security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Compare commits

base: security:b6af8caffec91db14dfe3c1e095fd1fc84ecfd9e
Branches Tags
security:master
security:develop
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:eda4d612c2e64321766e1074a698caeae843102a
Branches Tags
security:develop
security:master
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

No commits in common. "b6af8caffec91db14dfe3c1e095fd1fc84ecfd9e" and "eda4d612c2e64321766e1074a698caeae843102a" have entirely different histories.
b6af8caffe ... eda4d612c2

14 changed files with 103 additions and 199 deletions
Show Stats Expand all files Collapse all files

43
.gitea/workflows/test.yml
View File

@ -5,53 +5,26 @@ on:
- pull_request - pull_request
jobs: jobs:
fortify: test:
name: Fortify name: Run NixOS test
runs-on: nix runs-on: nix
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run NixOS test - name: Run fortify tests
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify run: nix build --out-link "result-fortify" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
- name: Run flake checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
- name: Upload test output - name: Upload test output
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: "fortify-vm-output" name: "fortify-vm-output"
path: result/* path: result-fortify/*
retention-days: 1 retention-days: 1
race:
name: Data race detector
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run NixOS test
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "fortify-race-vm-output"
path: result/*
retention-days: 1
check:
name: Flake checks
needs:
- fortify
- race
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
dist: dist:
name: Create distribution name: Create distribution
runs-on: nix runs-on: nix

19
cmd/fsu/package.nix
View File

@ -1,19 +0,0 @@
{
buildGoModule,
fortify ? abort "fortify package required",
}:
buildGoModule {
pname = "${fortify.pname}-fsu";
inherit (fortify) version;
src = ./.;
inherit (fortify) vendorHash;
CGO_ENABLED = 0;
preBuild = ''
go mod init fsu >& /dev/null
'';
ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
}

5
command/command.go
View File

@ -29,11 +29,6 @@ type (
Command interface { Command interface {
Parse(arguments []string) error Parse(arguments []string) error
// MustParse determines exit outcomes for Parse errors
// and calls handleError if [HandlerFunc] returns a non-nil error.
MustParse(arguments []string, handleError func(error))
baseNode[Command] baseNode[Command]
} }
Node baseNode[Node] Node baseNode[Node]

25
command/parse.go
View File

@ -3,7 +3,6 @@ package command
import ( import (
"errors" "errors"
"log" "log"
"os"
) )
var ( var (
@ -79,27 +78,3 @@ func (n *node) printf(format string, a ...any) {
n.logf(format, a...) n.logf(format, a...)
} }
} }
func (n *node) MustParse(arguments []string, handleError func(error)) {
switch err := n.Parse(arguments); err {
case nil:
return
case ErrHelp:
os.Exit(0)
case ErrNoMatch:
os.Exit(1)
case ErrEmptyTree:
os.Exit(1)
default:
var flagError FlagError
if !errors.As(err, &flagError) { // returned by HandlerFunc
handleError(err)
os.Exit(1)
}
if flagError.Success() {
os.Exit(0)
}
os.Exit(1)
}
}

13
flake.nix
View File

@ -57,12 +57,6 @@
; ;
in in
{ {
fortify = callPackage ./test { inherit system self; };
race = callPackage ./test {
inherit system self;
withRace = true;
};
formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } '' formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
cd ${./.} cd ${./.}
@ -91,6 +85,8 @@
touch $out touch $out
''; '';
fortify = callPackage ./tests/fortify { inherit system self; };
} }
); );
@ -102,10 +98,7 @@
in in
{ {
default = self.packages.${system}.fortify; default = self.packages.${system}.fortify;
fortify = pkgs.pkgsStatic.callPackage ./package.nix { fortify = pkgs.callPackage ./package.nix { };
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
dist = dist =
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }

25
ldd/exec.go
View File

@ -1,10 +1,9 @@
package ldd package ldd
import ( import (
"bytes"
"context" "context"
"os" "os"
"os/exec" "strings"
"time" "time"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
@ -13,31 +12,27 @@ import (
const lddTimeout = 2 * time.Second const lddTimeout = 2 * time.Second
var (
msgStaticGlibc = []byte("not a dynamic executable")
)
func Exec(ctx context.Context, p string) ([]*Entry, error) { func Exec(ctx context.Context, p string) ([]*Entry, error) {
var h helper.Helper var h helper.Helper
if toolPath, err := exec.LookPath("ldd"); err != nil { if b, err := helper.NewBwrap(
return nil, err
} else if h, err = helper.NewBwrap(
(&bwrap.Config{ (&bwrap.Config{
Hostname: "fortify-ldd", Hostname: "fortify-ldd",
Chdir: "/", Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true}, Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
NewSession: true, NewSession: true,
DieWithParent: true, DieWithParent: true,
}).Bind("/", "/").DevTmpfs("/dev"), toolPath, }).Bind("/", "/").DevTmpfs("/dev"), "ldd",
nil, func(_, _ int) []string { return []string{p} }, nil, func(_, _ int) []string { return []string{p} },
nil, nil, nil, nil,
); err != nil { ); err != nil {
return nil, err return nil, err
} else {
h = b
} }
stdout, stderr := new(bytes.Buffer), new(bytes.Buffer) stdout := new(strings.Builder)
h.Stdout(stdout).Stderr(stderr) h.Stdout(stdout).Stderr(os.Stderr)
c, cancel := context.WithTimeout(ctx, lddTimeout) c, cancel := context.WithTimeout(ctx, lddTimeout)
defer cancel() defer cancel()
@ -45,12 +40,6 @@ func Exec(ctx context.Context, p string) ([]*Entry, error) {
return nil, err return nil, err
} }
if err := h.Wait(); err != nil { if err := h.Wait(); err != nil {
m := stderr.Bytes()
if bytes.Contains(m, msgStaticGlibc) {
return nil, nil
}
_, _ = os.Stderr.Write(m)
return nil, err return nil, err
} }

32
main.go
View File

@ -53,14 +53,30 @@ func main() {
log.Fatal("this program must not run as root") log.Fatal("this program must not run as root")
} }
buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) { err := buildCommand(os.Stderr).Parse(os.Args[1:])
fmsg.Verbosef("command returned %v", err) if errors.Is(err, errSuccess) || errors.Is(err, command.ErrHelp) {
if errors.Is(err, errSuccess) { internal.Exit(0)
fmsg.BeforeExit() panic("unreachable")
os.Exit(0) }
} if errors.Is(err, command.ErrNoMatch) || errors.Is(err, command.ErrEmptyTree) {
}) internal.Exit(1)
log.Fatal("unreachable") panic("unreachable")
}
if err == nil {
log.Fatal("unreachable")
}
var flagError command.FlagError
if !errors.As(err, &flagError) {
log.Printf("command: %v", err)
internal.Exit(1)
panic("unreachable")
}
fmsg.Verbose(flagError.Error())
if flagError.Success() {
internal.Exit(0)
}
internal.Exit(1)
} }
func buildCommand(out io.Writer) command.Command { func buildCommand(out io.Writer) command.Command {

2
nixos.nix
View File

@ -30,7 +30,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.wrappers.fsu = { security.wrappers.fsu = {
source = "${cfg.fsuPackage}/bin/fsu"; source = "${cfg.package}/libexec/fsu";
setuid = true; setuid = true;
owner = "root"; owner = "root";
setgid = true; setgid = true;

11
options.nix
View File

@ -2,9 +2,6 @@
let let
inherit (lib) types mkOption mkEnableOption; inherit (lib) types mkOption mkEnableOption;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
in in
{ {
@ -14,16 +11,10 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = fortify; default = pkgs.callPackage ./package.nix { };
description = "The fortify package to use."; description = "The fortify package to use.";
}; };
fsuPackage = mkOption {
type = types.package;
default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; };
description = "The fsu package to use.";
};
users = mkOption { users = mkOption {
type = type =
let let

29
package.nix
View File

@ -1,6 +1,5 @@
{ {
lib, lib,
stdenv,
buildGoModule, buildGoModule,
makeBinaryWrapper, makeBinaryWrapper,
xdg-dbus-proxy, xdg-dbus-proxy,
@ -13,9 +12,6 @@
wayland-protocols, wayland-protocols,
wayland-scanner, wayland-scanner,
xorg, xorg,
glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic,
}: }:
buildGoModule rec { buildGoModule rec {
@ -23,12 +19,9 @@ buildGoModule rec {
version = "0.2.17"; version = "0.2.17";
src = builtins.path { src = builtins.path {
name = "${pname}-src"; name = "fortify-src";
path = lib.cleanSource ./.; path = lib.cleanSource ./.;
filter = filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path);
path: type:
!(type == "regular" && lib.hasSuffix ".nix" path)
&& !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
}; };
vendorHash = null; vendorHash = null;
@ -38,22 +31,17 @@ buildGoModule rec {
ldflags: name: value: ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
) )
( [
[ "-s -w"
"-s -w" "-X main.Fmain=${placeholder "out"}/libexec/fortify"
] ]
++ lib.optionals withStatic [
"-linkmode external"
"-extldflags \"-static\""
]
)
{ {
Version = "v${version}"; Version = "v${version}";
Fsu = "/run/wrappers/bin/fsu"; Fsu = "/run/wrappers/bin/fsu";
}; };
# nix build environment does not allow acls # nix build environment does not allow acls
env.GO_TEST_SKIP_ACL = 1; GO_TEST_SKIP_ACL = 1;
buildInputs = buildInputs =
[ [
@ -76,7 +64,7 @@ buildGoModule rec {
]; ];
preBuild = '' preBuild = ''
HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./... HOME=$(mktemp -d) go generate ./...
''; '';
postInstall = '' postInstall = ''
@ -88,7 +76,6 @@ buildGoModule rec {
makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \ makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
--inherit-argv0 --prefix PATH : ${ --inherit-argv0 --prefix PATH : ${
lib.makeBinPath [ lib.makeBinPath [
glibc
bubblewrap bubblewrap
xdg-dbus-proxy xdg-dbus-proxy
] ]

47
test/default.nix
View File

@ -1,47 +0,0 @@
{
lib,
nixosTest,
writeShellScriptBin,
system,
self,
withRace ? false,
}:
nixosTest {
name = "fortify" + (if withRace then "-race" else "");
nodes.machine =
{ options, pkgs, ... }:
{
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify = lib.mkIf withRace rec {
# race detector does not support static linking
package = (pkgs.callPackage ../package.nix { }).overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
});
fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
};
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}

0
test/configuration.nix → tests/fortify/configuration.nix
View File

51
tests/fortify/default.nix Normal file
View File

@ -0,0 +1,51 @@
{
system,
self,
nixosTest,
writeShellScriptBin,
}:
nixosTest {
name = "fortify";
nodes.machine = {
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify.package =
let
inherit (self.packages.${system}) fortify;
in
fortify.overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
# fsu does not like cgo
disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ];
postInstall =
previousAttrs.postInstall
+ ''
cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu"
sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu"
'';
});
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}

0
test/test.py → tests/fortify/test.py
View File