-rw-r--r-- | .github/workflows/build-extra.yml | 153 | ||||
-rw-r--r-- | .github/workflows/build.yml | 95 | ||||
-rw-r--r-- | .github/workflows/check-c.yml | 161 | ||||
-rw-r--r-- | .github/workflows/check-profiles.yml (renamed from .github/workflows/profile-checks.yml) | 10 | ||||
-rw-r--r-- | .github/workflows/check-python.yml | 55 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 125 | ||||
-rw-r--r-- | .github/workflows/codespell.yml | 2 | ||||
-rw-r--r-- | .github/workflows/test.yml | 253 | ||||
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | README.md | 11 |
10 files changed, 556 insertions, 310 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 3fc71a299..1629733ae 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -1,52 +1,36 @@ | |||
1 | name: Build-extra CI | 1 | # Builds the project with alternative tools. |
2 | |||
3 | name: Build-extra | ||
2 | 4 | ||
3 | on: | 5 | on: |
4 | push: | 6 | push: |
5 | paths-ignore: | 7 | paths: |
6 | - '.github/ISSUE_TEMPLATE/*' | 8 | - 'm4/**' |
7 | - 'contrib/syntax/**' | 9 | - 'src/**.c' |
8 | - 'contrib/vim/**' | 10 | - 'src/**.h' |
9 | - 'etc/**' | 11 | - 'src/**.mk' |
10 | - 'src/man/*.in' | 12 | - 'src/**Makefile' |
11 | - .git-blame-ignore-revs | 13 | - .github/workflows/build-extra.yml |
12 | - .github/dependabot.yml | 14 | - Makefile |
13 | - .github/pull_request_template.md | 15 | - ci/printenv.sh |
14 | - .github/workflows/build.yml | 16 | - config.mk.in |
15 | - .github/workflows/codeql-analysis.yml | 17 | - config.sh.in |
16 | - .github/workflows/codespell.yml | 18 | - configure |
17 | - .github/workflows/profile-checks.yml | 19 | - configure.ac |
18 | - .gitignore | ||
19 | - .gitlab-ci.yml | ||
20 | - CONTRIBUTING.md | ||
21 | - COPYING | ||
22 | - README | ||
23 | - README.md | ||
24 | - RELNOTES | ||
25 | - SECURITY.md | ||
26 | - src/firecfg/firecfg.config | ||
27 | pull_request: | 20 | pull_request: |
28 | paths-ignore: | 21 | paths: |
29 | - '.github/ISSUE_TEMPLATE/*' | 22 | - 'm4/**' |
30 | - 'contrib/syntax/**' | 23 | - 'src/**.c' |
31 | - 'contrib/vim/**' | 24 | - 'src/**.h' |
32 | - 'etc/**' | 25 | - 'src/**.mk' |
33 | - 'src/man/*.in' | 26 | - 'src/**Makefile' |
34 | - .git-blame-ignore-revs | 27 | - .github/workflows/build-extra.yml |
35 | - .github/dependabot.yml | 28 | - Makefile |
36 | - .github/pull_request_template.md | 29 | - ci/printenv.sh |
37 | - .github/workflows/build.yml | 30 | - config.mk.in |
38 | - .github/workflows/codeql-analysis.yml | 31 | - config.sh.in |
39 | - .github/workflows/codespell.yml | 32 | - configure |
40 | - .github/workflows/profile-checks.yml | 33 | - configure.ac |
41 | - .gitignore | ||
42 | - .gitlab-ci.yml | ||
43 | - CONTRIBUTING.md | ||
44 | - COPYING | ||
45 | - README | ||
46 | - README.md | ||
47 | - RELNOTES | ||
48 | - SECURITY.md | ||
49 | - src/firecfg/firecfg.config | ||
50 | 34 | ||
51 | permissions: # added using https://github.com/step-security/secure-workflows | 35 | permissions: # added using https://github.com/step-security/secure-workflows |
52 | contents: read | 36 | contents: read |
@@ -86,82 +70,3 @@ jobs: | |||
86 | run: sudo make install | 70 | run: sudo make install |
87 | - name: print version | 71 | - name: print version |
88 | run: command -V firejail && firejail --version | 72 | run: command -V firejail && firejail --version |
89 | scan-build: | ||
90 | runs-on: ubuntu-22.04 | ||
91 | steps: | ||
92 | - name: Harden Runner | ||
93 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
94 | with: | ||
95 | egress-policy: block | ||
96 | allowed-endpoints: > | ||
97 | archive.ubuntu.com:80 | ||
98 | azure.archive.ubuntu.com:80 | ||
99 | github.com:443 | ||
100 | packages.microsoft.com:443 | ||
101 | ppa.launchpadcontent.net:443 | ||
102 | security.ubuntu.com:80 | ||
103 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
104 | - name: update package information | ||
105 | run: sudo apt-get update -qy | ||
106 | - name: install clang-tools-14 and dependencies | ||
107 | run: > | ||
108 | sudo apt-get install -qy | ||
109 | clang-tools-14 libapparmor-dev libselinux1-dev | ||
110 | - name: print env | ||
111 | run: ./ci/printenv.sh | ||
112 | - name: configure | ||
113 | run: > | ||
114 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
115 | --enable-selinux | ||
116 | || (cat config.log; exit 1) | ||
117 | - name: scan-build | ||
118 | run: scan-build-14 --status-bugs make | ||
119 | cppcheck: | ||
120 | runs-on: ubuntu-22.04 | ||
121 | steps: | ||
122 | - name: Harden Runner | ||
123 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
124 | with: | ||
125 | egress-policy: block | ||
126 | allowed-endpoints: > | ||
127 | archive.ubuntu.com:80 | ||
128 | azure.archive.ubuntu.com:80 | ||
129 | github.com:443 | ||
130 | packages.microsoft.com:443 | ||
131 | ppa.launchpadcontent.net:443 | ||
132 | security.ubuntu.com:80 | ||
133 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
134 | - name: update package information | ||
135 | run: sudo apt-get update -qy | ||
136 | - name: install cppcheck | ||
137 | run: sudo apt-get install -qy cppcheck | ||
138 | - run: cppcheck --version | ||
139 | - name: cppcheck | ||
140 | run: > | ||
141 | cppcheck -q --force --error-exitcode=1 --enable=warning,performance | ||
142 | -i src/firejail/checkcfg.c -i src/firejail/main.c . | ||
143 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore | ||
144 | # scan all files also with older cppcheck version from ubuntu 20.04. | ||
145 | cppcheck_old: | ||
146 | runs-on: ubuntu-20.04 | ||
147 | steps: | ||
148 | - name: Harden Runner | ||
149 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
150 | with: | ||
151 | egress-policy: block | ||
152 | allowed-endpoints: > | ||
153 | archive.ubuntu.com:80 | ||
154 | azure.archive.ubuntu.com:80 | ||
155 | github.com:443 | ||
156 | packages.microsoft.com:443 | ||
157 | ppa.launchpad.net:80 | ||
158 | ppa.launchpadcontent.net:443 | ||
159 | security.ubuntu.com:80 | ||
160 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
161 | - name: update package information | ||
162 | run: sudo apt-get update -qy | ||
163 | - name: install cppcheck | ||
164 | run: sudo apt-get install -qy cppcheck | ||
165 | - run: cppcheck --version | ||
166 | - name: cppcheck | ||
167 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | ||
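Review bot: The second hunk deletes the `scan-build`, `cppcheck` and `cppcheck_old` jobs from this workflow (they reappear under the new Check-C workflow); if any of them is listed as a required status check in branch protection, the check keeps its old `Build-extra CI / scan-build` identity and will simply never report again, blocking merges until the required-check list is updated to the new workflow/job names. The same applies to the `build_and_test` -> `build` rename in build.yml and to the test targets moved into test.yml. The commit message does not mention the branch-protection side, so either update the required checks alongside this commit or note in the description that they must be renamed; nothing in the YAML itself can do it.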
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 489ed4335..d923f8b2b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -1,68 +1,69 @@ | |||
1 | name: Build CI | 1 | # Checks that `make dist` works and builds the project with the default |
2 | # configuration. | ||
2 | 3 | ||
4 | name: Build | ||
5 | |||
6 | # Note: Keep this list in sync with DISTFILES in ../../Makefile. | ||
3 | on: | 7 | on: |
4 | push: | 8 | push: |
5 | paths-ignore: | 9 | paths: |
6 | - '.github/ISSUE_TEMPLATE/*' | 10 | - 'contrib/**' |
7 | - .git-blame-ignore-revs | 11 | - 'etc/**' |
8 | - .github/dependabot.yml | 12 | - 'm4/**' |
9 | - .github/pull_request_template.md | 13 | - 'platform/**' |
10 | - .github/workflows/build-extra.yml | 14 | - 'src/**' |
11 | - .github/workflows/codeql-analysis.yml | 15 | - 'test/**' |
12 | - .github/workflows/codespell.yml | 16 | - .github/workflows/build.yml |
13 | - .github/workflows/profile-checks.yml | ||
14 | - .gitignore | ||
15 | - .gitlab-ci.yml | ||
16 | - CONTRIBUTING.md | ||
17 | - COPYING | 17 | - COPYING |
18 | - Makefile | ||
18 | - README | 19 | - README |
19 | - README.md | ||
20 | - RELNOTES | 20 | - RELNOTES |
21 | - SECURITY.md | 21 | - ci/printenv.sh |
22 | - config.mk.in | ||
23 | - config.sh.in | ||
24 | - configure | ||
25 | - configure.ac | ||
26 | - install.sh | ||
27 | - mkdeb.sh | ||
28 | - mketc.sh | ||
22 | pull_request: | 29 | pull_request: |
23 | paths-ignore: | 30 | paths: |
24 | - '.github/ISSUE_TEMPLATE/*' | 31 | - 'contrib/**' |
25 | - .git-blame-ignore-revs | 32 | - 'etc/**' |
26 | - .github/dependabot.yml | 33 | - 'm4/**' |
27 | - .github/pull_request_template.md | 34 | - 'platform/**' |
28 | - .github/workflows/build-extra.yml | 35 | - 'src/**' |
29 | - .github/workflows/codeql-analysis.yml | 36 | - 'test/**' |
30 | - .github/workflows/codespell.yml | 37 | - .github/workflows/build.yml |
31 | - .github/workflows/profile-checks.yml | ||
32 | - .gitignore | ||
33 | - .gitlab-ci.yml | ||
34 | - CONTRIBUTING.md | ||
35 | - COPYING | 38 | - COPYING |
39 | - Makefile | ||
36 | - README | 40 | - README |
37 | - README.md | ||
38 | - RELNOTES | 41 | - RELNOTES |
39 | - SECURITY.md | 42 | - ci/printenv.sh |
43 | - config.mk.in | ||
44 | - config.sh.in | ||
45 | - configure | ||
46 | - configure.ac | ||
47 | - install.sh | ||
48 | - mkdeb.sh | ||
49 | - mketc.sh | ||
40 | 50 | ||
41 | permissions: # added using https://github.com/step-security/secure-workflows | 51 | permissions: # added using https://github.com/step-security/secure-workflows |
42 | contents: read | 52 | contents: read |
43 | 53 | ||
44 | jobs: | 54 | jobs: |
45 | build_and_test: | 55 | build: |
46 | runs-on: ubuntu-22.04 | 56 | runs-on: ubuntu-22.04 |
47 | env: | ||
48 | SHELL: /bin/bash | ||
49 | steps: | 57 | steps: |
50 | - name: Harden Runner | 58 | - name: Harden Runner |
51 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | 59 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 |
52 | with: | 60 | with: |
53 | egress-policy: block | 61 | egress-policy: block |
54 | allowed-endpoints: > | 62 | allowed-endpoints: > |
55 | 1.1.1.1:1025 | ||
56 | azure.archive.ubuntu.com:80 | 63 | azure.archive.ubuntu.com:80 |
57 | debian.org:80 | ||
58 | dns.quad9.net:53 | ||
59 | github.com:443 | 64 | github.com:443 |
60 | packages.microsoft.com:443 | 65 | packages.microsoft.com:443 |
61 | ppa.launchpadcontent.net:443 | 66 | ppa.launchpadcontent.net:443 |
62 | whois.pir.org:43 | ||
63 | www.debian.org:443 | ||
64 | www.debian.org:80 | ||
65 | yahoo.com:1025 | ||
66 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | 67 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
67 | - name: update package information | 68 | - name: update package information |
68 | run: sudo apt-get update -qy | 69 | run: sudo apt-get update -qy |
@@ -84,19 +85,3 @@ jobs: | |||
84 | run: sudo make install | 85 | run: sudo make install |
85 | - name: print firejail version | 86 | - name: print firejail version |
86 | run: command -V firejail && firejail --version | 87 | run: command -V firejail && firejail --version |
87 | - run: make lab-setup | ||
88 | - run: make test-seccomp-extra | ||
89 | - run: make test-firecfg | ||
90 | - run: make test-capabilities | ||
91 | - run: make test-apparmor | ||
92 | - run: make test-appimage | ||
93 | - run: make test-chroot | ||
94 | - run: make test-sysutils | ||
95 | - run: make test-private-etc | ||
96 | - run: make test-profiles | ||
97 | - run: make test-fcopy | ||
98 | - run: make test-fnetfilter | ||
99 | - run: make test-fs | ||
100 | - run: make test-utils | ||
101 | - run: make test-environment | ||
102 | - run: make test-network | ||
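Review bot: The new comment above `on:` says to keep the `paths` list in sync with DISTFILES, but the list also carries `.github/workflows/build.yml` and `ci/printenv.sh`, which are CI inputs rather than distributed files (DISTFILES is only partly visible in this page, so I am inferring they are absent there); a reader doing the comparison will find the two lists "out of sync" by design. Wording such as `# Note: Keep this list in sync with DISTFILES in ../../Makefile (plus the CI files used by this workflow).` records the intended difference. The sibling comment added in the Makefile hunk could say the same.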
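--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,161 @@
+# Checks for potential issues in the source code.
+
+name: Check-C
+
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  scan-build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install clang-tools-14 and dependencies
+        run: >
+          sudo apt-get install -qy
+          clang-tools-14 libapparmor-dev libselinux1-dev
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+          --enable-selinux
+          || (cat config.log; exit 1)
+      - name: scan-build
+        run: scan-build-14 --status-bugs make
+
+  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install cppcheck
+        run: sudo apt-get install -qy cppcheck
+      - run: cppcheck --version
+      - name: cppcheck
+        run: >
+          cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+          -i src/firejail/checkcfg.c -i src/firejail/main.c .
+
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpad.net:80
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install cppcheck
+        run: sudo apt-get install -qy cppcheck
+      - run: cppcheck --version
+      - name: cppcheck
+        run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+
+  codeql-cpp:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            uploads.github.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+      - name: print env
+        run: ./ci/printenv.sh
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
+        with:
+          languages: cpp
+
+      - name: configure
+        run: ./configure
+
+      - name: make
+        run: make -j "$(nproc)"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624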
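Review bot: The `codeql-cpp` job at the end of the file configures with a bare `./configure`, whereas `scan-build` at the top passes `--enable-apparmor --enable-selinux`; the AppArmor and SELinux code paths are therefore compiled out of the CodeQL database and never analyzed, even though they are exactly the privileged-integration code a static scan should cover. With `disable-sudo: true` the job cannot apt-get the `-dev` libraries, so either drop `disable-sudo`, add the install step and the apt endpoints the other jobs use, or record the gap with `# Note: apparmor/selinux are not enabled here (no sudo for apt), so CodeQL does not see those code paths.` The job also uses `runs-on: ubuntu-latest` while every other job in this file pins `ubuntu-22.04`, and its configure step lacks the `|| (cat config.log; exit 1)` fallback the others use, so a configure failure here gives no log output.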
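--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,18 +1,22 @@
-name: Profile Checks
+# Lints and checks for potential issues in the profiles.
+
+name: Check-Profiles
 
 on:
   push:
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
   pull_request:
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
 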
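--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,55 @@
+# Lints and checks for potential issues in Python files.
+
+name: Check-Python
+
+on:
+  push:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  pull_request:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codeql-python:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            uploads.github.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+      - name: print env
+        run: ./ci/printenv.sh
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05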
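Review bot: `github/codeql-action/init` and `analyze` are pinned here to `0ba4244466797eb048eb91a6cd43d5c03ca8bd05`, while the new check-c.yml (and the deleted codeql-analysis.yml) pin `5b6282e01c62d02e720b81eb8a51204f527c3624`; two commits of the same action in one repository mean the C and Python scans run different CodeQL releases and any future bump has to be reviewed twice. Pick one commit for both files, e.g. change the two `uses:` lines here to `github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624` and `github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624`, or update check-c.yml to this one. Both init and analyze within a file should always share a commit, which they do here.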
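--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,125 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL"
-
-on:
-  push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  schedule:
-    - cron: '0 7 * * 2'
-
-permissions: # added using https://github.com/step-security/secure-workflows
-  contents: read
-
-jobs:
-  analyze:
-    permissions:
-      actions: read # for github/codeql-action/init to get workflow details
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/autobuild to send a status report
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp', 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            files.pythonhosted.org:443
-            github.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
-            uploads.github.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-
-      - name: print env
-        run: ./ci/printenv.sh
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
-
-      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
-
-      #- run: |
-      #   make bootstrap
-      #   make release
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624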
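--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,3 +1,5 @@
+# Checks the spelling on all non-third-party files.
+
 name: Codespell
 
 on: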
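--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,253 @@
+# Checks that the tests are passing.
+
+name: Test
+
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - src/firecfg/firecfg.config
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - src/firecfg/firecfg.config
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+#
+# Faster tests
+#
+
+jobs:
+  test-main:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: >
+          sudo apt-get install -qy
+          gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+          --enable-analyzer --enable-apparmor --enable-selinux
+          || (cat config.log; exit 1)
+      - name: make
+        run: make -j "$(nproc)"
+      - name: make install
+        run: sudo make install
+      - name: print firejail version
+        run: command -V firejail && firejail --version
+      - run: make lab-setup
+      - run: make test-seccomp-extra
+      - run: make test-firecfg
+      - run: make test-capabilities
+      - run: make test-apparmor
+      - run: make test-appimage
+      - run: make test-chroot
+      - run: make test-fcopy
+
+  #
+  # Slower tests
+  #
+
+  test-fs:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: >
+          sudo apt-get install -qy
+          gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+          --enable-analyzer --enable-apparmor --enable-selinux
+          || (cat config.log; exit 1)
+      - name: make
+        run: make -j "$(nproc)"
+      - name: make install
+        run: sudo make install
+      - name: print firejail version
+        run: command -V firejail && firejail --version
+      - run: make lab-setup
+      - run: make test-private-etc
+      - run: make test-fs
+
+  test-environment:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: >
+          sudo apt-get install -qy
+          gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+          --enable-analyzer --enable-apparmor --enable-selinux
+          || (cat config.log; exit 1)
+      - name: make
+        run: make -j "$(nproc)"
+      - name: make install
+        run: sudo make install
+      - name: print firejail version
+        run: command -V firejail && firejail --version
+      - run: make lab-setup
+      - run: make test-environment
+      - run: make test-profiles
+
+  test-utils:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            debian.org:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            www.debian.org:443
+            www.debian.org:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: >
+          sudo apt-get install -qy
+          gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+          --enable-analyzer --enable-apparmor --enable-selinux
+          || (cat config.log; exit 1)
+      - name: make
+        run: make -j "$(nproc)"
+      - name: make install
+        run: sudo make install
+      - name: print firejail version
+        run: command -V firejail && firejail --version
+      - run: make lab-setup
+      - run: make test-utils
+
+  test-network:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            1.1.1.1:1025
+            azure.archive.ubuntu.com:80
+            debian.org:80
+            dns.quad9.net:53
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            whois.pir.org:43
+            www.debian.org:443
+            www.debian.org:80
+            yahoo.com:1025
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install dependencies
+        run: >
+          sudo apt-get install -qy
+          gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
+          bridge-utils
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+          --enable-analyzer --enable-apparmor --enable-selinux
+          || (cat config.log; exit 1)
+      - name: make
+        run: make -j "$(nproc)"
+      - name: make install
+        run: sudo make install
+      - name: print firejail version
+        run: command -V firejail && firejail --version
+      - run: make lab-setup
+      - run: make test-fnetfilter
+      - run: make test-sysutils
+      - run: make test-network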
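Review bot: The `paths` filters at the top of this file omit `ci/printenv.sh` even though every job runs `./ci/printenv.sh`, and build-extra.yml, build.yml, check-c.yml and check-profiles.yml all add it to their lists in this same commit; add `- ci/printenv.sh` to both the push and pull_request lists so a change to that script is exercised here too. The `test-network` allow-list is also the only place in the new workflow set that still opens non-package egress (`1.1.1.1:1025`, `dns.quad9.net:53`, `whois.pir.org:43`, `yahoo.com:1025`, the debian.org hosts); these are presumably the hosts the network tests contact, not build inputs, so a comment above that `allowed-endpoints:` such as `# extra hosts reached by the network tests; not needed for the build` would stop a future reader from copying them into the other jobs or deleting them as stale.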
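--- a/Makefile
+++ b/Makefile
@@ -299,6 +299,7 @@ uninstall: config.mk
 rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
+# Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
 DISTFILES = \
 COPYING \
 Makefile \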
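--- a/README.md
+++ b/README.md
@@ -1,8 +1,13 @@
 # Firejail
 
-[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
-[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
-[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
+[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
+[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
+[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
+[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
+[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
+[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
+[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
 [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
 Firejail is a SUID sandbox program that reduces the risk of security breaches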