feat: multiple securecore improvements

2025-11-01 19:07:52 +00:00 · 2024-08-26 09:45:20 -07:00
parent 185f539364
commit e41d963841
9 changed files with 64 additions and 55 deletions
--- a/files/system/usr/share/ublue-os/just/60-custom.just
+++ b/files/system/usr/share/ublue-os/just/60-custom.just
@@ -508,53 +508,54 @@ audit-secureblue:
    else
        print_status "$ENVIRONMENT_TEST_STRING" "$STATUS_WARNING"
    fi
-    
+
-    remotes="$(flatpak remotes -d)"
+    if command -v flatpak &> /dev/null
-    while read -r remote ; do
+        remotes="$(flatpak remotes -d)"
-        ref="$(cut -f 1 <<<"$remote")"
+        while read -r remote ; do
-        url="$(cut -f 3 <<< "$remote")"
+            ref="$(cut -f 1 <<<"$remote")"
-        subset="$(cut -f 5 <<< "$remote")"
+            url="$(cut -f 3 <<< "$remote")"
-        remote_string="Auditing flatpak remote $ref"
+            subset="$(cut -f 5 <<< "$remote")"
-        if [[ "$url" != "https://dl.flathub.org/repo/" && "$url" != "https://dl.flathub.org/beta-repo/" ]]; then
+            remote_string="Auditing flatpak remote $ref"
-            print_status "$remote_string" "$STATUS_FAILURE"
+            if [[ "$url" != "https://dl.flathub.org/repo/" && "$url" != "https://dl.flathub.org/beta-repo/" ]]; then
-            echo "> $ref is configured with an unknown url!"
+                print_status "$remote_string" "$STATUS_FAILURE"
-        elif [ "$subset" != "verified" ]; then
+                echo "> $ref is configured with an unknown url!"
-            print_status "$remote_string" "$STATUS_FAILURE"
+            elif [ "$subset" != "verified" ]; then
-            echo "> $ref is not a verified repo!"
+                print_status "$remote_string" "$STATUS_FAILURE"
-        else
+                echo "> $ref is not a verified repo!"
-            print_status "$remote_string" "$STATUS_SUCCESS"
+            else
-        fi
+                print_status "$remote_string" "$STATUS_SUCCESS"
-    done <<< "$remotes"
+            fi
-    
+        done <<< "$remotes"
-    declare -A flatpaks
+        
-    while read -r ref version; do
+        declare -A flatpaks
-        flatpaks+=(["${ref}"]="${ref}//${version}")
+        while read -r ref version; do
-    done <<<$(flatpak list | sort -k 1 | cut --fields 2,4)
+            flatpaks+=(["${ref}"]="${ref}//${version}")
-    for f in ${!flatpaks[@]}; do
+        done <<<$(flatpak list | sort -k 1 | cut --fields 2,4)
-        has_network=false
+        for f in ${!flatpaks[@]}; do
-        has_x11=false
+            has_network=false
-        fullref=${flatpaks["$f"]}
+            has_x11=false
-        permissions=$(flatpak info --show-permissions "$fullref")
+            fullref=${flatpaks["$f"]}
-        if hasPermission "$permissions" "shared" "network"; then
+            permissions=$(flatpak info --show-permissions "$fullref")
-            has_network=true
+            if hasPermission "$permissions" "shared" "network"; then
-        fi
+                has_network=true
-        if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"  ]]; then
+            fi
-            has_x11=true
+            if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"  ]]; then
-        fi
+                has_x11=true
-        flatpak_test_string="Auditing $f"
+            fi
-        if [[ ! $has_network == "true" && ! $has_x11 == "true" ]]; then
+            flatpak_test_string="Auditing $f"
-            print_status "$flatpak_test_string" "$STATUS_SUCCESS"
+            if [[ ! $has_network == "true" && ! $has_x11 == "true" ]]; then
-        elif [[ $has_x11 == "true" ]]; then
+                print_status "$flatpak_test_string" "$STATUS_SUCCESS"
-            print_status "$flatpak_test_string" "$STATUS_FAILURE"
+            elif [[ $has_x11 == "true" ]]; then
-        elif [[ $has_network == "true" ]]; then
+                print_status "$flatpak_test_string" "$STATUS_FAILURE"
-            print_status "$flatpak_test_string" "$STATUS_WARNING"
+            elif [[ $has_network == "true" ]]; then
-        fi
+                print_status "$flatpak_test_string" "$STATUS_WARNING"
-        if [[ $has_network == "true" ]]; then
+            fi
-            echo "> $f has network access!"
+            if [[ $has_network == "true" ]]; then
-        fi
+                echo "> $f has network access!"
-        if [[ $has_x11 == "true" ]]; then
+            fi
-            echo "> $f has x11 access!"
+            if [[ $has_x11 == "true" ]]; then
-        fi
+                echo "> $f has x11 access!"
-    
+            fi
-    done
+        done
    fi
--- a/recipes/securecore/recipe-securecore-main-userns.yml
+++ b/recipes/securecore/recipe-securecore-main-userns.yml
@@ -15,3 +15,4 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-main.yml
+++ b/recipes/securecore/recipe-securecore-main.yml
@@ -15,4 +15,5 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - from-file: common/disableuserns-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-nvidia-userns.yml
+++ b/recipes/securecore/recipe-securecore-nvidia-userns.yml
@@ -14,4 +14,5 @@ modules:
  - from-file: common/common-files.yml
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-nvidia.yml
+++ b/recipes/securecore/recipe-securecore-nvidia.yml
@@ -15,4 +15,5 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - from-file: common/disableuserns-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-zfs-main-userns.yml
+++ b/recipes/securecore/recipe-securecore-zfs-main-userns.yml
@@ -15,3 +15,4 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-zfs-main.yml
+++ b/recipes/securecore/recipe-securecore-zfs-main.yml
@@ -15,4 +15,5 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - from-file: common/disableuserns-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml
@@ -14,4 +14,5 @@ modules:
  - from-file: common/common-files.yml
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml
--- a/recipes/securecore/recipe-securecore-zfs-nvidia.yml
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia.yml
@@ -15,4 +15,5 @@ modules:
  - from-file: common/server-files.yml
  - from-file: common/common-scripts.yml
  - from-file: common/disableuserns-scripts.yml
-  - type: secureblue-signing
+  - type: secureblue-signing
  - from-file: common/common-brew.yml