feat: refactor flatpak audit for readability and extensibility (#414)

* refactored flatpak audit to be more extensible * fixed old typo * added warning string array for flatpak audit
2025-12-24 14:27:01 +00:00 · 2024-08-30 18:28:56 -04:00
parent 79471e2141
commit b5f5d2afa0
1 changed files with 12 additions and 18 deletions
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -559,30 +559,24 @@ audit-secureblue:
            flatpaks+=(["${ref}"]="${ref}//${version}")
        done <<<$(flatpak list | sort -k 1 | cut --fields 2,4)
        for f in ${!flatpaks[@]}; do
-            has_network=false
-            has_x11=false
+            warnings=()
+            status="$STATUS_SUCCESS"
            fullref=${flatpaks["$f"]}
            permissions=$(flatpak info --show-permissions "$fullref")
+
            if hasPermission "$permissions" "shared" "network"; then
-                has_network=true
+                [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
+                warnings+=("> $f has network access!")
            fi
-            if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"  ]]; then
-                has_x11=true
+            if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"; then
+                status="$STATUS_FAILURE"
+                warnings+=("> $f has x11 access!")
            fi
            flatpak_test_string="Auditing $f"
-            if [[ ! $has_network == "true" && ! $has_x11 == "true" ]]; then
-                print_status "$flatpak_test_string" "$STATUS_SUCCESS"
-            elif [[ $has_x11 == "true" ]]; then
-                print_status "$flatpak_test_string" "$STATUS_FAILURE"
-            elif [[ $has_network == "true" ]]; then
-                print_status "$flatpak_test_string" "$STATUS_WARNING"
-            fi
-            if [[ $has_network == "true" ]]; then
-                echo "> $f has network access!"
-            fi
-            if [[ $has_x11 == "true" ]]; then
-                echo "> $f has x11 access!"
-            fi
+            print_status "$flatpak_test_string" "$status"
+            for warning in "${warnings[@]}"; do
+                echo "$warning"
+            done
        done
    fi