feat: build system hardening — collision detection, validation gates, init path enforcement
5-phase hardening to prevent silent file-layer collisions (the D-Bus regression class): Phase 1: lint-config-paths.sh + make lint-config in depends.mk Phase 2: CollisionTracker in installer (content-hash comparison) Phase 3: installs manifests in recipe.toml + validate-file-ownership.sh Phase 4: validate-init-services.sh + make validate in disk.mk Phase 5: documentation (AGENTS.md, BUILD-SYSTEM-HARDENING-PLAN.md) Both redbear-mini and redbear-full build and validate clean. 66 declared install paths in base, zero conflicts.
This commit is contained in:
+20
-19
@@ -159,7 +159,7 @@ data = "/usr/share/fonts"
|
||||
symlink = true
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/05_boot-essential.target"
|
||||
path = "/etc/init.d/05_boot-essential.target"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Boot essential services target"
|
||||
@@ -169,7 +169,7 @@ requires_weak = [
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_iommu.service"
|
||||
path = "/etc/init.d/13_iommu.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "IOMMU DMA remapping daemon"
|
||||
@@ -184,7 +184,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/12_dbus.service"
|
||||
path = "/etc/init.d/12_dbus.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "D-Bus system bus"
|
||||
@@ -200,7 +200,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_redbear-sessiond.service"
|
||||
path = "/etc/init.d/13_redbear-sessiond.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Red Bear session broker (org.freedesktop.login1)"
|
||||
@@ -214,7 +214,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_seatd.service"
|
||||
path = "/etc/init.d/13_seatd.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "seatd seat management daemon"
|
||||
@@ -230,7 +230,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_redbear-keymapd.service"
|
||||
path = "/etc/init.d/13_redbear-keymapd.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Runtime keymap daemon"
|
||||
@@ -244,7 +244,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_redbear-ime.service"
|
||||
path = "/etc/init.d/13_redbear-ime.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Input method engine daemon"
|
||||
@@ -258,7 +258,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/13_redbear-accessibility.service"
|
||||
path = "/etc/init.d/13_redbear-accessibility.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Accessibility input filter daemon (sticky/slow/bounce keys)"
|
||||
@@ -272,7 +272,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/14_redbear-upower.service"
|
||||
path = "/etc/init.d/14_redbear-upower.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "UPower D-Bus service (org.freedesktop.UPower)"
|
||||
@@ -286,7 +286,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/14_redbear-udisks.service"
|
||||
path = "/etc/init.d/14_redbear-udisks.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "UDisks2 D-Bus service (org.freedesktop.UDisks2)"
|
||||
@@ -300,7 +300,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/14_redbear-polkit.service"
|
||||
path = "/etc/init.d/14_redbear-polkit.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "PolicyKit1 D-Bus service (org.freedesktop.PolicyKit1)"
|
||||
@@ -314,7 +314,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/19_redbear-authd.service"
|
||||
path = "/etc/init.d/19_redbear-authd.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Red Bear authentication daemon"
|
||||
@@ -329,7 +329,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/20_display.service"
|
||||
path = "/etc/init.d/20_display.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "KDE session assembly helper"
|
||||
@@ -349,7 +349,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/20_greeter.service"
|
||||
path = "/etc/init.d/20_greeter.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Red Bear greeter service"
|
||||
@@ -369,7 +369,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/29_activate_console.service"
|
||||
path = "/etc/init.d/29_activate_console.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Activate fallback console VT"
|
||||
@@ -384,7 +384,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/30_console.service"
|
||||
path = "/etc/init.d/30_console.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Console terminals"
|
||||
@@ -399,7 +399,7 @@ type = "oneshot_async"
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/31_debug_console.service"
|
||||
path = "/etc/init.d/31_debug_console.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Debug console on serial port"
|
||||
@@ -409,12 +409,13 @@ requires_weak = [
|
||||
|
||||
[service]
|
||||
cmd = "getty"
|
||||
args = ["/scheme/debug", "-J"]
|
||||
args = ["/scheme/debug/no-preserve", "-J"]
|
||||
type = "oneshot_async"
|
||||
respawn = true
|
||||
"""
|
||||
|
||||
[[files]]
|
||||
path = "/usr/lib/init.d/99_diag_serial.service"
|
||||
path = "/etc/init.d/99_diag_serial.service"
|
||||
data = """
|
||||
[unit]
|
||||
description = "Serial diagnostic marker"
|
||||
|
||||
Reference in New Issue
Block a user