9.0 KiB
Pacman Wrapper Security System - LLM Reference Guide
For AI assistants: This document explains the pacman wrapper architecture so you can make correct modifications.
System Purpose
Intercept all pacman commands to:
- Block installation of restricted packages (browsers, games, etc.)
- Require challenges for greylisted packages
- Enforce hosts file sharing on VirtualBox VMs
- Auto-setup maintenance services if missing
- Handle stale database locks gracefully
Architecture Overview
┌─────────────────────────────────────────────────────────────────────┐
│ PACMAN WRAPPER │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ User runs: pacman -S firefox │
│ ↓ │
│ /usr/bin/pacman (symlink) → pacman_wrapper.sh │
│ ↓ │
│ 1. Verify policy file integrity (SHA256) │
│ 2. Check if package matches blocked keywords │
│ 3. Check if package requires challenge (greylist) │
│ 4. Run hosts-guard pre-unlock hook │
│ 5. Execute real pacman: /usr/bin/pacman.orig │
│ 6. Run hosts-guard post-relock hook │
│ 7. Remove any blocked packages that slipped through │
│ 8. Enforce VirtualBox hosts if vbox detected │
│ │
└─────────────────────────────────────────────────────────────────────┘
File Locations
| File | Purpose |
|---|---|
/usr/bin/pacman |
Symlink to wrapper |
/usr/bin/pacman.orig |
Real pacman binary |
pacman_wrapper.sh |
Main wrapper script (823 lines) |
install_pacman_wrapper.sh |
Installer script |
pacman_blocked_keywords.txt |
Substrings that cause blocking |
pacman_whitelist.txt |
Exact names that bypass blocking |
pacman_greylist.txt |
Packages requiring challenge |
words.txt |
Word scramble challenge dictionary |
/var/lib/pacman-wrapper/policy.sha256 |
Integrity checksums |
Policy Files Explained
pacman_blocked_keywords.txt
# Lines starting with # are comments
# Any package containing these substrings is BLOCKED
firefox
brave
chromium
youtube
stremio
If user tries pacman -S firefox-developer-edition, it's blocked because it contains "firefox".
pacman_whitelist.txt
# Exact package names that bypass keyword blocking
minizip # Contains nothing bad but might match a pattern
python-requests # Safe despite containing blocked substrings
pacman_greylist.txt
# Packages requiring word scramble challenge
# Currently empty - add packages here for challenge requirement
Hardcoded Security Checks
These checks are in the script itself and cannot be bypassed by editing policy files:
VirtualBox Check
function is_virtualbox_package() {
local pkg_lower="${1,,}"
[[ $pkg_lower == *"virtualbox"* || $pkg_lower == *"vbox"* ]]
}
- Detects any package with "virtualbox" or "vbox" in name
- Requires word scramble challenge (7-letter words, 120s timeout)
- Auto-enforces hosts file sharing on all VMs after install
Steam Check
function is_steam_package() {
[[ $1 == "steam" ]]
}
- Only exact match "steam" (not steam-native-runtime etc.)
- Weekend only - blocked Monday through Friday 4PM
- Requires word scramble challenge (5-letter words, 60s timeout)
Word Scramble Challenge
Used for Steam, VirtualBox, and greylisted packages:
Challenge: Words with 5 letters
Here are 160 random words. Remember them:
APPLE BRAVE CHAIR DANCE ...
One of those words has been scrambled to: ELPPA
Unscramble the word to proceed (you have 60 seconds):
Parameters vary by package type:
| Package Type | Word Length | Words Shown | Timeout | Initial Delay |
|---|---|---|---|---|
| Steam | 5 | 160 | 60s | 0-20s |
| VirtualBox | 7 | 150 | 120s | 0-45s |
| Greylist | 6 | 120 | 90s | 0-30s |
Integrity Verification
On every invocation, the wrapper verifies policy files haven't been tampered with:
verify_policy_integrity() {
# Reads /var/lib/pacman-wrapper/policy.sha256
# Compares SHA256 of each policy file
# If mismatch: BLOCKS all operations
}
If tampering detected:
SECURITY WARNING: Policy file integrity check failed!
CRITICAL: Policy files have been tampered with!
Wrapper operation DENIED. Please reinstall using: sudo install_pacman_wrapper.sh
Hosts Integration
The wrapper integrates with the hosts guard system:
pre_unlock_hosts() {
# Called before any transaction (-S, -U, -R)
/usr/local/share/hosts-guard/pacman-pre-unlock-hosts.sh
}
post_relock_hosts() {
# Called after transaction completes
/usr/local/share/hosts-guard/pacman-post-relock-hosts.sh
}
This allows package installations to modify /etc/hosts temporarily (e.g., for network setup) while maintaining protection.
Common Tasks
Adding a Blocked Package
- Edit
pacman_blocked_keywords.txt:
echo "newkeyword" >> pacman_blocked_keywords.txt
- Reinstall wrapper to update checksums:
sudo ./install_pacman_wrapper.sh
Whitelisting a Package
If a legitimate package is being blocked (e.g., python-firefox-sync blocked by "firefox" keyword):
- Edit
pacman_whitelist.txt:
echo "python-firefox-sync" >> pacman_whitelist.txt
- Reinstall wrapper:
sudo ./install_pacman_wrapper.sh
Adding a Challenge Requirement
- Edit
pacman_greylist.txt:
echo "suspicious-package" >> pacman_greylist.txt
- Reinstall wrapper.
Bypassing the Wrapper (Emergency)
If wrapper is broken and you need real pacman:
sudo /usr/bin/pacman.orig -S package
Warning: This bypasses all security checks.
Post-Transaction Cleanup
After every transaction, the wrapper:
- Scans installed packages for blocked keywords
- Removes any that match (shouldn't happen normally)
- Scans for greylisted packages and removes them
- Checks if VirtualBox is installed and enforces hosts
remove_installed_blocked_packages() {
mapfile -t installed_names < <("$PACMAN_BIN" -Qq)
for name in "${installed_names[@]}"; do
if is_blocked_package_name "$name"; then
pacman -Rns --noconfirm "$name"
fi
done
}
Stale Lock Handling
If /var/lib/pacman/db.lck exists but no pacman is running:
- Interactive: Prompts user to remove (15s timeout)
- Non-interactive (
--noconfirm): Auto-removes if lock is >10 minutes old - If another pacman is actually running: Blocks with error
Maintenance Auto-Setup
On first run, wrapper checks if periodic maintenance services exist:
ensure_periodic_maintenance() {
# Checks: periodic-system-maintenance.timer
# periodic-system-startup.service
# hosts-file-monitor.service
# If missing: runs setup_periodic_system.sh
}
Known Gaps (TODO)
- ❌
google-chromeandgoogle-chrome-stablenot in blocked list - ❌ No automatic LeechBlock installation when browsers detected
- ❌ User can download and install
.deb/.tar.gzmanually - ❌ AUR packages bypass wrapper (yay/paru call pacman internally)
Debugging
Check if wrapper is installed
ls -la /usr/bin/pacman
# Should show: /usr/bin/pacman -> /path/to/pacman_wrapper.sh
ls -la /usr/bin/pacman.orig
# Should exist and be the real binary
Test policy integrity
cat /var/lib/pacman-wrapper/policy.sha256
sha256sum /path/to/pacman_blocked_keywords.txt
# Hashes should match
Verbose mode
The wrapper outputs colored status messages to stderr. To see them:
pacman -S package 2>&1 | cat
DO NOT
- ❌ Edit policy files without reinstalling wrapper (breaks integrity check)
- ❌ Remove
/usr/bin/pacman.orig(breaks all pacman operations) - ❌ Symlink pacman to something other than the wrapper
- ❌ Clear
/var/lib/pacman-wrapper/without understanding consequences