Add automated CI checks and git hooks #2739
Comments
I had a similar idea a few days ago and started to write it in Rust, but I'm actually thinking if it's still necessary if you prominently recommend the profile.template for it (e.g. use GH pull request templates (and provide a checklist there), CONTRIBUTING.md, manpage (see my comment in the add template issue)), because it will never be possible to check it with human intelligence (e.g. EDIT: Most review comments are about ordering (which can be prevented with the profile.template and/or GH pull request templates with a checklist) and the second most are special things that can only be found with human intelligence. |
I agree for the most part - I wonder though how is this GH pull request template supposed to work. Is it difficult to implement? |
It's an issue template but for pull requests, see https://help.github.com/en/articles/about-issue-and-pull-request-templates. |
With this script you get alphabetical sorted

```python
#!/usr/bin/env python3
from sys import argv

with open(argv[1], "r") as profile:
    for line in profile:
        # line[12:-1] skips "private-etc " / "private-bin " and drops the
        # last character of the line (assumed to be the newline).
        if line[:11] == "private-etc":
            print("private-etc", ",".join(sorted(line[12:-1].split(","),
                                                 key=lambda s: s.casefold())))
        elif line[:11] == "private-bin":
            print("private-bin", ",".join(sorted(line[12:-1].split(","),
                                                 key=lambda s: s.casefold())))
```

Or if you prefer to use a shell:

```sh
echo "alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl" | sed "s/,/\n/g" | sort - | awk '{printf $1 ","}END{print ""}'
```

|
note that |
@jose1711 thanks. The last character is |
ok, but what if
|
@jose1711 Most profiles end with a newline, but you're right that we have to consider the case where it is missing. New version, with support for automatically fixing several profiles. Issues:
TODOs:
|
@rusty-snake Can't track the item right now (you referred to my fork of your sort.py script), but if you like to integrate sorting caps.{drop,keep} and seccomp.{drop,keep}, go right ahead. You did a great job creating that tool. The better it can cover this wide array of firejail options, the more chances there are this gets into CI. My personal little profile regression tester caught the first one just a few minutes ago 😄. Cheers! |
@glitsj16 I already added caps.{drop,keep} and seccomp.{drop,keep}. All supported options are: private-bin, private-etc, private-lib, seccomp.drop, seccomp.keep, caps.drop, caps.keep, protocol. |
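An added example, not part of the thread and not the project's contrib/sort.py: a check-and-fix pass over the comma-separated options listed above that copes with a missing final newline and uses the case-insensitive ordering of the script posted earlier. `protocol` is left out because the thread does not say how it should be ordered; the function names and the sample profile are constructed for illustration.

```python
#!/usr/bin/env python3
"""Check (and optionally fix) the ordering of list-valued firejail profile options."""

# Comma-separated options named in the thread (protocol omitted: its order is not given).
COMMA_OPTIONS = ("private-bin", "private-etc", "private-lib",
                 "seccomp.drop", "seccomp.keep", "caps.drop", "caps.keep")


def sort_line(line):
    """Return the line with its comma-separated value sorted, line ending preserved."""
    body = line.rstrip("\r\n")            # do not assume a trailing newline exists
    ending = line[len(body):]
    option, sep, value = body.partition(" ")
    if option not in COMMA_OPTIONS or not sep or not value.strip():
        return line                       # comments, bare "private-etc", other options
    items = [item.strip() for item in value.split(",") if item.strip()]
    items.sort(key=str.casefold)          # same ordering as the script in the thread
    return f"{option} {','.join(items)}{ending}"


def check_profile(lines):
    """Return (fixed_lines, findings); findings are (lineno, option) of lines that change."""
    fixed, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        new = sort_line(line)
        if new != line:
            findings.append((lineno, line.split(" ", 1)[0]))
        fixed.append(new)
    return fixed, findings


# Constructed sample profile; the last line deliberately has no trailing newline.
SAMPLE = (
    "# constructed sample, not a real firejail profile\n"
    "caps.drop all\n"
    "private-bin sh,bash,Python3\n"
    "seccomp.drop chroot,mount\n"
    "private-etc resolv.conf,ca-certificates,ssl"
)

if __name__ == "__main__":
    fixed, findings = check_profile(SAMPLE.splitlines(keepends=True))
    for lineno, option in findings:
        print(f"line {lineno}: {option} is not sorted")
    print("".join(fixed))
    raise SystemExit(1 if findings else 0)   # non-zero exit fails a CI job
```

Run in a CI job, the non-zero exit status marks a pull request whose profile lines would be changed by the sorter.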
* add contrib/sort.py and .github/pull_request_temp…
* Add usage to sort.py
* Install sort.py if contrib-install is set
* sort.py: 0644 -> 0755
* Update sort.py
* Update pull_request_template.md
* Remove checkboxes from PR-Template
* Update sort.py
* Add examples to sort.py
* Update pull_request_template.md Fix path to sort.py, it depends on the distro.
* Update pull_request_template.md
* Update pull_request_template.md add hint about template
Is there anything else we want to do here? |
@rusty-snake Is fetching the program binary with checking, if the program runs and kill it afterwards possible? |
You mean checking if firejail runs? There are a lot of tests under test. |
@rusty-snake Does this include checking meaningful shell options as well? I don't see according shell commands for firejail execution in the |
in the travis.yml is |
It would be nice to have automated checks for things that tend to repeat in new profile submissions:
firecfg.section, disable-programs.inc and similar files being sorted