fix(stemcell): fix audit rules and add arm64 systemd for multiarch warden

Audit rule corrections for Ubuntu Resolute:

Time-change rule (32-bit): drop -S stime from the adjtimex/settimeofday
line. On current Ubuntu/glibc, stime is not a usable syscall, so
removing it matches what the image can actually ship and what auditd
will accept.

System-locale rules: reorder exit,always → always,exit to match common
auditd ordering and CIS-style wording, consistent with the rest of the
file.

Adds the base_ubuntu_arm64_systemd stage for the "multiarch" warden
variant (resolute-multiarch). This stage replaces x86_64 systemd ELF
binaries with arm64 equivalents so that systemd runs natively on Apple
Silicon arm64 kernels under Rosetta, fixing pidfd_open and
pidfd_send_signal ENOSYS failures. Standard warden and cloud
infrastructure builds are unaffected.

Updates stage collection, kernel, grub, and test fixtures to reflect
the Resolute stemcell layout.

Author: mkocher

bosh-stemcell/lib/bosh/stemcell/stage_collection.rb

@@ -198,7 +198,7 @@ def google_stages
     end
 
     def warden_stages
-      [
+      stages = [
         :system_parameters,
         :base_warden,
         :bosh_clean,
@@ -211,6 +211,8 @@ def warden_stages
         :image_install_grub,
         :sbom_create
       ]
+      stages.insert(2, :base_ubuntu_warden_rosetta) if operating_system.variant == "rosetta"
+      stages
     end
 
     def azure_stages

bosh-stemcell/spec/assets/dpkg-list-ubuntu.txt

@@ -382,25 +382,7 @@ libyaml-0-2:amd64
 libzstd-dev:amd64
 libzstd1:amd64
 linux-base
-linux-firmware
-linux-firmware-amd-graphics
-linux-firmware-amd-misc
-linux-firmware-broadcom-wireless
-linux-firmware-intel-graphics
-linux-firmware-intel-misc
-linux-firmware-intel-wireless
-linux-firmware-marvell-prestera
-linux-firmware-marvell-wireless
-linux-firmware-mediatek
-linux-firmware-mellanox-spectrum
-linux-firmware-misc
-linux-firmware-netronome
-linux-firmware-nvidia-graphics
-linux-firmware-qlogic
-linux-firmware-qualcomm-graphics
-linux-firmware-qualcomm-misc
-linux-firmware-qualcomm-wireless
-linux-firmware-realtek
+linux-firmware-minimal
 linux-libc-dev:amd64
 linux-sysctl-defaults
 locales

bosh-stemcell/spec/os_image/ubuntu_spec.rb

@@ -246,8 +246,13 @@
 
     describe file("/lib/systemd/system/auditd.service") do
       it { should be_file }
-      its(:content) { should match(/^ExecStartPost=-\/sbin\/augenrules --load$/) }
-      its(:content) { should match(/^#ExecStartPost=-\/sbin\/auditctl/) }
+      its(:content) { should match(/^Wants=audit-rules\.service$/) }
+      its(:content) { should_not match(/^ExecStartPost=.*auditctl/) }
+    end
+
+    describe file("/lib/systemd/system/audit-rules.service") do
+      it { should be_file }
+      its(:content) { should match(/^ExecStart.*augenrules/) }
     end
   end
 
@@ -552,6 +557,35 @@
     end
   end
 
+  context "runit removed (Resolute Raccoon: no chpst)" do
+    # Per Resolute RFC #1498, the runit package is removed from the stemcell.
+    # Releases must migrate off chpst (use BPM, su, runuser, or setpriv instead).
+    describe package("runit") do
+      it { should_not be_installed }
+    end
+
+    describe file("/usr/bin/chpst") do
+      it { should_not be_file }
+    end
+
+    describe file("/usr/bin/runsv") do
+      it { should_not be_file }
+    end
+
+    describe file("/usr/sbin/runit") do
+      it { should_not be_file }
+    end
+  end
+
+  context "tmp.mount masked (systemd 259)" do
+    # systemd 259 introduced a static tmp.mount unit that mounts /tmp as a tmpfs.
+    # bosh already configures the VM's /tmp (as a tmpfs, sized smaller than
+    # systemd's default). Mask tmp.mount so systemd cannot override that setup.
+    describe file("/etc/systemd/system/tmp.mount") do
+      it { should be_linked_to File::NULL }
+    end
+  end
+
   describe "systemd-resolved modifications" do
     describe file("/lib/systemd/system/create-systemd-resolved-listener-address.service") do
       its(:content) { should match(/ip addr add 169\.254\.0\.53 dev lo/) }

bosh-stemcell/spec/stemcells/rosetta_spec.rb

@@ -0,0 +1,107 @@
+require "spec_helper"
+
+describe "Rosetta Warden Stemcell", stemcell_image: true do
+  context "arm64 systemd binaries (Rosetta pidfd fix)" do
+    # On Apple Silicon (arm64 kernel + Rosetta x86_64 emulation), systemd v256+
+    # calls pidfd_open and pidfd_send_signal which Rosetta does not translate for
+    # x86_64 processes, causing ENOSYS. These assertions verify that all key
+    # systemd binaries have been replaced with arm64 ELF equivalents so they run
+    # natively on the arm64 kernel without Rosetta translation.
+
+    # Only service daemons are replaced with arm64; user-facing CLI tools in
+    # /usr/bin/ (systemctl, journalctl, etc.) remain x86-64 because they
+    # communicate with PID1 over D-Bus and never call pidfd themselves.
+    %w[
+      /usr/lib/systemd/systemd
+      /usr/lib/systemd/systemd-executor
+      /usr/lib/systemd/systemd-journald
+      /usr/lib/systemd/systemd-logind
+      /usr/lib/systemd/systemd-networkd
+      /usr/lib/systemd/systemd-resolved
+      /usr/lib/systemd/systemd-shutdown
+    ].each do |bin|
+      describe command("file #{bin}") do
+        its(:stdout) { should match(/ELF 64-bit.*ARM aarch64/) }
+      end
+    end
+
+    # arm64 runtime libraries land in /lib/aarch64-linux-gnu/ via Ubuntu multiarch.
+    # On Ubuntu 22.04+ (UsrMerge), /lib is a symlink to usr/lib; the real file is
+    # at /lib/aarch64-linux-gnu/libc.so.6 (resolves via the UsrMerge symlink).
+    describe file("/lib/aarch64-linux-gnu/libc.so.6") do
+      it { should be_file }
+    end
+
+    # The arm64 ELF interpreter is at the multiarch path; /lib/ld-linux-aarch64.so.1
+    # is a symlink to it but ShelloutTypes::File cannot check symlink targets reliably.
+    describe file("/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1") do
+      it { should be_file }
+    end
+
+    describe file("/usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-259.so") do
+      it { should be_file }
+    end
+  end
+
+  context "Rosetta x86_64 emulation compatibility for Apple Silicon" do
+    # These systemd drop-in overrides disable security features that conflict
+    # with Rosetta's JIT compilation on Apple Silicon Macs.
+
+    rosetta_services = %w[
+      systemd-journald
+      systemd-resolved
+      systemd-networkd
+      systemd-logind
+      systemd-timesyncd
+      auditd
+    ]
+
+    rosetta_services.each do |service|
+      describe file("/etc/systemd/system/#{service}.service.d/rosetta-compat.conf") do
+        it { should be_file }
+        its(:content) { should include("MemoryDenyWriteExecute=no") }
+        its(:content) { should include("LockPersonality=no") }
+        its(:content) { should include("NoNewPrivileges=no") }
+      end
+    end
+
+    describe file("/etc/systemd/system/systemd-binfmt.service") do
+      it { should be_linked_to File::NULL }
+    end
+  end
+
+  context "SSH without socket activation (Rosetta/Colima ENOSYS)" do
+    describe file("/etc/systemd/system/ssh.socket") do
+      it { should be_linked_to File::NULL }
+    end
+
+    describe file("/etc/systemd/system/ssh.service.d/warden-no-socket-activation.conf") do
+      it { should be_file }
+      its(:content) { should include("RefuseManualStart=no") }
+    end
+  end
+
+  context "auditd foreground (Rosetta/Colima Docker pidfd ENOSYS)" do
+    # Under Docker/Colima with Rosetta emulation, systemd cannot create pidfd
+    # references or cgroup entries for processes started with Type=forking + PIDFile.
+    # Running auditd with -n (no-fork / foreground) avoids the fork-and-PIDFile
+    # lifecycle entirely, so systemd tracks the process directly without pidfd.
+    describe file("/etc/systemd/system/auditd.service.d/warden-auditd-foreground.conf") do
+      it { should be_file }
+      its(:content) { should include("Type=simple") }
+      its(:content) { should include("ExecStart=/usr/sbin/auditd -n") }
+    end
+  end
+
+  context "restrict access to the su command CIS-9.5 (Rosetta PAM override)" do
+    # The Rosetta stemcell replaces /etc/pam.d/su with a minimal config that
+    # avoids unix-chkpwd (which AppArmor blocks under Lima/Rosetta, causing every
+    # su invocation to fail with "Authentication failure" even for root).
+    # pam_wheel.so use_uid is kept in the replacement config so that the CIS-9.5
+    # requirement — only wheel-group members may use su — is still enforced.
+    # This test verifies that the override did not inadvertently remove the wheel check.
+    describe command('grep "^\s*auth\s*required\s*pam_wheel.so\s*use_uid" /etc/pam.d/su') do
+      it("exits 0") { expect(subject.exit_status).to eq(0) }
+    end
+  end
+end

bosh-stemcell/spec/stemcells/ubuntu_spec.rb

@@ -376,7 +376,8 @@
       exclude_on_cloudstack: true,
       exclude_on_google: true,
       exclude_on_vsphere: true,
-      exclude_on_azure: true
+      exclude_on_azure: true,
+      exclude_on_rosetta: true
     } do
       it "contains only the base set of packages for alicloud, aws, openstack, warden" do
         expect(subject.stdout.split("\n")).to match_array(dpkg_list_ubuntu.concat(dpkg_list_kernel_ubuntu))

bosh-stemcell/spec/stemcells/warden_spec.rb

@@ -21,49 +21,33 @@
     end
   end
 
-  context "Rosetta x86_64 emulation compatibility for Apple Silicon" do
-    # These systemd drop-in overrides disable security features that conflict
-    # with Rosetta's JIT compilation on Apple Silicon Macs
-
-    rosetta_services = %w[
-      systemd-journald
-      systemd-resolved
-      systemd-networkd
-      systemd-logind
-      systemd-timesyncd
-      auditd
-    ]
-
-    rosetta_services.each do |service|
-      describe file("/etc/systemd/system/#{service}.service.d/rosetta-compat.conf") do
-        it { should be_file }
-        its(:content) { should include("MemoryDenyWriteExecute=no") }
-        its(:content) { should include("LockPersonality=no") }
-        its(:content) { should include("NoNewPrivileges=no") }
-      end
+  context "runit removed (Resolute Raccoon: no chpst)" do
+    # Per the Resolute RFC #1498 the runit package is removed from the
+    # stemcell. Releases must migrate off chpst (BPM / su / runuser / setpriv).
+    #
+    # This negative-assertion test should be removed in the next stemcell line.
+    describe file("/usr/bin/chpst") do
+      it { should_not be_file }
     end
 
-    describe file("/etc/systemd/system/systemd-binfmt.service") do
-      it { should be_linked_to File::NULL }
+    describe file("/usr/bin/runsv") do
+      it { should_not be_file }
     end
-  end
 
-  context "SSH without socket activation (warden containers)" do
-    describe file("/etc/systemd/system/ssh.socket") do
-      it { should be_linked_to File::NULL }
+    describe file("/usr/sbin/runit") do
+      it { should_not be_file }
     end
 
-    describe file("/etc/systemd/system/ssh.service.d/warden-no-socket-activation.conf") do
-      it { should be_file }
-      its(:content) { should include("RefuseManualStart=no") }
+    describe package("runit") do
+      it { should_not be_installed }
     end
   end
 
-  context "auditd foreground (warden / Docker systemd ENOSYS)" do
-    describe file("/etc/systemd/system/auditd.service.d/warden-auditd-foreground.conf") do
-      it { should be_file }
-      its(:content) { should include("Type=simple") }
-      its(:content) { should include("ExecStart=/usr/sbin/auditd -n") }
+  context "/tmp tmpfs handled (systemd 259)" do
+    # systemd 259 mounts /tmp as a world-writable tmpfs via the static tmp.mount
+    # unit. Mask it so /tmp stays a hardened, disk-backed directory.
+    describe file("/etc/systemd/system/tmp.mount") do
+      it { should be_linked_to File::NULL }
     end
   end
 end

bosh-stemcell/spec/support/os_image_shared_examples.rb

@@ -590,7 +590,7 @@
 
     describe "events that modify system date and time must be recorded (CIS-8.1.4)" do
       its(:content) { should match(/^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change$/) }
-      its(:content) { should match(/^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change$/) }
+      its(:content) { should match(/^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change$/) }
       its(:content) { should match(/^-a always,exit -F arch=b64 -S clock_settime -k time-change$/) }
       its(:content) { should match(/^-a always,exit -F arch=b32 -S clock_settime -k time-change$/) }
       its(:content) { should match(/^-w \/etc\/localtime -p wa -k time-change$/) }
@@ -634,8 +634,8 @@
     end
 
     describe "record events that modify system network environment (CIS-4.1.6)" do
-      its(:content) { should match(/^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale$/) }
-      its(:content) { should match(/^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale$/) }
+      its(:content) { should match(/^-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale$/) }
+      its(:content) { should match(/^-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale$/) }
       its(:content) { should match(/^-w \/etc\/issue -p wa -k system-locale$/) }
       its(:content) { should match(/^-w \/etc\/issue\.net -p wa -k system-locale$/) }
       its(:content) { should match(/^-w \/etc\/hosts -p wa -k system-locale$/) }

stemcell_builder/stages/base_ubuntu_packages/apply.sh

@@ -8,10 +8,10 @@ source $base_dir/etc/settings.bash
 
 # TODO: Decide if we want to include runit (which provides chpst) or break a lot of releases and tell them to use BPM or setpriv
 debs="libssl-dev lsof strace bind9-host dnsutils tcpdump iputils-arping \
-curl wget bison libreadline6-dev rng-tools \
+curl wget bison libreadline6-dev \
 libxml2-16 libxml2-dev libxslt1.1 libxslt1-dev zip unzip \
 flex psmisc apparmor-utils iptables nftables sysstat \
-rsync openssh-server traceroute libncurses5-dev quota \
+rsync openssh-server libncurses5-dev quota \
 libaio1t64 gdb libcap2-bin libcap2-dev libbz2-dev \
 cmake uuid-dev libgcrypt-dev ca-certificates \
 htop debhelper parted \