Misc. corrections

components/base-debian-bullseye/packages.list

@@ -7,7 +7,8 @@ borgbackup rclone
 python3-pacparser
 python3-requests python3-gi python3-dbus
 btrfs-progs
-firmware-iwlwifi
+firmware-linux
 sshfs
 opensc-pkcs11
 tpm2-tools
+pciutils

components/guest-os/_config/hooks/live/0060-fairshell-services.hook.chroot

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This file is part of INSECA.
+#
+#    Copyright (C) 2022 INSECA authors
+#
+#    INSECA is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    INSECA is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with INSECA.  If not, see <https://www.gnu.org/licenses/>
+
+for svce in fairshell-virt-system
+do
+	systemctl stop $svce
+	systemctl disable $svce
+done

lib/EncLUKS.py

@@ -38,9 +38,13 @@ def open(self):
                 2: "invalid password",
                 3: "out of memory",
                 4: "wrong device",
-                5: "device already exists or is busy"
+                5: "device already exists or is busy",
+                -9: "Not enough memory" # OOM killer did its job
             }
-            raise Exception("Unable to open LUKS volume '%s': %s"%(self._part_name, msgs[status]))
+            if status in msgs:
+                raise Exception("Unable to open LUKS volume '%s': %s"%(self._part_name, msgs[status]))
+            raise Exception("Unable to open LUKS volume '%s': %s(%s)"%(self._part_name, status))
+
         (mapped, mp)=util.get_encrypted_partition_mapped_elements(self._part_name)
         return mapped
 
@@ -56,7 +60,7 @@ def create(self):
         # LUKS format
         if not self._password:
             raise Exception("No password specified")
-        args=["/sbin/cryptsetup", "luksFormat", self._part_name, "--type", "luks2", "-d", "-"]
+        args=["/sbin/cryptsetup", "luksFormat", self._part_name, "--type", "luks2", "--pbkdf-memory", "524288", "-d", "-"] # limit mem consumption to 512 Mio
         (status, out, err)=util.exec_sync(args, stdin_data=self._password) # no newline!
         if status != 0:
             # from the man page: Error codes are: 1 wrong parameters, 2 no permission (bad passphrase),

lib/Live.py

@@ -203,7 +203,7 @@ class BootProcessWKS:
     @staticmethod
     def get_instance(live_env=None):
         """Method to get a singleton"""
-        if BootProcessWKS.__instance is None :
+        if BootProcessWKS.__instance is None and live_env:
             BootProcessWKS.__instance = BootProcessWKS(live_env)
         return BootProcessWKS.__instance
 
@@ -315,7 +315,7 @@ def unlock(self, user_password):
             data=util.load_file_contents("%s/resources/internal-pass.enc"%dmp)
             int_password=eobj.decrypt(data).decode()
 
-            self._dev.set_partition_secret("internal", "password", int_password)
+            self._dev.set_partition_secret(partid_internal, "password", int_password)
             self._dev.mount(partid_internal, "/internal", options="nodev,x-gvfs-hide", auto_umount=False)
 
             # unlock and mount "data" partition
@@ -372,7 +372,8 @@ def unlock(self, user_password):
 
     def map_directories(self):
         """Map directories from the /data partition"""
-        data_map=json.load(open("/opt/share/inseca-data-map.json", "r"))
+        map_file="/opt/share/inseca-data-map.json"
+        data_map=json.load(open(map_file, "r"))
         for key in data_map:
             dest=data_map[key]
             src="/data/%s"%key
@@ -389,7 +390,10 @@ def map_directories(self):
                 raise Exception("Could not bind 'data/%s' to '%s': %s"%(src, dest, err))
 
     def unmap_directories(self):
-        data_map=json.load(open("/opt/share/inseca-data-map.json", "r"))
+        map_file="/opt/share/inseca-data-map.json"
+        if not os.path.exists(map_file):
+            return
+        data_map=json.load(open(map_file, "r"))
         for key in data_map:
             dest=data_map[key]
             syslog.syslog(syslog.LOG_INFO, "Unbinding %s"%dest)

tools/inseca

@@ -438,8 +438,6 @@ def list_configs(args):
     elif ctype=="repo":
         configs=gconf.repo_configs
         for type in confs.RepoType:
-            if not args.verbose and type!=confs.RepoType.USERDATA:
-                continue
             print("%s repositories:"%type.value.upper())
             for uid in configs:
                 rconf=gconf.get_repo_conf(uid)
@@ -1108,6 +1106,7 @@ def sync_pull(args):
 
     # extract last archive of BUILD and USERDATA repos
     util.print_event("Extracting last BUILD and USERDATA archives")
+    ngconf=confs.GlobalConfiguration()
     for ruid in updated_repos:
         rconf=ngconf.get_repo_conf(ruid)
         if rconf.type in (confs.RepoType.BUILD, confs.RepoType.USERDATA):
@@ -2099,7 +2098,7 @@ def dev_run_in_vm(args):
     # umount all partitions of @target
     Device.umount_all_partitions(args.devfile)
 
-    mem=2048
+    mem=3072
     if args.mem:
         mem=int(args.mem)
 

tools/resources/template-generic-build.json

@@ -8,7 +8,8 @@
   "validity-months": 3,
   "version": "0.1",
   "components": {
-    "base-debian-bullseye": {
+    "base-debian-bullseye": null,
+    "gnome-desktop": {
       "display-type": "wayland"
     },
     "veracrypt": null,
@@ -23,7 +24,7 @@
     "sandboxed-programs": null,
     "inseca-live-wks": {
       "userdata-skey-pub-file": "userdata-sign-key.pub",
-      "network-connections-allowed": true,
+      "allow-network-connections": true,
       "allowed-virtualized": ""
     }
   }