author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-10-26 15:24:21 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-10-29 11:00:06 +0200 |
commit | 0aa66649efa11e9c3c4d341f8a42f2eef8e942de (patch) | |
tree | 0fb38be7b45d5c1b91197372795829779363c40c | |
parent | Sort src/firecfg/firecfg.config (diff) | |
Add Profile Checks
-rw-r--r-- | .github/workflows/profile-checks.yml | 31 | ||||
-rw-r--r-- | .github/workflows/sort.yml | 21 | ||||
-rwxr-xr-x | ci/check/profiles/private-etc-always-required.sh | 15 | ||||
-rwxr-xr-x | ci/check/profiles/sort-disable-programs.sh | 2 | ||||
-rwxr-xr-x | ci/check/profiles/sort-firecfg.config.sh | 2 | ||||
l--------- | ci/check/profiles/sort.py | 1 |
6 files changed, 51 insertions, 21 deletions
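--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+
+on:
+push:
+branches: [ master ]
+paths:
+- 'etc/**'
+- 'ci/check/profiles/**'
+- 'src/firecfg/firecfg.config'
+- 'contrib/sort.py'
+pull_request:
+branches: [ master ]
+paths:
+- 'etc/**'
+- 'ci/check/profiles/**'
+- 'src/firecfg/firecfg.config'
+- 'contrib/sort.py'
+
+jobs:
+profile-checks:
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/checkout@v2
+- name: sort.py
+run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+- name: private-etc-always-required.sh
+run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+- name: sort-disable-programs.sh
+run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+- name: sort-firecfg.config.sh
+run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config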
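Review bot: The new workflow declares no `permissions:` block, so the `profile-checks` job runs with the repository's default `GITHUB_TOKEN` scope even though its steps only read the checkout; a top-level `permissions:` with `contents: read` would make the least-privilege intent explicit. `uses: actions/checkout@v2` follows a movable tag; pinning it to a full commit SHA (`actions/checkout@<full-commit-sha> # v2`) keeps the action code fixed between runs. The `paths:` filters also omit the workflow file itself, so an edit to `.github/workflows/profile-checks.yml` alone will not trigger the checks.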
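--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: sort.py
-
-on:
-push:
-branches: [ master ]
-paths:
-- 'etc/**'
-- 'contrib/sort.py'
-pull_request:
-branches: [ master ]
-paths:
-- 'etc/**'
-- 'contrib/sort.py'
-
-jobs:
-profile-sort:
-runs-on: ubuntu-20.04
-steps:
-- uses: actions/checkout@v2
-- name: check profiles
-run: ./contrib/sort.py etc/*/{*.inc,*.profile}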
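--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+for required in "${ALWAYS_REQUIRED[@]}"; do
+if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+printf '%s misses %s\n' "$profile" "$required" >&2
+error=1
+fi
+done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"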
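Review bot: The loop reads from `< <(grep "^private-etc " "$@")`, and the exit status of a process substitution is discarded, so when grep cannot open its inputs (for example a glob that no longer matches anything) the script prints grep's error and still exits 0; capturing grep's output and status first and failing when the status is greater than 1 would stop the check from passing on missing files. The pipelines in sort-disable-programs.sh and sort-firecfg.config.sh have the same gap, since a failing `tail` hands `sort -c` empty input and the exit status is sort's. Separately, grep omits the `file:` prefix when given a single file, so `IFS=: read -r profile private_etc` leaves `private_etc` empty on a one-file run; `grep -H "^private-etc " "$@"` keeps the prefix. The dots in `ld.so.cache` and `ld.so.preload` also reach the ERE unescaped and match any character.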
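--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u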
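Review bot: `tail -n +5` skips the first four lines of the input with no comment saying why, so a change to the length of whatever header `disable-programs.inc` carries would silently shift which lines are sort-checked. A one-line comment above the pipeline, such as `# Skip the 4-line file header; adjust if the header changes.`, would document the offset. The same applies to `tail -n +4` in sort-firecfg.config.sh.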
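--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d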
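--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
\ No newline at end of file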