security/hakurei
security/hakurei
4
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: security:25e1b68c6da8b319e8d4c56238b2759c9f431642
Branches Tags
security:master
security:staging
security:develop
security:v0.1.1
security:v0.1.0
..
compare: security:fb8abf63db8367efce11db6f2ccf4b7775553e0f
Branches Tags
security:staging
security:develop
security:master
security:v0.1.1
security:v0.1.0

No commits in common. "25e1b68c6da8b319e8d4c56238b2759c9f431642" and "fb8abf63db8367efce11db6f2ccf4b7775553e0f" have entirely different histories.
25e1b68c6d ... fb8abf63db

5 changed files with 118 additions and 237 deletions
Show Stats Expand all files Collapse all files

37
bundle.nix
View File

@ -10,10 +10,8 @@
writeScript, writeScript,
runtimeShell, runtimeShell,
writeText, writeText,
symlinkJoin,
vmTools, vmTools,
runCommand, runCommand,
fetchFromGitHub,
nix, nix,
@ -68,10 +66,7 @@ let
extraNixOSConfig = extraNixOSConfig =
{ pkgs, ... }: { pkgs, ... }:
{ {
environment = { environment.systemPackages = [ pkgs.nix ];
etc.nixpkgs.source = nixpkgs.outPath;
systemPackages = [ pkgs.nix ];
};
}; };
nixos = nixpkgs.lib.nixosSystem { nixos = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
@ -111,30 +106,6 @@ let
inherit (ext) call broadcast; inherit (ext) call broadcast;
}; };
nixGL = fetchFromGitHub {
owner = "nix-community";
repo = "nixGL";
rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
};
mesaWrappers =
let
isIntelX86Platform = system == "x86_64-linux";
nixGLPackages = import (nixGL + "/default.nix") {
pkgs = nixpkgs.legacyPackages.${system};
enable32bits = isIntelX86Platform;
enableIntelX86Extensions = isIntelX86Platform;
};
in
symlinkJoin {
name = "nixGL-mesa";
paths = with nixGLPackages; [
nixGLIntel
nixVulkanIntel
];
};
info = builtins.toJSON { info = builtins.toJSON {
inherit inherit
name name
@ -170,8 +141,6 @@ let
+ (if allow_dbus then 4 else 0) + (if allow_dbus then 4 else 0)
+ (if allow_pulse then 8 else 0); + (if allow_pulse then 8 else 0);
mesa = if gpu then mesaWrappers else null;
nix_gl = if gpu then nixGL else null;
current_system = nixos.config.system.build.toplevel; current_system = nixos.config.system.build.toplevel;
activation_package = homeManagerConfiguration.activationPackage; activation_package = homeManagerConfiguration.activationPackage;
}; };
@ -186,9 +155,7 @@ writeScript "fortify-${pname}-bundle-prelude" ''
nix copy --no-check-sigs --to "$OUT" "${nix}" "${nixos.config.system.build.toplevel}" nix copy --no-check-sigs --to "$OUT" "${nix}" "${nixos.config.system.build.toplevel}"
nix store --store "$OUT" optimise nix store --store "$OUT" optimise
chmod -R +r "$OUT/nix/var" chmod -R +r "$OUT/nix/var"
nix copy --no-check-sigs --to "file://$OUT/res?compression=zstd&compression-level=19&parallel-compression=true" \ nix copy --no-check-sigs --to "file://$OUT/res?compression=zstd&compression-level=19&parallel-compression=true" "${homeManagerConfiguration.activationPackage}" "${launcher}"
"${homeManagerConfiguration.activationPackage}" \
"${launcher}" ${if gpu then "${mesaWrappers} ${nixGL}" else ""}
mkdir -p "$OUT/etc" mkdir -p "$OUT/etc"
tar -C "$OUT/etc" -xf "${etc}/etc.tar" tar -C "$OUT/etc" -xf "${etc}/etc.tar"
cp "${writeText "bundle.json" info}" "$OUT/bundle.json" cp "${writeText "bundle.json" info}" "$OUT/bundle.json"

4
cmd/fpkg/bundle.go
View File

@ -40,10 +40,6 @@ type bundleInfo struct {
// allow gpu access within sandbox // allow gpu access within sandbox
GPU bool `json:"gpu"` GPU bool `json:"gpu"`
// store path to nixGL mesa wrappers
Mesa string `json:"mesa,omitempty"`
// store path to nixGL source
NixGL string `json:"nix_gl,omitempty"`
// store path to activate-and-exec script // store path to activate-and-exec script
Launcher string `json:"launcher"` Launcher string `json:"launcher"`
// store path to /run/current-system // store path to /run/current-system

103
cmd/fpkg/install.go
View File

@ -5,6 +5,7 @@ import (
"flag" "flag"
"os" "os"
"path" "path"
"strings"
"git.gensokyo.uk/security/fortify/fst" "git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/fmsg"
@ -97,8 +98,7 @@ func actionInstall(args []string) {
if app != bundle { if app != bundle {
// do not try to re-install // do not try to re-install
if app.NixGL == bundle.NixGL && if app.CurrentSystem == bundle.CurrentSystem &&
app.CurrentSystem == bundle.CurrentSystem &&
app.Launcher == bundle.Launcher && app.Launcher == bundle.Launcher &&
app.ActivationPackage == bundle.ActivationPackage { app.ActivationPackage == bundle.ActivationPackage {
cleanup() cleanup()
@ -143,15 +143,6 @@ func actionInstall(args []string) {
"chmod 0755 .", "chmod 0755 .",
}, workDir, bundle, pathSet, dropShellInstall, cleanup) }, workDir, bundle, pathSet, dropShellInstall, cleanup)
if bundle.GPU {
withCacheDir("mesa-wrappers", []string{
// link nixGL mesa wrappers
"mkdir -p nix/.nixGL",
"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
}, workDir, bundle, pathSet, false, cleanup)
}
/* /*
Activate home-manager generation. Activate home-manager generation.
*/ */
@ -163,9 +154,7 @@ func actionInstall(args []string) {
"rm -rf .local/state/{nix,home-manager}", "rm -rf .local/state/{nix,home-manager}",
// run activation script // run activation script
bundle.ActivationPackage + "/activate", bundle.ActivationPackage + "/activate",
// deduplicate nix store }, false, workDir, bundle, pathSet, dropShellActivate, cleanup)
"nix store optimise",
}, false, func(config *fst.Config) *fst.Config { return config }, bundle, pathSet, dropShellActivate, cleanup)
/* /*
Installation complete. Write metadata to block re-installs or downgrades. Installation complete. Write metadata to block re-installs or downgrades.
@ -193,3 +182,89 @@ func actionInstall(args []string) {
cleanup() cleanup()
} }
func withNixDaemon(action string, command []string, net bool, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
fortifyAppDropShell(&fst.Config{
ID: bundle.ID,
Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
// start nix-daemon
"nix-daemon --store / & " +
// wait for socket to appear
"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
strings.Join(command, " && ") +
// terminate nix-daemon
" && pkill nix-daemon",
},
Confinement: fst.ConfinementConfig{
AppID: bundle.AppID,
Groups: bundle.Groups,
Username: "fortify",
Inner: path.Join("/data/data", bundle.ID),
Outer: pathSet.homeDir,
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(bundle.Name) + "-" + action,
UserNS: true, // nix sandbox requires userns
Net: net,
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
},
Link: [][2]string{
{bundle.CurrentSystem, "/run/current-system"},
{"/run/current-system/sw/bin", "/bin"},
{"/run/current-system/sw/bin", "/usr/bin"},
},
Etc: path.Join(pathSet.cacheDir, "etc"),
AutoEtc: true,
},
ExtraPerms: []*fst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
{Path: workDir, Execute: true},
},
},
}, dropShell, beforeFail)
}
func withCacheDir(action string, command []string, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
fortifyAppDropShell(&fst.Config{
ID: bundle.ID,
Command: []string{shell, "-lc", strings.Join(command, " && ")},
Confinement: fst.ConfinementConfig{
AppID: bundle.AppID,
Username: "nixos",
Inner: path.Join("/data/data", bundle.ID, "cache"),
Outer: pathSet.cacheDir, // this also ensures cacheDir via fshim
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(bundle.Name) + "-" + action,
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
},
Link: [][2]string{
{bundle.CurrentSystem, "/run/current-system"},
{"/run/current-system/sw/bin", "/bin"},
{"/run/current-system/sw/bin", "/usr/bin"},
},
Etc: path.Join(workDir, "etc"),
AutoEtc: true,
},
ExtraPerms: []*fst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
{Path: workDir, Execute: true},
},
},
}, dropShell, beforeFail)
}
func fortifyAppDropShell(config *fst.Config, dropShell bool, beforeFail func()) {
if dropShell {
config.Command = []string{shell, "-l"}
fortifyApp(config, beforeFail)
beforeFail()
fmsg.Exit(0)
}
fortifyApp(config, beforeFail)
}

113
cmd/fpkg/start.go
View File

@ -10,14 +10,8 @@ import (
func actionStart(args []string) { func actionStart(args []string) {
set := flag.NewFlagSet("start", flag.ExitOnError) set := flag.NewFlagSet("start", flag.ExitOnError)
var ( var dropShell bool
dropShell bool
dropShellNixGL bool
autoDrivers bool
)
set.BoolVar(&dropShell, "s", false, "Drop to a shell") set.BoolVar(&dropShell, "s", false, "Drop to a shell")
set.BoolVar(&dropShellNixGL, "sg", false, "Drop to a shell on nixGL build")
set.BoolVar(&autoDrivers, "autodrivers", false, "Attempt automatic opengl driver detection")
// Ignore errors; set is set for ExitOnError. // Ignore errors; set is set for ExitOnError.
_ = set.Parse(args) _ = set.Parse(args)
@ -27,53 +21,14 @@ func actionStart(args []string) {
if len(args) < 1 { if len(args) < 1 {
fmsg.Fatal("invalid argument") fmsg.Fatal("invalid argument")
} }
/*
Parse app metadata.
*/
id := args[0] id := args[0]
pathSet := pathSetByApp(id) pathSet := pathSetByApp(id)
app := loadBundleInfo(pathSet.metaPath, func() {}) app := loadBundleInfo(pathSet.metaPath, func() {})
if app.ID != id { if app.ID != id {
fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID) fmsg.Fatalf("app %q claims to have identifier %q", id, app.ID)
} }
/*
Prepare nixGL.
*/
if app.GPU && autoDrivers {
withNixDaemon("nix-gl", []string{
"mkdir -p /nix/.nixGL/auto",
"rm -rf /nix/.nixGL/auto",
"export NIXPKGS_ALLOW_UNFREE=1",
"nix build --impure " +
"--out-link /nix/.nixGL/auto/opengl " +
"--override-input nixpkgs path:/etc/nixpkgs " +
"path:" + app.NixGL,
"nix build --impure " +
"--out-link /nix/.nixGL/auto/vulkan " +
"--override-input nixpkgs path:/etc/nixpkgs " +
"path:" + app.NixGL + "#nixVulkanNvidia",
}, true, func(config *fst.Config) *fst.Config {
config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
{Src: "/etc/resolv.conf"},
{Src: "/sys/block"},
{Src: "/sys/bus"},
{Src: "/sys/class"},
{Src: "/sys/dev"},
{Src: "/sys/devices"},
}...)
appendGPUFilesystem(config)
return config
}, app, pathSet, dropShellNixGL, func() {})
}
/*
Create app configuration.
*/
command := make([]string, 1, len(args)) command := make([]string, 1, len(args))
if !dropShell { if !dropShell {
command[0] = app.Launcher command[0] = app.Launcher
@ -127,49 +82,35 @@ func actionStart(args []string) {
}, },
} }
/*
Expose GPU devices.
*/
if app.GPU { if app.GPU {
config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")}) // flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
appendGPUFilesystem(config) &fst.FilesystemConfig{Src: "/dev/dri", Device: true},
} // mali
&fst.FilesystemConfig{Src: "/dev/mali", Device: true},
&fst.FilesystemConfig{Src: "/dev/mali0", Device: true},
&fst.FilesystemConfig{Src: "/dev/umplock", Device: true},
// nvidia
&fst.FilesystemConfig{Src: "/dev/nvidiactl", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia-modeset", Device: true},
// nvidia OpenCL/CUDA
&fst.FilesystemConfig{Src: "/dev/nvidia-uvm", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia-uvm-tools", Device: true},
/* // flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
Spawn app. &fst.FilesystemConfig{Src: "/dev/nvidia0", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia1", Device: true},
*/ &fst.FilesystemConfig{Src: "/dev/nvidia2", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia3", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia4", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia5", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia6", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia7", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia8", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia9", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia10", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia11", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia12", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia13", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia14", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia15", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia16", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia17", Device: true},
&fst.FilesystemConfig{Src: "/dev/nvidia18", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia19", Device: true},
)
}
fortifyApp(config, func() {}) fortifyApp(config, func() {})
fmsg.Exit(0) fmsg.Exit(0)
} }
func appendGPUFilesystem(config *fst.Config) {
config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
{Src: "/dev/dri", Device: true},
// mali
{Src: "/dev/mali", Device: true},
{Src: "/dev/mali0", Device: true},
{Src: "/dev/umplock", Device: true},
// nvidia
{Src: "/dev/nvidiactl", Device: true},
{Src: "/dev/nvidia-modeset", Device: true},
// nvidia OpenCL/CUDA
{Src: "/dev/nvidia-uvm", Device: true},
{Src: "/dev/nvidia-uvm-tools", Device: true},
// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
}...)
}

98
cmd/fpkg/with.go
View File

@ -1,98 +0,0 @@
package main
import (
"path"
"strings"
"git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/internal/fmsg"
)
func withNixDaemon(
action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
) {
fortifyAppDropShell(updateConfig(&fst.Config{
ID: app.ID,
Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
// start nix-daemon
"nix-daemon --store / & " +
// wait for socket to appear
"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
// create directory so nix stops complaining
"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
strings.Join(command, " && ") +
// terminate nix-daemon
" && pkill nix-daemon",
},
Confinement: fst.ConfinementConfig{
AppID: app.AppID,
Username: "fortify",
Inner: path.Join("/data/data", app.ID),
Outer: pathSet.homeDir,
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action,
UserNS: true, // nix sandbox requires userns
Net: net,
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
},
Link: [][2]string{
{app.CurrentSystem, "/run/current-system"},
{"/run/current-system/sw/bin", "/bin"},
{"/run/current-system/sw/bin", "/usr/bin"},
},
Etc: path.Join(pathSet.cacheDir, "etc"),
AutoEtc: true,
},
ExtraPerms: []*fst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
},
},
}), dropShell, beforeFail)
}
func withCacheDir(action string, command []string, workDir string, app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
fortifyAppDropShell(&fst.Config{
ID: app.ID,
Command: []string{shell, "-lc", strings.Join(command, " && ")},
Confinement: fst.ConfinementConfig{
AppID: app.AppID,
Username: "nixos",
Inner: path.Join("/data/data", app.ID, "cache"),
Outer: pathSet.cacheDir, // this also ensures cacheDir via fshim
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(app.Name) + "-" + action,
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
},
Link: [][2]string{
{app.CurrentSystem, "/run/current-system"},
{"/run/current-system/sw/bin", "/bin"},
{"/run/current-system/sw/bin", "/usr/bin"},
},
Etc: path.Join(workDir, "etc"),
AutoEtc: true,
},
ExtraPerms: []*fst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
{Path: workDir, Execute: true},
},
},
}, dropShell, beforeFail)
}
func fortifyAppDropShell(config *fst.Config, dropShell bool, beforeFail func()) {
if dropShell {
config.Command = []string{shell, "-l"}
fortifyApp(config, beforeFail)
beforeFail()
fmsg.Exit(0)
}
fortifyApp(config, beforeFail)
}