security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Compare commits

base: security:b6af8caffec91db14dfe3c1e095fd1fc84ecfd9e
Branches Tags
security:master
security:develop
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:eda4d612c2e64321766e1074a698caeae843102a
Branches Tags
security:develop
security:master
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

No commits in common. "b6af8caffec91db14dfe3c1e095fd1fc84ecfd9e" and "eda4d612c2e64321766e1074a698caeae843102a" have entirely different histories.
b6af8caffe ... eda4d612c2

14 changed files with 103 additions and 199 deletions
Show Stats Expand all files Collapse all files

43
.gitea/workflows/test.yml
View File

@ -5,53 +5,26 @@ on:
- pull_request
jobs:
fortify:
name: Fortify
test:
name: Run NixOS test
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run NixOS test
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
- name: Run fortify tests
run: nix build --out-link "result-fortify" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
- name: Run flake checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "fortify-vm-output"
path: result/*
path: result-fortify/*
retention-days: 1
race:
name: Data race detector
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run NixOS test
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "fortify-race-vm-output"
path: result/*
retention-days: 1
check:
name: Flake checks
needs:
- fortify
- race
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
dist:
name: Create distribution
runs-on: nix

19
cmd/fsu/package.nix
View File

@ -1,19 +0,0 @@
{
buildGoModule,
fortify ? abort "fortify package required",
}:
buildGoModule {
pname = "${fortify.pname}-fsu";
inherit (fortify) version;
src = ./.;
inherit (fortify) vendorHash;
CGO_ENABLED = 0;
preBuild = ''
go mod init fsu >& /dev/null
'';
ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
}

5
command/command.go
View File

@ -29,11 +29,6 @@ type (
Command interface {
Parse(arguments []string) error
// MustParse determines exit outcomes for Parse errors
// and calls handleError if [HandlerFunc] returns a non-nil error.
MustParse(arguments []string, handleError func(error))
baseNode[Command]
}
Node baseNode[Node]

25
command/parse.go
View File

@ -3,7 +3,6 @@ package command
import (
"errors"
"log"
"os"
)
var (
@ -79,27 +78,3 @@ func (n *node) printf(format string, a ...any) {
n.logf(format, a...)
}
}
func (n *node) MustParse(arguments []string, handleError func(error)) {
switch err := n.Parse(arguments); err {
case nil:
return
case ErrHelp:
os.Exit(0)
case ErrNoMatch:
os.Exit(1)
case ErrEmptyTree:
os.Exit(1)
default:
var flagError FlagError
if !errors.As(err, &flagError) { // returned by HandlerFunc
handleError(err)
os.Exit(1)
}
if flagError.Success() {
os.Exit(0)
}
os.Exit(1)
}
}

13
flake.nix
View File

@ -57,12 +57,6 @@
;
in
{
fortify = callPackage ./test { inherit system self; };
race = callPackage ./test {
inherit system self;
withRace = true;
};
formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
cd ${./.}
@ -91,6 +85,8 @@
touch $out
'';
fortify = callPackage ./tests/fortify { inherit system self; };
}
);
@ -102,10 +98,7 @@
in
{
default = self.packages.${system}.fortify;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
fortify = pkgs.callPackage ./package.nix { };
dist =
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }

25
ldd/exec.go
View File

@ -1,10 +1,9 @@
package ldd
import (
"bytes"
"context"
"os"
"os/exec"
"strings"
"time"
"git.gensokyo.uk/security/fortify/helper"
@ -13,31 +12,27 @@ import (
const lddTimeout = 2 * time.Second
var (
msgStaticGlibc = []byte("not a dynamic executable")
)
func Exec(ctx context.Context, p string) ([]*Entry, error) {
var h helper.Helper
if toolPath, err := exec.LookPath("ldd"); err != nil {
return nil, err
} else if h, err = helper.NewBwrap(
if b, err := helper.NewBwrap(
(&bwrap.Config{
Hostname: "fortify-ldd",
Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
NewSession: true,
DieWithParent: true,
}).Bind("/", "/").DevTmpfs("/dev"), toolPath,
}).Bind("/", "/").DevTmpfs("/dev"), "ldd",
nil, func(_, _ int) []string { return []string{p} },
nil, nil,
); err != nil {
return nil, err
} else {
h = b
}
stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
h.Stdout(stdout).Stderr(stderr)
stdout := new(strings.Builder)
h.Stdout(stdout).Stderr(os.Stderr)
c, cancel := context.WithTimeout(ctx, lddTimeout)
defer cancel()
@ -45,12 +40,6 @@ func Exec(ctx context.Context, p string) ([]*Entry, error) {
return nil, err
}
if err := h.Wait(); err != nil {
m := stderr.Bytes()
if bytes.Contains(m, msgStaticGlibc) {
return nil, nil
}
_, _ = os.Stderr.Write(m)
return nil, err
}

28
main.go
View File

@ -53,14 +53,30 @@ func main() {
log.Fatal("this program must not run as root")
}
buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) {
fmsg.Verbosef("command returned %v", err)
if errors.Is(err, errSuccess) {
fmsg.BeforeExit()
os.Exit(0)
err := buildCommand(os.Stderr).Parse(os.Args[1:])
if errors.Is(err, errSuccess) || errors.Is(err, command.ErrHelp) {
internal.Exit(0)
panic("unreachable")
}
})
if errors.Is(err, command.ErrNoMatch) || errors.Is(err, command.ErrEmptyTree) {
internal.Exit(1)
panic("unreachable")
}
if err == nil {
log.Fatal("unreachable")
}
var flagError command.FlagError
if !errors.As(err, &flagError) {
log.Printf("command: %v", err)
internal.Exit(1)
panic("unreachable")
}
fmsg.Verbose(flagError.Error())
if flagError.Success() {
internal.Exit(0)
}
internal.Exit(1)
}
func buildCommand(out io.Writer) command.Command {

2
nixos.nix
View File

@ -30,7 +30,7 @@ in
config = mkIf cfg.enable {
security.wrappers.fsu = {
source = "${cfg.fsuPackage}/bin/fsu";
source = "${cfg.package}/libexec/fsu";
setuid = true;
owner = "root";
setgid = true;

11
options.nix
View File

@ -2,9 +2,6 @@
let
inherit (lib) types mkOption mkEnableOption;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
in
{
@ -14,16 +11,10 @@ in
package = mkOption {
type = types.package;
default = fortify;
default = pkgs.callPackage ./package.nix { };
description = "The fortify package to use.";
};
fsuPackage = mkOption {
type = types.package;
default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; };
description = "The fsu package to use.";
};
users = mkOption {
type =
let

23
package.nix
View File

@ -1,6 +1,5 @@
{
lib,
stdenv,
buildGoModule,
makeBinaryWrapper,
xdg-dbus-proxy,
@ -13,9 +12,6 @@
wayland-protocols,
wayland-scanner,
xorg,
glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic,
}:
buildGoModule rec {
@ -23,12 +19,9 @@ buildGoModule rec {
version = "0.2.17";
src = builtins.path {
name = "${pname}-src";
name = "fortify-src";
path = lib.cleanSource ./.;
filter =
path: type:
!(type == "regular" && lib.hasSuffix ".nix" path)
&& !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path);
};
vendorHash = null;
@ -38,22 +31,17 @@ buildGoModule rec {
ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
)
(
[
"-s -w"
"-X main.Fmain=${placeholder "out"}/libexec/fortify"
]
++ lib.optionals withStatic [
"-linkmode external"
"-extldflags \"-static\""
]
)
{
Version = "v${version}";
Fsu = "/run/wrappers/bin/fsu";
};
# nix build environment does not allow acls
env.GO_TEST_SKIP_ACL = 1;
GO_TEST_SKIP_ACL = 1;
buildInputs =
[
@ -76,7 +64,7 @@ buildGoModule rec {
];
preBuild = ''
HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
HOME=$(mktemp -d) go generate ./...
'';
postInstall = ''
@ -88,7 +76,6 @@ buildGoModule rec {
makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
--inherit-argv0 --prefix PATH : ${
lib.makeBinPath [
glibc
bubblewrap
xdg-dbus-proxy
]

47
test/default.nix
View File

@ -1,47 +0,0 @@
{
lib,
nixosTest,
writeShellScriptBin,
system,
self,
withRace ? false,
}:
nixosTest {
name = "fortify" + (if withRace then "-race" else "");
nodes.machine =
{ options, pkgs, ... }:
{
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify = lib.mkIf withRace rec {
# race detector does not support static linking
package = (pkgs.callPackage ../package.nix { }).overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
});
fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
};
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}

0
test/configuration.nix → tests/fortify/configuration.nix
View File

51
tests/fortify/default.nix Normal file
View File

@ -0,0 +1,51 @@
{
system,
self,
nixosTest,
writeShellScriptBin,
}:
nixosTest {
name = "fortify";
nodes.machine = {
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify.package =
let
inherit (self.packages.${system}) fortify;
in
fortify.overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
# fsu does not like cgo
disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ];
postInstall =
previousAttrs.postInstall
+ ''
cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu"
sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu"
'';
});
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}

0
test/test.py → tests/fortify/test.py
View File