More changes than we can count

Containerfile

@@ -1,7 +1,17 @@
+# Based on Calcite
 FROM ghcr.io/charles8191/calcite/9
-ARG LIBREWOLF_VERSION=132.0-1
-COPY scap.sh /scap.sh
-RUN sed -i 's,rockylinux.org,github.com/charles8191/netherite,g' /usr/lib/os-release && \
+# Adding configuration files
+ADD net-privacy.conf /usr/lib/NetworkManager/conf.d/30-net-privacy.conf
+ADD chrony.conf /etc/chrony.conf
+ADD tunables.conf /usr/lib/sysctl.d/tunables.conf
+RUN \
+set -x && \
+# Install mimalloc
+curl --create-dirs -Lo /usr/lib64/libmimalloc-secure.so https://github.com/charles8191/mimalloc-secure/raw/refs/heads/main/libmimalloc-secure.so && \
+chmod +x /usr/lib64/libmimalloc-secure.so && \
+echo "/usr/lib64/libmimalloc-secure.so" > /etc/ld.so.preload && \
+# Branding
+sed -i 's,rockylinux.org,github.com/charles8191/netherite,g' /usr/lib/os-release && \
 sed -i 's,Rocky Linux,Netherite,g' /usr/lib/os-release && \
 sed -i 's,Rocky,Netherite,g' /usr/lib/os-release && \
 sed -i 's,rockylinux,netherite,g' /usr/lib/os-release && \
@@ -11,17 +21,18 @@ sed -i 's,ID_LIKE="rhel centos fedora",ID_LIKE="rhel centos fedora rocky",g' /us
 sed -i 's,BUG_REPORT_URL,JUNK_BUG_REPORT_URL,g' /usr/lib/os-release && \
 sed -i 's,ROCKY_SUPPORT_PRODUCT,JUNK_ROCKY_SUPPORT_PRODUCT,g' /usr/lib/os-release && \
 sed -i 's,REDHAT_SUPPORT_PRODUCT,JUNK_REDHAT_SUPPORT_PRODUCT,g' /usr/lib/os-release && \
+# LibreWolf
 curl --create-dirs -Lo /pubkey.gpg https://repo.librewolf.net/pubkey.gpg && \
 rpm --import /pubkey.gpg && \
 rm -vf /pubkey.gpg && \
+curl -fsSL https://repo.librewolf.net/librewolf.repo | tee /etc/yum.repos.d/librewolf.repo && \
+dnf swap firefox librewolf -y && \
+# firewalld (breaks the kickstart if not present)
 dnf install firewalld -y && \
-dnf swap firefox https://repo.librewolf.net/pool/librewolf-${LIBREWOLF_VERSION}-linux-x86_64-rpm.rpm -y && \
-curl --create-dirs -Lo /usr/lib/libhardened_malloc.so https://github.com/charles8191/hardened_malloc/raw/refs/heads/main/libhardened_malloc.so && \
-chmod +x /usr/lib/libhardened_malloc.so && \
-echo "/usr/lib/libhardened_malloc.so" > /etc/ld.so.preload && \
-curl --create-dirs -Lo /etc/chrony.conf https://github.com/GrapheneOS/infrastructure/raw/refs/heads/main/chrony.conf && \
-curl --create-dirs -Lo /usr/local/lib/sysctl.d/local.conf https://github.com/GrapheneOS/infrastructure/raw/refs/heads/main/sysctl.d/local.conf && \
-curl --create-dirs -Lo /usr/lib/NetworkManager/conf.d/30-nm-privacy.conf https://github.com/divestedcg/Brace/raw/refs/heads/master/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf && \
-(bash /scap.sh || true) && \
+# SCAP
+dnf install openscap openscap-scanner scap-security-guide -y && \
+oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_anssi_bp28_minimal --fix-type bash /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml > /scap.sh && \
+(bash /scap.sh || true) && 
 rm -vf /scap.sh && \
-dnf clean all
+# Clean
+dnf clean all

README.md

@@ -10,12 +10,13 @@ Netherite is a secure & private operating system based on [Calcite](https://gith
 
 ## Features
 
-- [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) from GrapheneOS using [hardened_malloc binary](https://github.com/charles8191/hardened_malloc)
-- Mostly ANSSI-BP-028 Minimal compliant (because it is a solid base for adding extra security)
+- [mimalloc](https://github.com/microsoft/mimalloc) (secure mode) using [mimalloc-secure binary](https://github.com/charles8191/mimalloc-secure)
+- Some remediations from ANSSI-BP-028 Minimal
 - [LibreWolf](https://librewolf.net/) instead of Firefox
-- [Some configuration files from GrapheneOS infrastructure](https://github.com/GrapheneOS/infrastructure)
+- Custom chrony config
+- Custom kernel tunables
 - Modified `os-release` file
-- [Enhanced NetworkManager privacy](https://github.com/divestedcg/Brace/blob/master/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf) from Brace
+- Enhanced NetworkManager privacy
 
 ## Installation
 

chrony.conf

@@ -0,0 +1,11 @@
+pool pool.ntp.org
+pool time.cloudflare.com
+pool time.google.com
+pool time.windows.com
+pool nts.ntp.se
+pool time.esa.int
+pool ntp.time.nl
+minsources 2
+driftfile /var/lib/chrony/drift
+makestep 0.1 3
+rtcsync

net-privacy.conf

@@ -0,0 +1,9 @@
+[connection]
+ipv6.ip6-privacy=2
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=stable
+wifi.cloned-mac-address=random
+
+[connectivity]
+uri=