fortify: switch to static linking

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-01-16 17:32:52 +09:00
parent 124743ffd3
commit b60c01f440
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
10 changed files with 196 additions and 166 deletions


@ -1,12 +1,12 @@
name: Nix
name: Build
on:
- push
- pull_request
jobs:
tests:
name: NixOS tests
dist:
name: Create distribution
runs-on: ubuntu-latest
steps:
- name: Checkout
@ -30,17 +30,21 @@ jobs:
- name: Restore Nix store
uses: nix-community/cache-nix-action@v5
with:
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-${{ runner.os }}-
primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-small-${{ runner.os }}-
- name: Run tests
run: |
nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
- name: Build for test
id: build-test
run: >-
export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
nix build --print-out-paths --print-build-logs .#dist &&
mv package.nix.old package.nix &&
echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
- name: Upload test output
- name: Upload test build
uses: actions/upload-artifact@v3
with:
name: "result"
name: "fortify-${{ steps.build-test.outputs.rev }}"
path: result/*
retention-days: 1
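Review bot: The new `Restore Nix store` step falls back to any cache matching `nix-small-${{ runner.os }}-`, and since this workflow also runs on `pull_request`, a store populated by an untrusted PR build can be restored into a push build; Nix skips building any output path already present in the store, so the uploaded `fortify-<rev>` artifact may then contain paths a PR produced rather than ones built from this commit, unless the runner's cache is scoped per branch, which for Gitea's act_runner I cannot confirm from here. The two added steps use floating tags (`nix-community/cache-nix-action@v5`, `actions/upload-artifact@v3`) while this same commit pins `actions/checkout` and `cachix/install-nix-action` to commit hashes in the Release and Test workflows; pin these the same way. The primary key hashes `**/*.nix` but not `flake.lock`, so a lockfile-only input bump hits the old key and the cache is never refreshed; use `hashFiles('**/*.nix', 'flake.lock')`.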


@ -1,53 +1,52 @@
name: Create distribution
name: Release
on:
push:
tags:
- '*'
- 'v*'
jobs:
release:
name: Release
name: Create release
runs-on: ubuntu-latest
container:
image: node:16-bookworm-slim
steps:
- name: Get dependencies
run: >-
echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
apt-get update &&
apt-get install -y
acl
git
gcc
pkg-config
libwayland-dev
wayland-protocols/bookworm-backports
libxcb1-dev
libacl1-dev
if: ${{ runner.os == 'Linux' }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: https://github.com/actions/setup-go@v5
with:
go-version: '>=1.23.0'
- name: Go generate
- name: Install Nix
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# explicitly enable sandbox
install_options: --daemon
extra_nix_config: |
sandbox = true
system-features = nixos-test benchmark big-parallel kvm
enable_kvm: true
- name: Ensure environment
run: >-
go generate ./...
apt-get update && apt-get install -y sqlite3
if: ${{ runner.os == 'Linux' }}
- name: Restore Nix store
uses: nix-community/cache-nix-action@v5
with:
primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-small-${{ runner.os }}-
- name: Build for release
run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
id: build-test
run: nix build --print-out-paths --print-build-logs .#dist
- name: Release
id: use-go-action
uses: https://gitea.com/actions/release-action@main
with:
files: |-
dist/fortify-**
result/fortify-**
api_key: '${{secrets.RELEASE_TOKEN}}'
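Review bot: `Build for release` now takes the version from `package.nix` (via flake.nix's `dist`, which exports `FORTIFY_VERSION="v${fortify.version}"`) instead of from the pushed tag as the removed `FORTIFY_VERSION='${{ github.ref_name }}'` did, so a `v*` tag pushed without a matching `version` bump publishes a tarball whose filename and embedded version disagree with the tag. Guard it before the build: `test "${{ github.ref_name }}" = "v$(nix eval --raw .#fortify.version)"`. `id: build-test` on that step is a copy-paste leftover from the Build workflow; nothing in this file references it. `cache-nix-action@v5` is a floating tag sitting between SHA-pinned `checkout` and `install-nix-action` steps, and the store it restores by prefix (`nix-small-${{ runner.os }}-`) feeds the artifact that `release-action@main` publishes with `RELEASE_TOKEN`; pin it, and consider a release-only key prefix that PR runs of the Build workflow never write to.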


@ -1,62 +1,46 @@
name: Tests
name: Test
on:
- push
- pull_request
jobs:
test:
name: Go tests
tests:
name: Run NixOS test
runs-on: ubuntu-latest
container:
image: node:16-bookworm-slim
steps:
- name: Enable backports
run: >-
echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
if: ${{ runner.os == 'Linux' }}
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Nix
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# explicitly enable sandbox
install_options: --daemon
extra_nix_config: |
sandbox = true
system-features = nixos-test benchmark big-parallel kvm
enable_kvm: true
- name: Ensure environment
run: >-
apt-get update && apt-get install -y curl wget sudo libxml2
apt-get update && apt-get install -y sqlite3
if: ${{ runner.os == 'Linux' }}
- name: Get dependencies
uses: awalsh128/cache-apt-pkgs-action@latest
- name: Restore Nix store
uses: nix-community/cache-nix-action@v5
with:
packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
version: 1.0
#execute_install_scripts: true
if: ${{ runner.os == 'Linux' }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup go
uses: https://github.com/actions/setup-go@v5
with:
go-version: '>=1.23.0'
- name: Go generate
run: >-
go generate ./...
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
restore-prefixes-first-match: nix-${{ runner.os }}-
- name: Run tests
run: >-
go test ./...
run: |
nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
- name: Build for test
id: build-test
run: >-
FORTIFY_VERSION="$(git rev-parse --short HEAD)"
bash -c './dist/release.sh &&
echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
- name: Upload test build
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "fortify-${{ steps.build-test.outputs.rev }}"
path: dist/fortify-*
name: "result"
path: result/*
retention-days: 1
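Review bot: The first `nix` invocation passes `--experimental-features 'nix-command flakes'` while the `nix build` on the next line does not, so the step depends on `install-nix-action` having enabled flakes in `nix.conf` on its own (it is not in the `extra_nix_config` shown); either add `experimental-features = nix-command flakes` to `extra_nix_config` and drop the per-command flag, or pass it to both commands. The cache key hashes `**/*.nix` only, so a `flake.lock`-only bump hits the stale key and the store is never re-saved; use `hashFiles('**/*.nix', 'flake.lock')`. `actions/upload-artifact@v3` and `cache-nix-action@v5` are floating tags next to the SHA-pinned `checkout`/`install-nix-action` steps; pin them too. The `nixos-tests` check is built for `x86_64-linux` only after `flake check --all-systems`; if the other systems are meant to be evaluation-only, a one-line comment above the step saying so would save the next reader a guess.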


@ -9,7 +9,7 @@ import (
)
/*
#cgo linux pkg-config: libacl
#cgo linux pkg-config: --static libacl
#include <stdlib.h>
#include <sys/acl.h>
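Review bot: `--static` here only makes pkg-config append libacl's `Libs.private` to the link line; it does not by itself produce a static binary, which is decided by the `-extldflags '-static'` in package.nix and dist/release.sh, so a plain `go build` or `go test` in the dev shell still links `libacl` dynamically against whatever `PKG_CONFIG_PATH` resolves. Because cgo hands the rest of a `#cgo` line to pkg-config, put the explanation on the preceding line rather than trailing it, e.g. `// --static: pull in Libs.private for the fully static link in package.nix and dist/release.sh`. The same applies to the identical `--static` edits in the wayland-client and xcb preambles.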

3
dist/release.sh vendored

@ -8,7 +8,8 @@ mkdir -p "${out}"
cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
cp -rv "comp" "${out}"
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
go generate ./...
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
-X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
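Review bot: The static link bakes libacl, libwayland-client, libxcb and whatever their `Libs.private` pull in (libXau/libXdmcp/libffi per package.nix) into the shipped `fortify`/`fsu` binaries, so fixes to those libraries no longer reach users through distro shared-library updates; that is a release-process commitment worth stating above the `go build` line, e.g. `# fully static: libacl/wayland-client/xcb are embedded; a security fix in any of them needs a new fortify release`. If the toolchain doing this link is glibc rather than musl (flake.nix's `fhs` pairs `pkgs.gcc` with `pkgsStatic` archives, so it is not obvious which applies), a `-static` binary that ever calls `getpwnam`/`getaddrinfo` still dlopens NSS modules at runtime, and the linker's warning about that should fail the build rather than be ignored. `-buildid=` with the existing `-trimpath` makes the output independent of the build directory, and since `-s -w` strips symbols but not module info, `go version -m` still identifies the binary; the added `go generate ./...` assumes `wayland-scanner` and `pkg-config` are on PATH, which the script's head (outside this hunk) does not check.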

158
flake.nix

@ -95,72 +95,114 @@
packages = forAllSystems (
system:
let
inherit (self.packages.${system}) fortify;
pkgs = nixpkgsFor.${system};
in
{
default = self.packages.${system}.fortify;
fortify = pkgs.callPackage ./package.nix { };
dist =
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
''
# go requires XDG_CACHE_HOME for the build cache
export XDG_CACHE_HOME="$(mktemp -d)"
# get a different workdir as go does not like /build
cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
export FORTIFY_VERSION="v${fortify.version}"
./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
'';
fhs = pkgs.buildFHSEnv {
pname = "fortify-fhs";
inherit (fortify) version;
targetPkgs =
pkgs:
with pkgs;
[
go
gcc
pkg-config
wayland-scanner
]
++ (
with pkgs.pkgsStatic;
[
musl
libffi
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
xorgproto
])
);
extraOutputsToInstall = [ "dev" ];
profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
'';
};
}
);
devShells = forAllSystems (system: {
default = nixpkgsFor.${system}.mkShell {
buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
};
fhs = nixpkgsFor.${system}.buildFHSEnv {
pname = "fortify-fhs";
inherit (self.packages.${system}.fortify) version;
targetPkgs =
pkgs: with pkgs; [
go
gcc
pkg-config
acl
wayland
wayland-scanner
wayland-protocols
xorg.libxcb
];
extraOutputsToInstall = [ "dev" ];
profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
'';
};
withPackage = nixpkgsFor.${system}.mkShell {
buildInputs =
with nixpkgsFor.${system};
self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
};
generateDoc =
let
pkgs = nixpkgsFor.${system};
inherit (pkgs) lib;
doc =
let
eval = lib.evalModules {
specialArgs = {
inherit pkgs;
};
modules = [ ./options.nix ];
};
cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
in
pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
docText = pkgs.runCommand "fortify-module-docs.md" { } ''
cat ${doc.optionsCommonMark} > $out
sed -i '/*Declared by:*/,+1 d' $out
'';
in
nixpkgsFor.${system}.mkShell {
shellHook = ''
exec cat ${docText} > options.md
'';
devShells = forAllSystems (
system:
let
inherit (self.packages.${system}) fortify fhs;
pkgs = nixpkgsFor.${system};
in
{
default = pkgs.mkShell {
buildInputs =
with pkgs;
[
go
gcc
]
++ fortify.buildInputs
++ fortify.nativeBuildInputs;
};
});
fhs = fhs.env;
withPackage = nixpkgsFor.${system}.mkShell {
buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
};
generateDoc =
let
pkgs = nixpkgsFor.${system};
inherit (pkgs) lib;
doc =
let
eval = lib.evalModules {
specialArgs = {
inherit pkgs;
};
modules = [ ./options.nix ];
};
cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
in
pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
docText = pkgs.runCommand "fortify-module-docs.md" { } ''
cat ${doc.optionsCommonMark} > $out
sed -i '/*Declared by:*/,+1 d' $out
'';
in
nixpkgsFor.${system}.mkShell {
shellHook = ''
exec cat ${docText} > options.md
'';
};
}
);
};
}
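Review bot: `dist` runs `./dist/release.sh` inside `runCommand`, and under the sandbox the workflows enable that has no network, so the `go generate ./...` and `go build` in the script can only succeed if every Go module dependency is already present (none, or vendored in `fortify.src`); unlike `buildGoModule` in package.nix nothing here supplies a vendor directory or `vendorHash`, so either record that assumption in a comment above the `runCommand` or derive the tarball from the `fortify` package's outputs. Quote the temp paths, `cd "$(mktemp -d)"` and `mkdir "$out"`, matching the quoted `export XDG_CACHE_HOME="$(mktemp -d)"` one line earlier. `fhs` now pairs `pkgs.go`/`pkgs.gcc` (the glibc toolchain) with `pkgsStatic` archives built against musl; whether the NixOS test's `go test` links cleanly against that mix is not visible here, and since the test rather than this derivation is what exercises it, confirm before relying on it.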


@ -1,15 +1,11 @@
{
lib,
buildGoModule,
makeBinaryWrapper,
xdg-dbus-proxy,
bubblewrap,
pkgsStatic,
pkg-config,
acl,
wayland,
wayland-scanner,
wayland-protocols,
xorg,
}:
buildGoModule rec {
@ -27,19 +23,13 @@ buildGoModule rec {
lib.attrsets.foldlAttrs
(
ldflags: name: value:
ldflags
++ [
"-X"
"git.gensokyo.uk/security/fortify/internal.${name}=${value}"
]
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
)
[
"-s"
"-w"
"-X"
"main.Fmain=${placeholder "out"}/libexec/fortify"
"-X"
"main.Fshim=${placeholder "out"}/libexec/fshim"
"-s -w"
"-extldflags '-static'"
"-X main.Fmain=${placeholder "out"}/libexec/fortify"
"-X main.Fshim=${placeholder "out"}/libexec/fshim"
]
{
Version = "v${version}";
@ -51,17 +41,26 @@ buildGoModule rec {
# nix build environment does not allow acls
GO_TEST_SKIP_ACL = 1;
buildInputs = [
acl
wayland
wayland-protocols
xorg.libxcb
];
buildInputs =
# cannot find a cleaner way to do this
with pkgsStatic;
[
musl
libffi
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
]);
nativeBuildInputs = [
pkg-config
wayland-scanner
makeBinaryWrapper
pkgsStatic.makeBinaryWrapper
];
preConfigure = ''
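Review bot: `buildInputs` takes `musl`, `acl`, `wayland`, `libxcb` and friends from `pkgsStatic` while the Go and C toolchain remains whatever `pkgs.callPackage` in flake.nix supplies (the glibc stdenv), which the `# cannot find a cleaner way to do this` comment concedes; the cleaner way is to build the whole package from the static set, `pkgsStatic.callPackage ./package.nix { }` in flake.nix or `pkgsStatic.buildGoModule` here, so `-extldflags '-static'` links against a single libc and `musl` no longer has to be listed as an input. If the link stays on glibc, a static binary that calls `getpwnam`/`getaddrinfo` still loads NSS modules at runtime and the linker warning about it should be treated as an error. The libraries now embedded stop receiving distro updates; a comment on `buildInputs` such as `# static archives: security fixes in acl/wayland/xcb require rebuilding fortify` records that. The ldflags entry `"-s -w"` is one list element holding two flags; it works because buildGoModule flattens the list into one string, but `"-s" "-w"` as two elements would be conventional.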


@ -51,7 +51,7 @@ nixosTest {
mako
# For go tests:
self.devShells.${system}.fhs
self.packages.${system}.fhs
];
variables = {


@ -4,12 +4,13 @@ package wl
//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
/*
#cgo linux pkg-config: wayland-client
#cgo linux pkg-config: --static wayland-client
#cgo freebsd openbsd LDFLAGS: -lwayland-client
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>


@ -6,7 +6,7 @@ import (
)
/*
#cgo linux pkg-config: xcb
#cgo linux pkg-config: --static xcb
#include <stdlib.h>
#include <xcb/xcb.h>