From cda19db81c8ee41a55f6657eaa56ca7b5bb87bcb Mon Sep 17 00:00:00 2001
From: Root <175176948+RKNF404@users.noreply.github.com>
Date: Fri, 10 Jan 2025 22:26:46 -0500
Subject: [PATCH 1/2] chore: add more dbus names to flatpak lockdown (#784)
---
 files/justfiles/hardening.just | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just
index fc8c3c28..ba6ca534 100644
--- a/files/justfiles/hardening.just
+++ b/files/justfiles/hardening.just
@@ -24,7 +24,7 @@ flatpak-permissions-lockdown:
 kFeaturePermissions=("per-app-dev-shm" "canbus" "bluetooth" "multiarch" "devel")
 kFilesystemPermissions=("home" "host-etc" "host")
 kDangerousFilesystemPermissions=("~/.bashrc" "~/.bash_profile" "/home" "/var/home" "/var" "/media" "/run/media" "/run" "/mnt")
- kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.kde.kiod5" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
+ kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.gnome.Shell.Screenshot" "org.kde.kiod5" "org.kde.kwin.Screenshot" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
 kKnownSystemBusNames=("org.freedesktop.systemd1" "org.freedesktop.Avahi.*" "org.freedesktop.login1" "org.freedesktop.NetworkManager" "org.freedesktop.UPower" "org.freedesktop.UDisks2" "org.freedesktop.fwupd")
 kFlatsealNameAccess=("org.gnome.Software" "org.freedesktop.impl.portal.PermissionStore")
From d8e40e4e814c14975004df508e90370c31782be5 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Fri, 10 Jan 2025 19:49:20 -0800
Subject: [PATCH 2/2] feat: example butane checksum validation (#787)
---
 .github/workflows/checksum.yml | 26 ++++++++++++++++++++++++++
 docs/example.butane | 4 ++--
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/checksum.yml
diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml
new file mode 100644
index 00000000..74182f67
--- /dev/null
+++ b/.github/workflows/checksum.yml
@@ -0,0 +1,26 @@
+name: installer-checksum
+on:
+ pull_request:
+ branches:
+ - live
+jobs:
+ verify-installer-checksum:
+ name: Linkspector
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Verify checksum
+ shell: bash
+ env:
+ INSTALL_SCRIPT: files/system/usr/share/secureblue/install_secureblue.sh
+ EXAMPLE_BUTANE: docs/example.butane
+ run: |
+ INSTALLER_CHECKSUM=$(sha256sum $INSTALL_SCRIPT | awk '{ print $1 }')
+ BUTANE_CHECKSUM=$(grep -oP 'sha256-\K[a-f0-9]{64}' $EXAMPLE_BUTANE)
+ if [ "$INSTALLER_CHECKSUM" != "$BUTANE_CHECKSUM" ]; then
+ echo "Checksum mismatch."
+ echo "Installer checksum: $INSTALLER_CHECKSUM"
+ echo "Butane checksum: $BUTANE_CHECKSUM"
+ exit 1
+ fi
\ No newline at end of file
diff --git a/docs/example.butane b/docs/example.butane
index 97c85da2..8610d5ce 100644
--- a/docs/example.butane
+++ b/docs/example.butane
@@ -14,7 +14,7 @@ storage:
 contents:
 source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh
 verification:
- hash: sha256-d4ba5bfb556e9d1e3789a02fab2ab2f871033cc6b1712945cdfb9ce4375eafe5
+ hash: sha256-1f2f8ac822614eb20c82547aabdd18fbded3906115db8ecd4efcf3a80e19bd7d
 mode: 0755
 - path: /opt/run_install_secureblue.sh
 contents:
@@ -40,4 +40,4 @@ storage:
 overwrite: false
 append:
 - inline: |
- /opt/run_install_secureblue.sh
\ No newline at end of file
+ /opt/run_install_secureblue.sh