From b589045b0fde572b892b8fe9333e2148f6b28452 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:51:27 -0300 Subject: [PATCH 01/11] ci: use path whitelists instead of blacklists That is, replace `paths-ignore` with `paths`. This should reduce the number of unnecessary workflow executions and the frequency at which paths are changed. It also reduces the overall number of paths used. Also, add the missing ci/printenv.sh to the path whitelists. --- .github/workflows/build-extra.yml | 70 ++++++++++----------------- .github/workflows/build.yml | 63 +++++++++++++----------- .github/workflows/codeql-analysis.yml | 70 ++++++++++----------------- .github/workflows/profile-checks.yml | 2 + Makefile | 1 + 5 files changed, 90 insertions(+), 116 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 3fc71a299dd..f35a7d3d350 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -2,51 +2,33 @@ name: Build-extra CI on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.in' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/build-extra.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.in' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/build-extra.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 489ed433582..12df3876282 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
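Review bot: Switching to a `paths` allowlist means any file the job executes that is not on the list no longer triggers a run, so the list must mirror the job's real inputs; the hunk adds `ci/printenv.sh`, but this job also runs `sudo make install` (visible later in the series), and if that target invokes `install.sh` or `mketc.sh` those belong here too — I cannot confirm that from the hunk. A second caveat to verify before relying on the narrowed triggers: if any of these workflows are required status checks in branch protection, GitHub's documented behavior is to leave a path-filtered, skipped workflow's check pending rather than passing, which would block PRs that touch only excluded paths. A short comment above each `paths:` list would make the maintenance contract explicit, e.g. `# Only files that affect the C build; keep in sync with the steps below.`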
@@ -1,42 +1,49 @@ name: Build CI +# Note: Keep this list in sync with DISTFILES in ../../Makefile. on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md + paths: + - 'contrib/**' + - 'etc/**' + - 'm4/**' + - 'platform/**' + - 'src/**' + - 'test/**' + - .github/workflows/build.yml - COPYING + - Makefile - README - - README.md - RELNOTES - - SECURITY.md + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + - install.sh + - mkdeb.sh + - mketc.sh pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md + paths: + - 'contrib/**' + - 'etc/**' + - 'm4/**' + - 'platform/**' + - 'src/**' + - 'test/**' + - .github/workflows/build.yml - COPYING + - Makefile - README - - README.md - RELNOTES - - SECURITY.md + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + - install.sh + - mkdeb.sh + - mketc.sh permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 344090cfde8..a4c4a1146ac 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -7,51 +7,33 @@ name: "CodeQL" on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.txt' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/build.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/codeql-analysis.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.txt' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/build.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/codeql-analysis.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac schedule: - cron: '0 7 * * 2' diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index c440127683a..4768c91a172 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml @@ -6,6 +6,7 @@ on: - 'ci/check/profiles/**' - 'etc/**' - .github/workflows/profile-checks.yml + - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config pull_request: 
@@ -13,6 +14,7 @@ on: - 'ci/check/profiles/**' - 'etc/**' - .github/workflows/profile-checks.yml + - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config diff --git a/Makefile b/Makefile index 043c491c66b..450b8a0b450 100644 --- a/Makefile +++ b/Makefile @@ -299,6 +299,7 @@ uninstall: config.mk rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." +# Note: Keep this list in sync with `paths` in .github/workflows/build.yml. DISTFILES = \ COPYING \ Makefile \ From 2f1b352e4e4fcc9c44fa618dfaf7e04b6f972caf Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 22:30:29 -0300 Subject: [PATCH 02/11] ci: rename profile-checks.yml to check-profiles.yml --- .../workflows/{profile-checks.yml => check-profiles.yml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{profile-checks.yml => check-profiles.yml} (92%) diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/check-profiles.yml similarity index 92% rename from .github/workflows/profile-checks.yml rename to .github/workflows/check-profiles.yml index 4768c91a172..5167516e829 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/check-profiles.yml @@ -1,11 +1,11 @@ -name: Profile Checks +name: Check-Profiles on: push: paths: - 'ci/check/profiles/**' - 'etc/**' - - .github/workflows/profile-checks.yml + - .github/workflows/check-profiles.yml - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config @@ -13,7 +13,7 @@ on: paths: - 'ci/check/profiles/**' - 'etc/**' - - .github/workflows/profile-checks.yml + - .github/workflows/check-profiles.yml - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config From 5995a69e2c654b7dd6452acdabbfedd8510fd58a Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 04:27:32 -0300 Subject: [PATCH 03/11] ci: trim comments in codeql-analysis.yml Note: When generating a new workflow, the permissions do not have comments anymore. --- .github/workflows/codeql-analysis.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a4c4a1146ac..bb43f7d5031 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,9 +1,4 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: @@ -43,9 +38,9 @@ permissions: # added using https://github.com/step-security/secure-workflows jobs: analyze: permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report + actions: read + contents: read + security-events: write name: Analyze runs-on: ubuntu-latest @@ -82,10 +77,6 @@ jobs: uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From 8d53acbbb26928da60b215c71de90293ec70fbe6 Mon Sep 17 00:00:00 2001 
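Review bot: Dropping the per-permission comments (`# for github/codeql-action/init to get workflow details`, `# for actions/checkout to fetch code`, `# for github/codeql-action/autobuild to send a status report`) removes the only record of why `actions: read`, `contents: read` and `security-events: write` are granted to the `analyze` job; the generator no longer emitting them is not a reason to lose the least-privilege rationale, which is exactly what a reviewer checks when auditing token scopes. I would keep a compact justification on each line, e.g. `security-events: write # codeql-action/analyze uploads SARIF results`. The `jobs:` block continues outside the hunk.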
From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 04:28:03 -0300 Subject: [PATCH 04/11] ci: move codeql python job into its own workflow Only run the CodeQL Python analysis if a .py file is changed. --- .github/workflows/check-python.yml | 53 +++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 12 +----- 2 files changed, 54 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/check-python.yml diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml new file mode 100644 index 00000000000..91b87650f51 --- /dev/null +++ b/.github/workflows/check-python.yml @@ -0,0 +1,53 @@ +name: Check-Python + +on: + push: + paths: + - '**.py' + - .github/workflows/check-python.yml + pull_request: + paths: + - '**.py' + - .github/workflows/check-python.yml + schedule: + - cron: '0 7 * * 2' + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + codeql-python: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + uploads.github.com:443 + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + + - name: print env + run: ./ci/printenv.sh + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 + with: + languages: python + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bb43f7d5031..c16fd732c26 100644 --- a/.github/workflows/codeql-analysis.yml 
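Review bot: The new check-python.yml pins `github/codeql-action/init` and `analyze` to `0ba4244466797eb048eb91a6cd43d5c03ca8bd05`, while codeql-analysis.yml in the same series keeps `5b6282e01c62d02e720b81eb8a51204f527c3624`, so the two CodeQL jobs run different revisions of the same action and neither pin carries a comment saying which release it is. Pinning by SHA is the right call, but each pin should have a trailing `# vX.Y.Z` comment naming the tag it corresponds to, so the revision is auditable and the repository's `.github/dependabot.yml` (referenced in the old ignore lists) can bump it. I would harmonize both workflows on one revision; I cannot tell from the hunk which of the two SHAs is the newer release. The `pull_request` trigger runs this job for fork PRs as well, where `security-events: write` is not actually granted to the token, so expect the upload step to behave differently there — worth confirming.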
+++ b/.github/workflows/codeql-analysis.yml @@ -44,14 +44,6 @@ jobs: name: Analyze runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: [ 'cpp', 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 @@ -60,10 +52,8 @@ jobs: egress-policy: block allowed-endpoints: > api.github.com:443 - files.pythonhosted.org:443 github.com:443 objects.githubusercontent.com:443 - pypi.org:443 uploads.github.com:443 - name: Checkout repository @@ -76,7 +66,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 with: - languages: ${{ matrix.language }} + languages: cpp # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From 29f7a9461080871b83ecb2bfdce242a9266abbab Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:28:54 -0300 Subject: [PATCH 05/11] ci: remove "CI" from workflow names All of the current workflows are used for CI. --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- README.md | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index f35a7d3d350..b6e8e902bfc 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -1,4 +1,4 @@ -name: Build-extra CI +name: Build-extra on: push: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12df3876282..c898c34f544 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -1,4 +1,4 @@ -name: Build CI +name: Build # Note: Keep this list in sync with DISTFILES in ../../Makefile. on: diff --git a/README.md b/README.md index 78130445198..1e3ce7564ce 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # Firejail -[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) -[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) -[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) +[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) +[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild) +[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) Firejail is a SUID sandbox program that reduces the risk of security breaches From 82d28795a78fd0786fb833ebf7d3b4fe9c86d390 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:42:33 -0300 Subject: [PATCH 06/11] ci: split build and test into separate workflows Testing takes significantly longer than building, so this makes the default build check faster. --- .github/workflows/build.yml | 27 +---------- .github/workflows/test.yml | 96 +++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 26 deletions(-) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c898c34f544..1c5fb5f6d27 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -49,27 +49,18 @@ permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - build_and_test: + build: runs-on: ubuntu-22.04 - env: - SHELL: /bin/bash steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 with: egress-policy: block allowed-endpoints: > - 1.1.1.1:1025 azure.archive.ubuntu.com:80 - debian.org:80 - dns.quad9.net:53 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - whois.pir.org:43 - www.debian.org:443 - www.debian.org:80 - yahoo.com:1025 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - name: update package information run: sudo apt-get update -qy @@ -91,19 +82,3 @@ jobs: run: sudo make install - name: print firejail version run: command -V firejail && firejail --version - - run: make lab-setup - - run: make test-seccomp-extra - - run: make test-firecfg - - run: make test-capabilities - - run: make test-apparmor - - run: make test-appimage - - run: make test-chroot - - run: make test-sysutils - - run: make test-private-etc - - run: make test-profiles - - run: make test-fcopy - - run: make test-fnetfilter - - run: make test-fs - - run: make test-utils - - run: make test-environment - - run: make test-network diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000000..83c9a578a25 --- /dev/null +++ b/.github/workflows/test.yml 
@@ -0,0 +1,96 @@ +name: Test + +on: + push: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - 'test/**' + - .github/workflows/test.yml + - Makefile + - config.mk.in + - config.sh.in + - configure + - configure.ac + - src/firecfg/firecfg.config + pull_request: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - 'test/**' + - .github/workflows/test.yml + - Makefile + - config.mk.in + - config.sh.in + - configure + - configure.ac + - src/firecfg/firecfg.config + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + test: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + 1.1.1.1:1025 + azure.archive.ubuntu.com:80 + debian.org:80 + dns.quad9.net:53 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + whois.pir.org:43 + www.debian.org:443 + www.debian.org:80 + yahoo.com:1025 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois + bridge-utils + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-seccomp-extra + - run: make test-firecfg + - run: make test-capabilities + - run: make test-apparmor + - run: make test-appimage + - run: make test-chroot + - run: make test-sysutils + - run: 
make test-private-etc + - run: make test-profiles + - run: make test-fcopy + - run: make test-fnetfilter + - run: make test-fs + - run: make test-utils + - run: make test-environment + - run: make test-network From 500d8f2d6921f0d715d9e478e4fd10d6fe1f086f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 22:52:30 -0300 Subject: [PATCH 07/11] ci: run make in parallel where applicable Do so when the output of the given job is not important. For example, when the output of another job can be used for debugging build-related issues. --- .github/workflows/codeql-analysis.yml | 18 ++++-------------- .github/workflows/test.yml | 2 +- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c16fd732c26..b4a5b55ddea 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -68,21 +68,11 @@ jobs: with: languages: cpp - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624 + - name: configure + run: ./configure - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release + - name: make + run: make -j "$(nproc)" - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 83c9a578a25..e716c32cfa0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
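Review bot: test.yml's `paths` lists omit `ci/printenv.sh` even though the job runs `./ci/printenv.sh` in its print-env step, which is the same omission patch 01 fixed in the other workflows; add `- ci/printenv.sh` to both the `push` and `pull_request` lists. The job also runs `make test-profiles`, yet `etc/**` is not a trigger, so if that target reads the profiles under etc/ (I cannot confirm from the hunk) a profile change would not be exercised here. The egress allowlist carries over external test targets (`yahoo.com:1025`, `1.1.1.1:1025`, `whois.pir.org:43`, `dns.quad9.net:53`, `debian.org:80`) without saying why a CI job for a sandbox phones them; a comment such as `# external hosts contacted by the make test-* targets below; trim only after re-running them` would stop future reviewers from silently widening or trimming it.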
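Review bot: The replacement for Autobuild runs a bare `./configure`, so a configure failure in the CodeQL job leaves no config.log in the run output, unlike the other jobs in this series which use `|| (cat config.log; exit 1)`; I would use the same form here: `run: ./configure || (cat config.log; exit 1)`. The enclosing `analyze` job definition starts outside the hunk.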
@@ -73,7 +73,7 @@ jobs: --enable-analyzer --enable-apparmor --enable-selinux || (cat config.log; exit 1) - name: make - run: make + run: make -j "$(nproc)" - name: make install run: sudo make install - name: print firejail version From 1c9af28611489dc3387cb44b20d0ab261b2053b0 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 16 Aug 2023 03:04:42 -0300 Subject: [PATCH 08/11] ci: move main code checks into new check-c.yml Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing: * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration Misc: The above was clarified by @topimiettinen[1]. [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643 --- .github/workflows/build-extra.yml | 79 ------------- .github/workflows/check-c.yml | 159 ++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 78 ------------- README.md | 2 +- 4 files changed, 160 insertions(+), 158 deletions(-) create mode 100644 .github/workflows/check-c.yml delete mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index b6e8e902bfc..b538fde68a0 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -68,82 +68,3 @@ jobs: run: sudo make install - name: print version run: command -V firejail && firejail --version - scan-build: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install clang-tools-14 and dependencies - run: > - sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev - - name: print env - run: ./ci/printenv.sh - - name: configure - run: > - CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor - --enable-selinux - || (cat config.log; exit 1) - - name: scan-build - run: scan-build-14 --status-bugs make - cppcheck: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: > - cppcheck -q --force --error-exitcode=1 --enable=warning,performance - -i src/firejail/checkcfg.c -i src/firejail/main.c . - # new cppcheck version currently chokes on checkcfg.c and main.c, therefore - # scan all files also with older cppcheck version from ubuntu 20.04. 
- cppcheck_old: - runs-on: ubuntu-20.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpad.net:80 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml new file mode 100644 index 00000000000..472238ff01d --- /dev/null +++ b/.github/workflows/check-c.yml 
@@ -0,0 +1,159 @@ +name: Check-C + +on: + push: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + pull_request: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + schedule: + - cron: '0 7 * * 2' + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + scan-build: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install clang-tools-14 and dependencies + run: > + sudo apt-get install -qy + clang-tools-14 libapparmor-dev libselinux1-dev + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor + --enable-selinux + || (cat config.log; exit 1) + - name: scan-build + run: scan-build-14 --status-bugs make + + cppcheck: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo 
apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: > + cppcheck -q --force --error-exitcode=1 --enable=warning,performance + -i src/firejail/checkcfg.c -i src/firejail/main.c . + + # new cppcheck version currently chokes on checkcfg.c and main.c, therefore + # scan all files also with older cppcheck version from ubuntu 20.04. + cppcheck_old: + runs-on: ubuntu-20.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpad.net:80 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . + + codeql-cpp: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + uploads.github.com:443 + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + + - name: print env + run: ./ci/printenv.sh + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 + with: + languages: cpp + + - name: configure + run: ./configure + + - name: make + run: make -j "$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index b4a5b55ddea..00000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
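Review bot: In check-c.yml the `codeql-cpp` job configures with a bare `./configure`, while `scan-build` in the same file configures with `--enable-apparmor --enable-selinux`; CodeQL's C/C++ analysis only sees code the build actually compiles, so any source gated on those configure-time features (if they are macro-gated — I cannot confirm from the hunk) is scanned by scan-build but never by CodeQL. Enabling them here would need `libapparmor-dev`/`libselinux1-dev`, and hence dropping `disable-sudo: true` and adding the apt endpoints the other jobs allow; if that trade-off is not wanted, say so on the configure step, e.g. `# default features only: AppArmor/SELinux code paths are covered by scan-build, not CodeQL`. Separately, `cppcheck` skips `src/firejail/checkcfg.c` and `src/firejail/main.c` via `-i` and relies on the ubuntu-20.04 `cppcheck_old` job for those two files; a TODO with an upstream reference next to the `-i` arguments would make clear when that workaround, and the 20.04 runner it depends on, can be retired.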
@@ -1,78 +0,0 @@ -name: CodeQL - -on: - push: - paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac - pull_request: - paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac - schedule: - - cron: '0 7 * * 2' - -permissions: # added using https://github.com/step-security/secure-workflows - contents: read - -jobs: - analyze: - permissions: - actions: read - contents: read - security-events: write - name: Analyze - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - uploads.github.com:443 - - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - - name: print env - run: ./ci/printenv.sh - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 - with: - languages: cpp - - - name: configure - run: ./configure - - - name: make - run: make -j "$(nproc)" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 diff --git a/README.md b/README.md index 1e3ce7564ce..1a797cfbc3a 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@
[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
-[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
Firejail is a SUID sandbox program that reduces the risk of security breaches
From 5639359664827406c7bf12f3bc3dcc734119284c Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 14 Aug 2023 22:36:31 -0300
Subject: [PATCH 09/11] docs: add missing CI badges to README.md
---
README.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 1a797cfbc3a..c5113780848 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,12 @@
[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
+[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
+[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
+[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
+[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
+[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
Firejail is a SUID sandbox program that reduces the risk of security breaches
From 23a289a666b158714b9edde72d4a7dadef9ba6af Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" Date: Tue, 15 Aug 2023 23:23:28 -0300 Subject: [PATCH 10/11] ci: split test jobs for faster checks Considering the most recent runs, this reduces the total amount of time it takes to run the tests from about 9-10 minutes to about 3 minutes. Note: Which jobs are split is mostly determined by how long each test takes. For example, this is the time each test step took in a run of `build_and_test` (10m17s total for the job) on commit bfcf8bc31 ("Merge pull request #5956 from kmk3/build-fix-dep-syntax", 2023-08-14)[1]: * 17s test-seccomp-extra * 1s test-firecfg * 16s test-capabilities * 6s test-apparmor * 10s test-appimage * 10s test-chroot * 41s test-sysutils * 24s test-private-etc * 40s test-profiles * 4s test-fcopy * 2s test-fnetfilter * 98s test-fs * 103s test-utils * 57s test-environment * 69s test-network [1]: https://github.com/netblue30/firejail/actions/runs/5860927500/job/15890009169 --- .github/workflows/test.yml | 183 ++++++++++++++++++++++++++++++++++--- 1 file changed, 169 insertions(+), 14 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e716c32cfa0..771e7ce4cf4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -35,8 +35,175 @@ on: permissions: # added using https://github.com/step-security/secure-workflows contents: read +# +# Faster tests +# + jobs: - test: + test-main: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make -j "$(nproc)" + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-seccomp-extra + - run: make test-firecfg + - run: make test-capabilities + - run: make test-apparmor + - run: make test-appimage + - run: make test-chroot + - run: make test-fcopy + +# +# Slower tests +# + + test-fs: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils 
+ - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make -j "$(nproc)" + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-private-etc + - run: make test-fs + + test-environment: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make -j "$(nproc)" + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-environment + - run: make test-profiles + + test-utils: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + debian.org:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + www.debian.org:443 + www.debian.org:80 + - uses: 
actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make -j "$(nproc)" + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-utils + + test-network: runs-on: ubuntu-22.04 env: SHELL: /bin/bash @@ -79,18 +246,6 @@ jobs: - name: print firejail version run: command -V firejail && firejail --version - run: make lab-setup - - run: make test-seccomp-extra - - run: make test-firecfg - - run: make test-capabilities - - run: make test-apparmor - - run: make test-appimage - - run: make test-chroot - - run: make test-sysutils - - run: make test-private-etc - - run: make test-profiles - - run: make test-fcopy - run: make test-fnetfilter - - run: make test-fs - - run: make test-utils - - run: make test-environment + - run: make test-sysutils - run: make test-network From b4346f0f198c89403465d648919ce0d49e087223 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 19 Aug 2023 16:18:37 -0300 Subject: [PATCH 11/11] ci: document the intended purpose of each workflow --- .github/workflows/build-extra.yml | 2 ++ .github/workflows/build.yml | 3 +++ .github/workflows/check-c.yml | 2 ++ .github/workflows/check-profiles.yml | 2 ++ .github/workflows/check-python.yml | 2 ++ .github/workflows/codespell.yml | 2 ++ .github/workflows/test.yml | 2 ++ 7 files changed, 15 insertions(+) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index b538fde68a0..1629733aef5 100644 
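Review bot: The jobs added here — `test-main`, `test-fs`, `test-environment`, `test-utils`, and the renamed `test-network`, whose body continues outside the hunk — each carry a verbatim copy of the Harden Runner, checkout, apt-get, configure, make and make install steps, so a future change to the build flags or to the egress allowlist has to be repeated five times and the copies can silently drift apart. A `strategy.matrix` with one `include` entry per group of make targets keeps a single copy of the setup and makes the per-job differences explicit; the second hunk (`@@ -79,18 +246,6 @@`), which moves `test-sysutils` into `test-network`, folds into the same matrix. The one intentional difference is that `test-utils` adds `debian.org:80`, `www.debian.org:80` and `www.debian.org:443` to its allowlist with no comment saying which test needs them, and since `egress-policy: block` is only as tight as that list, a comment such as `# only test-utils reaches debian.org (TODO: name the test); keep the plaintext :80 entries only while that test requires them` belongs next to those entries. The allowlist kept by `test-network` lies outside the hunk and was sized for the old single job that ran every test, so it may now be broader than the three remaining targets need and is worth re-checking. Note that `make a b c` in one step stops at the first failing target just as separate steps do but merges the per-target logs, so keep one step per target if those are relied on.
```yaml
jobs:
  test:
    name: test-${{ matrix.name }}
    runs-on: ubuntu-22.04
    env:
      SHELL: /bin/bash
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: main
            targets: test-seccomp-extra test-firecfg test-capabilities test-apparmor test-appimage test-chroot test-fcopy
          - name: fs
            targets: test-private-etc test-fs
          - name: environment
            targets: test-environment test-profiles
          - name: utils
            targets: test-utils
            # only test-utils reaches debian.org (TODO: name the test that needs it)
            extra-endpoints: >
              debian.org:80
              www.debian.org:443
              www.debian.org:80
          - name: network
            targets: test-fnetfilter test-sysutils test-network
            # TODO: copy here only the endpoints the existing test-network job still needs
            extra-endpoints: ''
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            github.com:443
            packages.microsoft.com:443
            ppa.launchpadcontent.net:443
            ${{ matrix.extra-endpoints }}
      # … unchanged: checkout, apt-get update/install, print env, configure, make, make install, print firejail version …
      - run: make lab-setup
      - run: make ${{ matrix.targets }}
```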
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,3 +1,5 @@
+# Builds the project with alternative tools.
+
name: Build-extra
on:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1c5fb5f6d27..d923f8b2b58 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,6 @@
+# Checks that `make dist` works and builds the project with the default
+# configuration.
+
name: Build
# Note: Keep this list in sync with DISTFILES in ../../Makefile.
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 472238ff01d..d8751ddc712 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -1,3 +1,5 @@
+# Checks for potential issues in the source code.
+
name: Check-C
on:
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 5167516e829..193cfcb9f58 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,3 +1,5 @@
+# Lints and checks for potential issues in the profiles.
+
name: Check-Profiles
on:
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 91b87650f51..50ddf566918 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -1,3 +1,5 @@
+# Lints and checks for potential issues in Python files.
+
name: Check-Python
on:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index e39755dbdfc..4eacfb244cb 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,3 +1,5 @@
+# Checks the spelling on all non-third-party files.
+
name: Codespell
on:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 771e7ce4cf4..0b679c1c8d0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,3 +1,5 @@
+# Checks that the tests are passing.
+
name: Test
on:
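Review bot: The header added to check-c.yml, `# Checks for potential issues in the source code.`, names neither the tool nor the kind of issue, which is the first thing a reader opening a security-scanning workflow wants to know. The README badge hunk earlier in this series replaces CodeQL with Check-C, which suggests this is the renamed CodeQL workflow; if so, `# Runs CodeQL static analysis on the C sources and uploads the findings to code scanning.` states what the job does and why it needs `security-events: write`. The headers added to check-profiles.yml and check-python.yml are vague in the same way and could name the linters they run.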