diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2022-11-26 17:22:03 +0000 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2022-11-26 21:28:18 +0100 |
| commit | bb8e3730ef8b4bca94201c9994b1158938f987b5 (patch) | |
| tree | d135f63fbe2a5d262f5eff50fbf637ce637a9159 | |
| parent | Workflows: Change egress-policy to block (diff) | |
| download | firejail-egress-policy-block.tar.gz firejail-egress-policy-block.tar.zst firejail-egress-policy-block.zip | |
Workflows: Change egress-policy to blockegress-policy-block
| -rw-r--r-- | .github/workflows/build-extra.yml | 24 | ||||
| -rw-r--r-- | .github/workflows/build.yml | 12 | ||||
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 7 | ||||
| -rw-r--r-- | .github/workflows/profile-checks.yml | 3 |
4 files changed, 35 insertions, 11 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index e9ec436a4..a7745b83a 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
| @@ -52,8 +52,10 @@ jobs: | |||
| 52 | - name: Harden Runner | 52 | - name: Harden Runner |
| 53 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 53 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 54 | with: | 54 | with: |
| 55 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 55 | egress-policy: block |
| 56 | 56 | allowed-endpoints: > | |
| 57 | azure.archive.ubuntu.com:80 | ||
| 58 | github.com:443 | ||
| 57 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 59 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 58 | - name: install dependencies | 60 | - name: install dependencies |
| 59 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 61 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
| @@ -71,8 +73,10 @@ jobs: | |||
| 71 | - name: Harden Runner | 73 | - name: Harden Runner |
| 72 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 74 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 73 | with: | 75 | with: |
| 74 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 76 | egress-policy: block |
| 75 | 77 | allowed-endpoints: > | |
| 78 | azure.archive.ubuntu.com:80 | ||
| 79 | github.com:443 | ||
| 76 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 80 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 77 | - name: install clang-tools-14 and dependencies | 81 | - name: install clang-tools-14 and dependencies |
| 78 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 82 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
| @@ -86,8 +90,10 @@ jobs: | |||
| 86 | - name: Harden Runner | 90 | - name: Harden Runner |
| 87 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 91 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 88 | with: | 92 | with: |
| 89 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 93 | egress-policy: block |
| 90 | 94 | allowed-endpoints: > | |
| 95 | azure.archive.ubuntu.com:80 | ||
| 96 | github.com:443 | ||
| 91 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 97 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 92 | - name: install cppcheck | 98 | - name: install cppcheck |
| 93 | run: sudo apt-get install cppcheck | 99 | run: sudo apt-get install cppcheck |
| @@ -101,8 +107,10 @@ jobs: | |||
| 101 | - name: Harden Runner | 107 | - name: Harden Runner |
| 102 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 108 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 103 | with: | 109 | with: |
| 104 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 110 | egress-policy: block |
| 105 | 111 | allowed-endpoints: > | |
| 112 | azure.archive.ubuntu.com:80 | ||
| 113 | github.com:443 | ||
| 106 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 114 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 107 | - name: install cppcheck | 115 | - name: install cppcheck |
| 108 | run: sudo apt-get install cppcheck | 116 | run: sudo apt-get install cppcheck |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3119f59b9..3e556b78d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
| @@ -44,8 +44,16 @@ jobs: | |||
| 44 | - name: Harden Runner | 44 | - name: Harden Runner |
| 45 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 45 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 46 | with: | 46 | with: |
| 47 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 47 | egress-policy: block |
| 48 | 48 | allowed-endpoints: > | |
| 49 | azure.archive.ubuntu.com:80 | ||
| 50 | debian.org:80 | ||
| 51 | github.com:443 | ||
| 52 | packages.microsoft.com:443 | ||
| 53 | ppa.launchpadcontent.net:443 | ||
| 54 | www.debian.org:443 | ||
| 55 | www.debian.org:80 | ||
| 56 | yahoo.com:1025 | ||
| 49 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 57 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 50 | - name: update package information | 58 | - name: update package information |
| 51 | run: sudo apt-get update | 59 | run: sudo apt-get update |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ad19c9530..dc3211b08 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
| @@ -72,7 +72,12 @@ jobs: | |||
| 72 | - name: Harden Runner | 72 | - name: Harden Runner |
| 73 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 73 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 74 | with: | 74 | with: |
| 75 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 75 | disable-sudo: true |
| 76 | egress-policy: block | ||
| 77 | allowed-endpoints: > | ||
| 78 | api.github.com:443 | ||
| 79 | github.com:443 | ||
| 80 | uploads.github.com:443 | ||
| 76 | 81 | ||
| 77 | - name: Checkout repository | 82 | - name: Checkout repository |
| 78 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 83 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index f6a9336b8..a6a784762 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
| @@ -26,7 +26,10 @@ jobs: | |||
| 26 | - name: Harden Runner | 26 | - name: Harden Runner |
| 27 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | 27 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 28 | with: | 28 | with: |
| 29 | disable-sudo: true | ||
| 29 | egress-policy: block | 30 | egress-policy: block |
| 31 | allowed-endpoints: > | ||
| 32 | github.com:443 | ||
| 30 | 33 | ||
| 31 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 34 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 32 | - name: sort.py | 35 | - name: sort.py |