author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2022-11-27 09:12:31 +0100 |
committer | GitHub <noreply@github.com> | 2022-11-27 09:12:31 +0100 |
commit | 56ba1d2271ff21d1104943162704c662c7c9004f (patch) | |
tree | d135f63fbe2a5d262f5eff50fbf637ce637a9159 | |
parent | Workflows: Change egress-policy to block (diff) | |
Workflows: Change egress-policy to block (#5485)
-rw-r--r-- | .github/workflows/build-extra.yml | 24 | ||||
-rw-r--r-- | .github/workflows/build.yml | 12 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 7 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 3 |
4 files changed, 35 insertions, 11 deletions
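--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -52,8 +52,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+egress-policy: block
+allowed-endpoints: >
+azure.archive.ubuntu.com:80
+github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install dependencies
 run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -71,8 +73,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+egress-policy: block
+allowed-endpoints: >
+azure.archive.ubuntu.com:80
+github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install clang-tools-14 and dependencies
 run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -86,8 +90,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+egress-policy: block
+allowed-endpoints: >
+azure.archive.ubuntu.com:80
+github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install cppcheck
 run: sudo apt-get install cppcheck
@@ -101,8 +107,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+egress-policy: block
+allowed-endpoints: >
+azure.archive.ubuntu.com:80
+github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install cppcheck
 run: sudo apt-get install cppcheck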
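Review bot: The four allow-lists added in this file (the hunks at new lines 52, 73, 90 and 107) carry no comment saying what each endpoint is for, so the next person who hits a blocked-egress failure in one of these jobs has nothing to go on. `azure.archive.ubuntu.com:80` is presumably the apt mirror behind the `sudo apt-get install` steps that follow each hunk and `github.com:443` serves actions/checkout; a one-line comment above `allowed-endpoints` in each job, such as `# azure.archive.ubuntu.com: apt mirror of the hosted runner image; github.com: actions/checkout`, would record that. The same comment should say that the `:80` mirror entry is plaintext and that package integrity therefore rests on apt's signature checks, not on the allow-list. Leaving `disable-sudo` unset here is consistent, since these jobs need sudo for apt-get, unlike the codeql and profile-checks jobs in this commit.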
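--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,8 +44,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+egress-policy: block
+allowed-endpoints: >
+azure.archive.ubuntu.com:80
+debian.org:80
+github.com:443
+packages.microsoft.com:443
+ppa.launchpadcontent.net:443
+www.debian.org:443
+www.debian.org:80
+yahoo.com:1025
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: update package information
 run: sudo apt-get update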
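Review bot: Several entries in the new allow-list are not explained by anything visible in the hunk — `yahoo.com:1025`, `debian.org:80`, `www.debian.org:80` and `ppa.launchpadcontent.net:443` — and with `egress-policy: block` any drift in what the later steps reach will fail the job with no hint of which entry to adjust. Presumably these come from the test suite run later in the job (outside the hunk); a comment grouping the entries by consumer, e.g. `# apt: azure.archive.ubuntu.com, packages.microsoft.com, ppa.launchpadcontent.net` and `# test suite network checks: debian.org, www.debian.org, yahoo.com — confirm against the test steps`, would make future pruning or additions deliberate rather than guesswork. It is also worth noting next to the list that the `:80` entries are plaintext, so the allow-list constrains destinations but says nothing about transport integrity for those hosts.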
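--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -72,7 +72,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
-egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+uploads.github.com:443
 
 - name: Checkout repository
 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8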
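Review bot: The allow-list gains `api.github.com:443` and `uploads.github.com:443` with no note tying them to the steps that need them, and those steps lie outside the hunk, so the mapping should be written down where the list lives. A comment above `allowed-endpoints` such as `# api.github.com / uploads.github.com: presumably the CodeQL action's API calls and results upload — confirm against the init/analyze steps below` would do. `disable-sudo: true` is a welcome tightening; since no package-mirror endpoint is listed, it should be confirmed that no later step in this job still relies on apt-get, otherwise the combination fails at runtime rather than at review.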
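--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -26,7 +26,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
+disable-sudo: true
 egress-policy: block
+allowed-endpoints: >
+github.com:443
 
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: sort.py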