nix: separate fsu from package

This appears to be the only way to build the two binaries with different configurations. This enables static linking in the main package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-02-23 18:13:06 +09:00
parent dccb366608
commit 8bf162820b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
6 changed files with 87 additions and 43 deletions

19
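--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
+{
+buildGoModule,
+fortify ? abort "fortify package required",
+}:
+buildGoModule {
+pname = "${fortify.pname}-fsu";
+inherit (fortify) version;
+src = ./.;
+inherit (fortify) vendorHash;
+CGO_ENABLED = 0;
+preBuild = ''
+go mod init fsu >& /dev/null
+'';
+ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
+}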
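Review bot: This file produces the binary that becomes the setuid-root `fsu` wrapper, yet nothing in it says why the helper is split off from the main package or what `Fmain` pins; a header comment would spare the next maintainer a trip to the commit log, e.g. `# Built apart from the main package so the setuid helper stays a CGO-free (CGO_ENABLED=0) binary; Fmain hard-codes the fortify binary it execs.` The `ldflags` list also drops the `-s -w` the main package passes, which looks like an oversight for a helper meant to be minimal: `ldflags = [ "-s -w" "-X main.Fmain=${fortify}/libexec/fortify" ];`. `go mod init fsu >& /dev/null` throws away the only diagnostic `go mod init` prints; if the phase runs under stdenv's `set -e` a failure still aborts the build, but without the reason, so dropping the redirect (or keeping only `2>&1`) would be easier to debug.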


@ -87,6 +87,10 @@
''; '';
fortify = callPackage ./tests/fortify { inherit system self; }; fortify = callPackage ./tests/fortify { inherit system self; };
race = callPackage ./tests/fortify {
inherit system self;
withRace = true;
};
} }
); );
@ -98,7 +102,10 @@
in in
{ {
default = self.packages.${system}.fortify; default = self.packages.${system}.fortify;
fortify = pkgs.callPackage ./package.nix { }; fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
dist = dist =
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
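Review bot: The expression `pkgs.pkgsStatic.callPackage ./package.nix { inherit (pkgs) bubblewrap xdg-dbus-proxy glibc; }` is now spelled out verbatim here and again in the NixOS module's `let`, and `fsu` bakes in whichever fortify it is handed, so editing one copy but not the other silently gives the setuid helper a different target than the flake's `fortify` output. A comment on this line explaining the mixed inputs would help, since passing dynamic `pkgs` attributes into a `pkgsStatic` build looks like a mistake at first glance: `# static Go binary; bubblewrap, xdg-dbus-proxy and glibc only go on the wrapper's run-time PATH and stay dynamic`. Ideally the module would reuse a single definition instead of a second copy. The enclosing `packages` attrset runs past the hunk.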


@ -30,7 +30,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.wrappers.fsu = { security.wrappers.fsu = {
source = "${cfg.package}/libexec/fsu"; source = "${cfg.fsuPackage}/bin/fsu";
setuid = true; setuid = true;
owner = "root"; owner = "root";
setgid = true; setgid = true;


@ -2,6 +2,9 @@
let let
inherit (lib) types mkOption mkEnableOption; inherit (lib) types mkOption mkEnableOption;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
in in
{ {
@ -11,10 +14,16 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.callPackage ./package.nix { }; default = fortify;
description = "The fortify package to use."; description = "The fortify package to use.";
}; };
fsuPackage = mkOption {
type = types.package;
default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; };
description = "The fsu package to use.";
};
users = mkOption { users = mkOption {
type = type =
let let
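Review bot: `fsuPackage`'s default is built against the module-local `fortify` binding, not the configured `package`, so an operator who overrides `environment.fortify.package` without also overriding `fsuPackage` ends up with a setuid-root `fsu` that execs the stock fortify build rather than the one they selected; the NixOS test in this commit has to override both options for exactly that reason. Assuming `cfg` is the module's config alias (it is used as `cfg.enable` and `cfg.fsuPackage` in the wrapper hunk), the default should follow it: `default = pkgs.callPackage ./cmd/fsu/package.nix { fortify = cfg.package; };`. The description could then state the invariant: `"The fsu package to use. It must be built against the package in environment.fortify.package; the default does this automatically."` The options attrset continues outside the hunk.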


@ -1,5 +1,6 @@
{ {
lib, lib,
stdenv,
buildGoModule, buildGoModule,
makeBinaryWrapper, makeBinaryWrapper,
xdg-dbus-proxy, xdg-dbus-proxy,
@ -12,6 +13,9 @@
wayland-protocols, wayland-protocols,
wayland-scanner, wayland-scanner,
xorg, xorg,
glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic,
}: }:
buildGoModule rec { buildGoModule rec {
@ -19,9 +23,12 @@ buildGoModule rec {
version = "0.2.17"; version = "0.2.17";
src = builtins.path { src = builtins.path {
name = "fortify-src"; name = "${pname}-src";
path = lib.cleanSource ./.; path = lib.cleanSource ./.;
filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path); filter =
path: type:
!(type == "regular" && lib.hasSuffix ".nix" path)
&& !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
}; };
vendorHash = null; vendorHash = null;
@ -31,17 +38,22 @@ buildGoModule rec {
ldflags: name: value: ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
) )
[ (
"-s -w" [
"-X main.Fmain=${placeholder "out"}/libexec/fortify" "-s -w"
] ]
++ lib.optionals withStatic [
"-linkmode external"
"-extldflags \"-static\""
]
)
{ {
Version = "v${version}"; Version = "v${version}";
Fsu = "/run/wrappers/bin/fsu"; Fsu = "/run/wrappers/bin/fsu";
}; };
# nix build environment does not allow acls # nix build environment does not allow acls
GO_TEST_SKIP_ACL = 1; env.GO_TEST_SKIP_ACL = 1;
buildInputs = buildInputs =
[ [
@ -64,7 +76,7 @@ buildGoModule rec {
]; ];
preBuild = '' preBuild = ''
HOME=$(mktemp -d) go generate ./... HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
''; '';
postInstall = '' postInstall = ''
@ -76,6 +88,7 @@ buildGoModule rec {
makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \ makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
--inherit-argv0 --prefix PATH : ${ --inherit-argv0 --prefix PATH : ${
lib.makeBinPath [ lib.makeBinPath [
glibc
bubblewrap bubblewrap
xdg-dbus-proxy xdg-dbus-proxy
] ]
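Review bot: The new `withStatic` parameter and the `-linkmode external -extldflags "-static"` pair it enables are undocumented, and they are precisely what the race build in tests/fortify has to avoid, so a one-line reason would save the next reader a detour: `withStatic ? stdenv.hostPlatform.isStatic, # link cgo objects statically (on by default under pkgsStatic); incompatible with -race, see tests/fortify`. The `# for ldd` on `glibc` could say where it ends up, e.g. `# for ldd: added to the wrapper's PATH at run time`. `preBuild` now interpolates `${pkg-config}`, which has to be a declared argument of this file's function; the hunk does not show enough of the argument list to confirm it, so check it is declared and not merely present in `nativeBuildInputs`. The filter change from `type != "directory"` to `type == "regular"` also means a symlink ending in `.nix` is no longer excluded, probably harmless but worth knowing. `buildGoModule rec {` continues past the hunk.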


@ -1,44 +1,40 @@
{ {
system, lib,
self,
nixosTest, nixosTest,
writeShellScriptBin, writeShellScriptBin,
system,
self,
withRace ? false,
}: }:
nixosTest { nixosTest {
name = "fortify"; name = "fortify" + (if withRace then "-race" else "");
nodes.machine = { nodes.machine =
environment.systemPackages = [ { options, pkgs, ... }:
# For go tests: {
self.packages.${system}.fhs environment.systemPackages = [
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}") # For go tests:
]; self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector: # Run with Go race detector:
environment.fortify.package = environment.fortify = lib.mkIf withRace rec {
let # race detector does not support static linking
inherit (self.packages.${system}) fortify; package = (pkgs.callPackage ../../package.nix { }).overrideAttrs (previousAttrs: {
in GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
fortify.overrideAttrs (previousAttrs: { });
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ]; fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
};
# fsu does not like cgo imports = [
disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ]; ./configuration.nix
postInstall =
previousAttrs.postInstall
+ ''
cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu"
sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu"
'';
});
imports = [ self.nixosModules.fortify
./configuration.nix self.inputs.home-manager.nixosModules.home-manager
];
self.nixosModules.fortify };
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests # adapted from nixos sway integration tests