mios-dev
diff --git a/‎.gitignore‎
Lines changed: 9 additions & 1 deletion b/‎.gitignore‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎automation/manifest.json‎
Lines changed: 3 additions & 3 deletions b/‎automation/manifest.json‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎tools/manifest.json‎
Lines changed: 1 addition & 1 deletion b/‎tools/manifest.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎usr/lib/dracut/dracut-cpio‎
-424 KB b/‎usr/lib/dracut/dracut-cpio‎
-424 KB
diff --git a/‎usr/lib/dracut/dracut-functions‎
Lines changed: 0 additions & 1 deletion b/‎usr/lib/dracut/dracut-functions‎
Lines changed: 0 additions & 1 deletion
@@ -283,8 +283,16 @@ usr/lib/*
 !/usr/lib/crowdsec/**
 !/usr/lib/dnf/
 !/usr/lib/dnf/**
+# dracut: only MiOS-authored conf.d drop-ins are tracked. The dracut RPM
+# owns the binaries (dracut-init.sh, dracut-functions.sh, dracut-install,
+# dracut-cpio, ...) and the 100+ upstream modules under modules.d/. Carrying
+# verbatim copies in this repo would silently shadow newer dracut RPMs --
+# 292 vestigial files were dropped on 2026-05-05 (audit finding F10).
 !/usr/lib/dracut/
-!/usr/lib/dracut/**
+usr/lib/dracut/*
+!/usr/lib/dracut/dracut.conf.d/
+usr/lib/dracut/dracut.conf.d/*
+!/usr/lib/dracut/dracut.conf.d/*-mios-*.conf
 !/usr/lib/firewalld/
 !/usr/lib/firewalld/**
 !/usr/lib/greenboot/
 
@@ -1,5 +1,5 @@
 {
-  "generated_at": "2026-05-05T19:57:42.242965",
+  "generated_at": "2026-05-05T20:36:53.027050",
   "source_directory": "automation",
   "entries": [
     {
@@ -249,10 +249,10 @@
     },
     {
       "path": "automation\\40-composefs-verity.sh",
-      "last_modified": "2026-05-05T11:50:50.098680",
+      "last_modified": "2026-05-05T20:01:09.596044",
       "title": "40-composefs-verity.sh",
       "type": "source_code",
-      "full_content": "#!/usr/bin/env bash\n# 40-composefs-verity.sh - promote composefs from default (yes) to verity mode\n# Tamper-evident root. Requires ext4 or btrfs target FS (NOT xfs).\nset -euo pipefail\nsource \"$(dirname \"${BASH_SOURCE[0]}\")/lib/common.sh\"\n\nconf=/usr/lib/ostree/prepare-root.conf\nif [[ -f \"$conf\" ]]; then\n    log \"backing up existing $conf -> ${conf}.orig\"\n    cp -a \"$conf\" \"${conf}.orig\"\nfi\n\ncat > \"$conf\" <<'EOF'\n# 'MiOS': composefs in verity mode. Tamper-evident root.\n# Target filesystems must support fsverity (ext4, btrfs). XFS is NOT supported.\n[composefs]\nenabled = verity\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n\n# Mask systemd-remount-fs (known-broken with composefs on F42+)\nlog \"masking systemd-remount-fs.service (composefs interop bug)\"\nln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service\n\nlog \"composefs verity mode configured\""
+      "full_content": "#!/usr/bin/env bash\n# 40-composefs-verity.sh -- render /usr/lib/ostree/prepare-root.conf based\n# on the operator-tunable [security].composefs_mode knob in mios.toml.\n#\n# SSOT: usr/share/mios/mios.toml [security].composefs_mode\n#       (resolved through the documented overlay chain by lib/packages.sh\n#        + this script's local _read_mios_scalar awk helper).\n#\n# Modes:\n#   verity  -- composefs in fs-verity mode (tamper-evident root). Default.\n#              Requires ext4 or btrfs. Also masks systemd-remount-fs.service\n#              (known-broken on Fedora 42+ with composefs) when\n#              [security].mask_systemd_remount_fs = true.\n#   yes     -- composefs enabled without verity. Works on XFS too.\n#   off     -- skip prepare-root.conf rewrite entirely; honor base image.\n#\n# See usr/share/mios/mios.toml [security] prose for the full rationale.\nset -euo pipefail\nSCRIPT_DIR=\"$(cd \"$(dirname \"${BASH_SOURCE[0]}\")\" && pwd)\"\n# shellcheck source=lib/common.sh\nsource \"${SCRIPT_DIR}/lib/common.sh\"\n# shellcheck source=lib/packages.sh\n# Pulled in for _resolve_mios_toml; the same TOML overlay chain that\n# packages.sh uses is what we want for [security] too.\nsource \"${SCRIPT_DIR}/lib/packages.sh\"\n\n# _read_mios_scalar <table> <key> -- read a top-level scalar from the\n# [<table>] block of the resolved mios.toml. Strips quotes and inline\n# comments. Returns empty string when the key is absent.\n_read_mios_scalar() {\n    local table=\"$1\" key=\"$2\" toml_path\n    toml_path=\"$(_resolve_mios_toml 2>/dev/null || true)\"\n    [[ -n \"$toml_path\" && -f \"$toml_path\" ]] || return 0\n    awk -v table=\"$table\" -v key=\"$key\" '\n        /^\\[/ {\n            in_section = 0\n            line = $0\n            sub(/^\\[/, \"\", line); sub(/\\][[:space:]]*$/, \"\", line)\n            gsub(/[[:space:]]/, \"\", line)\n            if (line == table) in_section = 1\n            next\n        }\n        in_section {\n            if (match($0, \"^[[:space:]]*\" key \"[[:space:]]*=\")) {\n                value = $0\n                sub(/^[^=]*=[[:space:]]*/, \"\", value)\n                sub(/[[:space:]]*#.*$/, \"\", value)\n                gsub(/^[[:space:]]+|[[:space:]]+$/, \"\", value)\n                gsub(/^\"|\"$/, \"\", value)\n                print value\n                exit 0\n            }\n        }\n    ' \"$toml_path\"\n}\n\nMODE=\"$(_read_mios_scalar security composefs_mode)\"\nMODE=\"${MODE:-verity}\"\nMASK_REMOUNT=\"$(_read_mios_scalar security mask_systemd_remount_fs)\"\nMASK_REMOUNT=\"${MASK_REMOUNT:-true}\"\n\ncase \"$MODE\" in\n    verity|yes|off) ;;\n    *)\n        warn \"[40-composefs-verity] unknown composefs_mode='${MODE}', falling back to 'verity'\"\n        MODE=\"verity\"\n        ;;\nesac\n\nif [[ \"$MODE\" == \"off\" ]]; then\n    log \"[40-composefs-verity] composefs_mode=off -- honoring base image's prepare-root.conf\"\n    exit 0\nfi\n\nconf=/usr/lib/ostree/prepare-root.conf\nif [[ -f \"$conf\" ]]; then\n    log \"[40-composefs-verity] backing up existing $conf -> ${conf}.orig\"\n    cp -a \"$conf\" \"${conf}.orig\"\nfi\n\n# Render the table according to the requested mode. The [root] / [etc]\n# transient = false stanzas are independent of verity vs yes -- they\n# enforce immutable / non-tmpfs root and /etc on every composefs path.\nlog \"[40-composefs-verity] writing $conf with composefs mode=${MODE}\"\ncase \"$MODE\" in\n    verity)\n        cat > \"$conf\" <<'EOF'\n# 'MiOS': composefs in verity mode. Tamper-evident root.\n# Target filesystems must support fsverity (ext4, btrfs). XFS is NOT supported.\n# SSOT: mios.toml [security].composefs_mode = \"verity\".\n[composefs]\nenabled = verity\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n        ;;\n    yes)\n        cat > \"$conf\" <<'EOF'\n# 'MiOS': composefs enabled (no verity). Read-only /usr without the\n# fs-verity cryptographic chain -- works on every composefs-capable\n# filesystem (ext4, btrfs, XFS). Default upstream FCOS / bootc posture.\n# SSOT: mios.toml [security].composefs_mode = \"yes\".\n[composefs]\nenabled = yes\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n        ;;\nesac\n\n# systemd-remount-fs masking: only relevant in verity mode (where the\n# composefs/remount-fs interop bug surfaces). The \"yes\" path uses the\n# upstream-default mount sequence and does not need the mask.\nif [[ \"$MODE\" == \"verity\" && \"$MASK_REMOUNT\" =~ ^(true|TRUE|1|yes|YES)$ ]]; then\n    log \"[40-composefs-verity] masking systemd-remount-fs.service (composefs/remount interop bug)\"\n    install -d -m 0755 /etc/systemd/system\n    ln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service\nfi\n\nlog \"[40-composefs-verity] composefs mode=${MODE} configured\"\n"
     },
     {
       "path": "automation\\40-flatpak-bake.sh",
 
@@ -1,5 +1,5 @@
 {
-  "generated_at": "2026-05-05T19:57:42.253464",
+  "generated_at": "2026-05-05T20:36:53.037914",
   "source_directory": "tools",
   "entries": [
     {
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "generated_at": "2026-05-05T19:57:42.242965",`
	`2`	`+ "generated_at": "2026-05-05T20:36:53.027050",`
`3`	`3`	`"source_directory": "automation",`
`4`	`4`	`"entries": [`
`5`	`5`	`{`
`@@ -249,10 +249,10 @@`
`249`	`249`	`},`
`250`	`250`	`{`
`251`	`251`	`"path": "automation\\40-composefs-verity.sh",`
`252`		`- "last_modified": "2026-05-05T11:50:50.098680",`
	`252`	`+ "last_modified": "2026-05-05T20:01:09.596044",`
`253`	`253`	`"title": "40-composefs-verity.sh",`
`254`	`254`	`"type": "source_code",`
`255`		- "full_content": "#!/usr/bin/env bash\n# 40-composefs-verity.sh - promote composefs from default (yes) to verity mode\n# Tamper-evident root. Requires ext4 or btrfs target FS (NOT xfs).\nset -euo pipefail\nsource \"$(dirname \"${BASH_SOURCE[0]}\")/lib/common.sh\"\n\nconf=/usr/lib/ostree/prepare-root.conf\nif [[ -f \"$conf\" ]]; then\n log \"backing up existing $conf -> ${conf}.orig\"\n cp -a \"$conf\" \"${conf}.orig\"\nfi\n\ncat > \"$conf\" <<'EOF'\n# 'MiOS': composefs in verity mode. Tamper-evident root.\n# Target filesystems must support fsverity (ext4, btrfs). XFS is NOT supported.\n[composefs]\nenabled = verity\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n\n# Mask systemd-remount-fs (known-broken with composefs on F42+)\nlog \"masking systemd-remount-fs.service (composefs interop bug)\"\nln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service\n\nlog \"composefs verity mode configured\""
	`255`	+ "full_content": "#!/usr/bin/env bash\n# 40-composefs-verity.sh -- render /usr/lib/ostree/prepare-root.conf based\n# on the operator-tunable [security].composefs_mode knob in mios.toml.\n#\n# SSOT: usr/share/mios/mios.toml [security].composefs_mode\n# (resolved through the documented overlay chain by lib/packages.sh\n# + this script's local _read_mios_scalar awk helper).\n#\n# Modes:\n# verity -- composefs in fs-verity mode (tamper-evident root). Default.\n# Requires ext4 or btrfs. Also masks systemd-remount-fs.service\n# (known-broken on Fedora 42+ with composefs) when\n# [security].mask_systemd_remount_fs = true.\n# yes -- composefs enabled without verity. Works on XFS too.\n# off -- skip prepare-root.conf rewrite entirely; honor base image.\n#\n# See usr/share/mios/mios.toml [security] prose for the full rationale.\nset -euo pipefail\nSCRIPT_DIR=\"$(cd \"$(dirname \"${BASH_SOURCE[0]}\")\" && pwd)\"\n# shellcheck source=lib/common.sh\nsource \"${SCRIPT_DIR}/lib/common.sh\"\n# shellcheck source=lib/packages.sh\n# Pulled in for _resolve_mios_toml; the same TOML overlay chain that\n# packages.sh uses is what we want for [security] too.\nsource \"${SCRIPT_DIR}/lib/packages.sh\"\n\n# _read_mios_scalar <table> <key> -- read a top-level scalar from the\n# [<table>] block of the resolved mios.toml. Strips quotes and inline\n# comments. Returns empty string when the key is absent.\n_read_mios_scalar() {\n local table=\"$1\" key=\"$2\" toml_path\n toml_path=\"$(_resolve_mios_toml 2>/dev/null \|\| true)\"\n [[ -n \"$toml_path\" && -f \"$toml_path\" ]] \|\| return 0\n awk -v table=\"$table\" -v key=\"$key\" '\n /^\\[/ {\n in_section = 0\n line = $0\n sub(/^\\[/, \"\", line); sub(/\\][[:space:]]$/, \"\", line)\n gsub(/[[:space:]]/, \"\", line)\n if (line == table) in_section = 1\n next\n }\n in_section {\n if (match($0, \"^[[:space:]]\" key \"[[:space:]]=\")) {\n value = $0\n sub(/^[^=]=[[:space:]]/, \"\", value)\n sub(/[[:space:]]#.$/, \"\", value)\n gsub(/^[[:space:]]+\|[[:space:]]+$/, \"\", value)\n gsub(/^\"\|\"$/, \"\", value)\n print value\n exit 0\n }\n }\n ' \"$toml_path\"\n}\n\nMODE=\"$(_read_mios_scalar security composefs_mode)\"\nMODE=\"${MODE:-verity}\"\nMASK_REMOUNT=\"$(_read_mios_scalar security mask_systemd_remount_fs)\"\nMASK_REMOUNT=\"${MASK_REMOUNT:-true}\"\n\ncase \"$MODE\" in\n verity\|yes\|off) ;;\n )\n warn \"[40-composefs-verity] unknown composefs_mode='${MODE}', falling back to 'verity'\"\n MODE=\"verity\"\n ;;\nesac\n\nif [[ \"$MODE\" == \"off\" ]]; then\n log \"[40-composefs-verity] composefs_mode=off -- honoring base image's prepare-root.conf\"\n exit 0\nfi\n\nconf=/usr/lib/ostree/prepare-root.conf\nif [[ -f \"$conf\" ]]; then\n log \"[40-composefs-verity] backing up existing $conf -> ${conf}.orig\"\n cp -a \"$conf\" \"${conf}.orig\"\nfi\n\n# Render the table according to the requested mode. The [root] / [etc]\n# transient = false stanzas are independent of verity vs yes -- they\n# enforce immutable / non-tmpfs root and /etc on every composefs path.\nlog \"[40-composefs-verity] writing $conf with composefs mode=${MODE}\"\ncase \"$MODE\" in\n verity)\n cat > \"$conf\" <<'EOF'\n# 'MiOS': composefs in verity mode. Tamper-evident root.\n# Target filesystems must support fsverity (ext4, btrfs). XFS is NOT supported.\n# SSOT: mios.toml [security].composefs_mode = \"verity\".\n[composefs]\nenabled = verity\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n ;;\n yes)\n cat > \"$conf\" <<'EOF'\n# 'MiOS': composefs enabled (no verity). Read-only /usr without the\n# fs-verity cryptographic chain -- works on every composefs-capable\n# filesystem (ext4, btrfs, XFS). Default upstream FCOS / bootc posture.\n# SSOT: mios.toml [security].composefs_mode = \"yes\".\n[composefs]\nenabled = yes\n\n[root]\ntransient = false\n\n[etc]\ntransient = false\nEOF\n ;;\nesac\n\n# systemd-remount-fs masking: only relevant in verity mode (where the\n# composefs/remount-fs interop bug surfaces). The \"yes\" path uses the\n# upstream-default mount sequence and does not need the mask.\nif [[ \"$MODE\" == \"verity\" && \"$MASK_REMOUNT\" =~ ^(true\|TRUE\|1\|yes\|YES)$ ]]; then\n log \"[40-composefs-verity] masking systemd-remount-fs.service (composefs/remount interop bug)\"\n install -d -m 0755 /etc/systemd/system\n ln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service\nfi\n\nlog \"[40-composefs-verity] composefs mode=${MODE} configured\"\n"
`256`	`256`	`},`
`257`	`257`	`{`
`258`	`258`	`"path": "automation\\40-flatpak-bake.sh",`