Add Profile Checks

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-10-26 15:24:21 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-10-29 11:00:06 +0200
commit: 0aa66649efa11e9c3c4d341f8a42f2eef8e942de (patch)
tree: 0fb38be7b45d5c1b91197372795829779363c40c
parent: Sort src/firecfg/firecfg.config (diff)
download: firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.gz
firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.zst
firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.zip
6 files changed, 51 insertions, 21 deletions
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
new file mode 100644
index 000000000..951a8b8cf
--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+jobs:
+  profile-checks:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: sort.py
+      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: private-etc-always-required.sh
+      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: sort-disable-programs.sh
+      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+    - name: sort-firecfg.config.sh
+      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
deleted file mode 100644
index cfa40d2d2..000000000
--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: sort.py
-on:
-  push:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-  pull_request:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-jobs:
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 000000000..892b15aa4
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+error=0
+while IFS=: read -r profile private_etc; do
+        for required in "${ALWAYS_REQUIRED[@]}"; do
+                if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+                        printf '%s misses %s\n' "$profile" "$required" >&2
+                        error=1
+                fi
+        done
+done < <(grep "^private-etc " "$@")
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 000000000..d81ee75d7
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 000000000..17a595350
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 000000000..e1f3f5f16
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
+\ No newline at end of file
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-10-26 15:24:21 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-10-29 11:00:06 +0200
commit	0aa66649efa11e9c3c4d341f8a42f2eef8e942de (patch)
tree	0fb38be7b45d5c1b91197372795829779363c40c
parent	Sort src/firecfg/firecfg.config (diff)
download	firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.gz firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.zst firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.zip

diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml new file mode 100644 index 000000000..951a8b8cf --- /dev/null +++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
		1	name: Profile Checks
		2
		3	on:
		4	push:
		5	branches: [ master ]
		6	paths:
		7	- 'etc/**'
		8	- 'ci/check/profiles/**'
		9	- 'src/firecfg/firecfg.config'
		10	- 'contrib/sort.py'
		11	pull_request:
		12	branches: [ master ]
		13	paths:
		14	- 'etc/**'
		15	- 'ci/check/profiles/**'
		16	- 'src/firecfg/firecfg.config'
		17	- 'contrib/sort.py'
		18
		19	jobs:
		20	profile-checks:
		21	runs-on: ubuntu-20.04
		22	steps:
		23	- uses: actions/checkout@v2
		24	- name: sort.py
		25	run: ./ci/check/profiles/sort.py etc/inc/.inc etc/{profile-a-l,profile-m-z}/.profile
		26	- name: private-etc-always-required.sh
		27	run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/.inc etc/{profile-a-l,profile-m-z}/.profile
		28	- name: sort-disable-programs.sh
		29	run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
		30	- name: sort-firecfg.config.sh
		31	run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config


diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml deleted file mode 100644 index cfa40d2d2..000000000 --- a/.github/workflows/sort.yml +++ /dev/null
@@ -1,21 +0,0 @@
1	name: sort.py
2
3	on:
4	push:
5	branches: [ master ]
6	paths:
7	- 'etc/**'
8	- 'contrib/sort.py'
9	pull_request:
10	branches: [ master ]
11	paths:
12	- 'etc/**'
13	- 'contrib/sort.py'
14
15	jobs:
16	profile-sort:
17	runs-on: ubuntu-20.04
18	steps:
19	- uses: actions/checkout@v2
20	- name: check profiles
21	run: ./contrib/sort.py etc//{.inc,*.profile}


diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh new file mode 100755 index 000000000..892b15aa4 --- /dev/null +++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
		1	#!/bin/bash
		2
		3	ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
		4
		5	error=0
		6	while IFS=: read -r profile private_etc; do
		7	for required in "${ALWAYS_REQUIRED[@]}"; do
		8	if grep -q -v -E "( \|,)$required(,\|$)" <<<"$private_etc"; then
		9	printf '%s misses %s\n' "$profile" "$required" >&2
		10	error=1
		11	fi
		12	done
		13	done < <(grep "^private-etc " "$@")
		14
		15	exit "$error"


diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh new file mode 100755 index 000000000..d81ee75d7 --- /dev/null +++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
		1	#!/bin/sh
		2	tail -n +5 "$1" \| LC_ALL=C sort -c -u


diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh new file mode 100755 index 000000000..17a595350 --- /dev/null +++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
		1	#!/bin/sh
		2	tail -n +4 "$1" \| sed 's/^# /#/' \| LC_ALL=C sort -c -d


diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py new file mode 120000 index 000000000..e1f3f5f16 --- /dev/null +++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
			../../../contrib/sort.py \ No newline at end of file