scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-04 04:18:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: harden-flatpak: add optional parameter to apply it to specific app (#567)

Browse Source
This commit is contained in:
spaceoden
2024-11-17 15:57:24 -08:00
committed by GitHub
parent ee71b84dcd
commit 2e990be137
1 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
files/justfiles/secureblue.just
View File

@@ -79,18 +79,20 @@ remove-kargs-hardening:
--delete-if-present="ia32_emulation=0" --delete-if-present="ia32_emulation=0"
echo "Hardening kargs removed." echo "Hardening kargs removed."
# Harden flatpaks by preloading hardened_malloc (highest supported hwcap) # Harden flatpaks by preloading hardened_malloc (highest supported hwcap). When called with a flatpak application ID as an argument, applies the overrides to that application instead of globally.
harden-flatpak: harden-flatpak FLATPAK="":
#!/usr/bin/bash #!/usr/bin/bash
flatpak override --user --filesystem=host-os:ro var1={{ FLATPAK }}
flatpak_id="${var1:-}"
flatpak override --user --filesystem=host-os:ro $flatpak_id
uarches="$(/usr/lib64/ld-linux-x86-64.so.2 --help | grep '(supported, searched)' | cut -d'v' -f2)" uarches="$(/usr/lib64/ld-linux-x86-64.so.2 --help | grep '(supported, searched)' | cut -d'v' -f2)"
bestuarch="${uarches:0:1}" bestuarch="${uarches:0:1}"
if [ -z "$bestuarch" ] ; then if [ -z "$bestuarch" ] ; then
echo "No microarchitecture support detected. Using default x86-64-v1 architecture." echo "No microarchitecture support detected. Using default x86-64-v1 architecture${flatpak_id:+" for $flatpak_id's malloc"}."
flatpak override --user --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so flatpak override --user --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so $flatpak_id
else else
echo "x86-64-v$bestuarch support detected. Using x86-64-v$bestuarch microarchitecture." echo "x86-64-v$bestuarch support detected. Using x86-64-v$bestuarch microarchitecture${flatpak_id:+" for $flatpak_id's malloc"}."
flatpak override --user --env=LD_PRELOAD=/var/run/host/usr/lib64/glibc-hwcaps/x86-64-v"$bestuarch"/libhardened_malloc.so flatpak override --user --env=LD_PRELOAD=/var/run/host/usr/lib64/glibc-hwcaps/x86-64-v"$bestuarch"/libhardened_malloc.so $flatpak_id
fi fi
# Toggle the cups service on/off # Toggle the cups service on/off
@@ -670,7 +672,7 @@ audit-secureblue:
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f is not requesting hardened_malloc!") warnings+=("> $f is not requesting hardened_malloc!")
warnings+=("> To enable it run:") warnings+=("> To enable it run:")
warnings+=("> 'flatpak override -u --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so $f'") warnings+=("> 'ujust harden-flatpak $f'")
fi fi
if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"