
ci: whitelist needed endpoints and block access to sudo #5485

Merged
merged 1 commit into master from egress-policy-block
Nov 27, 2022

Conversation

rusty-snake
Collaborator

No description provided.

@rusty-snake
Collaborator Author

Error: fatal: unable to access 'https://github.com/netblue30/firejail/': Failed to connect to github.com port 443 after 12 ms: Connection refused

Ideas?

Collaborator

@kmk3 kmk3 left a comment


@rusty-snake commented on Nov 26:

Error: fatal: unable to access 'https://github.com/netblue30/firejail/': Failed to connect to github.com port 443 after 12 ms: Connection refused

Ideas?

Try to move the harden-runner step to after the actions/checkout step on each job.

@rusty-snake
Collaborator Author

Ahh, we need to add

    allowed-endpoints: >
      azure.archive.ubuntu.com:80
      debian.org:80
      github.com:443
      packages.microsoft.com:443
      ppa.launchpadcontent.net:443
      www.debian.org:443
      www.debian.org:80
      yahoo.com:1025

And we can consider disable-sudo: true for some jobs.

@kmk3
Collaborator

kmk3 commented Nov 26, 2022

@rusty-snake commented on Nov 26:

Ahh, we need to add

    allowed-endpoints: >
      azure.archive.ubuntu.com:80
      debian.org:80
      github.com:443
      packages.microsoft.com:443
      ppa.launchpadcontent.net:443
      www.debian.org:443
      www.debian.org:80

Makes sense to me.

      yahoo.com:1025

Why?

Edit: Nevermind, I see now that there's a test that pings yahoo.com:

send -- "ping -c 3 yahoo.com\r"

@rusty-snake
Collaborator Author

rusty-snake commented Nov 26, 2022

Rebased, squashed, and fixed the profile-check workflow, which was changed accidentally. Do not merge profile changes until this is merged.

I think I'll change build_and_test back to audit for now because block seems to cause problems with the netfilter tests. Edit: Seems to run fine.

@rusty-snake rusty-snake marked this pull request as ready for review November 26, 2022 20:40
Collaborator

@kmk3 kmk3 left a comment


Nicely done; LGTM.

Suggestion for the commit message:

ci: whitelist needed endpoints and block access to sudo

Disable sudo for codeql-analysis.yml and profile-checks.yml.

@rusty-snake rusty-snake merged commit 56ba1d2 into master Nov 27, 2022
@rusty-snake rusty-snake deleted the egress-policy-block branch November 27, 2022 08:12
@kmk3
Collaborator

kmk3 commented Nov 27, 2022

Suggestion for the commit message:

ci: whitelist needed endpoints and block access to sudo

Disable sudo for codeql-analysis.yml and profile-checks.yml.

@rusty-snake Thoughts on this?

I'd change at least the PR title to make it clearer (which is also usually what
goes in the RELNOTES).

@rusty-snake
Collaborator Author

Actually I don't have a strong opinion.

@kmk3 kmk3 changed the title from "Workflows: Change egress-policy to block" to "ci: whitelist needed endpoints and block access to sudo" Nov 27, 2022
kmk3 added a commit that referenced this pull request Nov 28, 2022
kmk3 added a commit that referenced this pull request May 3, 2023
Relevant lines from build_and_test[1]:

    endpoint called ip address:port 1.1.1.1:1025, domain:
    endpoint called ip address:port 54.185.253.63:43, domain: whois.pir.org.
    ##[error]StepSecurity Harden Runner: DNS resolution for domain dns.quad9.net. was blocked. This domain is not in the list of allowed-endpoints.
    ##[error]StepSecurity Harden Runner: DNS resolution for domain whois.pir.org. was blocked. This domain is not in the list of allowed-endpoints.

The relevant tests were added in the following commits:

* ef4409e ("added whois and dig profiles", 2018-08-30)
* 1718982 ("more profile fixes/testing", 2023-01-19)

Relates to #5439 #5485.

[1] https://github.com/netblue30/firejail/actions/runs/4854586882/jobs/8652141329
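Turning Harden Runner log lines like the ones quoted above into an allowed-endpoints candidate list is a manual chore every time egress-policy is tightened to block. The script below is an added example, not code from firejail or from the Harden Runner project: it parses the two line shapes shown in the commit message (the sample lines are constructed from them) and emits host:port entries for a reviewer to vet, using an explicit placeholder port for names that were only seen as refused DNS lookups.

```python
import re
from collections import defaultdict

# Constructed sample: the two Harden Runner log-line shapes quoted above.
SAMPLE_LOG = """\
endpoint called ip address:port 1.1.1.1:1025, domain:
endpoint called ip address:port 54.185.253.63:43, domain: whois.pir.org.
##[error]StepSecurity Harden Runner: DNS resolution for domain dns.quad9.net. was blocked. This domain is not in the list of allowed-endpoints.
##[error]StepSecurity Harden Runner: DNS resolution for domain whois.pir.org. was blocked. This domain is not in the list of allowed-endpoints.
"""

ENDPOINT_RE = re.compile(
    r"endpoint called ip address:port (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+), domain:\s*(?P<domain>\S*)"
)
DNS_BLOCKED_RE = re.compile(r"DNS resolution for domain (?P<domain>\S+) was blocked")

def parse_harden_runner_log(lines):
    """Return (endpoints, dns_blocked): host -> ports seen, and names whose
    lookup was refused. Host is the logged domain, else the raw IP."""
    endpoints, dns_blocked = defaultdict(set), set()
    for line in lines:
        if m := ENDPOINT_RE.search(line):
            host = m.group("domain").rstrip(".") or m.group("ip")
            endpoints[host].add(int(m.group("port")))
        elif m := DNS_BLOCKED_RE.search(line):
            dns_blocked.add(m.group("domain").rstrip("."))
    return dict(endpoints), dns_blocked

def suggest_allowed_endpoints(endpoints, dns_blocked):
    """Candidate host:port entries for a reviewer to vet one by one; a name seen
    only as a refused lookup has no observed port, so it gets a placeholder."""
    entries = [f"{h}:{p}" for h in sorted(endpoints) for p in sorted(endpoints[h])]
    entries += [f"{d}:<PORT?>" for d in sorted(dns_blocked) if d not in endpoints]
    return entries

def render_allowed_endpoints(entries):
    """Render entries as the folded scalar used in the harden-runner step above."""
    return "allowed-endpoints: >\n" + "".join(f"  {e}\n" for e in entries)

if __name__ == "__main__":
    eps, blocked = parse_harden_runner_log(SAMPLE_LOG.splitlines())
    print(render_allowed_endpoints(suggest_allowed_endpoints(eps, blocked)))
```

Raw-IP entries (the 1.1.1.1:1025 line has no domain) and placeholder ports are the ones to look up before committing them to the workflow.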