patch module

nihil-admirari · Feb 18, 2025 · fa686f4 · fa686f4
1 parent 9bac2a6
commit fa686f4
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 26 deletions.
diff --git a/...s/scripts/patches/common/login.defs.patch → files/patches/hardenlogindefs.patch b/...s/scripts/patches/common/login.defs.patch → files/patches/hardenlogindefs.patch
diff --git a/files/patches/run0gvfsadmin.patch b/files/patches/run0gvfsadmin.patch
@@ -0,0 +1,11 @@
+--- a/usr/share/gvfs/mounts/admin.mount
++++ b/usr/share/gvfs/mounts/admin.mount
+@@ -1,7 +1,7 @@
+ [Mount]
+ Type=admin
+ # Add a dummy argument after pkexec, or '/bin/sh -c' will eat the first argument in '$@'
+-Exec=/bin/sh -c 'pkexec /usr/libexec/gvfsd-admin "$@" --address $DBUS_SESSION_BUS_ADDRESS --dir $XDG_RUNTIME_DIR' gvfsd-admin
++Exec=/bin/sh -c 'run0 --setenv=PKEXEC_UID="$UID" /usr/libexec/gvfsd-admin "$@" --address $DBUS_SESSION_BUS_ADDRESS --dir $XDG_RUNTIME_DIR' gvfsd-admin
+ AutoMount=false
+ DBusName=org.gtk.vfs.mountpoint_admin
+ MountPerClient=true
diff --git a/files/scripts/patchcommonconf.sh b/files/scripts/patchcommonconf.sh
diff --git a/files/scripts/patchconf.sh b/files/scripts/patchconf.sh
diff --git a/modules/patch/module.yml b/modules/patch/module.yml
@@ -0,0 +1,6 @@
+name: patch
+shortdesc: This module is used to apply patches to files at image build image.
+example: |
+  type: patch
+  patches:
+    - hardenlogindefs.patch
diff --git a/modules/patch/patch.sh b/modules/patch/patch.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob
+
+get_json_array PATCHES 'try .["patches"][]' "$1"
+PATCH_DIR="$CONFIG_DIRECTORY/patches"
+readonly PATCHES PATCH_DIR
+
+main() {
+    local p
+    for p in "${PATCHES[@]}"; do
+        patch --forward --directory=/ --strip=1 --no-backup-if-mismatch < "$PATCH_DIR/$p"
+    done
+}
+
+main "$@"
diff --git a/modules/patch/patch.tsp b/modules/patch/patch.tsp
@@ -0,0 +1,19 @@
+import "@typespec/json-schema";
+using TypeSpec.JsonSchema;
+
+@jsonSchema("/modules/script-latest.json")
+model ScriptModuleLatest {
+  ...ScriptModuleV1;
+}
+
+@jsonSchema("/modules/script-v1.json")
+model ScriptModuleV1 {
+  /** The patch module can be used to to apply patches to files at image build image. */
+  type: "patch" | "patch@v1" | "patch@latest";
+
+  /**
+   * List of patches to apply. Each patch has path components till the first / stripped
+   * and is then applied relative to image's root.
+   */
+  patches: Array<string>;
+}
diff --git a/recipes/common/common-modules.yml b/recipes/common/common-modules.yml
@@ -20,5 +20,9 @@ modules:
     - type: script
       scripts:
         - enablecommonautoupdate.sh
+    - type: patch
+      patches:
+        - hardenlogindefs.patch
+        - run0gvfsadmin.patch
     - type: secureblue-signing
       source: local
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
@@ -8,4 +8,3 @@ scripts:
   - disablegeoclue.sh
   - enablesecurebluefirstrun.sh
   - createjustcompletions.sh
-  - patchcommonconf.sh