fix: Switch to space-separated sources.conf format

- Change from colon to space separation to avoid URL parsing issues
- Update sources.conf format: TYPE NAME URL VERSION BUILD_FUNCTION [EXTRA]
- Implement awk-based parsing for reliable field extraction
- Fix firmware package list (remove unavailable linux-firmware-marvell)

initramfs/etc/security/access.conf

@@ -0,0 +1,125 @@
+# Login access control table.
+#
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination.  The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+#
+# 	permission:users:origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
+#
+# You can use @netgroupname in host or user patterns; this even works
+# for @usergroup@@hostgroup patterns.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+# To avoid problems with accounts, which have the same name as a group,
+# you can use brackets around group names '(group)' to differentiate.
+# In this case, you should also set the "nodefgroup" option.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+#
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Same, but make sure that really the group wheel and not the user
+# wheel is used (use nodefgroup argument, too):
+#
+#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via cron .. tty5 tty6.
+#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+:root:192.168.200.1 192.168.200.4 192.168.200.9
+#+:root:127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+#          The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+:root:192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+:root:.foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#-:root:ALL
+#
+# User "foo" and members of netgroup "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if netgroup service is available.
+#+:@nis_group foo:ALL
+#
+# User "john" should get access from ipv4 net/mask
+#+:john:127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+:john:::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+:john:2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+:john:2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 local link host address
+#+:john:fe80::de95:818c:1b55:7e42%eth0
+#
+# User "john" should get access from ipv6 net/mask
+#+:john:2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#-:ALL:ALL

initramfs/etc/security/faillock.conf

@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+# deny = 3
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+# unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>

initramfs/etc/security/group.conf

@@ -0,0 +1,106 @@
+#
+# This is the configuration file for the pam_group module.
+#
+
+#
+# *** Please note that giving group membership on a session basis is
+# *** NOT inherently secure. If a user can create an executable that
+# *** is setgid a group that they are infrequently given membership
+# *** of, they can basically obtain group membership any time they
+# *** like. Example: games are allowed between the hours of 6pm and 6am
+# *** user joe logs in at 7pm writes a small C-program toplay.c that
+# *** invokes their favorite shell, compiles it and does
+# *** "chgrp play toplay; chmod g+s toplay". They are basically able
+# *** to play games any time... You have been warned. AGM
+#
+
+#
+# The syntax of the lines is as follows:
+#
+#       services;ttys;users;times;groups
+#
+# white space is ignored and lines maybe extended with '\\n' (escaped
+# newlines). From reading these comments, it is clear that
+# text following a '#' is ignored to the end of the line.
+#
+# the combination of individual users/terminals etc is a logic list
+# namely individual tokens that are optionally prefixed with '!' (logical
+# not) and separated with '&' (logical and) and '|' (logical or).
+#
+# services
+#       is a logic list of PAM service names that the rule applies to.
+#
+# ttys
+#       is a logic list of terminal names that this rule applies to.
+#
+# users
+#       is a logic list of users or a netgroup of users to whom this
+#       rule applies.
+#
+# NB. For these items the simple wildcard '*' may be used only once.
+#     With netgroups no wildcards or logic operators are allowed.
+#
+# times
+#       It is used to indicate "when" these groups are to be given to the
+#       user. The format here is a logic list of day/time-range
+#       entries the days are specified by a sequence of two character
+#       entries, MoTuSa for example is Monday Tuesday and Saturday. Note
+#       that repeated days are unset MoMo = no day, and MoWk = all weekdays
+#       bar Monday. The two character combinations accepted are
+#
+#               Mo Tu We Th Fr Sa Su Wk Wd Al
+#
+#       the last two being week-end days and all 7 days of the week
+#       respectively. As a final example, AlFr means all days except Friday.
+#
+#       Each day/time-range can be prefixed with a '!' to indicate "anything
+#       but"
+#
+#       The time-range part is two 24-hour times HHMM separated by a hyphen
+#       indicating the start and finish time (if the finish time is smaller
+#       than the start time it is deemed to apply on the following day).
+#
+# groups
+#	The (comma or space separated) list of groups that the user
+#	inherits membership of. These groups are added if the previous
+#	fields are satisfied by the user's request
+#
+# For a rule to be active, ALL of service+ttys+users must be satisfied
+# by the applying process.
+#
+
+#
+# Note, to get this to work as it is currently typed you need
+#
+# 1. to run an application as root
+# 2. add the following groups to the /etc/group file:
+#		floppy, play, sound
+#
+
+#
+# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
+# the user 'us' is given access to the floppy (through membership of
+# the floppy group)
+#
+
+#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
+
+#
+# another example: running 'xsh' on tty* (any ttyXXX device),
+# the user 'sword' is given access to games (through membership of
+# the sound and play group) after work hours.
+#
+
+#xsh; tty* ;sword;!Wk0900-1800;sound, play
+#xsh; tty* ;*;Al0900-1800;floppy
+
+#
+# yet another example: any member of the group 'admin' running
+# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
+#
+
+#xsh; tty* ;%admin;Al0000-2400;plugdev
+
+#
+# End of group.conf file
+#

initramfs/etc/security/limits.conf

@@ -0,0 +1,61 @@
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means, for example, that setting a limit for wildcard domain here
+#can be overridden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overridden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file

initramfs/etc/security/namespace.conf

@@ -0,0 +1,31 @@
+# /etc/security/namespace.conf
+#
+# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
+#
+# Uncommenting the following three lines will polyinstantiate
+# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
+#
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation. The parent directories (except $HOME) are created
+# at boot by pam_namespace_helper, but in a live system, system
+# administrators should create the parent directories before enabling
+# them here.
+#
+#/tmp     /tmp-inst/       	level      root,adm
+#/var/tmp /var/tmp/tmp-inst/   	level      root,adm
+#$HOME    $HOME/$USER.inst/     level

initramfs/etc/security/namespace.init

@@ -0,0 +1,25 @@
+#!/bin/sh
+# It receives polydir path as $1, the instance path as $2,
+# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+# and user name in $4.
+#
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+        # This line will fix the labeling on all newly created directories
+        [ -x /sbin/restorecon ] && /sbin/restorecon "$1"
+        user="$4"
+        passwd=$(getent passwd "$user")
+        homedir=$(echo "$passwd" | cut -f6 -d":")
+        if [ "$1" = "$homedir" ]; then
+                gid=$(echo "$passwd" | cut -f4 -d":")
+                cp -rT /etc/skel "$homedir"
+                chown -R "$user":"$gid" "$homedir"
+                mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs)
+                mode=$(printf "%o" $((0777 & ~mask)))
+                chmod ${mode:-700} "$homedir"
+                [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+        fi
+fi
+
+exit 0

initramfs/etc/security/pam_env.conf

@@ -0,0 +1,73 @@
+#
+# This is the configuration file for pam_env, a PAM module to load in
+# a configurable list of environment variables for a
+#
+# The original idea for this came from Andrew G. Morgan ...
+#<quote>
+#   Mmm. Perhaps you might like to write a pam_env module that reads a
+#   default environment from a file? I can see that as REALLY
+#   useful... Note it would be an "auth" module that returns PAM_IGNORE
+#   for the auth part and sets the environment returning PAM_SUCCESS in
+#   the setcred function...
+#</quote>
+#
+# What I wanted was the REMOTEHOST variable set, purely for selfish
+# reasons, and AGM didn't want it added to the SimpleApps login
+# program (which is where I added the patch). So, my first concern is
+# that variable, from there there are numerous others that might/would
+# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
+#
+# Of course, these are a different kind of variable than REMOTEHOST in
+# that they are things that are likely to be configured by
+# administrators rather than set by logging in, how to treat them both
+# in the same config file?
+#
+# Here is my idea:
+#
+# Each line starts with the variable name, there are then two possible
+# options for each variable DEFAULT and OVERRIDE.
+# DEFAULT allows an administrator to set the value of the
+# variable  to some default value, if none is supplied then the empty
+# string is assumed. The OVERRIDE option tells pam_env that it should
+# enter in its value (overriding the default value) if there is one
+# to use. OVERRIDE is not used, "" is assumed and no override will be
+# done.
+#
+# VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
+#
+# (Possibly non-existent) environment variables may be used in values
+# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
+# be used in values using the @{string} syntax. Both the $ and @
+# characters can be backslash escaped to be used as literal values
+# values can be delimited with "", escaped " not supported.
+# Note that many environment variables that you would like to use
+# may not be set by the time the module is called.
+# For example, HOME is used below several times, but
+# many PAM applications don't make it available by the time you need it.
+#
+#
+# First, some special variables
+#
+# Set the REMOTEHOST variable for any hosts that are remote, default
+# to "localhost" rather than not being set at all
+#REMOTEHOST	DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
+#
+# Set the DISPLAY variable if it seems reasonable
+#DISPLAY		DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
+#
+#
+#  Now some simple variables
+#
+#PAGER		DEFAULT=less
+#MANPAGER	DEFAULT=less
+#LESS		DEFAULT="M q e h15 z23 b80"
+#NNTPSERVER	DEFAULT=localhost
+#PATH		DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
+#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+#
+# silly examples of escaped variables, just to show how they work.
+#
+#DOLLAR		DEFAULT=\$
+#DOLLARDOLLAR	DEFAULT=	OVERRIDE=\$${DOLLAR}
+#DOLLARPLUS	DEFAULT=\${REMOTEHOST}${REMOTEHOST}
+#ATSIGN		DEFAULT=""	OVERRIDE=\@

initramfs/etc/security/pwhistory.conf

@@ -0,0 +1,21 @@
+# Configuration for remembering the last passwords used by a user.
+#
+# Enable the debugging logs.
+# Enabled if option is present.
+# debug
+#
+# root account's passwords are also remembered.
+# Enabled if option is present.
+# enforce_for_root
+#
+# Number of passwords to remember.
+# The default is 10.
+# remember = 10
+#
+# Number of times to prompt for the password.
+# The default is 1.
+# retry = 1
+#
+# The file where the last passwords are kept.
+# The default is /etc/security/opasswd.
+# file = /etc/security/opasswd

initramfs/etc/security/time.conf

@@ -0,0 +1,65 @@
+# this is an example configuration file for the pam_time module. Its syntax
+# was initially based heavily on that of the shadow package (shadow-960129).
+#
+# the syntax of the lines is as follows:
+#
+#       services;ttys;users;times
+#
+# white space is ignored and lines maybe extended with '\\n' (escaped
+# newlines). As should be clear from reading these comments,
+# text following a '#' is ignored to the end of the line.
+#
+# the combination of individual users/terminals etc is a logic list
+# namely individual tokens that are optionally prefixed with '!' (logical
+# not) and separated with '&' (logical and) and '|' (logical or).
+#
+# services
+#	is a logic list of PAM service names that the rule applies to.
+#
+# ttys
+#	is a logic list of terminal names that this rule applies to.
+#
+# users
+#	is a logic list of users or a netgroup of users to whom this
+#	rule applies.
+#
+# NB. For these items the simple wildcard '*' may be used only once.
+#
+# times
+#	the format here is a logic list of day/time-range
+#	entries the days are specified by a sequence of two character
+#	entries, MoTuSa for example is Monday Tuesday and Saturday. Note
+#	that repeated days are unset MoMo = no day, and MoWk = all weekdays
+#	bar Monday. The two character combinations accepted are
+#
+#		Mo Tu We Th Fr Sa Su Wk Wd Al
+#
+#	the last two being week-end days and all 7 days of the week
+#	respectively. As a final example, AlFr means all days except Friday.
+#
+#	each day/time-range can be prefixed with a '!' to indicate "anything
+#	but"
+#
+#	The time-range part is two 24-hour times HHMM separated by a hyphen
+#	indicating the start and finish time (if the finish time is smaller
+#	than the start time it is deemed to apply on the following day).
+#
+# for a rule to be active, ALL of service+ttys+users must be satisfied
+# by the applying process.
+#
+
+#
+# Here is a simple example: running blank on tty* (any ttyXXX device),
+# the users 'you' and 'me' are denied service all of the time
+#
+
+#blank;tty* & !ttyp*;you|me;!Al0000-2400
+
+# Another silly example, user 'root' is denied xsh access
+# from pseudo terminals at the weekend and on mondays.
+
+#xsh;ttyp*;root;!WdMo0000-2400
+
+#
+# End of example file.
+#