fortify: switch to static linking
Some checks failed
Tests / Go tests (push) Failing after 1m14s
Nix / NixOS tests (push) Successful in 3m23s

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-01-16 17:32:52 +09:00
parent 124743ffd3
commit ae35b69f6f
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 50 additions and 34 deletions


@ -24,7 +24,7 @@ jobs:
- name: Get dependencies
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
packages: acl git gcc pkg-config libwayland-client0 libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
version: 1.0
#execute_install_scripts: true
if: ${{ runner.os == 'Linux' }}
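Review bot: The `libwayland-client0` added to the `packages:` line is the shared runtime library, which gives a `--static` link nothing to use. The static link introduced elsewhere in this commit needs the `.a` archives for wayland-client, xcb and acl, plus their private dependencies, on the runner. Whether `libwayland-dev`, `libxcb1-dev` and `libacl1-dev` from bookworm ship those archives is not visible here, and the Go tests check is reported as failing for this commit, possibly for this reason, so a link-only smoke build in this job is worth adding. Separately, the action on the context line is referenced as `@latest`, a mutable ref; pinning it to a commit SHA would keep the dependency step reproducible.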


@ -9,7 +9,7 @@ import (
)
/*
#cgo linux pkg-config: libacl
#cgo linux pkg-config: --static libacl
#include <stdlib.h>
#include <sys/acl.h>
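Review bot: `--static` in the `#cgo linux pkg-config:` directive only makes pkg-config also emit the library's private link dependencies; it does not make the link static. A plain `go build` or `go test` of this package therefore still links libacl dynamically, and the static result depends entirely on `-extldflags '-static'` being passed by the release script and the Nix derivation. The same applies to the `wayland-client` and `xcb` preambles changed later in this commit. A line in the preamble would record this, for example `// --static only adds Libs.private; the static link itself needs -extldflags '-static' at build time`. The preamble continues outside the hunk.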

2
dist/release.sh vendored

@ -8,7 +8,7 @@ mkdir -p "${out}"
cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
cp -rv "comp" "${out}"
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -extldflags '-static'
-X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
-X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
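Review bot: Nothing after the changed `go build` line verifies that the release binaries really are static, and `-extldflags '-static'` against a glibc toolchain leaves NSS-backed lookups dependent on shared libraries at run time. If any of the binaries reach `os/user` or `net` through cgo (not visible in this hunk), adding `-tags osusergo,netgo` to the `go build` line avoids that dependency. A check after the build, such as running `ldd` over `"${out}/bin/"*` and failing unless each file is reported as not a dynamic executable, would catch a silent fallback to dynamic linking. The quoted `-ldflags` string continues outside the hunk.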


@ -113,16 +113,31 @@
pname = "fortify-fhs";
inherit (self.packages.${system}.fortify) version;
targetPkgs =
pkgs: with pkgs; [
pkgs:
with pkgs;
[
go
gcc
pkg-config
acl
wayland
wayland-scanner
wayland-protocols
xorg.libxcb
];
]
++ (
with pkgs.pkgsStatic;
[
musl
libffi
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
xorgproto
])
);
extraOutputsToInstall = [ "dev" ];
profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
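Review bot: The static dependency set in `targetPkgs` is now written out by hand both here and in the package derivation's `buildInputs`, and the two copies already differ: this list has `xorgproto` under `with xorg;`, while the derivation lists only `libxcb`, `libXau` and `libXdmcp`. If the difference is intentional, a comment on the `xorgproto` line saying why the FHS environment needs it would help, for example `# headers only, needed when building outside the nix sandbox`. Otherwise, sharing one list between the two places keeps the development environment and the packaged build linking against the same set of archives.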


@ -1,15 +1,12 @@
{
lib,
buildGoModule,
makeBinaryWrapper,
xdg-dbus-proxy,
bubblewrap,
musl,
pkgsStatic,
pkg-config,
acl,
wayland,
wayland-scanner,
wayland-protocols,
xorg,
}:
buildGoModule rec {
@ -27,19 +24,13 @@ buildGoModule rec {
lib.attrsets.foldlAttrs
(
ldflags: name: value:
ldflags
++ [
"-X"
"git.gensokyo.uk/security/fortify/internal.${name}=${value}"
]
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
)
[
"-s"
"-w"
"-X"
"main.Fmain=${placeholder "out"}/libexec/fortify"
"-X"
"main.Fshim=${placeholder "out"}/libexec/fshim"
"-s -w"
"-extldflags '-static'"
"-X main.Fmain=${placeholder "out"}/libexec/fortify"
"-X main.Fshim=${placeholder "out"}/libexec/fshim"
]
{
Version = "v${version}";
@ -51,17 +42,26 @@ buildGoModule rec {
# nix build environment does not allow acls
GO_TEST_SKIP_ACL = 1;
buildInputs = [
acl
wayland
wayland-protocols
xorg.libxcb
];
buildInputs =
# cannot find a cleaner way to do this
with pkgsStatic;
[
musl
libffi
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
]);
nativeBuildInputs = [
pkg-config
wayland-scanner
makeBinaryWrapper
pkgsStatic.makeBinaryWrapper
];
preConfigure = ''
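Review bot: In `buildInputs`, `with pkgsStatic;` cannot override a name that is still bound by the function's argument set, because lexical bindings take precedence over `with` in Nix. The rendered page does not show which argument lines were dropped, but the `-1,15 +1,12` header on the first hunk suggests that some of `musl`, `acl`, `wayland`, `wayland-protocols` and `xorg` remain arguments. Any that do would resolve to the regular dynamic package inside the list rather than the static one. Naming the set explicitly removes the ambiguity, for example `pkgsStatic.musl`, `pkgsStatic.acl` and `++ (with pkgsStatic.xorg; [ libxcb libXau libXdmcp ])`. The `# cannot find a cleaner way to do this` comment could also say why `pkgsStatic.makeBinaryWrapper` is used in `nativeBuildInputs`.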


@ -4,12 +4,13 @@ package wl
//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
/*
#cgo linux pkg-config: wayland-client
#cgo linux pkg-config: --static wayland-client
#cgo freebsd openbsd LDFLAGS: -lwayland-client
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>


@ -6,7 +6,7 @@ import (
)
/*
#cgo linux pkg-config: xcb
#cgo linux pkg-config: --static xcb
#include <stdlib.h>
#include <xcb/xcb.h>