ci: whitelist needed endpoints and block access to sudo #5485
Conversation
@rusty-snake commented on Nov 26:
Error: fatal: unable to access 'https://github.com/netblue30/firejail/': Failed to connect to github.com port 443 after 12 ms: Connection refused
Ideas?
Try to move the harden-runner step to after the actions/checkout step on each job.
Ahh, we need to add allowed-endpoints: >
azure.archive.ubuntu.com:80
debian.org:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
www.debian.org:443
www.debian.org:80
yahoo.com:1025
And we can consider
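The resulting workflow step, as an added illustration rather than the PR's own diff: harden-runner stays as the first step, egress is switched to block mode with the endpoint list from this thread, and sudo is disabled as the PR title describes. The workflow name, job name and build commands are constructed placeholders; the action inputs `egress-policy`, `disable-sudo` and `allowed-endpoints` are the ones the StepSecurity action documents.

```yaml
# Constructed example workflow; not taken from the firejail repository.
name: build_and_test
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden Runner must run before actions/checkout so the egress policy
      # is already in place when the first network access happens.
      - uses: step-security/harden-runner@v2
        with:
          # "block" enforces the allowlist below; "audit" only logs the
          # endpoints a job called, which is how the list was collected.
          egress-policy: block
          # Remove sudo so a compromised step cannot escalate on the runner.
          disable-sudo: true
          # One host:port per line. github.com:443 is what the checkout step
          # needs; without it the "Connection refused" error from the thread
          # is exactly what you get.
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            debian.org:80
            github.com:443
            packages.microsoft.com:443
            ppa.launchpadcontent.net:443
            www.debian.org:443
            www.debian.org:80
            yahoo.com:1025
      - uses: actions/checkout@v3
      - name: Build and test
        # Placeholder build commands for the example.
        run: |
          ./configure && make
          make test
```

Any endpoint not in the list is reported as a blocked DNS resolution in the job log, which is the signal to either extend the list or drop the test that needs it.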
@rusty-snake commented on Nov 26:
Makes sense to me.
Why?
Edit: Nevermind, I see now that there's a test that pings yahoo.com: firejail/test/sysutils/ping.exp, line 10 in 121749f.
59f544e to bb8e373
Rebased, squashed and fixed the profile-check workflow, which was changed accidentally. Do not merge profile changes until this is merged.
Nicely done; LGTM.
Suggestion for the commit message:
ci: whitelist needed endpoints and block access to sudo
Disable sudo for codeql-analysis.yml and profile-checks.yml.
@rusty-snake Thoughts on this? I'd change at least the PR title to make it clearer (which is also usually what
Actually I don't have a strong opinion.
Relevant lines from build_and_test[1]:
endpoint called ip address:port 1.1.1.1:1025, domain:
endpoint called ip address:port 54.185.253.63:43, domain: whois.pir.org.
##[error]StepSecurity Harden Runner: DNS resolution for domain dns.quad9.net. was blocked. This domain is not in the list of allowed-endpoints.
##[error]StepSecurity Harden Runner: DNS resolution for domain whois.pir.org. was blocked. This domain is not in the list of allowed-endpoints.
The relevant tests were added in the following commits:
* ef4409e ("added whois and dig profiles", 2018-08-30)
* 1718982 ("more profile fixes/testing", 2023-01-19)
Relates to #5439 #5485.
[1] https://github.com/netblue30/firejail/actions/runs/4854586882/jobs/8652141329