testsAndMisc/linux_configuration/scripts/periodic_background/hosts/guard
Krzysztof kuhy Rudnicki 66c4698194
feat: migrate hosts-guard and shutdown-schedule-guard to guard-lib
Replaces the bespoke chattr/bind-mount/systemd-watcher implementations for
/etc/hosts and /etc/shutdown-schedule.conf with the new shared guard-lib
(~/guard-lib, guardctl), so screen-locker and steam-backlog-enforcer's new
block-gaming feature stop maintaining parallel copies of the same
tamper-resistance mechanism.

- pacman_wrapper.sh: pre/post hook fallbacks now call guard-lib's generic
  unlock-all/relock-all scripts (covers every registered guard instance,
  not just /etc/hosts)
- setup_midnight_shutdown.sh: installs/updates its guarded config via
  guardctl file-guard instead of hand-rolled chattr + systemd unit
  generation; the schedule ratchet logic (block-if-more-lenient) stays
  bespoke since guardctl's generic unlock can't represent it
- new hosts/guard/plugins/nsswitch-plugin.sh, resolved-plugin.sh

Also fixes, at user's request even though pre-existing: 3 shellcheck
SC2329 false positives in pacman_wrapper.sh (functions invoked indirectly
by name, not actually dead) and 1 SC2001 style warning (echo|sed VM-name
extraction replaced with parameter expansion, verified equivalent output).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AFNiYQQgSLAkiBXswyimPq
2026-07-04 11:54:08 +02:00
pacman-hooks refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
plugins feat: migrate hosts-guard and shutdown-schedule-guard to guard-lib 2026-07-04 11:54:08 +02:00
psychological refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
enforce-hosts.sh refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
enforce-nsswitch.sh refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
enforce-resolved.sh refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
hosts-bind-mount.service refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
hosts-guard.path refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
hosts-guard.service refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
install_pacman_hooks.sh refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
nsswitch-guard.path refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
nsswitch-guard.service refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
README_FOR_LLM.md refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
README.md refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
resolved-guard.path refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
resolved-guard.service refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00
setup_hosts_guard.sh refactor(linux_configuration): move remaining dirs + scripts/ to meta/ 2026-05-15 00:53:01 +02:00

Hosts Guard Components

This directory contains templates for hardening /etc/hosts against impulsive tampering by adding friction. They do NOT provide absolute security against a determined root user.

Components:

  1. enforce-hosts.sh: idempotent script that compares /etc/hosts with the canonical copy at /usr/local/share/locked-hosts, restores it if different, and reapplies the immutable attribute.
  2. systemd units (to be installed under /etc/systemd/system):
    • hosts-guard.service (oneshot enforcement)
    • hosts-guard.path (triggers on PathChanged=/etc/hosts)
    • hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
  3. psychological/ directory: scripts that add delay + journaling before allowing a maintenance/unlock operation.
  4. pacman hooks: automatically unlock/re-lock /etc/hosts around package transactions so pacman never fails due to the read-only bind mount.
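
The enforcement step described in component 1, as an added sketch (not the repository's enforce-hosts.sh): compare the target with the canonical copy, restore on drift, reapply the immutable attribute. The function names and the GUARD_IMMUTABLE switch are assumptions introduced here.

```shell
#!/bin/sh
# Added sketch of the enforcement step; not the repository's enforce-hosts.sh.
# GUARD_IMMUTABLE=0 skips chattr (assumed knob, for unprivileged dry runs).
: "${GUARD_IMMUTABLE:=1}"

# set_immutable <+i|-i> <file>: chattr needs root and a filesystem that
# supports inode flags (for example ext4, xfs, btrfs).
set_immutable() {
    [ "$GUARD_IMMUTABLE" = 1 ] || return 0
    chattr "$1" "$2" 2>/dev/null
}

# enforce_file <canonical> <target>
# Prints "ok" when the target already matches, "restored" when drift was
# repaired. Returns non-zero if the canonical copy is missing or the
# restore could not be verified.
enforce_file() {
    if [ ! -r "$1" ]; then
        echo "canonical copy $1 missing or unreadable" >&2
        return 2
    fi
    if [ -e "$2" ] && cmp -s "$1" "$2"; then
        # Content is canonical: only make sure the flag is back on.
        set_immutable +i "$2" || echo "warning: could not set +i on $2" >&2
        echo ok
        return 0
    fi
    # Drift: clear the flag, rewrite in place (the inode is kept),
    # then verify the result before reporting success.
    set_immutable -i "$2" || true
    cat "$1" > "$2" || return 3
    cmp -s "$1" "$2" || return 3
    chmod 644 "$2"
    set_immutable +i "$2" || echo "warning: could not set +i on $2" >&2
    echo restored
}

# Stand-alone use: enforce.sh /usr/local/share/locked-hosts /etc/hosts
if [ "$#" -eq 2 ]; then
    enforce_file "$1" "$2"
fi
```

Running it twice in a row prints "restored" and then "ok", which is the idempotence the path-triggered service relies on: the restore itself changes /etc/hosts and retriggers the watcher, and the second pass must be a no-op.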

Install Flow (suggested):

  1. After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
  2. Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
  3. Place units and enable:
       systemctl daemon-reload
       systemctl enable --now hosts-guard.path
       systemctl enable --now hosts-bind-mount.service
  4. (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes protections temporarily, launches an editor after a delay, and re-enforces on close).
  5. Make pacman automatic (recommended):
       ./install_pacman_hooks.sh
     This installs hooks under /etc/pacman.d/hooks that:
    • PreTransaction: temporarily disable guard and make /etc/hosts writable
    • PostTransaction: re-run enforcement and re-enable guard (bind mount + path watcher)

Limitations:

  • A root user can still disable units, remount, or remove attributes.
  • Purpose is to interrupt habit loops and create intentional friction.