1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
Source: bilibop
Section: admin
Priority: optional
Maintainer: Yann Amar <quidame@poivron.org>
Build-Depends: debhelper-compat (= 13), po-debconf
Rules-Requires-Root: no
Standards-Version: 4.5.1
Homepage: https://un.poivron.org/~quidame/wiki/bilibop
Vcs-Git: https://un.poivron.org/~quidame/git/bilibop.git
Package: bilibop
Section: metapackages
Architecture: linux-any
Depends: bilibop-lockfs (= ${binary:Version}), bilibop-rules (= ${binary:Version}), ${misc:Depends}
Description: run Debian GNU/Linux from external media - metapackage
${Description}
.
The installation of this metapackage will install other BILIBOP packages
as dependencies. You should not install it, unless your system is writable
and runs from an external device.
Package: bilibop-common
Architecture: linux-any
Depends: udev (>= 242-6), ${misc:Depends}
Suggests: bilibop-lockfs, bilibop-device-policy, cryptsetup, dmsetup, lvm2 (>= 2.02.98)
Description: shell functions for bilibop scripts
${Description}
.
This package provides shell functions usable by other bilibop scripts on the
running system or into the initramfs environment. These functions use /dev,
/proc and /sys databases to output the drive name or the partition hosting
the running system, and are fully usable by any unprivileged user or
application. Dm-crypt, LVM, loop devices, aufs and overlay root filesystems
(and almost any combination of them) are supported. A 'drivemap' command is
also provided, to show block devices in a tree of dependencies.
Package: bilibop-lockfs
Architecture: linux-any
Depends: bilibop-common (= ${binary:Version}), initramfs-tools, udev (>= 242-6), ${misc:Depends}
Recommends: cryptsetup
Suggests: aufs-dkms, bilibop-device-policy, gnome-icon-theme, libnotify-bin, plymouth
Description: lock filesystems and write changes into RAM
${Description}
.
If the lockfs feature is enabled (in a configuration file, in the boot
commandline or by a heuristic), nothing will be written on the filesystems
listed in /etc/fstab, except for those that have been whitelisted, or for
the encrypted swap devices. More, bilibop-lockfs now is able to detect if
the drive has been locked by a physical switch, and then overrides its own
settings to unconditionally apply a 'hard' policy.
.
The root filesystem is locked (set readonly, using either aufs or overlay)
by an initramfs script which also modifies the temporary fstab to prepare
other filesystems to be locked later by a mount helper script.
.
bilibop-lockfs provides the following features:
* whitelist based policy: filesystems on which you want to allow persistent
changes must be explicitly listed in a configuration file.
* swap devices policy: they can be used 'as is', noauto, only if encrypted,
only if encrypted with a random key, or not used at all.
* not only filesystems are set read-only, but also block devices: this
forbids changes of the partition table, boot sectors, LUKS headers and
LVM metadata.
* plymouth messages to know at boot time if bilibop-lockfs is enabled or
not, or if an error occurred.
* desktop notifications at startup about filesystems status, to inform the
user that volatile or persistent changes are allowed or not, and where.
.
This package can be used as an alternative to fsprotect or overlayroot,
especially for writable operating systems embedded on a USB stick; but it
may also be installed on public or personal computers, for daily use,
kiosks, testing purposes, or as a tool in anti-forensics strategies.
Package: bilibop-rules
Architecture: linux-any
Depends: bilibop-common (= ${binary:Version}), udev (>= 242-6), ${misc:Depends}
Recommends: initramfs-tools, lvm2 (>= 2.02.98)
Suggests: bilibop-lockfs, cryptsetup, policykit-1, udisks2
Conflicts: bilibop-udev
Provides: bilibop-device-policy
Description: device management rules for OS running from external media
${Description}
.
This package provides a udev rules file to manage the external drive hosting
the running system. Its main goal is to forbid low-level write access on this
drive and its partitions by any unprivileged user or application, but some
other convenient and optional rules have been added for desktop-level
management (in desktop environments based on udisks2) of the system disk and
partitions, as well as the internal disks of the computer. The 'lsbilibop'
command allows the admin to update udev properties of the devices after the
configuration file has been modified.
.
To ease device management, bilibop-rules also provides helper scripts to:
* build custom bilibop udev rules running faster than the generic ones
* filter Physical Volumes, to activate only those needed by the system
.
This package is not designed to be used on internal disks. It works only
for OS installed on removable and writable media, including LiveUSB as well
as native systems. See also the bilibop-udev package.
Package: bilibop-udev
Architecture: linux-any
Depends: bilibop-common (= ${binary:Version}), udev (>= 242-6), ${misc:Depends}
Suggests: bilibop-lockfs
Provides: bilibop-device-policy
Description: minimal udev rule for Debian GNU/Linux running from external media
${Description}
.
This package provides a udev rules file to manage the external drive hosting
the running system. Its goal is to forbid low-level write access on this
drive and its partitions by any unprivileged user or application.
.
This package is not designed to be used on internal disks. It works only
for OS installed on removable and writable media, especially LiveUSB systems
and disk images provided by most vendors of popular ARM-based development
boards. See also the bilibop-rules package.
|
