scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-01 19:07:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: audit-secureblue: check for filesystem=host:ro and device=all (#535)

Browse Source
This commit is contained in:
spaceoden
2024-11-11 17:04:12 +00:00
committed by GitHub
parent 290d1ec895
commit d376dd0180
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
files/system/usr/share/ublue-os/just/70-secureblue.just
View File

@@ -652,6 +652,11 @@ audit-secureblue:
status="$STATUS_FAILURE"
warnings+=("> $f is not using hardened_malloc!")
fi
if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then
status="$STATUS_FAILURE"
warnings+=("> $f is missing host-os:ro permission,
> which is needed to load hardened_malloc!")
fi
if [[ "$bluetooth_loaded" == "true" ]] && hasPermission "$permissions" "features" "bluetooth"; then
status="$STATUS_FAILURE"
warnings+=("> $f has bluetooth access!")
@@ -664,6 +669,12 @@ audit-secureblue:
status="$STATUS_FAILURE"
warnings+=("> $f has inter-process communications access!")
fi
if hasPermission "$permissions" "devices" "all"; then
[[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
warnings+=("> $f has device=all permission,
> granting access to GPU, input devices, raw USB, and virtualization,
> and introducing a vector for sandbox escapes!")
fi
flatpak_test_string="Auditing $f"
print_status "$flatpak_test_string" "$status"
for warning in "${warnings[@]}"; do