security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Compare commits

base: security:eda4d612c2e64321766e1074a698caeae843102a
Branches Tags
security:master
security:develop
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:b6af8caffec91db14dfe3c1e095fd1fc84ecfd9e
Branches Tags
security:develop
security:master
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

7 Commits
eda4d612c2 ... b6af8caffe

Author SHA1 Message Date
Ophestra
b6af8caffe
nix: clean up directory structure
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Fortify (push) Successful in 36s
Details
Test / Data race detector (push) Successful in 56s
Details
Test / Flake checks (push) Successful in 41s
Details 
Tests for fpkg is going to be in ./cmd/fpkg, so this central tests directory is no longer necessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:48:01 +09:00
Ophestra
e1a3549ea0
workflows: separate nixos tests from flake check
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fortify (push) Successful in 2m12s
Details
Test / Data race detector (push) Successful in 3m0s
Details
Test / Flake checks (push) Successful in 41s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:34:42 +09:00
Ophestra
8bf162820b
nix: separate fsu from package
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Run NixOS test (push) Successful in 7m25s
Details 
This appears to be the only way to build them with different configuration. This enables static linking in the main package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:13:37 +09:00
Ophestra
dccb366608
ldd: handle behaviour on static executable
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Run NixOS test (push) Successful in 3m27s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:02:33 +09:00
Ophestra
83c8f0488b
ldd: pass absolute path to bwrap
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Run NixOS test (push) Successful in 3m31s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 17:46:22 +09:00
Ophestra
478b27922c
fortify: handle errors via MustParse
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Run NixOS test (push) Successful in 3m29s
Details 
The errSuccess behaviour is kept for beforeExit.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 12:57:59 +09:00
Ophestra
ba1498cd18
command: filter parse errors
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Run NixOS test (push) Successful in 3m29s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 12:55:10 +09:00
14 changed files with 199 additions and 103 deletions
Show Stats Expand all files Collapse all files

43
.gitea/workflows/test.yml
View File

@ -5,26 +5,53 @@ on:
- pull_request - pull_request
jobs: jobs:
test: fortify:
name: Run NixOS test name: Fortify
runs-on: nix runs-on: nix
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run fortify tests - name: Run NixOS test
run: nix build --out-link "result-fortify" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
- name: Run flake checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
- name: Upload test output - name: Upload test output
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: "fortify-vm-output" name: "fortify-vm-output"
path: result-fortify/* path: result/*
retention-days: 1 retention-days: 1
race:
name: Data race detector
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run NixOS test
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "fortify-race-vm-output"
path: result/*
retention-days: 1
check:
name: Flake checks
needs:
- fortify
- race
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
dist: dist:
name: Create distribution name: Create distribution
runs-on: nix runs-on: nix

19
cmd/fsu/package.nix Normal file
View File

@ -0,0 +1,19 @@
{
buildGoModule,
fortify ? abort "fortify package required",
}:
buildGoModule {
pname = "${fortify.pname}-fsu";
inherit (fortify) version;
src = ./.;
inherit (fortify) vendorHash;
CGO_ENABLED = 0;
preBuild = ''
go mod init fsu >& /dev/null
'';
ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ];
}

5
command/command.go
View File

@ -29,6 +29,11 @@ type (
Command interface { Command interface {
Parse(arguments []string) error Parse(arguments []string) error
// MustParse determines exit outcomes for Parse errors
// and calls handleError if [HandlerFunc] returns a non-nil error.
MustParse(arguments []string, handleError func(error))
baseNode[Command] baseNode[Command]
} }
Node baseNode[Node] Node baseNode[Node]

25
command/parse.go
View File

@ -3,6 +3,7 @@ package command
import ( import (
"errors" "errors"
"log" "log"
"os"
) )
var ( var (
@ -78,3 +79,27 @@ func (n *node) printf(format string, a ...any) {
n.logf(format, a...) n.logf(format, a...)
} }
} }
func (n *node) MustParse(arguments []string, handleError func(error)) {
switch err := n.Parse(arguments); err {
case nil:
return
case ErrHelp:
os.Exit(0)
case ErrNoMatch:
os.Exit(1)
case ErrEmptyTree:
os.Exit(1)
default:
var flagError FlagError
if !errors.As(err, &flagError) { // returned by HandlerFunc
handleError(err)
os.Exit(1)
}
if flagError.Success() {
os.Exit(0)
}
os.Exit(1)
}
}

13
flake.nix
View File

@ -57,6 +57,12 @@
; ;
in in
{ {
fortify = callPackage ./test { inherit system self; };
race = callPackage ./test {
inherit system self;
withRace = true;
};
formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } '' formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
cd ${./.} cd ${./.}
@ -85,8 +91,6 @@
touch $out touch $out
''; '';
fortify = callPackage ./tests/fortify { inherit system self; };
} }
); );
@ -98,7 +102,10 @@
in in
{ {
default = self.packages.${system}.fortify; default = self.packages.${system}.fortify;
fortify = pkgs.callPackage ./package.nix { }; fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
dist = dist =
pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }

25
ldd/exec.go
View File

@ -1,9 +1,10 @@
package ldd package ldd
import ( import (
"bytes"
"context" "context"
"os" "os"
"strings" "os/exec"
"time" "time"
"git.gensokyo.uk/security/fortify/helper" "git.gensokyo.uk/security/fortify/helper"
@ -12,27 +13,31 @@ import (
const lddTimeout = 2 * time.Second const lddTimeout = 2 * time.Second
var (
msgStaticGlibc = []byte("not a dynamic executable")
)
func Exec(ctx context.Context, p string) ([]*Entry, error) { func Exec(ctx context.Context, p string) ([]*Entry, error) {
var h helper.Helper var h helper.Helper
if b, err := helper.NewBwrap( if toolPath, err := exec.LookPath("ldd"); err != nil {
return nil, err
} else if h, err = helper.NewBwrap(
(&bwrap.Config{ (&bwrap.Config{
Hostname: "fortify-ldd", Hostname: "fortify-ldd",
Chdir: "/", Chdir: "/",
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true}, Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
NewSession: true, NewSession: true,
DieWithParent: true, DieWithParent: true,
}).Bind("/", "/").DevTmpfs("/dev"), "ldd", }).Bind("/", "/").DevTmpfs("/dev"), toolPath,
nil, func(_, _ int) []string { return []string{p} }, nil, func(_, _ int) []string { return []string{p} },
nil, nil, nil, nil,
); err != nil { ); err != nil {
return nil, err return nil, err
} else {
h = b
} }
stdout := new(strings.Builder) stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
h.Stdout(stdout).Stderr(os.Stderr) h.Stdout(stdout).Stderr(stderr)
c, cancel := context.WithTimeout(ctx, lddTimeout) c, cancel := context.WithTimeout(ctx, lddTimeout)
defer cancel() defer cancel()
@ -40,6 +45,12 @@ func Exec(ctx context.Context, p string) ([]*Entry, error) {
return nil, err return nil, err
} }
if err := h.Wait(); err != nil { if err := h.Wait(); err != nil {
m := stderr.Bytes()
if bytes.Contains(m, msgStaticGlibc) {
return nil, nil
}
_, _ = os.Stderr.Write(m)
return nil, err return nil, err
} }

32
main.go
View File

@ -53,30 +53,14 @@ func main() {
log.Fatal("this program must not run as root") log.Fatal("this program must not run as root")
} }
err := buildCommand(os.Stderr).Parse(os.Args[1:]) buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) {
if errors.Is(err, errSuccess) || errors.Is(err, command.ErrHelp) { fmsg.Verbosef("command returned %v", err)
internal.Exit(0) if errors.Is(err, errSuccess) {
panic("unreachable") fmsg.BeforeExit()
} os.Exit(0)
if errors.Is(err, command.ErrNoMatch) || errors.Is(err, command.ErrEmptyTree) { }
internal.Exit(1) })
panic("unreachable") log.Fatal("unreachable")
}
if err == nil {
log.Fatal("unreachable")
}
var flagError command.FlagError
if !errors.As(err, &flagError) {
log.Printf("command: %v", err)
internal.Exit(1)
panic("unreachable")
}
fmsg.Verbose(flagError.Error())
if flagError.Success() {
internal.Exit(0)
}
internal.Exit(1)
} }
func buildCommand(out io.Writer) command.Command { func buildCommand(out io.Writer) command.Command {

2
nixos.nix
View File

@ -30,7 +30,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.wrappers.fsu = { security.wrappers.fsu = {
source = "${cfg.package}/libexec/fsu"; source = "${cfg.fsuPackage}/bin/fsu";
setuid = true; setuid = true;
owner = "root"; owner = "root";
setgid = true; setgid = true;

11
options.nix
View File

@ -2,6 +2,9 @@
let let
inherit (lib) types mkOption mkEnableOption; inherit (lib) types mkOption mkEnableOption;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) bubblewrap xdg-dbus-proxy glibc;
};
in in
{ {
@ -11,10 +14,16 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.callPackage ./package.nix { }; default = fortify;
description = "The fortify package to use."; description = "The fortify package to use.";
}; };
fsuPackage = mkOption {
type = types.package;
default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; };
description = "The fsu package to use.";
};
users = mkOption { users = mkOption {
type = type =
let let

29
package.nix
View File

@ -1,5 +1,6 @@
{ {
lib, lib,
stdenv,
buildGoModule, buildGoModule,
makeBinaryWrapper, makeBinaryWrapper,
xdg-dbus-proxy, xdg-dbus-proxy,
@ -12,6 +13,9 @@
wayland-protocols, wayland-protocols,
wayland-scanner, wayland-scanner,
xorg, xorg,
glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic,
}: }:
buildGoModule rec { buildGoModule rec {
@ -19,9 +23,12 @@ buildGoModule rec {
version = "0.2.17"; version = "0.2.17";
src = builtins.path { src = builtins.path {
name = "fortify-src"; name = "${pname}-src";
path = lib.cleanSource ./.; path = lib.cleanSource ./.;
filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path); filter =
path: type:
!(type == "regular" && lib.hasSuffix ".nix" path)
&& !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
}; };
vendorHash = null; vendorHash = null;
@ -31,17 +38,22 @@ buildGoModule rec {
ldflags: name: value: ldflags: name: value:
ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
) )
[ (
"-s -w" [
"-X main.Fmain=${placeholder "out"}/libexec/fortify" "-s -w"
] ]
++ lib.optionals withStatic [
"-linkmode external"
"-extldflags \"-static\""
]
)
{ {
Version = "v${version}"; Version = "v${version}";
Fsu = "/run/wrappers/bin/fsu"; Fsu = "/run/wrappers/bin/fsu";
}; };
# nix build environment does not allow acls # nix build environment does not allow acls
GO_TEST_SKIP_ACL = 1; env.GO_TEST_SKIP_ACL = 1;
buildInputs = buildInputs =
[ [
@ -64,7 +76,7 @@ buildGoModule rec {
]; ];
preBuild = '' preBuild = ''
HOME=$(mktemp -d) go generate ./... HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
''; '';
postInstall = '' postInstall = ''
@ -76,6 +88,7 @@ buildGoModule rec {
makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \ makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \
--inherit-argv0 --prefix PATH : ${ --inherit-argv0 --prefix PATH : ${
lib.makeBinPath [ lib.makeBinPath [
glibc
bubblewrap bubblewrap
xdg-dbus-proxy xdg-dbus-proxy
] ]

0
tests/fortify/configuration.nix → test/configuration.nix
View File

47
test/default.nix Normal file
View File

@ -0,0 +1,47 @@
{
lib,
nixosTest,
writeShellScriptBin,
system,
self,
withRace ? false,
}:
nixosTest {
name = "fortify" + (if withRace then "-race" else "");
nodes.machine =
{ options, pkgs, ... }:
{
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify = lib.mkIf withRace rec {
# race detector does not support static linking
package = (pkgs.callPackage ../package.nix { }).overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
});
fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
};
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}

0
tests/fortify/test.py → test/test.py
View File

51
tests/fortify/default.nix
View File

@ -1,51 +0,0 @@
{
system,
self,
nixosTest,
writeShellScriptBin,
}:
nixosTest {
name = "fortify";
nodes.machine = {
environment.systemPackages = [
# For go tests:
self.packages.${system}.fhs
(writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}")
];
# Run with Go race detector:
environment.fortify.package =
let
inherit (self.packages.${system}) fortify;
in
fortify.overrideAttrs (previousAttrs: {
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
# fsu does not like cgo
disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ];
postInstall =
previousAttrs.postInstall
+ ''
cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu"
sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu"
'';
});
imports = [
./configuration.nix
self.nixosModules.fortify
self.inputs.home-manager.nixosModules.home-manager
];
};
# adapted from nixos sway integration tests
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
testScript = builtins.readFile ./test.py;
}