feat: rewrite audit script in Python#960
Conversation
Maybe it's smart to put This way, path needs to be called fully for binary to execute & users will rely on Also, this way, any
I think the flatpak order could still be made deterministic—and that it might be worth the effort, especially running repeated tests or comparing across installations. Not familiar with the specifics in python, but having the output thread wait on each of the checking threads in order should work.
Thanks for the feedback, I put the script in I see that Codacy is flagging the use of the
The new Python script is a standalone executable in /usr/bin/audit-secureblue. It currently carries out the same checks as the old bash audit script, but is faster and more modular. Each check is a generator that accepts some state (an associative array that can be used to pass information between checks) and yields a sequence of reports and recommendations, which are handled by the audit runner. Signed-off-by: Daniel Hast <[email protected]>
Also simplify implementation of async flatpak permissions checks. Signed-off-by: Daniel Hast <[email protected]>
The security issue is only a concern with untrusted inputs, and we only call subprocess with trusted inputs. Signed-off-by: Daniel Hast <[email protected]>
The new Python script currently carries out the same checks as the old bash audit script (with a few minor enhancements, like checking for `libhardened_malloc-light.so` in a couple places), plus one additional check for MAC randomization. It is more modular and significantly faster: on my system with lots of flatpaks installed, the bash script typically takes about 20 seconds to run, while the Python script takes about 9 seconds.

Flatpak permission checks can be skipped by passing the `--skip flatpak` option. Note: the bash script seems to have only checked one version of each flatpak in cases where multiple versions are installed—I think this was an error, though in practice it typically just affects runtimes, which aren't visible in Flatseal anyway and are unlikely to fail the permission checks.

Implementation details: Each check is a generator (optionally asynchronous) that optionally accepts some state (an associative array that can be used to pass information between checks) and yields a sequence of reports (the lines that are shown under the "Audit" heading with a "success/warning/failure" status) and recommendations (printed at the end), which are handled by an audit runner. A decorator `@audit` is used to queue up generators to be run by the default audit runner. The file can also be imported as a Python module for use in other code—it doesn't run any audits automatically if imported.
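The generator-plus-runner design described in this PR, as an added sketch that is not the secureblue script's own code: an `@audit` decorator registers check generators (sync or async), each check receives a shared `state` dict and yields `Report` and `Recommendation` items, and a runner drains them in registration order so output stays deterministic even when the flatpak check fans out concurrently (the ordering concern raised earlier in the thread). The `category` keyword on `@audit`, the `RISKY_PERMS` policy, and the constructed stand-ins for `/etc/ld.so.preload` and per-app flatpak permission queries are all assumptions for this example, not the project's API.

```python
"""Sketch of an audit runner built from generator checks (constructed example)."""
from __future__ import annotations

import asyncio
import inspect
from dataclasses import dataclass, field
from typing import Any, Callable, Union


@dataclass(frozen=True)
class Report:
    status: str  # "success", "warning" or "failure" as shown under the Audit heading
    message: str


@dataclass(frozen=True)
class Recommendation:
    message: str  # printed at the end of the run


Item = Union[Report, Recommendation]

# Registry filled by @audit; the default runner drains it in registration order.
AUDITS: list[Callable[..., Any]] = []


def audit(arg=None, *, category: str = "general"):
    """Usable as bare @audit or as @audit(category="flatpak") (hypothetical form)."""
    def register(check):
        check.category = category
        AUDITS.append(check)
        return check
    return register(arg) if callable(arg) else register


# --- constructed inputs standing in for the live system -------------------
SAMPLE_LD_PRELOAD = "/usr/lib64/libhardened_malloc-light.so\n"  # constructed
SAMPLE_FLATPAK_PERMS = {  # constructed, app id -> permission flags
    "org.example.Editor": ["--share=network", "--socket=wayland"],
    "org.example.Legacy": ["--socket=x11", "--filesystem=host"],
    "org.example.Viewer": ["--socket=wayland"],
}
RISKY_PERMS = {"--socket=x11", "--filesystem=host", "--device=all"}  # assumed policy


@audit
def check_hardened_malloc(state: dict):
    # Synchronous generator: accept either variant, record which one in state.
    variants = ("libhardened_malloc.so", "libhardened_malloc-light.so")
    found = next((v for v in variants if v in SAMPLE_LD_PRELOAD), None)
    state["hardened_malloc"] = found
    if found:
        yield Report("success", f"hardened_malloc preloaded ({found})")
    else:
        yield Report("failure", "hardened_malloc not preloaded")
        yield Recommendation("Enable hardened_malloc via /etc/ld.so.preload")


async def _flatpak_perms(app: str) -> list[str]:
    await asyncio.sleep(0)  # stand-in for an awaited per-app flatpak query
    return SAMPLE_FLATPAK_PERMS[app]


@audit(category="flatpak")
async def check_flatpak_permissions(state: dict):
    # Async generator: query every app concurrently, but yield in sorted order
    # so repeated runs produce identical output regardless of completion order.
    apps = sorted(SAMPLE_FLATPAK_PERMS)
    results = await asyncio.gather(*(_flatpak_perms(a) for a in apps))
    for app, perms in zip(apps, results):
        risky = sorted(RISKY_PERMS.intersection(perms))
        if risky:
            yield Report("warning", f"{app}: {', '.join(risky)}")
            yield Recommendation(f"Review permissions of {app} in Flatseal")
        else:
            yield Report("success", f"{app}: no broad permissions")


@dataclass
class AuditResult:
    reports: list[Report] = field(default_factory=list)
    recommendations: list[Recommendation] = field(default_factory=list)
    state: dict = field(default_factory=dict)


async def _drain(check, state: dict) -> list[Item]:
    # Handle both plain and async generators uniformly.
    result = check(state)
    if inspect.isasyncgen(result):
        return [item async for item in result]
    return list(result)


def run_audits(skip: set[str] = frozenset()) -> AuditResult:
    """Run every registered check except those whose category is in `skip`."""
    async def _run() -> AuditResult:
        out = AuditResult()
        for check in AUDITS:
            if getattr(check, "category", "general") in skip:
                continue
            for item in await _drain(check, out.state):
                (out.reports if isinstance(item, Report) else out.recommendations).append(item)
        return out
    return asyncio.run(_run())


if __name__ == "__main__":
    res = run_audits()
    print("Audit")
    for r in res.reports:
        print(f"  [{r.status}] {r.message}")
    if res.recommendations:
        print("Recommendations")
        for rec in res.recommendations:
            print(f"  - {rec.message}")
```

Because the module only registers checks at import time and runs nothing until `run_audits()` is called, it can be imported from other code the way the PR describes; `run_audits(skip={"flatpak"})` mirrors the `--skip flatpak` option.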