From 86338660c4f02d5a696a336e7d61de374c8c882f Mon Sep 17 00:00:00 2001
From: Rohan Prabhu
Date: Sun, 13 Apr 2025 13:24:08 +0530
Subject: [PATCH] feat: add new flag disable-sudo-and-containers
---
 action.yml | 6 +++++-
 src/cleanup.ts | 14 ++++++++++++++
 src/interfaces.ts | 2 ++
 src/policy-utils.ts | 4 ++++
 src/setup.ts | 8 ++++++++
 5 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index f29a2dc..d01a982 100644
--- a/action.yml
+++ b/action.yml
@@ -17,7 +17,11 @@ inputs:
 required: false
 default: "false"
 disable-sudo:
- description: "Disable sudo access for the runner account"
+ description: "Disable sudo access for the runner account. Note: This parameter is deprecated. Please use disable-sudo-and-containers for enhanced security."
+ required: false
+ default: "false"
+ disable-sudo-and-containers:
+ description: "Disable sudo and container access for the runner account"
 required: false
 default: "false"
 disable-file-monitoring:
diff --git a/src/cleanup.ts b/src/cleanup.ts
index 07a4fb5..0934cc9 100644
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@@ -94,6 +94,20 @@ import { isGithubHosted } from "./tls-inspect";
 }
 }
 
+ var disable_sudo_and_containers = process.env.disableSudoAndContainers;
+ if (disable_sudo_and_containers !== "true") {
+ try {
+ var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", {
+ encoding: "utf8",
+ maxBuffer: 1024 * 1024 * 10 // 10MB buffer
+ });
+ console.log("agent.service log:");
+ console.log(journalLog);
+ } catch (error) {
+ console.log("Warning: Could not fetch service logs:", error.message);
+ }
+ }
+
 try {
 await common.addSummary();
 } catch (exception) {
diff --git a/src/interfaces.ts b/src/interfaces.ts
index f9a8983..acb62cd 100644
--- a/src/interfaces.ts
+++ b/src/interfaces.ts
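Review bot: The new `disable-sudo` description does not say how the two inputs interact when both are given, e.g. `disable-sudo: true` with `disable-sudo-and-containers: false`, and nothing in this patch derives one flag from the other, so a reader of action.yml cannot tell whether the new input subsumes the old one or whether both must be set. Suggest extending the deprecated input's description with a sentence such as `The two inputs are evaluated independently; set disable-sudo-and-containers to true as the replacement` — adjusted to whatever the agent actually enforces, which is not visible in this patch.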
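Review bot: `process.env.disableSudoAndContainers` is probably never populated: setup.ts writes the value into `GITHUB_STATE`, and GitHub exposes saved state to the post step as `STATE_<name>` (readable via `core.getState`), so the guard `disable_sudo_and_containers !== "true"` would be true on every run and `sudo journalctl` would be attempted even when sudo is disabled — unless code outside this hunk copies the state into that variable. Read it the same way the existing post-step code reads other saved state, e.g. `const disableSudoAndContainers = core.getState("disableSudoAndContainers");` if `core` is imported in cleanup.ts, or `process.env.STATE_disableSudoAndContainers` otherwise. The guard also ignores the deprecated `disable-sudo` state, so a run with only that input enabled still reaches the catch branch and logs the warning. Minor: the two `var` declarations should be `const`, and `error.message` on an untyped catch variable will not compile if `useUnknownInCatchVariables` is on; the enclosing function starts before the hunk.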
@@ -8,6 +8,7 @@ export interface Configuration {
 egress_policy: string;
 disable_telemetry: boolean;
 disable_sudo: boolean;
+ disable_sudo_and_containers: boolean;
 disable_file_monitoring: boolean;
 is_github_hosted: boolean;
 private: string;
@@ -20,6 +21,7 @@ export interface PolicyResponse {
 policyName?: string;
 allowed_endpoints?: string[];
 disable_sudo?: boolean;
+ disable_sudo_and_containers?: boolean;
 disable_file_monitoring?: boolean;
 disable_telemetry?: boolean;
 egress_policy?: string;
diff --git a/src/policy-utils.ts b/src/policy-utils.ts
index 6cb29dc..2551b78 100644
--- a/src/policy-utils.ts
+++ b/src/policy-utils.ts
@@ -56,6 +56,10 @@ export function mergeConfigs(
 localConfig.disable_sudo = remoteConfig.disable_sudo;
 }
 
+ if (remoteConfig.disable_sudo_and_containers !== undefined) {
+ localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
+ }
+
 if (remoteConfig.disable_file_monitoring !== undefined) {
 localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
 }
diff --git a/src/setup.ts b/src/setup.ts
index ba40a99..535a346 100644
--- a/src/setup.ts
+++ b/src/setup.ts
@@ -62,6 +62,7 @@ interface MonitorResponse {
 egress_policy: core.getInput("egress-policy"),
 disable_telemetry: core.getBooleanInput("disable-telemetry"),
 disable_sudo: core.getBooleanInput("disable-sudo"),
+ disable_sudo_and_containers: core.getBooleanInput("disable-sudo-and-containers"),
 disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
 private: context?.payload?.repository?.private || false,
 is_github_hosted: isGithubHosted(),
@@ -92,6 +93,13 @@ interface MonitorResponse {
 encoding: "utf8",
 }
 );
+ fs.appendFileSync(
+ process.env.GITHUB_STATE,
+ `disableSudoAndContainers=${confg.disable_sudo_and_containers}${EOL}`,
+ {
+ encoding: "utf8",
+ }
+ );
 core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
 if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
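Review bot: In the mergeConfigs hunk the remote policy can set `disable_sudo_and_containers` to either value, so a remote `false` silently overrides a workflow's local `true`; this mirrors the `disable_sudo` branch just above it, but for a hardening flag the merge is often expected to only tighten. If that is the intent, `localConfig.disable_sudo_and_containers = localConfig.disable_sudo_and_containers || remoteConfig.disable_sudo_and_containers;` keeps a locally enabled flag on; if remote override is deliberate, a one-line comment stating that the remote policy is authoritative for this flag would save the next reader the question. mergeConfigs starts before the hunk, so its other merge rules are not visible here.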