Add Profile Checks

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-10-26 15:24:21 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-10-29 11:00:06 +0200
commit: 0aa66649efa11e9c3c4d341f8a42f2eef8e942de (patch)
tree: 0fb38be7b45d5c1b91197372795829779363c40c /ci/check/profiles
parent: Sort src/firecfg/firecfg.config (diff)
download: firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.gz
firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.zst
firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.zip
4 files changed, 20 insertions, 0 deletions
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 000000000..892b15aa4
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+error=0
+while IFS=: read -r profile private_etc; do
+        for required in "${ALWAYS_REQUIRED[@]}"; do
+                if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+                        printf '%s misses %s\n' "$profile" "$required" >&2
+                        error=1
+                fi
+        done
+done < <(grep "^private-etc " "$@")
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 000000000..d81ee75d7
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 000000000..17a595350
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 000000000..e1f3f5f16
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
+\ No newline at end of file
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-10-26 15:24:21 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-10-29 11:00:06 +0200
commit	0aa66649efa11e9c3c4d341f8a42f2eef8e942de (patch)
tree	0fb38be7b45d5c1b91197372795829779363c40c /ci/check/profiles
parent	Sort src/firecfg/firecfg.config (diff)
download	firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.gz firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.tar.zst firejail-0aa66649efa11e9c3c4d341f8a42f2eef8e942de.zip

diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh new file mode 100755 index 000000000..892b15aa4 --- /dev/null +++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
	1	#!/bin/bash
	2
	3	ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
	4
	5	error=0
	6	while IFS=: read -r profile private_etc; do
	7	for required in "${ALWAYS_REQUIRED[@]}"; do
	8	if grep -q -v -E "( \|,)$required(,\|$)" <<<"$private_etc"; then
	9	printf '%s misses %s\n' "$profile" "$required" >&2
	10	error=1
	11	fi
	12	done
	13	done < <(grep "^private-etc " "$@")
	14
	15	exit "$error"


diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh new file mode 100755 index 000000000..d81ee75d7 --- /dev/null +++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
	1	#!/bin/sh
	2	tail -n +5 "$1" \| LC_ALL=C sort -c -u


diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh new file mode 100755 index 000000000..17a595350 --- /dev/null +++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
	1	#!/bin/sh
	2	tail -n +4 "$1" \| sed 's/^# /#/' \| LC_ALL=C sort -c -d


diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py new file mode 120000 index 000000000..e1f3f5f16 --- /dev/null +++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
		../../../contrib/sort.py \ No newline at end of file