proc/priv/shim: merge shim into main program

Signed-off-by: Ophestra <cat@gensokyo.uk>

.gitea/workflows/build.yml

@@ -1,12 +1,12 @@
-name: Nix
+name: Build
 
 on:
   - push
   - pull_request
 
 jobs:
-  tests:
+  dist:
-    name: NixOS tests
+    name: Create distribution
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -30,17 +30,21 @@ jobs:
       - name: Restore Nix store
         uses: nix-community/cache-nix-action@v5
         with:
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-
+          restore-prefixes-first-match: nix-small-${{ runner.os }}-
 
-      - name: Run tests
+      - name: Build for test
-        run: |
+        id: build-test
-          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
+        run: >-
-          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
+          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
+          nix build --print-out-paths --print-build-logs .#dist &&
+          mv package.nix.old package.nix &&
+          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
 
-      - name: Upload test output
+      - name: Upload test build
         uses: actions/upload-artifact@v3
         with:
-          name: "result"
+          name: "fortify-${{ steps.build-test.outputs.rev }}"
           path: result/*
           retention-days: 1

.gitea/workflows/release.yml

@@ -1,53 +1,52 @@
-name: Create distribution
+name: Release
 
 on:
   push:
     tags:
-      - '*'
+      - 'v*'
 
 jobs:
   release:
-    name: Release
+    name: Create release
     runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
     steps:
-      - name: Get dependencies
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
-          apt-get update &&
-          apt-get install -y
-          acl
-          git
-          gcc
-          pkg-config
-          libwayland-dev
-          wayland-protocols/bookworm-backports
-          libxcb1-dev
-          libacl1-dev
-        if: ${{ runner.os == 'Linux' }}
-
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
 
       - name: Setup go
         uses: https://github.com/actions/setup-go@v5
         with:
           go-version: '>=1.23.0'
 
-      - name: Go generate
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          install_options: --daemon
+          extra_nix_config: |
+            sandbox = true
+            system-features = nixos-test benchmark big-parallel kvm
+          enable_kvm: true
+
+      - name: Ensure environment
         run: >-
-          go generate ./...
+          apt-get update && apt-get install -y sqlite3
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Restore Nix store
+        uses: nix-community/cache-nix-action@v5
+        with:
+          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-small-${{ runner.os }}-
 
       - name: Build for release
-        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
+        id: build-test
+        run: nix build --print-out-paths --print-build-logs .#dist
 
       - name: Release
         id: use-go-action
         uses: https://gitea.com/actions/release-action@main
         with:
           files: |-
-            dist/fortify-**
+            result/fortify-**
           api_key: '${{secrets.RELEASE_TOKEN}}'

.gitea/workflows/test.yml

@@ -1,62 +1,46 @@
-name: Tests
+name: Test
 
 on:
   - push
   - pull_request
 
 jobs:
-  test:
+  tests:
-    name: Go tests
+    name: Run NixOS test
     runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
     steps:
-      - name: Enable backports
+      - name: Checkout
-        run: >-
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
+
-        if: ${{ runner.os == 'Linux' }}
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          install_options: --daemon
+          extra_nix_config: |
+            sandbox = true
+            system-features = nixos-test benchmark big-parallel kvm
+          enable_kvm: true
 
       - name: Ensure environment
         run: >-
-          apt-get update && apt-get install -y curl wget sudo libxml2
+          apt-get update && apt-get install -y sqlite3
         if: ${{ runner.os == 'Linux' }}
 
-      - name: Get dependencies
+      - name: Restore Nix store
-        uses: awalsh128/cache-apt-pkgs-action@latest
+        uses: nix-community/cache-nix-action@v5
         with:
-          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          version: 1.0
+          restore-prefixes-first-match: nix-${{ runner.os }}-
-          #execute_install_scripts: true
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup go
-        uses: https://github.com/actions/setup-go@v5
-        with:
-          go-version: '>=1.23.0'
-
-      - name: Go generate
-        run: >-
-          go generate ./...
 
       - name: Run tests
-        run: >-
+        run: |
-          go test ./...
+          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
+          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
 
-      - name: Build for test
+      - name: Upload test output
-        id: build-test
-        run: >-
-          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
-          bash -c './dist/release.sh &&
-          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
-
-      - name: Upload test build
         uses: actions/upload-artifact@v3
         with:
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          name: "result"
-          path: dist/fortify-*
+          path: result/*
           retention-days: 1

acl/c.go

@@ -9,7 +9,7 @@ import (
 )
 
 /*
-#cgo linux pkg-config: libacl
+#cgo linux pkg-config: --static libacl
 
 #include <stdlib.h>
 #include <sys/acl.h>

cmd/fpkg/with.go

@@ -62,7 +62,7 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
 			AppID:    app.AppID,
 			Username: "nixos",
 			Inner:    path.Join("/data/data", app.ID, "cache"),
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via fshim
+			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
 			Sandbox: &fst.SandboxConfig{
 				Hostname:     formatHostname(app.Name) + "-" + action,
 				NoNewSession: dropShell,

cmd/fsu/main.go

@@ -24,7 +24,6 @@ const (
 
 var (
 	Fmain = compPoison
-	Fshim = compPoison
 )
 
 func main() {
@@ -41,17 +40,12 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}
 
-	var fmain, fshim string
+	var fmain string
 	if p, ok := checkPath(Fmain); !ok {
 		log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
 	} else {
 		fmain = p
 	}
-	if p, ok := checkPath(Fshim); !ok {
-		log.Fatal("invalid fshim path, this copy of fsu is not compiled correctly")
-	} else {
-		fshim = p
-	}
 
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
@@ -142,7 +136,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 

dist/install.sh

@@ -4,7 +4,6 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
 
-install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
 install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
 

dist/release.sh

@@ -8,13 +8,13 @@ mkdir -p "${out}"
 cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
 cp -rv "comp" "${out}"
 
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
+go generate ./...
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
   -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
   -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-  -X main.Fmain=/usr/bin/fortify
+  -X main.Fmain=/usr/bin/fortify" ./...
-  -X main.Fshim=/usr/libexec/fortify/fshim" ./...
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"

flake.nix

@@ -95,72 +95,134 @@
       packages = forAllSystems (
         system:
         let
+          inherit (self.packages.${system}) fortify;
           pkgs = nixpkgsFor.${system};
         in
         {
           default = self.packages.${system}.fortify;
-
           fortify = pkgs.callPackage ./package.nix { };
+
+          dist =
+            pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
+              ''
+                # go requires XDG_CACHE_HOME for the build cache
+                export XDG_CACHE_HOME="$(mktemp -d)"
+
+                # get a different workdir as go does not like /build
+                cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
+
+                export FORTIFY_VERSION="v${fortify.version}"
+                ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
+              '';
+
+          fhs = pkgs.buildFHSEnv {
+            pname = "fortify-fhs";
+            inherit (fortify) version;
+            targetPkgs =
+              pkgs:
+              with pkgs;
+              [
+                go
+                gcc
+                pkg-config
+                wayland-scanner
+              ]
+              ++ (
+                with pkgs.pkgsStatic;
+                [
+                  musl
+                  libffi
+                  acl
+                  wayland
+                  wayland-protocols
+                ]
+                ++ (with xorg; [
+                  libxcb
+                  libXau
+                  libXdmcp
+
+                  xorgproto
+                ])
+              );
+            extraOutputsToInstall = [ "dev" ];
+            profile = ''
+              export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+            '';
+          };
         }
       );
 
-      devShells = forAllSystems (system: {
+      devShells = forAllSystems (
-        default = nixpkgsFor.${system}.mkShell {
+        system:
-          buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
+        let
-        };
+          inherit (self.packages.${system}) fortify fhs;
-
+          pkgs = nixpkgsFor.${system};
-        fhs = nixpkgsFor.${system}.buildFHSEnv {
+        in
-          pname = "fortify-fhs";
+        {
-          inherit (self.packages.${system}.fortify) version;
+          default = pkgs.mkShell {
-          targetPkgs =
+            buildInputs =
-            pkgs: with pkgs; [
+              with pkgs;
-              go
+              [
-              gcc
+                go
-              pkg-config
+                gcc
-              acl
+              ]
-              wayland
+              # buildInputs
-              wayland-scanner
+              ++ (
-              wayland-protocols
+                with pkgsStatic;
-              xorg.libxcb
+                [
-            ];
+                  musl
-          extraOutputsToInstall = [ "dev" ];
+                  libffi
-          profile = ''
+                  acl
-            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+                  wayland
-          '';
+                  wayland-protocols
-        };
+                ]
-
+                ++ (with xorg; [
-        withPackage = nixpkgsFor.${system}.mkShell {
+                  libxcb
-          buildInputs =
+                  libXau
-            with nixpkgsFor.${system};
+                  libXdmcp
-            self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
+                ])
-        };
+              )
-
+              # nativeBuildInputs
-        generateDoc =
+              ++ [
-          let
+                pkg-config
-            pkgs = nixpkgsFor.${system};
+                wayland-scanner
-            inherit (pkgs) lib;
+                makeBinaryWrapper
-
+              ];
-            doc =
-              let
-                eval = lib.evalModules {
-                  specialArgs = {
-                    inherit pkgs;
-                  };
-                  modules = [ ./options.nix ];
-                };
-                cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
-              in
-              pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
-            docText = pkgs.runCommand "fortify-module-docs.md" { } ''
-              cat ${doc.optionsCommonMark} > $out
-              sed -i '/*Declared by:*/,+1 d' $out
-            '';
-          in
-          nixpkgsFor.${system}.mkShell {
-            shellHook = ''
-              exec cat ${docText} > options.md
-            '';
           };
-      });
+
+          fhs = fhs.env;
+
+          withPackage = nixpkgsFor.${system}.mkShell {
+            buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
+          };
+
+          generateDoc =
+            let
+              pkgs = nixpkgsFor.${system};
+              inherit (pkgs) lib;
+
+              doc =
+                let
+                  eval = lib.evalModules {
+                    specialArgs = {
+                      inherit pkgs;
+                    };
+                    modules = [ ./options.nix ];
+                  };
+                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
+                in
+                pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
+              docText = pkgs.runCommand "fortify-module-docs.md" { } ''
+                cat ${doc.optionsCommonMark} > $out
+                sed -i '/*Declared by:*/,+1 d' $out
+              '';
+            in
+            nixpkgsFor.${system}.mkShell {
+              shellHook = ''
+                exec cat ${docText} > options.md
+              '';
+            };
+        }
+      );
     };
 }

internal/app/app.go

@@ -5,9 +5,9 @@ import (
 	"sync"
 	"sync/atomic"
 
-	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 )
 
 type App interface {
@@ -23,7 +23,7 @@ type App interface {
 type RunState struct {
 	// Start is true if fsu is successfully started.
 	Start bool
-	// ExitCode is the value returned by fshim.
+	// ExitCode is the value returned by shim.
 	ExitCode int
 	// WaitErr is error returned by the underlying wait syscall.
 	WaitErr error

internal/app/start.go

@@ -9,10 +9,9 @@ import (
 	"strings"
 	"time"
 
-	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
-	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/state"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
@@ -51,7 +50,7 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 		uint32(a.seal.sys.UID()),
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
-		&shim0.Payload{
+		&shim.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
 			Bwrap: a.seal.sys.bwrap,

internal/linux/std.go

@@ -73,7 +73,7 @@ func (s *Std) Uid(aid int) (int, error) {
 
 	u.uid = -1
 	if fsu, ok := internal.Check(internal.Fsu); !ok {
-		fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
+		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 		panic("unreachable")
 	} else {
 		cmd := exec.Command(fsu)

internal/prctl.go

@@ -12,7 +12,7 @@ func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error {
 }
 
 func PR_SET_PDEATHSIG__SIGKILL() error {
-	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
+	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
 		return errno
 	}
 

internal/proc/priv/shim/main.go

@@ -1,4 +1,4 @@
-package main
+package shim
 
 import (
 	"errors"
@@ -8,7 +8,6 @@ import (
 	"syscall"
 
 	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
-	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
@@ -19,7 +18,7 @@ import (
 // everything beyond this point runs as unconstrained target user
 // proceed with caution!
 
-func main() {
+func Main() {
 	// sharing stdout with fortify
 	// USE WITH CAUTION
 	fmsg.SetPrefix("shim")
@@ -31,8 +30,8 @@ func main() {
 	}
 
 	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "fshim" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
+	if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "shim" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"fshim"}, os.Environ()); err != nil {
+		if err := syscall.Exec(os.Args[0], []string{"fortify", "shim"}, os.Environ()); err != nil {
 			fmsg.Println("cannot re-exec self:", err)
 			// continue anyway
 		}
@@ -41,17 +40,17 @@ func main() {
 	// check path to finit
 	var finitPath string
 	if p, ok := internal.Path(internal.Finit); !ok {
-		fmsg.Fatal("invalid finit path, this copy of fshim is not compiled correctly")
+		fmsg.Fatal("invalid finit path, this copy of fortify is not compiled correctly")
 	} else {
 		finitPath = p
 	}
 
 	// receive setup payload
 	var (
-		payload    shim.Payload
+		payload    Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(shim.Env, &payload); err != nil {
+	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}

internal/proc/priv/shim/manager.go

@@ -10,7 +10,6 @@ import (
 	"strings"
 	"time"
 
-	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@@ -30,12 +29,12 @@ type Shim struct {
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// shim setup payload
-	payload *shim0.Payload
+	payload *Payload
 	// monitor to shim encoder
 	encoder *gob.Encoder
 }
 
-func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
+func New(uid uint32, aid string, supp []string, payload *Payload) *Shim {
 	return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
 }
 
@@ -58,7 +57,7 @@ func (s *Shim) Start() (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
 	if p, ok := internal.Check(internal.Fsu); !ok {
-		fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
+		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
 		panic("unreachable")
 	} else {
 		fsu = p
@@ -72,7 +71,7 @@ func (s *Shim) Start() (*time.Time, error) {
 	} else {
 		s.encoder = e
 		s.cmd.Env = []string{
-			shim0.Env + "=" + strconv.Itoa(fd),
+			Env + "=" + strconv.Itoa(fd),
 			"FORTIFY_APP_ID=" + s.aid,
 		}
 	}

internal/proc/priv/shim/payload.go

@@ -1,8 +1,6 @@
-package shim0
+package shim
 
-import (
+import "git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-)
 
 const Env = "FORTIFY_SHIM"
 

main.go

@@ -20,6 +20,7 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 
@@ -283,6 +284,12 @@ func main() {
 
 		// invoke app
 		runApp(config)
+
+	// internal commands
+	case "shim":
+		shim.Main()
+		fmsg.Exit(0)
+
 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])
 	}

package.nix

@@ -5,10 +5,11 @@
   xdg-dbus-proxy,
   bubblewrap,
   pkg-config,
+  libffi,
   acl,
   wayland,
-  wayland-scanner,
   wayland-protocols,
+  wayland-scanner,
   xorg,
 }:
 
@@ -27,19 +28,11 @@ buildGoModule rec {
     lib.attrsets.foldlAttrs
       (
         ldflags: name: value:
-        ldflags
+        ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
-        ++ [
-          "-X"
-          "git.gensokyo.uk/security/fortify/internal.${name}=${value}"
-        ]
       )
       [
-        "-s"
+        "-s -w"
-        "-w"
+        "-X main.Fmain=${placeholder "out"}/libexec/fortify"
-        "-X"
-        "main.Fmain=${placeholder "out"}/libexec/fortify"
-        "-X"
-        "main.Fshim=${placeholder "out"}/libexec/fshim"
       ]
       {
         Version = "v${version}";
@@ -51,12 +44,18 @@ buildGoModule rec {
   # nix build environment does not allow acls
   GO_TEST_SKIP_ACL = 1;
 
-  buildInputs = [
+  buildInputs =
-    acl
+    [
-    wayland
+      libffi
-    wayland-protocols
+      acl
-    xorg.libxcb
+      wayland
-  ];
+      wayland-protocols
+    ]
+    ++ (with xorg; [
+      libxcb
+      libXau
+      libXdmcp
+    ]);
 
   nativeBuildInputs = [
     pkg-config

test.nix

@@ -51,7 +51,7 @@ nixosTest {
           mako
 
           # For go tests:
-          self.devShells.${system}.fhs
+          self.packages.${system}.fhs
         ];
 
         variables = {

wl/c.go

@@ -4,12 +4,13 @@ package wl
 //go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
 
 /*
-#cgo linux pkg-config: wayland-client
+#cgo linux pkg-config: --static wayland-client
 #cgo freebsd openbsd LDFLAGS: -lwayland-client
 
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <unistd.h>
 #include <sys/socket.h>

xcb/c.go

@@ -6,7 +6,7 @@ import (
 )
 
 /*
-#cgo linux pkg-config: xcb
+#cgo linux pkg-config: --static xcb
 
 #include <stdlib.h>
 #include <xcb/xcb.h>