From 8333bcf2f52333d36ee69b8313b710fdfcd559ac Mon Sep 17 00:00:00 2001
From: Rubiginosa <89671549+Rubiginosa@users.noreply.github.com>
Date: Tue, 10 Sep 2024 13:33:14 -0400
Subject: [PATCH] feat: add check for hardened_malloc flatpak preload (#412)

* updated has_permission to use regex matching
* added flatpak check for hardened_malloc
* changed hasPermission to maintain old behavior for strings
---
 files/system/usr/share/ublue-os/just/70-secureblue.just | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/system/usr/share/ublue-os/just/70-secureblue.just
index 6437a08..b73edc6 100644
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -356,7 +356,7 @@ audit-secureblue:
 local line=$(grep "^${prefix}=" <<< "$permissions" | sed -e "s/^${prefix}=//" -e "s/#.*//")
 IFS=';' read -r -a list <<< "$line"
 for p in ${list[@]}; do
- if [[ "$p" == "$query" ]]; then
+ if [[ "$p" =~ ^$query$ ]]; then
 return
 fi
 done
@@ -572,6 +572,10 @@ audit-secureblue:
 status="$STATUS_FAILURE"
 warnings+=("> $f has x11 access!")
 fi
+ if ! hasPermission "$permissions" "LD_PRELOAD" .*"/libhardened_malloc.so"; then
+ status="$STATUS_FAILURE"
+ warnings+=("> $f is not using hardened_malloc!")
+ fi
 flatpak_test_string="Auditing $f"
 print_status "$flatpak_test_string" "$status"
 for warning in "${warnings[@]}"; do
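Review bot: In the `for p in ...` loop, `$query` is now expanded unquoted on the right-hand side of `=~`, so every caller's query is compiled as an extended regex, including the literal strings that existing callers pass. A literal containing `.`, `+`, `[` or similar will match more than its exact text. A malformed pattern makes `[[ ]]` return 2, which the `if` treats as "permission absent"; for checks that flag a permission's presence, such as the x11 one, that reads as a pass. I would document the contract above the loop, e.g. `# query is an anchored ERE (^query$); escape regex metacharacters when an exact match is intended`. The function's signature and the assignment of `query` are outside this hunk, so how callers pass it is inferred.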
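Review bot: The pattern argument `.*"/libhardened_malloc.so"` in the second hunk leaves `.*` outside the quotes, so the shell may apply pathname expansion to the word before hasPermission sees it, and the `.` in `.so` becomes a regex wildcard once it reaches `=~`. Quoting the whole pattern and escaping the dot avoids both: `if ! hasPermission "$permissions" "LD_PRELOAD" '.*/libhardened_malloc\.so'; then`. The leading `.*` also accepts the library name under any directory, so an override pointing at a same-named file in a writable location passes the audit; if the image ships the library at one fixed path, matching that path exactly would be a tighter check. The check confirms only that the variable is set in the permissions, not that the library is actually loadable inside the sandbox.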