release: 0.2.18

Signed-off-by: Ophestra <cat@gensokyo.uk>
nix: clean up directory structure
2025-02-23 18:52:33 +09:00 · 2025-02-23 18:48:01 +09:00 · 2025-02-23 18:34:42 +09:00 · 2025-02-23 18:13:37 +09:00 · 2025-02-23 18:02:33 +09:00 · 2025-02-23 17:46:22 +09:00
21 changed files with 241 additions and 110 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -5,26 +5,53 @@ on:
  - pull_request
 jobs:
-  test:
+  fortify:
-    name: Run NixOS test
+    name: Fortify
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Run fortify tests
+      - name: Run NixOS test
-        run: nix build --out-link "result-fortify" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
      - name: Run flake checks
        run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "fortify-vm-output"
-          path: result-fortify/*
+          path: result/*
          retention-days: 1
  race:
    name: Data race detector
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "fortify-race-vm-output"
          path: result/*
          retention-days: 1
  check:
    name: Flake checks
    needs:
      - fortify
      - race
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run checks
        run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
  dist:
    name: Create distribution
    runs-on: nix
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@ -0,0 +1,19 @@
 {
  buildGoModule,
  fortify ? abort "fortify package required",
 }:
 buildGoModule {
  pname = "${fortify.pname}-fsu";
  inherit (fortify) version;
  src = ./.;
  inherit (fortify) vendorHash;
  CGO_ENABLED = 0;
  preBuild = ''
    go mod init fsu >& /dev/null
  '';
  ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
 }
--- a/command/command.go
+++ b/command/command.go
@ -29,6 +29,11 @@ type (
 	Command interface {
 		Parse(arguments []string) error
 		// MustParse determines exit outcomes for Parse errors
 		// and calls handleError if [HandlerFunc] returns a non-nil error.
 		MustParse(arguments []string, handleError func(error))
 		baseNode[Command]
 	}
 	Node baseNode[Node]
--- a/command/parse.go
+++ b/command/parse.go
@ -3,6 +3,7 @@ package command
 import (
 	"errors"
 	"log"
 	"os"
 )
 var (
@ -78,3 +79,27 @@ func (n *node) printf(format string, a ...any) {
 		n.logf(format, a...)
 	}
 }
 func (n *node) MustParse(arguments []string, handleError func(error)) {
 	switch err := n.Parse(arguments); err {
 	case nil:
 		return
 	case ErrHelp:
 		os.Exit(0)
 	case ErrNoMatch:
 		os.Exit(1)
 	case ErrEmptyTree:
 		os.Exit(1)
 	default:
 		var flagError FlagError
 		if !errors.As(err, &flagError) { // returned by HandlerFunc
 			handleError(err)
 			os.Exit(1)
 		}
 		if flagError.Success() {
 			os.Exit(0)
 		}
 		os.Exit(1)
 	}
 }
--- a/flake.nix
+++ b/flake.nix
@ -57,6 +57,12 @@
            ;
        in
        {
          fortify = callPackage ./test { inherit system self; };
          race = callPackage ./test {
            inherit system self;
            withRace = true;
          };
          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
            cd ${./.}
@ -85,8 +91,6 @@
                touch $out
              '';
          fortify = callPackage ./tests/fortify { inherit system self; };
        }
      );
@ -98,7 +102,10 @@
        in
        {
          default = self.packages.${system}.fortify;
-          fortify = pkgs.callPackage ./package.nix { };
+          fortify = pkgs.pkgsStatic.callPackage ./package.nix {
            inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
          };
          fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
          dist =
            pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
--- a/helper/proc/pipe.go
+++ b/helper/proc/pipe.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"os"
 	"runtime"
 )
 // NewWriterTo returns a [File] that receives content from wt on fulfillment.
@ -25,13 +26,20 @@ func (f *writeToFile) Fulfill(ctx context.Context, dispatchErr func(error)) erro
 	f.Set(r)
 	done := make(chan struct{})
-	go func() { _, err = f.wt.WriteTo(w); dispatchErr(err); dispatchErr(w.Close()); close(done) }()
+	go func() {
 		_, err = f.wt.WriteTo(w)
 		dispatchErr(err)
 		dispatchErr(w.Close())
 		close(done)
 		runtime.KeepAlive(r)
 	}()
 	go func() {
 		select {
 		case <-done:
 			dispatchErr(nil)
 		case <-ctx.Done():
 			dispatchErr(w.Close()) // this aborts WriteTo with file already closed
 			runtime.KeepAlive(r)
 		}
 	}()
@ -83,6 +91,7 @@ func (f *statFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
 		default:
 			panic("unreachable")
 		}
 		runtime.KeepAlive(w)
 	}()
 	go func() {
@ -91,6 +100,7 @@ func (f *statFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
 			dispatchErr(nil)
 		case <-ctx.Done():
 			dispatchErr(r.Close()) // this aborts Read with file already closed
 			runtime.KeepAlive(w)
 		}
 	}()
--- a/helper/seccomp/export.go
+++ b/helper/seccomp/export.go
@ -27,7 +27,12 @@ func (e *exporter) prepare() error {
 		}
 		ec := make(chan error, 1)
-		go func(fd uintptr) { ec <- exportFilter(fd, e.opts); close(ec); _ = e.closeWrite() }(e.w.Fd())
+		go func(fd uintptr) {
 			ec <- exportFilter(fd, e.opts)
 			close(ec)
 			_ = e.closeWrite()
 			runtime.KeepAlive(e.w)
 		}(e.w.Fd())
 		e.exportErr = ec
 		runtime.SetFinalizer(e, (*exporter).closeWrite)
 	})
--- a/ldd/exec.go
+++ b/ldd/exec.go
@ -1,9 +1,10 @@
 package ldd
 import (
 	"bytes"
 	"context"
 	"os"
-	"strings"
+	"os/exec"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper"
@ -12,27 +13,31 @@ import (
 const lddTimeout = 2 * time.Second
 var (
 	msgStaticGlibc = []byte("not a dynamic executable")
 )
 func Exec(ctx context.Context, p string) ([]*Entry, error) {
 	var h helper.Helper
-	if b, err := helper.NewBwrap(
+	if toolPath, err := exec.LookPath("ldd"); err != nil {
 		return nil, err
 	} else if h, err = helper.NewBwrap(
 		(&bwrap.Config{
 			Hostname:      "fortify-ldd",
 			Chdir:         "/",
 			Syscall:       &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
 			NewSession:    true,
 			DieWithParent: true,
-		}).Bind("/", "/").DevTmpfs("/dev"), "ldd",
+		}).Bind("/", "/").DevTmpfs("/dev"), toolPath,
 		nil, func(_, _ int) []string { return []string{p} },
 		nil, nil,
 	); err != nil {
 		return nil, err
 	} else {
 		h = b
 	}
-	stdout := new(strings.Builder)
+	stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
-	h.Stdout(stdout).Stderr(os.Stderr)
+	h.Stdout(stdout).Stderr(stderr)
 	c, cancel := context.WithTimeout(ctx, lddTimeout)
 	defer cancel()
@ -40,6 +45,12 @@ func Exec(ctx context.Context, p string) ([]*Entry, error) {
 		return nil, err
 	}
 	if err := h.Wait(); err != nil {
 		m := stderr.Bytes()
 		if bytes.Contains(m, msgStaticGlibc) {
 			return nil, nil
 		}
 		_, _ = os.Stderr.Write(m)
 		return nil, err
 	}
--- a/main.go
+++ b/main.go
@ -53,30 +53,14 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}
-	err := buildCommand(os.Stderr).Parse(os.Args[1:])
+	buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) {
-	if errors.Is(err, errSuccess) || errors.Is(err, command.ErrHelp) {
+		fmsg.Verbosef("command returned %v", err)
-		internal.Exit(0)
+		if errors.Is(err, errSuccess) {
-		panic("unreachable")
+			fmsg.BeforeExit()
-	}
+			os.Exit(0)
-	if errors.Is(err, command.ErrNoMatch) || errors.Is(err, command.ErrEmptyTree) {
+		}
-		internal.Exit(1)
+	})
-		panic("unreachable")
+	log.Fatal("unreachable")
 	}
 	if err == nil {
 		log.Fatal("unreachable")
 	}
 	var flagError command.FlagError
 	if !errors.As(err, &flagError) {
 		log.Printf("command: %v", err)
 		internal.Exit(1)
 		panic("unreachable")
 	}
 	fmsg.Verbose(flagError.Error())
 	if flagError.Success() {
 		internal.Exit(0)
 	}
 	internal.Exit(1)
 }
 func buildCommand(out io.Writer) command.Command {
--- a/nixos.nix
+++ b/nixos.nix
@ -30,7 +30,7 @@ in
  config = mkIf cfg.enable {
    security.wrappers.fsu = {
-      source = "${cfg.package}/libexec/fsu";
+      source = "${cfg.fsuPackage}/bin/fsu";
      setuid = true;
      owner = "root";
      setgid = true;
--- a/options.md
+++ b/options.md
@ -36,7 +36,7 @@ package
 *Default:*
-` <derivation fortify-0.2.17> `
+` <derivation fortify-static-x86_64-unknown-linux-musl-0.2.18> `
@ -670,6 +670,25 @@ boolean
 ## environment\.fortify\.fsuPackage
 The fsu package to use\.
 *Type:*
 package
 *Default:*
 ` <derivation fortify-fsu-0.2.18> `
 ## environment\.fortify\.home-manager
--- a/options.nix
+++ b/options.nix
@ -2,6 +2,9 @@
 let
  inherit (lib) types mkOption mkEnableOption;
  fortify = pkgs.pkgsStatic.callPackage ./package.nix {
    inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
  };
 in
 {
@ -11,10 +14,16 @@ in
      package = mkOption {
        type = types.package;
-        default = pkgs.callPackage ./package.nix { };
+        default = fortify;
        description = "The fortify package to use.";
      };
      fsuPackage = mkOption {
        type = types.package;
        default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; };
        description = "The fsu package to use.";
      };
      users = mkOption {
        type =
          let
--- a/package.nix
+++ b/package.nix
@ -1,5 +1,6 @@
 {
  lib,
  stdenv,
  buildGoModule,
  makeBinaryWrapper,
  xdg-dbus-proxy,
@ -12,16 +13,22 @@
  wayland-protocols,
  wayland-scanner,
  xorg,
  glibc, # for ldd
  withStatic ? stdenv.hostPlatform.isStatic,
 }:
 buildGoModule rec {
  pname = "fortify";
-  version = "0.2.17";
+  version = "0.2.18";
  src = builtins.path {
-    name = "fortify-src";
+    name = "${pname}-src";
    path = lib.cleanSource ./.;
-    filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path);
+    filter =
      path: type:
      !(type == "regular" && lib.hasSuffix ".nix" path)
      && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
  };
  vendorHash = null;
@ -31,17 +38,22 @@ buildGoModule rec {
        ldflags: name: value:
        ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
      )
-      [
+      (
-        "-s -w"
+        [
-        "-X main.Fmain=${placeholder "out"}/libexec/fortify"
+          "-s -w"
-      ]
+        ]
        ++ lib.optionals withStatic [
          "-linkmode external"
          "-extldflags \"-static\""
        ]
      )
      {
        Version = "v${version}";
        Fsu = "/run/wrappers/bin/fsu";
      };
  # nix build environment does not allow acls
-  GO_TEST_SKIP_ACL = 1;
+  env.GO_TEST_SKIP_ACL = 1;
  buildInputs =
    [
@ -64,7 +76,7 @@ buildGoModule rec {
  ];
  preBuild = ''
-    HOME=$(mktemp -d) go generate ./...
+    HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
  '';
  postInstall = ''
@ -76,6 +88,7 @@ buildGoModule rec {
    makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
      --inherit-argv0 --prefix PATH : ${
        lib.makeBinPath [
          glibc
          bubblewrap
          xdg-dbus-proxy
        ]
--- a/tests/fortify/configuration.nix
+++ b/tests/fortify/configuration.nix
--- a/test/default.nix
+++ b/test/default.nix
@ -0,0 +1,47 @@
 {
  lib,
  nixosTest,
  writeShellScriptBin,
  system,
  self,
  withRace ? false,
 }:
 nixosTest {
  name = "fortify" + (if withRace then "-race" else "");
  nodes.machine =
    { options, pkgs, ... }:
    {
      environment.systemPackages = [
        # For go tests:
        self.packages.${system}.fhs
        (writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
      ];
      # Run with Go race detector:
      environment.fortify = lib.mkIf withRace rec {
        # race detector does not support static linking
        package = (pkgs.callPackage ../package.nix { }).overrideAttrs (previousAttrs: {
          GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
        });
        fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
      };
      imports = [
        ./configuration.nix
        self.nixosModules.fortify
        self.inputs.home-manager.nixosModules.home-manager
      ];
    };
  # adapted from nixos sway integration tests
  # testScriptWithTypes:49: error: Cannot call function of unknown type
  #           (machine.succeed if succeed else machine.execute)(
  #           ^
  # Found 1 error in 1 file (checked 1 source file)
  skipTypeCheck = true;
  testScript = builtins.readFile ./test.py;
 }
--- a/tests/fortify/test.py
+++ b/tests/fortify/test.py
--- a/tests/fortify/default.nix
+++ b/tests/fortify/default.nix
@ -1,51 +0,0 @@
 {
  system,
  self,
  nixosTest,
  writeShellScriptBin,
 }:
 nixosTest {
  name = "fortify";
  nodes.machine = {
    environment.systemPackages = [
      # For go tests:
      self.packages.${system}.fhs
      (writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
    ];
    # Run with Go race detector:
    environment.fortify.package =
      let
        inherit (self.packages.${system}) fortify;
      in
      fortify.overrideAttrs (previousAttrs: {
        GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
        # fsu does not like cgo
        disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ];
        postInstall =
          previousAttrs.postInstall
          + ''
            cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu"
            sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu"
          '';
      });
    imports = [
      ./configuration.nix
      self.nixosModules.fortify
      self.inputs.home-manager.nixosModules.home-manager
    ];
  };
  # adapted from nixos sway integration tests
  # testScriptWithTypes:49: error: Cannot call function of unknown type
  #           (machine.succeed if succeed else machine.execute)(
  #           ^
  # Found 1 error in 1 file (checked 1 source file)
  skipTypeCheck = true;
  testScript = builtins.readFile ./test.py;
 }
--- a/wl/conn.go
+++ b/wl/conn.go
@ -94,6 +94,7 @@ func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID st
 			// keep socket alive until done is requested
 			<-done
 			runtime.KeepAlive(syncPipe[1].Fd())
 		}); err != nil {
 			setupDone <- err
 		}
--- a/wl/wayland-bind.c
+++ b/wl/wayland-bind.c
@ -23,7 +23,7 @@ static const struct wl_registry_listener registry_listener = {
  .global_remove = registry_handle_global_remove,
 };
-int32_t bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd) {
+int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd) {
  int32_t res = 0; // refer to resErr for meaning
  struct wl_display *display;
--- a/wl/wayland-bind.h
+++ b/wl/wayland-bind.h
@ -1,3 +1,3 @@
 #include <stdint.h>
-int32_t bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd);
+int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id, const char *instance_id, int sync_fd);
--- a/wl/wl.go
+++ b/wl/wl.go
@ -29,7 +29,7 @@ func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, sync
 	if hasNull(appID) || hasNull(instanceID) {
 		return ErrContainsNull
 	}
-	res := C.bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFD))
+	res := C.f_bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFD))
 	return resErr[int32(res)]
 }
Author	SHA1	Message	Date
Ophestra	71135f339a	release: 0.2.18 All checks were successful Test / Create distribution (push) Successful in 20s Details Release / Create release (push) Successful in 33s Details Test / Fortify (push) Successful in 2m4s Details Test / Data race detector (push) Successful in 2m33s Details Test / Flake checks (push) Successful in 48s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:52:33 +09:00
Ophestra	b6af8caffe	nix: clean up directory structure All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Fortify (push) Successful in 36s Details Test / Data race detector (push) Successful in 56s Details Test / Flake checks (push) Successful in 41s Details Tests for fpkg is going to be in ./cmd/fpkg, so this central tests directory is no longer necessary. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:48:01 +09:00
Ophestra	e1a3549ea0	workflows: separate nixos tests from flake check All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fortify (push) Successful in 2m12s Details Test / Data race detector (push) Successful in 3m0s Details Test / Flake checks (push) Successful in 41s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:34:42 +09:00
Ophestra	8bf162820b	nix: separate fsu from package All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Run NixOS test (push) Successful in 7m25s Details This appears to be the only way to build them with different configuration. This enables static linking in the main package. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:13:37 +09:00
Ophestra	dccb366608	ldd: handle behaviour on static executable All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Run NixOS test (push) Successful in 3m27s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 18:02:33 +09:00
Ophestra	83c8f0488b	ldd: pass absolute path to bwrap All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Run NixOS test (push) Successful in 3m31s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 17:46:22 +09:00
Ophestra	478b27922c	fortify: handle errors via MustParse All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Run NixOS test (push) Successful in 3m29s Details The errSuccess behaviour is kept for beforeExit. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 12:57:59 +09:00
Ophestra	ba1498cd18	command: filter parse errors All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Run NixOS test (push) Successful in 3m29s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 12:55:10 +09:00
Ophestra	eda4d612c2	fortify: keep external files alive All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Run NixOS test (push) Successful in 3m10s Details This should eliminate sporadic failures, like the known double close in "seccomp". Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-23 03:24:37 +09:00
`@ -1,3 +1,3 @@`
	`#include <stdint.h>`	`#include <stdint.h>`

	`int32_t bind_wayland_fd(char socket_path, int fd, const char app_id, const char *instance_id, int sync_fd);`	`int32_t f_bind_wayland_fd(char socket_path, int fd, const char app_id, const char *instance_id, int sync_fd);`