",\"easyprivacy\",\"fanboy-enhanced\",\"malware-0\",\"malware-1\",\"adguard-annoyance\",\"adguard-social\",\"fanboy-thirdparty_social\",\"fanboy-cookiemonster\",\"fanboy-annoyance\",\"fanboy-social\",\"ublock-annoyances\",\"plowe-0\",\"https://divested.dev/blocklists/Fingerprinting.ubl\",\"https://divested.dev/hosts-domains-wildcards\"]}"
6 | }
7 | }
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/unused/chromium-brace-notes.txt:
--------------------------------------------------------------------------------
1 | Available:
2 | DefaultPopupsSetting
3 | ProxyMode
4 | AdvancedProtectionAllowed
5 | AllowPopupsDuringPageUnload
6 | PrivacyScreenEnabled
7 | BuiltInDnsClientEnabled
8 | DnsOverHttpsMode
9 | HideWebStoreIcon
10 | IntensiveWakeUpThrottlingEnabled
11 | IsolateOrigins
12 | PromptForDownloadLocation
13 | QuicAllowed
14 |
15 | Research:
16 | AmbientAuthenticationInPrivateModesEnabled
17 |
18 | Breaks things:
19 | DefaultMediaStreamSetting:3
20 | AudioSandboxEnabled:true
21 |
--------------------------------------------------------------------------------
/unused/debian-firmware.sh:
--------------------------------------------------------------------------------
# Pull in the Debian firmware and CPU microcode packages in one apt transaction
# (reference script kept under unused/; no shebang, so run it with the shell you intend).
# The *-nonfree packages require the non-free component (and, on newer Debian
# releases, non-free-firmware) to be enabled in the apt sources.
apt install \
    firmware-amd-graphics \
    firmware-atheros \
    firmware-bnx2 \
    firmware-bnx2x \
    firmware-brcm80211 \
    firmware-cavium \
    firmware-intel-sound \
    firmware-intelwimax \
    firmware-iwlwifi \
    firmware-libertas \
    firmware-linux \
    firmware-linux-free \
    firmware-linux-nonfree \
    firmware-misc-nonfree \
    firmware-ralink \
    firmware-realtek \
    firmware-ti-connectivity \
    intel-microcode \
    amd64-microcode
2 |
--------------------------------------------------------------------------------
/unused/powersave.conf:
--------------------------------------------------------------------------------
1 | #https://wiki.archlinux.org/index.php/Power_management -- modprobe.d options turning on driver-level power saving: power_save=1 for the snd_hda_intel / snd_ac97_codec audio codecs and for iwlwifi; d0i3_disable=0 and uapsd_disable=0 additionally let iwlwifi use its low-power idle states (expect a latency/throughput trade-off; iwldvm force_cam=0 only matters for the older iwldvm-driven adapters). Kept under unused/, not installed.
2 | options snd_hda_intel power_save=1
3 | options snd_ac97_codec power_save=1
4 | options iwlwifi power_save=1 d0i3_disable=0 uapsd_disable=0
5 | options iwldvm force_cam=0
6 |
--------------------------------------------------------------------------------
/unused/tmp.mount.conf:
--------------------------------------------------------------------------------
1 | [Mount]
2 | #Remount /tmp with hardening options (drop-in for tmp.mount, kept under unused/): mode=1777 keeps the sticky world-writable directory; nosuid ignores setuid/setgid bits, nodev refuses device nodes, noexec stops files dropped in /tmp from being executed directly (scripts run through an explicit interpreter are not blocked); strictatime keeps exact access-time updates.
3 | Options=mode=1777,strictatime,nosuid,nodev,noexec
4 |
--------------------------------------------------------------------------------
/unused/uBlock0@raymondhill.net.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "uBlock0@raymondhill.net",
3 | "description": "ignored",
4 | "type": "storage",
5 | "data": {
6 | "adminSettings": "{\"userSettings\":{\"externalLists\":\"https://divested.dev/hosts-domains-wildcards\\nhttps://divested.dev/blocklists/Fingerprinting.ubl\"},\"selectedFilterLists\":[\"user-filters\",\"ublock-filters\",\"ublock-badware\",\"ublock-privacy\",\"ublock-abuse\",\"ublock-unbreak\",\"awrl-0\",\"adguard-generic\",\"adguard-mobile\",\"easylist\",\"adguard-spyware\",\"easyprivacy\",\"fanboy-enhanced\",\"malware-0\",\"malware-1\",\"adguard-annoyance\",\"adguard-social\",\"fanboy-thirdparty_social\",\"fanboy-cookiemonster\",\"fanboy-annoyance\",\"fanboy-social\",\"ublock-annoyances\",\"plowe-0\",\"https://divested.dev/blocklists/Fingerprinting.ubl\",\"https://divested.dev/hosts-domains-wildcards\"]}"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/unused/zram-generator.conf:
--------------------------------------------------------------------------------
1 | [zram0]
2 | host-memory-limit = none
3 | zram-fraction = 0.5
4 | max-zram-size = 16384
5 | #zram-generator doesn't currently load required modules, so compression-algorithm stays commented out (enabling zstd below would need the module loaded separately). Per the zram-generator docs, the device above is sized at zram-fraction of host RAM (0.5) and capped by max-zram-size in MiB, with host-memory-limit = none meaning the device is created regardless of RAM size.
6 | #compression-algorithm = zstd
7 |
8 | #/usr/lib/systemd/zram-generator.conf.d/ -- presumably the drop-in directory this file is meant for; it currently lives under unused/ and is not installed.
9 |
--------------------------------------------------------------------------------