From e7eb21314d43238665f3edeff9f276afe331ce06 Mon Sep 17 00:00:00 2001
From: imprakharshukla
Date: Fri, 6 Nov 2020 01:09:07 +0530
Subject: [PATCH 1/2] Upgraded Ubuntu & Ubuntu-Xfce
---
 .gitignore | 1 +
 Installer/Ubuntu/ubuntu-xfce.sh | 167 +++++++++++++++++++++++---------
 Installer/Ubuntu/ubuntu.sh | 154 ++++++++++++++++++++---------
 3 files changed, 231 insertions(+), 91 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..723ef36f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
\ No newline at end of file
diff --git a/Installer/Ubuntu/ubuntu-xfce.sh b/Installer/Ubuntu/ubuntu-xfce.sh
index a71e2c12..1f545db5 100644
--- a/Installer/Ubuntu/ubuntu-xfce.sh
+++ b/Installer/Ubuntu/ubuntu-xfce.sh
@@ -1,44 +1,107 @@ #!/data/data/com.termux/files/usr/bin/bash -pkg install wget -y -folder=ubuntu-fs -dlink="https://raw.githubusercontent.com/AndronixApp/AndronixOrigin/master/APT" -if [ -d "$folder" ]; then - first=1 - echo "skipping downloading" -fi -tarball="ubuntu-rootfs.tar.xz" -if [ "$first" != 1 ];then - if [ ! -f $tarball ]; then - echo "Download Rootfs, this may take a while base on your internet speed." - case `dpkg --print-architecture` in - aarch64) - archurl="arm64" ;; - arm) - archurl="armhf" ;; - amd64) - archurl="amd64" ;; - x86_64) - archurl="amd64" ;; - i*86) - archurl="i386" ;; - x86) - archurl="i386" ;; - *) - echo "unknown architecture"; exit 1 ;; - esac - wget "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/Ubuntu/${archurl}/ubuntu-rootfs-${archurl}.tar.xz?raw=true" -O $tarball + +# Variables +BLUE="\e[34m" # Blue Color +GREEN="\e[32m" # Red Color +NO_COLOR="\e[39m" # No Color +isFsPresent=0 # Handles if the tarball is downloaded or skipped (overridden by -f) +distroName="Ubuntu" # Name of the concerned distro +name="ubuntu" # Name of the concerned distro +rootfsFolder=$name-fs # RootFS folder name +bindsFolder=$name-fs # Bind folder name +dlink="https://raw.githubusercontent.com/AndronixApp/AndronixOrigin/master/APT" # Download Link +tarball="${name}-rootfs.tar.xz" +folderSize=$(stat -c%s $rootfsFolder) + +# Function used for sending updates to Andronix App +function sendUpdates() { + message=$(echo "$1" | sed 's/ /\\ /g') + am broadcast --user 0 -a app.andronix.PROGRESS --es app.andronix.PROGRESS_STATUS "$message" >/dev/null +} + +#Welcome +echo " + ___ __ _ + / | ____ ____/ / _____ ____ ____ (_) _ __ + / /| | / __ \ / __ / / ___/ / __ \ / __ \ / / | |/_/ + / ___ | / / / // /_/ / / / / /_/ / / / / / / / _> < +/_/ |_|/_/ /_/ \__,_/ /_/ \____/ /_/ /_/ /_/ /_/|_| + " + +echo -e "\n${BLUE}Welcome to the Andronix ${distroName} installer.${NO_COLOR}" +echo -e "Join Andronix ${BLUE}Discord${NO_COLOR} @ https://chat.andronix.app 
(giveaways too ;)" +echo -e "Read our ${BLUE}Documentation${NO_COLOR} @ https://docs.andronix.app \n\n" + +sendUpdates "Script Detected" + +sleep 1 + +# Getting the -f (force download flag) +while getopts "f" OPTION; do + # shellcheck disable=SC2220 + case $OPTION in + f) + echo -e "\nForcing the download..." + rm -rf $rootfsFolder + rm -rf $bindsFolder + isFsPresent=0 + ;; + esac +done + +# Installing basic termux packages +pkg install wget -y + +# Checking if the rootfsFolder is present +if [ -d "$rootfsFolder" ] && [ "$folderSize" -gt 6000 ]; then + isFsPresent=1 + echo -e "\nRoot Files System already present. Skipping download..." fi - cur=`pwd` - mkdir -p "$folder" - cd "$folder" - echo "Decompressing Rootfs, please be patient." - proot --link2symlink tar -xJf ${cur}/${tarball}||: - cd "$cur" + +if [ "$isFsPresent" != 1 ]; then + if [ ! -f "$tarball" ]; then + echo -e "\nDownloading Rootfs for ${distroName}. Please be patient...\n\n" + case $(dpkg --print-architecture) in + aarch64) + arch="arm64" + ;; + arm) + arch="armhf" + ;; + amd64) + arch="amd64" + ;; + x86_64) + arch="amd64" + ;; + i*86) + arch="i386" + ;; + x86) + arch="i386" + ;; + *) + echo "There was an issue identifying the architecture of your device!" + sendUpdates "Oops! Architecture error." + exit 1 + ;; + esac + sendUpdates "Downloading the files..." + wget -q --show-progress --progress=bar "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/${distroName}/${arch}/ubuntu-rootfs-${arch}.tar.xz?raw=true" -O $tarball + fi + currentDirectory=$(pwd) + mkdir -p "$rootfsFolder" + cd "$rootfsFolder" + sendUpdates "Decompressing the files..." + echo -e "\nDecompressing Rootfs. This can take a while. Please be patient." + proot --link2symlink tar -xJf "${currentDirectory}"/${tarball} || : + cd "$currentDirectory" fi -mkdir -p ubuntu-binds + +mkdir -p $bindsFolder bin=start-ubuntu.sh -echo "writing launch script" -cat > $bin <<- EOM +echo -e "\nWriting the launch script now! 
Just a few more steps!" +cat >$bin <<-EOM #!/bin/bash cd \$(dirname \$0) ## unset LD_PRELOAD in case termux-exec is installed @@ -46,9 +109,9 @@ unset LD_PRELOAD command="proot" command+=" --link2symlink" command+=" -0" -command+=" -r $folder" -if [ -n "\$(ls -A ubuntu-binds)" ]; then - for f in ubuntu-binds/* ;do +command+=" -r $rootfsFolder" +if [ -n "\$(ls -A $bindsFolder)" ]; then + for f in $bindsFolder/* ;do . \$f done fi @@ -57,7 +120,7 @@ command+=" -b /proc" command+=" -b ubuntu-fs/root:/dev/shm" ## uncomment the following line to have access to the home directory of termux #command+=" -b /data/data/com.termux/files/home:/root" -## uncomment the following line to mount /sdcard directly to / +## uncomment the following line to mount /sdcard directly to / #command+=" -b /sdcard" command+=" -w /root" command+=" /usr/bin/env -i" @@ -74,20 +137,22 @@ else fi EOM -echo "fixing shebang of $bin" termux-fix-shebang $bin -echo "making $bin executable" chmod +x $bin -echo "removing image for some space" +echo "Saving some space..." rm $tarball +sendUpdates "Downloading Desktop Environment!" + +wget -q --show-progress --progress=bar $dlink/XFCE4/xfce4_de.sh -O $rootfsFolder/root/xfce4_de.sh + #DE installation addition -wget $dlink/XFCE4/xfce4_de.sh -O $folder/root/xfce4_de.sh +wget $dlink/XFCE4/xfce4_de.sh -O $rootfsFolder/root/xfce4_de.sh clear echo "Setting up the installation of XFCE VNC" -echo "APT::Acquire::Retries \"3\";" > $folder/etc/apt/apt.conf.d/80-retries #Setting APT retry count +echo "APT::Acquire::Retries \"3\";" >$rootfsFolder/etc/apt/apt.conf.d/80-retries #Setting APT retry count echo "#!/bin/bash apt update -y && apt install sudo wget -y clear 
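Review bot: `bindsFolder=$name-fs` names the same directory as `rootfsFolder` (both `ubuntu-fs`), while the removed lines kept a separate `ubuntu-binds`; the launcher written later in this file then iterates `for f in $bindsFolder/* ;do . \$f` over the top-level entries of the extracted rootfs instead of over user-supplied bind snippets, and the `mkdir -p $bindsFolder` / `rm -rf $bindsFolder` lines merely duplicate the rootfs folder. The fix is `bindsFolder=$name-binds`; the same assignment appears in the `@@ -1,43 +1,105 @@` hunk of Installer/Ubuntu/ubuntu.sh, and the `-46,9` / `-45,9` launcher hunks in both files inherit the value. `folderSize=$(stat -c%s $rootfsFolder)` is evaluated before `-f` is parsed and before the directory exists on a first run (so `stat` prints an error), and for a directory `stat -c%s` gives the directory entry's own size rather than the size of its contents, so the `-gt 6000` test does not tell whether a rootfs was actually extracted; compute it inside the `-d` branch, e.g. `folderSize=$(du -sk -- "$rootfsFolder" | cut -f1)`, and re-check the threshold since du reports kilobytes. The comment on `GREEN="\e[32m" # Red Color` should read `# Green Color`.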
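Review bot: `xfce4_de.sh` is fetched twice into the same path in this hunk — once by the new `wget -q --show-progress --progress=bar $dlink/XFCE4/xfce4_de.sh -O $rootfsFolder/root/xfce4_de.sh` line and again, four lines later, by the re-indented `wget $dlink/XFCE4/xfce4_de.sh ...` under `#DE installation addition`; one of them should go. Neither this fetch nor the rootfs download earlier in the file checks what was received: `dlink` points at the `master` branch of the upstream repository and the tarball URL uses `?raw=true`, with no checksum or signature verification, and the script is dropped into the rootfs's `/root`, presumably to be run there later (that invocation is outside this hunk). Pinning `dlink` to a commit and verifying the downloads with `sha256sum -c` against a checksum shipped in this installer would let users check the integrity of what gets installed. `rm $tarball` also runs unconditionally, so a re-run that took the `isFsPresent=1` path prints a spurious rm error; `[ -f "$tarball" ] && rm -- "$tarball"` avoids it, and the same line appears in the `-73,10` hunk of Installer/Ubuntu/ubuntu.sh.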
@@ -107,6 +172,14 @@ fi if [ ! -f /usr/bin/vncserver ]; then apt install tigervnc-standalone-server -y fi -rm -rf ~/.bash_profile" >> ubuntu-fs/root/.bash_profile +rm -rf ~/.bash_profile" >>$rootfsFolder/root/.bash_profile + +echo -e "\n\nYay! All done." +echo -e "\n${GREEN}This is the confirmation only regarding the actual distro. Tracking the installation of the Desktop Environment is beyond the present scope. Please contact us on ${BLUE}Discord${GREEN} if you face any issues.${NO_COLOR}\n" +echo "You will then asked to configure some distro specific things." +echo -e "\nProceeding to install the Desktop Environment...\n" + +sendUpdates "Installation Success!" +sleep 4 bash $bin diff --git a/Installer/Ubuntu/ubuntu.sh b/Installer/Ubuntu/ubuntu.sh index c5c8c358..b22c66a5 100644 --- a/Installer/Ubuntu/ubuntu.sh +++ b/Installer/Ubuntu/ubuntu.sh 
@@ -1,43 +1,105 @@ #!/data/data/com.termux/files/usr/bin/bash -pkg install wget -y -folder=ubuntu-fs -if [ -d "$folder" ]; then - first=1 - echo "skipping downloading" -fi -tarball="ubuntu-rootfs.tar.xz" -if [ "$first" != 1 ];then - if [ ! -f $tarball ]; then - echo "Download Rootfs, this may take a while base on your internet speed." - case `dpkg --print-architecture` in - aarch64) - archurl="arm64" ;; - arm) - archurl="armhf" ;; - amd64) - archurl="amd64" ;; - x86_64) - archurl="amd64" ;; - i*86) - archurl="i386" ;; - x86) - archurl="i386" ;; - *) - echo "unknown architecture"; exit 1 ;; - esac - wget "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/Ubuntu/${archurl}/ubuntu-rootfs-${archurl}.tar.xz?raw=true" -O $tarball + +# Variables +BLUE="\e[34m" # Blue Color +NO_COLOR="\e[39m" # No Color +isFsPresent=0 # Handles if the tarball is downloaded or skipped (overridden by -f) +distroName="Ubuntu" # Name of the concerned distro +name="ubuntu" # Name of the concerned distro +rootfsFolder=$name-fs # RootFS folder name +bindsFolder=$name-fs # Bind folder name +tarball="${name}-rootfs.tar.xz" +folderSize=$(stat -c%s $rootfsFolder) + +# Function used for sending updates to Andronix App +function sendUpdates() { + message=$(echo "$1" | sed 's/ /\\ /g') + am broadcast --user 0 -a app.andronix.PROGRESS --es app.andronix.PROGRESS_STATUS "$message" >/dev/null +} + +#Welcome +echo " + ___ __ _ + / | ____ ____/ / _____ ____ ____ (_) _ __ + / /| | / __ \ / __ / / ___/ / __ \ / __ \ / / | |/_/ + / ___ | / / / // /_/ / / / / /_/ / / / / / / / _> < +/_/ |_|/_/ /_/ \__,_/ /_/ \____/ /_/ /_/ /_/ /_/|_| + " + +echo -e "\n${BLUE}Welcome to the Andronix ${distroName} installer.${NO_COLOR}" +echo -e "Join Andronix ${BLUE}Discord${NO_COLOR} @ https://chat.andronix.app (giveaways too ;)" +echo -e "Read our ${BLUE}Documentation${NO_COLOR} @ https://docs.andronix.app \n\n" + +sendUpdates "Script Detected" + +sleep 1 + +# Getting the -f (force download flag) +while getopts "f" 
OPTION; do + # shellcheck disable=SC2220 + case $OPTION in + f) + echo -e "\nForcing the download..." + rm -rf $rootfsFolder + rm -rf $bindsFolder + isFsPresent=0 + ;; + esac +done + +# Installing basic termux packages +pkg install wget -y + +# Checking if the rootfsFolder is present +if [ -d "$rootfsFolder" ] && [ "$folderSize" -gt 6000 ]; then + isFsPresent=1 + echo -e "\nRoot Files System already present. Skipping download..." fi - cur=`pwd` - mkdir -p "$folder" - cd "$folder" - echo "Decompressing Rootfs, please be patient." - proot --link2symlink tar -xJf ${cur}/${tarball}||: - cd "$cur" + +if [ "$isFsPresent" != 1 ]; then + if [ ! -f "$tarball" ]; then + echo -e "\nDownloading Rootfs for ${distroName}. Please be patient...\n\n" + case $(dpkg --print-architecture) in + aarch64) + arch="arm64" + ;; + arm) + arch="armhf" + ;; + amd64) + arch="amd64" + ;; + x86_64) + arch="amd64" + ;; + i*86) + arch="i386" + ;; + x86) + arch="i386" + ;; + *) + echo "There was an issue identifying the architecture of your device!" + sendUpdates "Oops! Architecture error." + exit 1 + ;; + esac + sendUpdates "Downloading the files..." + wget -q --show-progress --progress=bar "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/${distroName}/${arch}/ubuntu-rootfs-${arch}.tar.xz?raw=true" -O $tarball + fi + currentDirectory=$(pwd) + mkdir -p "$rootfsFolder" + cd "$rootfsFolder" + sendUpdates "Decompressing the files..." + echo -e "\nDecompressing Rootfs. This can take a while. Please be patient." + proot --link2symlink tar -xJf "${currentDirectory}"/${tarball} || : + cd "$currentDirectory" fi -mkdir -p ubuntu-binds + +mkdir -p $bindsFolder bin=start-ubuntu.sh -echo "writing launch script" -cat > $bin <<- EOM +echo -e "\nWriting the launch script now! Just a few more steps!" +cat >$bin <<-EOM #!/bin/bash cd \$(dirname \$0) ## unset LD_PRELOAD in case termux-exec is installed 
@@ -45,9 +107,9 @@ unset LD_PRELOAD command="proot" command+=" --link2symlink" command+=" -0" -command+=" -r $folder" -if [ -n "\$(ls -A ubuntu-binds)" ]; then - for f in ubuntu-binds/* ;do +command+=" -r $rootfsFolder" +if [ -n "\$(ls -A $bindsFolder)" ]; then + for f in $bindsFolder/* ;do . \$f done fi @@ -56,7 +118,7 @@ command+=" -b /proc" command+=" -b ubuntu-fs/root:/dev/shm" ## uncomment the following line to have access to the home directory of termux #command+=" -b /data/data/com.termux/files/home:/root" -## uncomment the following line to mount /sdcard directly to / +## uncomment the following line to mount /sdcard directly to / #command+=" -b /sdcard" command+=" -w /root" command+=" /usr/bin/env -i" @@ -73,10 +135,14 @@ else fi EOM -echo "fixing shebang of $bin" termux-fix-shebang $bin -echo "making $bin executable" chmod +x $bin -echo "removing image for some space" +echo "Saving some space..." rm $tarball -echo "You can now launch Ubuntu with the ./${bin} script" +echo -e "\n\nYay! All done. You can now start ${distroName} with running ${BLUE}\n./${bin}${NO_COLOR}" +echo "You will then asked to configure some distro specific things." + +sendUpdates "Installation Success!" + +sleep 1 +echo "Exiting...Bye!" From e8373246416cf1fccde85ca58166b4a1fab3b7ae Mon Sep 17 00:00:00 2001 From: quintis393-dotcom Date: Sun, 26 Oct 2025 11:03:33 -0500 Subject: [PATCH 2/2] Add workflow to validate AWS IAM policies in TF templates This workflow validates AWS IAM policies in Terraform templates using various checks from AWS IAM Access Analyzer. --- .github/workflows/policy-validator-tf.yml | 101 ++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/policy-validator-tf.yml diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml new file mode 100644 index 00000000..bfea648e --- /dev/null +++ b/.github/workflows/policy-validator-tf.yml 
@@ -0,0 +1,101 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+
+name: Validate AWS IAM policies in Terraform templates using Policy Validator
+on:
+ push:
+ branches: ["master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["master"]
+env:
+ AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+ REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+ TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+ REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+
+jobs:
+ policy-validator:
+ runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+ #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+ #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+ name: Policy Validator checks for AWS IAM policies
+ steps:
+ # checkout the repo for workflow to access the contents
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.REGION }}
+ # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer ValidatePolicy check
+ id: run-aws-validate-policy
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "VALIDATE_POLICY"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from VALIDATE_POLICY check
+ - name: Print the result for ValidatePolicy check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+ # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+ id: run-aws-check-access-not-granted
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_ACCESS_NOT_GRANTED check
+ - name: Print the result for CheckAccessNotGranted check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+ # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ # reference-policy is stored in GitHub secrets
+ - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+ id: run-aws-check-no-new-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_NEW_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
+ reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_NEW_ACCESS check
+ - name: Print the result CheckNoNewAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
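Review bot: The four `run: echo "${{ steps.<id>.outputs.result }}"` steps expand a step output straight into the shell script, which is the expression-injection pattern GitHub's hardening guidance warns about; the result text is produced by the validator from findings on the Terraform plan and is not under the workflow's control, so the quoting in the echo cannot be relied on. Pass it through the environment instead: add `env:` with `RESULT: ${{ steps.run-aws-validate-policy.outputs.result }}` to the step and use `run: echo "$RESULT"`, and likewise for the other three print steps. Under the `pull_request` trigger, `id-token: write` does not yield an OIDC token for pull requests from forks, so `Configure AWS Credentials` will fail on those runs and no check results will be produced for them. Every `env` value (`MY_ROLE`, `MY_AWS_REGION`, `FILE_PATH_TO_THE_TF_PLAN`, …) is still the literal placeholder from the template, so as committed the workflow fails on every push to `master`; and as far as the rest of this patch series shows, the repository holds Termux installer scripts rather than a Terraform plan, which makes it worth confirming that this workflow is wanted here at all.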