security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity
673b648bd3
fortify/package.nix
Ophestra 673b648bd3
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Fortify (push) Successful in 2m31s
Details
Test / Data race detector (push) Successful in 3m25s
Details
Test / Fpkg (push) Successful in 3m29s
Details
Test / Flake checks (push) Successful in 55s
Details
cmd/fpkg: call app in-process 
Wrapping fortify is slow, painful and error-prone. Start apps in-process instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-26 19:51:44 +09:00

115 lines
2.2 KiB
Nix
Raw Blame History

{
lib,
stdenv,
buildGoModule,
makeBinaryWrapper,
xdg-dbus-proxy,
bubblewrap,
pkg-config,
libffi,
libseccomp,
acl,
wayland,
wayland-protocols,
wayland-scanner,
xorg,
# for fpkg
zstd,
gnutar,
coreutils,
glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic,
}:
buildGoModule rec {
pname = "fortify";
version = "0.2.18";
src = builtins.path {
name = "${pname}-src";
path = lib.cleanSource ./.;
filter =
path: type:
!(type == "regular" && (lib.hasSuffix ".nix" path || lib.hasSuffix ".py" path))
&& !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
};
vendorHash = null;
ldflags =
lib.attrsets.foldlAttrs
(
ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
)
(
[ "-s -w" ]
++ lib.optionals withStatic [
"-linkmode external"
"-extldflags \"-static\""
]
)
{
version = "v${version}";
fsu = "/run/wrappers/bin/fsu";
};
# nix build environment does not allow acls
env.GO_TEST_SKIP_ACL = 1;
buildInputs =
[
libffi
libseccomp
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
]);
nativeBuildInputs = [
pkg-config
wayland-scanner
makeBinaryWrapper
];
preBuild = ''
HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
'';
postInstall =
let
appPackages = [
glibc
bubblewrap
xdg-dbus-proxy
];
in
''
install -D --target-directory=$out/share/zsh/site-functions comp/*
mkdir "$out/libexec"
mv "$out"/bin/* "$out/libexec/"
makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
--inherit-argv0 --prefix PATH : ${lib.makeBinPath appPackages}
makeBinaryWrapper "$out/libexec/fpkg" "$out/bin/fpkg" \
--inherit-argv0 --prefix PATH : ${
lib.makeBinPath (
appPackages
++ [
zstd
gnutar
coreutils
]
)
}
'';
}
Reference in New Issue View Git Blame Copy Permalink