feat: Add flatpak auditing to audit-secureblue (#377)

* increase spacing on print_status * Merged audit-flatpak into audit-secureblue * print flatpak remote success --------- Co-authored-by: qoijjj <129108030+qoijjj@users.noreply.github.com>
2025-11-02 11:28:06 +00:00 · 2024-08-21 16:22:11 -04:00
parent aaf3e4d344
commit 51ad84b1ad
1 changed files with 68 additions and 5 deletions
--- a/files/system/usr/share/ublue-os/just/60-custom.just
+++ b/files/system/usr/share/ublue-os/just/60-custom.just
@@ -343,7 +343,21 @@ audit-secureblue:
        formatted_status=$(printf "%*s" $(( (7 + ${#status}) / 2 )) "$status")
        formatted_status=$(printf "%-7s" "$formatted_status")

-        printf "%-50s [ \033[%dm%s\033[0m ]\n" "$check_name"... "$color_code" "$formatted_status"
+        printf "%-64s [ \033[%dm%s\033[0m ]\n" "$check_name"... "$color_code" "$formatted_status"
+    }
+
+    hasPermission() {
+        local permissions=$1
+        local prefix=$2
+        local query=$3
+        local line=$(grep "^${prefix}=" <<< "$permissions" | sed -e "s/^${prefix}=//" -e "s/#.*//")
+        IFS=';' read -r -a list <<< "$line"
+        for p in ${list[@]}; do
+            if [[ "$p" == "$query" ]]; then
+                return
+            fi
+        done
+        return 1
    }

    KARGS=$(rpm-ostree kargs)
@@ -492,3 +506,52 @@ audit-secureblue:
        print_status "$ENVIRONMENT_TEST_STRING" "WARNING"
    fi
    
+    remotes="$(flatpak remotes -d)"
+    while read -r remote ; do
+        ref="$(cut -f 1 <<<"$remote")"
+        url="$(cut -f 3 <<< "$remote")"
+        subset="$(cut -f 5 <<< "$remote")"
+        remote_string="Auditing flatpak remote $ref"
+        if [[ "$url" != "https://dl.flathub.org/repo/" && "$url" != "https://dl.flathub.org/beta-repo/" ]]; then
+            print_status "$remote_string" "FAIL"
+            echo "> $ref is configured with an unknown url!"
+        elif [ "$subset" != "verified" ]; then
+            print_status "$remote_string" "FAIL"
+            echo "> $ref is not a verified repo!"
+        else
+            print_status "$remote_string" "SUCCESS"
+        fi
+    done <<< "$remotes"
+    
+    declare -A flatpaks
+    while read -r ref version; do
+        flatpaks+=(["${ref}"]="${ref}//${version}")
+    done <<<$(flatpak list | sort -k 1 | cut --fields 2,4)
+    for f in ${!flatpaks[@]}; do
+        has_network=false
+        has_x11=false
+        fullref=${flatpaks["$f"]}
+        permissions=$(flatpak info --show-permissions "$fullref")
+        if hasPermission "$permissions" "shared" "network"; then
+            has_network=true
+        fi
+        if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"  ]]; then
+            has_x11=true
+        fi
+        flatpak_test_string="Auditing $f"
+        if [[ ! $has_network == "true" && ! $has_x11 == "true" ]]; then
+            print_status "$flatpak_test_string" "SUCCESS"
+        elif [[ $has_x11 == "true" ]]; then
+            print_status "$flatpak_test_string" "FAIL"
+        elif [[ $has_network == "true" ]]; then
+            print_status "$flatpak_test_string" "WARNING"
+        fi
+        if [[ $has_network == "true" ]]; then
+            echo "> $f has network access!"
+        fi
+        if [[ $has_x11 == "true" ]]; then
+            echo "> $f has x11 access!"
+        fi
+    
+    done
+