feat: add new flag disable-sudo-and-containers

2026-06-05 15:08:19 +00:00 · 2025-04-13 13:24:08 +05:30 · 2025-04-13 13:24:08 +05:30 · 86338660c4
commit 86338660c4
parent 617de1d11d
5 changed files with 33 additions and 1 deletions
--- a/action.yml
+++ b/action.yml
@ -17,7 +17,11 @@ inputs:
    required: false
    default: "false"
  disable-sudo:
-    description: "Disable sudo access for the runner account"
+    description: "Disable sudo access for the runner account. Note: This parameter is deprecated. Please use disable-sudo-and-containers for enhanced security."
+    required: false
+    default: "false"
+  disable-sudo-and-containers:
+    description: "Disable sudo and container access for the runner account"
    required: false
    default: "false"
  disable-file-monitoring:
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@ -94,6 +94,20 @@ import { isGithubHosted } from "./tls-inspect";
    }
  }

+  var disable_sudo_and_containers = process.env.disableSudoAndContainers;
+  if (disable_sudo_and_containers !== "true") {
+    try {
+      var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", {
+        encoding: "utf8",
+        maxBuffer: 1024 * 1024 * 10 // 10MB buffer
+      });
+      console.log("agent.service log:");
+      console.log(journalLog);
+    } catch (error) {
+      console.log("Warning: Could not fetch service logs:", error.message);
+    }
+  }
+
  try {
    await common.addSummary();
  } catch (exception) {
--- a/src/interfaces.ts
+++ b/src/interfaces.ts
@ -8,6 +8,7 @@ export interface Configuration {
  egress_policy: string;
  disable_telemetry: boolean;
  disable_sudo: boolean;
+  disable_sudo_and_containers: boolean;
  disable_file_monitoring: boolean;
  is_github_hosted: boolean;
  private: string;
@ -20,6 +21,7 @@ export interface PolicyResponse {
  policyName?: string;
  allowed_endpoints?: string[];
  disable_sudo?: boolean;
+  disable_sudo_and_containers?: boolean;
  disable_file_monitoring?: boolean;
  disable_telemetry?: boolean;
  egress_policy?: string;
--- a/src/policy-utils.ts
+++ b/src/policy-utils.ts
@ -56,6 +56,10 @@ export function mergeConfigs(
    localConfig.disable_sudo = remoteConfig.disable_sudo;
  }

+  if (remoteConfig.disable_sudo_and_containers !== undefined) {
+    localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
+  }
+
  if (remoteConfig.disable_file_monitoring !== undefined) {
    localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
  }
--- a/src/setup.ts
+++ b/src/setup.ts
@ -62,6 +62,7 @@ interface MonitorResponse {
      egress_policy: core.getInput("egress-policy"),
      disable_telemetry: core.getBooleanInput("disable-telemetry"),
      disable_sudo: core.getBooleanInput("disable-sudo"),
+      disable_sudo_and_containers: core.getBooleanInput("disable-sudo-and-containers"),
      disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
      private: context?.payload?.repository?.private || false,
      is_github_hosted: isGithubHosted(),
@ -92,6 +93,13 @@ interface MonitorResponse {
        encoding: "utf8",
      }
    );
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `disableSudoAndContainers=${confg.disable_sudo_and_containers}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
    core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);

    if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {