scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-01 19:07:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: audit-secureblue: add recommendations to warnings (#566)

Browse Source
This commit is contained in:
spaceoden
2024-11-15 10:55:41 -08:00
committed by GitHub
parent b0373417c0
commit f8c909409f
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
files/justfiles/secureblue.just
View File

@@ -645,22 +645,32 @@ audit-secureblue:
if hasPermission "$permissions" "shared" "network"; then if hasPermission "$permissions" "shared" "network"; then
[[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING" [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
warnings+=("> $f has network access!") warnings+=("> $f has network access!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --unshare=network $f'")
fi fi
if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"; then if hasPermission "$permissions" "sockets" "x11" && ! hasPermission "$permissions" "sockets" "fallback-x11"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f has x11 access!") warnings+=("> $f has x11 access!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --nosocket=x11 $f'")
fi fi
if hasPermission "$permissions" "sockets" "session-bus"; then if hasPermission "$permissions" "sockets" "session-bus"; then
[[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING" [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
warnings+=("> $f has access to the D-Bus session bus!") warnings+=("> $f has access to the D-Bus session bus!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --nosocket=session-bus $f'")
fi fi
if hasPermission "$permissions" "sockets" "system-bus"; then if hasPermission "$permissions" "sockets" "system-bus"; then
[[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING" [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
warnings+=("> $f has access to the D-Bus system bus!") warnings+=("> $f has access to the D-Bus system bus!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --nosocket=system-bus $f'")
fi fi
if ! hasPermission "$permissions" "LD_PRELOAD" .*"/libhardened_malloc.so"; then if ! hasPermission "$permissions" "LD_PRELOAD" .*"/libhardened_malloc.so"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f is not requesting hardened_malloc!") warnings+=("> $f is not requesting hardened_malloc!")
warnings+=("> To enable it run:")
warnings+=("> 'flatpak override -u --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so $f'")
fi fi
if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
@@ -670,14 +680,20 @@ audit-secureblue:
if [[ "$bluetooth_loaded" == "true" ]] && hasPermission "$permissions" "features" "bluetooth"; then if [[ "$bluetooth_loaded" == "true" ]] && hasPermission "$permissions" "features" "bluetooth"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f has bluetooth access!") warnings+=("> $f has bluetooth access!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --disallow=bluetooth $f'")
fi fi
if [[ "$ptrace_allowed" == "true" ]] && hasPermission "$permissions" "features" "devel"; then if [[ "$ptrace_allowed" == "true" ]] && hasPermission "$permissions" "features" "devel"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f has ptrace access!") warnings+=("> $f has ptrace access!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --disallow=devel $f'")
fi fi
if hasPermission "$permissions" "shared" "ipc"; then if hasPermission "$permissions" "shared" "ipc"; then
status="$STATUS_FAILURE" status="$STATUS_FAILURE"
warnings+=("> $f has inter-process communications access!") warnings+=("> $f has inter-process communications access!")
warnings+=("> To remove it use Flatseal or run:")
warnings+=("> 'flatpak override -u --unshare=ipc $f'")
fi fi
if hasPermission "$permissions" "devices" "all"; then if hasPermission "$permissions" "devices" "all"; then
[[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING" [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"