From c2ca7ff308d3573fcd8c4e26d1c590c29e649080 Mon Sep 17 00:00:00 2001 From: Igor Pecovnik Date: Thu, 5 Dec 2024 15:07:22 +0100 Subject: [PATCH] Kernel switching module: hardening --- tools/json/config.system.json | 22 +- tools/modules/system/armbian_fw_manipulate.sh | 84 ------ .../modules/system/module_armbian_firmware.sh | 239 ++++++++++++++++++ tools/modules/system/set_rolling.sh | 20 -- tools/modules/system/set_stable.sh | 20 -- tools/modules/system/switch_kernels.sh | 41 --- 6 files changed, 250 insertions(+), 176 deletions(-) delete mode 100644 tools/modules/system/armbian_fw_manipulate.sh create mode 100644 tools/modules/system/module_armbian_firmware.sh delete mode 100644 tools/modules/system/set_rolling.sh delete mode 100644 tools/modules/system/set_stable.sh delete mode 100644 tools/modules/system/switch_kernels.sh diff --git a/tools/json/config.system.json b/tools/json/config.system.json index a35b99ca0..c65a8bd1f 100644 --- a/tools/json/config.system.json +++ b/tools/json/config.system.json @@ -9,22 +9,22 @@ "description": "Enable Armbian firmware upgrades", "about": "This will enable Armbian kernel upgrades that are currently put on hold.", "command": [ - "armbian_fw_manipulate unhold" + "module_armbianfirmware unhold" ], "status": "Stable", "author": "@igorpecovnik", - "condition": "[[ -n \"$(apt-mark showhold)\" ]]" + "condition": "module_armbianfirmware hold status" }, { "id": "SY002", "description": "Disable Armbian kernel upgrades", "about": "Disable Armbian kernel/firmware upgrades", "command": [ - "armbian_fw_manipulate hold" + "module_armbianfirmware hold" ], "status": "Stable", "author": "@igorpecovnik", - "condition": "[[ -z \"$(apt-mark showhold)\" ]]" + "condition": "! module_armbianfirmware hold status" }, { "id": "SY003", @@ -230,25 +230,25 @@ }, { "id": "SY010", - "description": "Switch to rolling release", + "description": "Switch to rolling packages repository", "about": "This will switch OS to rolling releases.", "command": [ - "set_rolling" + "module_armbianfirmware repository rolling" ], "status": "Stable", "author": "@igorpecovnik", - "condition": "grep -q 'apt.armbian.com' /etc/apt/sources.list.d/armbian.list && [[ -z \"$(apt-mark showhold)\" ]]" + "condition": "module_armbianfirmware repository stable status" }, { "id": "SY011", - "description": "Switch to stable release", + "description": "Switch to stable packages repository", "about": "This will switch OS to stable releases", "command": [ - "set_stable" + "module_armbianfirmware repository stable" ], "status": "Stable", "author": "@igorpecovnik", - "condition": "grep -q 'beta.armbian.com' /etc/apt/sources.list.d/armbian.list && [[ -z \"$(apt-mark showhold)\" ]]" + "condition": "module_armbianfirmware repository rolling status" }, { "id": "SY012", @@ -287,7 +287,7 @@ "description": "Install alternative kernels", "about": "Switching between kernels might change functionality of your device. \n\nIt might fail to boot!", "command": [ - "switch_kernels" + "module_armbianfirmware select" ], "status": "Stable", "author": "@igorpecovnik", diff --git a/tools/modules/system/armbian_fw_manipulate.sh b/tools/modules/system/armbian_fw_manipulate.sh deleted file mode 100644 index 162a0aba1..000000000 --- a/tools/modules/system/armbian_fw_manipulate.sh +++ /dev/null @@ -1,84 +0,0 @@ -module_options+=( - ["armbian_fw_manipulate,author"]="@igorpecovnik" - ["armbian_fw_manipulate,ref_link"]="" - ["armbian_fw_manipulate,feature"]="armbian_fw_manipulate" - ["armbian_fw_manipulate,desc"]="freeze, unhold, reinstall armbian related packages." - ["armbian_fw_manipulate,example"]="armbian_fw_manipulate unhold/freeze/reinstall" - ["armbian_fw_manipulate,status"]="Active" -) -# -# freeze/unhold/reinstall armbian firmware packages -# -armbian_fw_manipulate() { - - local function=$1 - local version=$2 - local branch=$3 - - [[ -n $version ]] && local version="=${version}" - - # fallback to $BRANCH - [[ -z "${branch}" ]] && branch="${BRANCH}" - [[ -z "${branch}" ]] && branch="current" # fallback in case we switch to very old BSP that have no such info - - # packages to install - local armbian_packages=( - "linux-u-boot-${BOARD}-${branch}" - "linux-image-${branch}-${LINUXFAMILY}" - "linux-dtb-${branch}-${LINUXFAMILY}" - "armbian-zsh" - "armbian-bsp-cli-${BOARD}-${branch}" - ) - - # reinstall headers only if they were previously installed - if dpkg -l | grep -E "linux-headers" >/dev/null; then - local armbian_packages+=("linux-headers-${branch}-${LINUXFAMILY}") - fi - - local packages="" - for pkg in "${armbian_packages[@]}"; do - if [[ "${function}" == reinstall ]]; then - local pkg_search=$(apt search "$pkg" 2> /dev/null | grep "^$pkg") - if [[ $? -eq 0 && -n "${pkg_search}" ]]; then - if [[ "${pkg_search}" == *$version* ]] ; then - packages+="$pkg${version} "; - else - packages+="$pkg "; - fi - fi - else - if check_if_installed $pkg; then - packages+="$pkg${version} " - fi - fi - done - for pkg in "${packages[@]}"; do - case $function in - unhold) apt-mark unhold ${pkg} | show_infobox ;; - hold) apt-mark hold ${pkg} | show_infobox ;; - reinstall) - apt_install_wrapper apt-get -y --simulate --download-only --allow-change-held-packages --allow-downgrades install ${pkg} - if [[ $? == 0 ]]; then - apt_install_wrapper apt-get -y purge "linux-u-boot-*" "linux-image-*" "linux-dtb-*" "linux-headers-*" "armbian-zsh-*" "armbian-bsp-cli-*" # remove all branches - apt_install_wrapper apt-get -y --allow-change-held-packages install ${pkg} - apt_install_wrapper apt-get -y autoremove - apt_install_wrapper apt-get -y clean - else - exit 1 - fi - - - ;; - *) return ;; - esac - done - - # update branch information - BRANCH=$(dpkg -l | grep -E "linux-image" | grep -E "current|legacy|edge" | awk '{print $2}' | cut -d"-" -f3 | head -1) - if grep -q BRANCH /etc/armbian-release; then - [[ -n ${BRANCH} ]] && sed -i "s/BRANCH=.*/BRANCH=$BRANCH/g" /etc/armbian-release - else - [[ -n ${BRANCH} ]] && echo "BRANCH=$BRANCH" >> /etc/armbian-release - fi -} - diff --git a/tools/modules/system/module_armbian_firmware.sh b/tools/modules/system/module_armbian_firmware.sh new file mode 100644 index 000000000..21e682988 --- /dev/null +++ b/tools/modules/system/module_armbian_firmware.sh @@ -0,0 +1,239 @@ +declare -A module_options +module_options+=( + ["module_armbianfirmware,author"]="@igorpecovnik" + ["module_armbianfirmware,feature"]="module_armbianfirmware" + ["module_armbianfirmware,example"]="select install show hold unhold repository help" + ["module_armbianfirmware,desc"]="Example module unattended interface." + ["module_armbianfirmware,status"]="review" +) + +function module_armbianfirmware() { + local title="Armbian firmware" + local condition=$(which "$title" 2>/dev/null) + + # Convert the example string to an array + local commands + IFS=' ' read -r -a commands <<< "${module_options["module_armbianfirmware,example"]}" + + case "$1" in + "${commands[0]}") # choose kernel from the list + + # make sure to proceed if this variable is not defined. This can surface on some old builds + [[ -z "${KERNEL_TEST_TARGET}" ]] && KERNEL_TEST_TARGET="legacy,vendor,current,edge" + + # by default we define which kernels are suitable + if ! $DIALOG --title "Advanced options" --yesno "Show only mainstream kernels on the list?" 7 60; then + KERNEL_TEST_TARGET="legacy,vendor,current,edge" + fi + + # read what is possible to install + local kernel_test_target=$(for kernel_test_target in ${KERNEL_TEST_TARGET//,/ }; do echo "linux-image-${kernel_test_target}-${LINUXFAMILY}"; done;) + local installed_kernel_version=$(dpkg -l | grep '^ii' | grep linux-image | awk '{print $2"="$3}') + + # workaroun in case current is not installed + [[ -n ${installed_kernel_version} ]] && local grep_current_kernel=" | grep -v ${installed_kernel_version}" + + # main search command + local search_exec="apt-cache show ${kernel_test_target} \ + | grep -E \"Package:|Version:|version:|family\" \ + | grep -v \"Config-Version\" \ + | sed -n -e 's/^.*: //p' \ + | sed 's/\.$//g' \ + | xargs -n3 -d'\n' \ + | sed \"s/ /=/\" $grep_current_kernel" + + # construct a list of kernels with their Armbian release versions and kernel version + IFS=$'\n' + local LIST=() + for line in $(eval ${search_exec}); do + LIST+=($(echo $line | awk -F ' ' '{print $1 " "}') $(echo $line | awk -F ' ' '{print "v"$2}')) + done + unset IFS + + # generate selection menu + local list_length=$((${#LIST[@]} / 2)) + if [ "$list_length" -eq 0 ]; then + $DIALOG --backtitle "$BACKTITLE" --title " Warning " --msgbox "No other kernels available!" 7 31 + else + if target_version=$(\ + $DIALOG \ + --separate-output \ + --title "Select kernel" \ + --menu "" \ + $((${list_length} + 7)) 80 $((${list_length})) "${LIST[@]}" \ + 3>&1 1>&2 2>&3) + then + # extract branch + local branch=${target_version##*image-} + # call install function + ${module_options["module_armbianfirmware,feature"]} ${commands[1]} "${branch%%-*}" "${target_version/*=/}" + fi + fi + + ;; + + "${commands[1]}") # purge old and install selected kernel from desired branch and version + + # input parameters + local branch=$2 + local version=$3 + + # generate list + ${module_options["module_armbianfirmware,feature"]} ${commands[2]} "${branch}" "${version}" "hide" + + # purge and install + for pkg in "${packages[@]}"; do + purge_pkg=$(echo $pkg | sed -e 's/current/*/;s/legacy/*/;s/edge/*/;s/vendor/*/') + apt_install_wrapper apt-get -y --simulate --download-only --allow-change-held-packages --allow-downgrades install ${pkg} + # if test install is succesfull, proceed + if [[ $? == 0 ]]; then + apt_install_wrapper apt-get -y purge ${purge_pkg} + apt_install_wrapper apt-get -y --autoremove --allow-change-held-packages install ${pkg} + fi + done + + ;; + "${commands[2]}") # generate a list of possible packages to install + + # input parameters + local branch="$2" + local version="$3" + local hide="$4" + local repository="$5" + + # if branch is not defined, we use the one that is currently installed + [[ -z $branch ]] && local branch=$BRANCH + + # if repository is not defined, we use stable one + [[ -z $repository ]] && local repository="apt.armbian.com" + + # select Armbian packages we want to searching for + armbian_packages=( + "linux-image-${branch}-${LINUXFAMILY}" + "linux-dtb-${branch}-${LINUXFAMILY}" + ) + + # install headers only if they were previously installed + if dpkg -l | grep -E "linux-headers" >/dev/null; then + armbian_packages+=("linux-headers-${branch}-${LINUXFAMILY}") + fi + + # install full firmware if it was installed previously + if dpkg -l | grep -E "armbian-firmware-full" >/dev/null; then + armbian_packages+=("armbian-firmware-full") + else + armbian_packages+=("armbian-firmware") + fi + + # when we select a specific version of Armbian, we need to make sure that version exists + # for each package we want to install. In case desired version does not exists, it installs + # package without specifying version. This prevent breaking install in case some + # package version was removed from repository. Just in case. + packages="" + for pkg in "${armbian_packages[@]}"; do + # use package + version if found else use package if found + if apt-cache show "$pkg" 2> /dev/null \ + | grep -E "Package:|^Version:|family" \ + | sed -n -e 's/^.*: //p' \ + | sed 's/\.$//g' \ + | xargs -n2 -d'\n' \ + | grep ${pkg} | grep -e ${version} >/dev/null 2>&1; then + packages+="${pkg}=${version} "; + elif + apt-cache show "$pkg" 2> /dev/null \ + | grep -E "Package:|^Version:|family" \ + | sed -n -e 's/^.*: //p' \ + | sed 's/\.$//g' \ + | xargs -n2 -d'\n' \ + | grep "${pkg}" >/dev/null 2>&1 ; then + packages+="${pkg} "; + fi + done + + # if this is called with a parameter hide, we only prepare this list but don't show its content + [[ "$4" != "hide" ]] && echo ${packages[@]} + + ;; + "${commands[3]}") + + local status=$2 + + # apt-mark hold + ${module_options["module_armbianfirmware,feature"]} ${commands[2]} "" "" hide + if [[ "$status" == "status" ]]; then + hold=($(apt-mark showhold)) + test=($(for lol in ${packages[@]}; do + for x in ${hold[@]}; do + echo $lol | grep $x + done + done)) + [[ -z ${test[@]} ]] && return 1 || return 0 + else + apt-mark hold ${packages[@]} + fi + + ;; + "${commands[4]}") + + # apt-mark unhold + ${module_options["module_armbianfirmware,feature"]} ${commands[2]} "" "" hide + apt-mark unhold ${packages[@]} + ;; + "${commands[5]}") + + # Parameter $2 = rolling | stable + # Parameter $3 = status which returns true or false + # + # It switches to rolling or stable Armbian repository and performs list update if this is needed + + local repository=$2 + local status=$3 + + if grep -q 'apt.armbian.com' /etc/apt/sources.list.d/armbian.list; then + if [[ "$repository" == "rolling" && "$status" == "status" ]]; then + return 1 + elif [[ "$status" == "status" ]]; then + return 0 + fi + if [[ "$repository" == "rolling" ]]; then + sed -i "s/http:\/\/[^ ]*/http:\/\/beta.armbian.com/" /etc/apt/sources.list.d/armbian.list + apt_install_wrapper apt-get update + fi + else + if [[ "$repository" == "stable" && "$status" == "status" ]]; then + return 1 + elif [[ "$status" == "status" ]]; then + return 0 + fi + if [[ "$repository" == "stable" ]]; then + sed -i "s/http:\/\/[^ ]*/http:\/\/apt.armbian.com/" /etc/apt/sources.list.d/armbian.list + apt_install_wrapper apt-get update + fi + fi + + # reinstall firmware + [[ "$status" != "status" ]] && ${module_options["module_armbianfirmware,feature"]} ${commands[1]} + ;; + + "${commands[6]}") + echo -e "\nUsage: ${module_options["module_armbianfirmware,feature"]} " + echo -e "Commands: ${module_options["module_armbianfirmware,example"]}" + echo "Available commands:" + echo -e "\tselect \t- [stable]|[rolling] TUI to select $title." + echo -e "\tinstall \t- Install $title [\$BRANCH] [\$VERSION]." + echo -e "\tshow \t- Show $title packages." + echo -e "\thold \t- [status] Mark $title packages as held back. When parameter status is used, it returns false or true." + echo -e "\tunhold \t- Unset $title packages set as held back." + echo -e "\trepository\t- [stable]|[rolling] selects repository and performs update." + echo + ;; + *) + ${module_options["module_armbianfirmware,feature"]} ${commands[6]} + ;; + esac + } + +# uncomment to test the module +DIALOG=whiptail +source /etc/armbian-release +module_armbianfirmware "$1" "$2" "$3" "$4" diff --git a/tools/modules/system/set_rolling.sh b/tools/modules/system/set_rolling.sh deleted file mode 100644 index fe2aad4d1..000000000 --- a/tools/modules/system/set_rolling.sh +++ /dev/null @@ -1,20 +0,0 @@ -module_options+=( - ["set_rolling,author"]="@Tearran" - ["set_rolling,ref_link"]="https://github.com/armbian/config/blob/master/debian-config-jobs#L1446" - ["set_rolling,feature"]="set_rolling" - ["set_rolling,desc"]="Set Armbian to rolling release" - ["set_rolling,example"]="set_rolling" - ["set_rolling,status"]="Active" -) -# -# @description Set Armbian to rolling release -# -function set_rolling() { - - if ! grep -q 'beta.armbian.com' /etc/apt/sources.list.d/armbian.list; then - sed -i "s/http:\/\/[^ ]*/http:\/\/beta.armbian.com/" /etc/apt/sources.list.d/armbian.list - apt_install_wrapper apt-get update - armbian_fw_manipulate "reinstall" - fi -} - diff --git a/tools/modules/system/set_stable.sh b/tools/modules/system/set_stable.sh deleted file mode 100644 index 7cb467fbb..000000000 --- a/tools/modules/system/set_stable.sh +++ /dev/null @@ -1,20 +0,0 @@ -module_options+=( - ["set_stable,author"]="@Tearran" - ["set_stable,ref_link"]="https://github.com/armbian/config/blob/master/debian-config-jobs#L1446" - ["set_stable,feature"]="set_stable" - ["set_stable,desc"]="Set Armbian to stable release" - ["set_stable,example"]="set_stable" - ["set_stable,status"]="Active" -) -# -# @description Set Armbian to stable release -# -function set_stable() { - - if ! grep -q 'apt.armbian.com' /etc/apt/sources.list.d/armbian.list; then - sed -i "s/http:\/\/[^ ]*/http:\/\/apt.armbian.com/" /etc/apt/sources.list.d/armbian.list - apt_install_wrapper apt-get update - armbian_fw_manipulate "reinstall" - fi -} - diff --git a/tools/modules/system/switch_kernels.sh b/tools/modules/system/switch_kernels.sh deleted file mode 100644 index d183dc848..000000000 --- a/tools/modules/system/switch_kernels.sh +++ /dev/null @@ -1,41 +0,0 @@ -module_options+=( - ["switch_kernels,author"]="@igorpecovnik" - ["switch_kernels,ref_link"]="" - ["switch_kernels,feature"]="switch_kernels" - ["switch_kernels,desc"]="Switching to alternative kernels" - ["switch_kernels,example"]="switch_kernels" - ["switch_kernels,status"]="Active" -) -# -# @description Switch between alternative kernels -# -function switch_kernels() { - - # we only allow switching kerneles that are in the test pool - [[ -z "${KERNEL_TEST_TARGET}" ]] && KERNEL_TEST_TARGET="legacy,current,edge" - dialog --title "Warning!" --yesno "\nInclude untested kernels on the list?" 7 60 - [[ $? -eq 0 ]] && KERNEL_TEST_TARGET="legacy,vendor,current,edge" - local kernel_test_target=$(for x in ${KERNEL_TEST_TARGET//,/ }; do echo "linux-image-$x-${LINUXFAMILY}"; done;) - local installed_kernel_version=$(dpkg -l | grep '^ii' | grep linux-image | awk '{print $2"="$3}') - # just in case current is not installed - [[ -n ${installed_kernel_version} ]] && local grep_current_kernel=" | grep -v ${installed_kernel_version}" - local search_exec="apt-cache show ${kernel_test_target} | grep -E \"Package:|Version:|version:|family\" | grep -v \"Config-Version\" | sed -n -e 's/^.*: //p' | sed 's/\.$//g' | xargs -n3 -d'\n' | sed \"s/ /=/\" $grep_current_kernel" - IFS=$' -' - local LIST=() - for line in $(eval ${search_exec}); do - LIST+=($(echo $line | awk -F ' ' '{print $1 " "}') $(echo $line | awk -F ' ' '{print "v"$2}')) - done - unset IFS - local list_length=$((${#LIST[@]} / 2)) - if [ "$list_length" -eq 0 ]; then - dialog --backtitle "$BACKTITLE" --title " Warning " --msgbox "No other kernels available!" 7 32 - else - local target_version=$(whiptail --separate-output --title "Select kernel" --menu "ed" $((${list_length} + 7)) 80 $((${list_length})) "${LIST[@]}" 3>&1 1>&2 2>&3) - if [ $? -eq 0 ] && [ -n "${target_version}" ]; then - local branch=${target_version##*image-} - armbian_fw_manipulate "reinstall" "${target_version/*=/}" "${branch%%-*}" - fi - fi -} -