v4.9.2 - Improved Homebrew security with brew-proxy

v4.9.2 - Improved Homebrew security with brew-proxy

Reminder: releases are symbolic. Builds are created and published immediately after new commits are merged.

This release of secureblue introduces and transparently migrates existing secureblue Homebrew installations to brew-proxy, a DBus-activated service by @HastD that facilitates configuring a Homebrew installation on Linux more securely. The brew-proxy daemon is integrated with Polkit and requires the user to authenticate for certain commands. It provides a security boundary in two directions:

• Unauthorized users cannot modify the Homebrew installation or packages.
• Homebrew package install scripts do not have access to home directories other than that of the linuxbrew user.

What's Changed

• chore(deps): update BlueBuild modules by @secureblue-pr-bot[bot] in #2247
• fix: regression in user-motd script by @pxlkng in #2278
• feat: call verify-provenance.sh from upgrade-on-boot by @RoyalOughtness in #2273
• chore(deps): bump dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.1.0 by @dependabot[bot] in #2271
• fix: make security update notification script more robust by @HastD in #2274
• fix: Don't export PS1 enhanced bash prompt to other spawned shells by @fiftydinar in #2265
• chore(build): add cloudfront mirror for docker by @RoyalOughtness in #2279
• style: add .editorconfig and change files to comply by @underscorejoser in #2277
• feat: manage ptrace access using SELinux by @HastD in #2012
• chore(deps): bump dataaxiom/ghcr-cleanup-action from 1.1.0 to 1.2.0 by @dependabot[bot] in #2281
• chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 by @dependabot[bot] in #2284
• chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4 by @dependabot[bot] in #2282
• feat: block loading additional unused filesystems by @RoyalOughtness in #2287
• feat(selinux): block access to more socket classes by @HastD in #2285
• feat: block loading additional modules by @RoyalOughtness in #2288
• feat: set-xwayland logout prompt by @jherzstein in #2022
• fix: remove Mullvad recommendation from dns-selector by @alexvojproc in #2132
• fix: create secureblue state directory via tmpfiles by @thefutureisprivate in #2290
• fix: move unbound.conf back to /etc/tmpfiles.d by @HastD in #2292
• chore(i18n): update PO files by @secureblue-pr-bot[bot] in #2293
• feat(security update notification): Use GUI reboot prompt on DE that supports it by @cydersec in #2299
• chore(cicd): remove ghcr cleanup action by @RoyalOughtness in #2305
• feat: add .shellcheckrc by @underscorejoser in #2224
• feat: add bluetooth services to bluetooth toggle by @RoyalOughtness in #1700
• fix: make utils module accessible to privileged scripts by @HastD in #2313
• docs: Update old link to the base image source by @Exponent64 in #2314
• chore: block loading GPIB, DVB, joystick, and RC modules by @RoyalOughtness in #2316
• fix: unblock xpad module by @HastD in #2320
• fix: unblock hid-playstation module by @HastD in #2321
• chore(deps): bump https://github.com/astral-sh/ruff-pre-commit from v0.15.14 to 0.15.15 by @dependabot[bot] in #2318
• chore(deps): bump umbrelladocs/action-linkspector from 1.5.1 to 1.5.2 by @dependabot[bot] in #2317
• feat: linuxbrew-owned brew installation, install brew-proxy by @HastD in #2169
• fix: (un)mask brew update units with ujust set-brew by @HastD in #2327

New Contributors

• @thefutureisprivate made their first contribution in #2290
• @cydersec made their first contribution in #2299

Full Changelog: v4.9.1...v4.9.2