diff --git a/src/slash-bedrock/libexec/brl-apply b/src/slash-bedrock/libexec/brl-apply
index ef789210..b17e4413 100755
--- a/src/slash-bedrock/libexec/brl-apply
+++ b/src/slash-bedrock/libexec/brl-apply
@@ -56,42 +56,6 @@ fi
 # lock after brl-repair above, as it locks
 lock
 
-# Configure crossfs. Items below reference crossfs, and so this should be done
-# early.
-cfg_crossfs "/proc/1/root/bedrock/strata/bedrock/bedrock/cross"
-
-# configure etcfs
-for stratum in $(/bedrock/bin/brl list -ei); do
- root="$(stratum_root "${stratum}")"
- cfg_etcfs "/proc/1/root${root}/etc"
-done
-
-# Configure cross firmware.
-if [ -w /sys/module/firmware_class/parameters/path ] && [ -d /bedrock/cross/firmware ]; then
- printf "/bedrock/cross/firmware" >/sys/module/firmware_class/parameters/path
-fi
-
-# Specify commands which should automatically be restricted in an easily parsed
-# format for strat.
-mkdir -p /bedrock/run/restricted_cmds/
-for cmd in $(cfg_values "restriction" "restrict"); do
- touch "/bedrock/run/restricted_cmds/${cmd}"
-done
-if echo /bedrock/run/restricted_cmds/* >/dev/null 2>&1; then
- for file in /bedrock/run/restricted_cmds/*; do
- found=false
- for cmd in $(cfg_values "restriction" "restrict"); do
- if [ "$(basename "${file}")" = "${cmd}" ]; then
- found=true
- break
- fi
- done
- if ! "${found}"; then
- rm "${file}"
- fi
- done
-fi
-
 # Various fields below manage the timezone. Timezone information should not be
 # read from /usr/share/zoneinfo because:
 # - It is a local file and different strata could have differing values, which
@@ -267,6 +231,42 @@ Defaults secure_path="$(cfg_envvar "PATH")"
 Defaults env_keep+="BEDROCK_RESTRICT"
 EOF
 
+# Configure crossfs. Items below reference crossfs, and so this should be done
+# early. However, not too early; it requires /bedrock/run/profile.
+cfg_crossfs "/proc/1/root/bedrock/strata/bedrock/bedrock/cross"
+
+# configure etcfs
+for stratum in $(/bedrock/bin/brl list -ei); do
+ root="$(stratum_root "${stratum}")"
+ cfg_etcfs "/proc/1/root${root}/etc"
+done
+
+# Configure cross firmware.
+if [ -w /sys/module/firmware_class/parameters/path ] && [ -d /bedrock/cross/firmware ]; then
+ printf "/bedrock/cross/firmware" >/sys/module/firmware_class/parameters/path
+fi
+
+# Specify commands which should automatically be restricted in an easily parsed
+# format for strat.
+mkdir -p /bedrock/run/restricted_cmds/
+for cmd in $(cfg_values "restriction" "restrict"); do
+ touch "/bedrock/run/restricted_cmds/${cmd}"
+done
+if echo /bedrock/run/restricted_cmds/* >/dev/null 2>&1; then
+ for file in /bedrock/run/restricted_cmds/*; do
+ found=false
+ for cmd in $(cfg_values "restriction" "restrict"); do
+ if [ "$(basename "${file}")" = "${cmd}" ]; then
+ found=true
+ break
+ fi
+ done
+ if ! "${found}"; then
+ rm "${file}"
+ fi
+ done
+fi
+
 # Setup xorg.conf configuration
 if [ -d /bedrock/cross/fonts ]; then
 (
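Review bot: The `if echo /bedrock/run/restricted_cmds/* >/dev/null 2>&1` guard in the restricted_cmds block always succeeds in POSIX sh, so it does not protect the cleanup loop from an unmatched glob. When no restrict entries are configured and the directory is empty, `file` is the literal pattern and `rm "${file}"` fails; whether that aborts the rest of the apply run depends on shell options set outside this hunk. Dropping the `echo` test and starting the loop body with `[ -e "${file}" ] || continue` would handle the empty case. Separately, `${cmd}` comes from an unquoted `$(cfg_values "restriction" "restrict")` and is used directly as a file name, so a configured value containing `/` or a glob character would create or match paths other than the intended marker file. Rejecting such values before `touch` would keep the marker directory an exact mirror of the restriction list that strat reads.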