Use sydbox to verify ghcup behaves well

This commit is contained in:
Julian Ospald 2021-10-25 23:13:22 +02:00
parent d68ab3b657
commit b566318872
Signed by: hasufell
GPG Key ID: 3786C5262ECB4A3F
3 changed files with 109 additions and 16 deletions


@ -16,7 +16,7 @@ variables:
############################################################
.debian:
image: "registry.gitlab.haskell.org/ghc/ci-images/x86_64-linux-deb10:$DOCKER_REV"
image: "debian:11"
tags:
- x86_64-linux
variables:
@ -44,7 +44,7 @@ variables:
CABAL_DIR: "$CI_PROJECT_DIR/cabal"
.linux:armv7:
image: "registry.gitlab.haskell.org/ghc/ci-images/armv7-linux-deb10:$DOCKER_REV"
image: "arm32v7/debian:11"
tags:
- armv7-linux
variables:
@ -54,7 +54,7 @@ variables:
retry: 2
.linux:aarch64:
image: "registry.gitlab.haskell.org/ghc/ci-images/aarch64-linux-deb10:$DOCKER_REV"
image: "aarch64/debian:11"
tags:
- aarch64-linux
variables:
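Review bot: The replacement images `debian:11`, `arm32v7/debian:11` and `aarch64/debian:11` are floating tags, so the base image under a CI run can change with no commit to this file, whereas the images they replace were pinned through `$DOCKER_REV`. Pinning by digest keeps the job reproducible and makes a base-image change a reviewable diff, e.g. `image: "debian:11@sha256:<DIGEST_OF_DEBIAN_11_IMAGE>"` (placeholder digest); the same applies to the `.linux:armv7` and `.linux:aarch64` hunks below. If `$DOCKER_REV` is no longer referenced after this change, the `variables:` entry defining it can go too, but that is not visible from these hunks.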


@ -6,16 +6,49 @@ set -eux
mkdir -p "${TMPDIR}"
sudo apt-get update -y
sudo apt-get install -y libnuma-dev zlib1g-dev libgmp-dev libgmp10 libssl-dev liblzma-dev libbz2-dev git wget lsb-release software-properties-common gnupg2 apt-transport-https gcc autoconf automake build-essential
apt-get update -y
apt-get install -y \
apt-transport-https \
autoconf \
automake \
build-essential \
curl \
gcc \
git \
gnupg2 \
libbz2-dev \
libffi-dev \
libffi7 \
libgmp-dev \
libgmp10 \
liblzma-dev \
libncurses-dev \
libncurses5 \
libnuma-dev \
libssl-dev \
libtinfo5 \
lsb-release \
pkg-config \
software-properties-common \
wget \
zlib1g-dev
if [ "${CROSS}" = "arm-linux-gnueabihf" ] ; then
sudo apt-get install -y gcc-arm-linux-gnueabihf
sudo dpkg --add-architecture armhf
sudo apt-get update -y
sudo apt-get install -y libncurses-dev:armhf
apt-get install -y gcc-arm-linux-gnueabihf
dpkg --add-architecture armhf
apt-get update -y
apt-get install -y libncurses-dev:armhf
fi
apt-get install -y libseccomp-dev
curl -L https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2 | tar -xj
cd sydbox-2.1.0
./configure
make
make install
cd ..
export BOOTSTRAP_HASKELL_NONINTERACTIVE=1
export BOOTSTRAP_HASKELL_GHC_VERSION=$GHC_VERSION
export BOOTSTRAP_HASKELL_CABAL_VERSION=$CABAL_VERSION
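Review bot: The sydbox tarball is fetched with `curl -L … | tar -xj` and then configured, built and installed with no integrity check, so a changed download, or an HTML error page since curl is not given `-f`, is silently compiled and installed into the image; every other input in this hunk comes through apt's signed repositories, which makes this the one unverified one. Download to a file, check it against a pinned hash, and extract only on a match: `curl -fsSL -o sydbox-2.1.0.tar.bz2 https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2`, `echo "<SHA256_OF_SYDBOX_2.1.0_TARBALL>  sydbox-2.1.0.tar.bz2" | sha256sum -c -`, `tar -xjf sydbox-2.1.0.tar.bz2` (placeholder hash to be filled from a trusted source). The `cd sydbox-2.1.0` … `cd ..` sequence relies on the `set -e` at the top of the hunk to stop after a failed configure or make; `( cd sydbox-2.1.0 && ./configure && make && make install )` says so explicitly and never leaves the script in the wrong directory. Dropping `sudo` suggests the script now runs as root inside the debian:11 image, which the hunk itself does not show.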


@ -15,14 +15,74 @@ ecabal() {
}
raw_eghcup() {
ghcup -v -c "$@"
if command -v sydbox 1>/dev/null ; then
sydbox \
-m core/sandbox/read:deny \
-m core/sandbox/write:deny \
-m core/sandbox/network:allow \
-m allowlist/read+/usr/lib/os-release \
-m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
-m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
-m "allowlist/read+${TMPDIR}/***" \
-m "allowlist/write+${TMPDIR}/***" \
-m "allowlist/read+/usr/lib/***" \
-m 'allowlist/read+/etc/ld.so.cache' \
-m "allowlist/read+/lib/***" \
-m 'allowlist/read+/etc/ssl/openssl.cnf' \
-m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
-m 'allowlist/read+/etc/nsswitch.conf' \
-m 'allowlist/read+/etc/host.conf' \
-m 'allowlist/read+/etc/resolv.conf' \
-m 'allowlist/read+/etc/hosts' \
-m 'allowlist/read+/etc/gai.conf' \
-m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
-m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
-m 'core/violation/decision:killall' \
-- ghcup -v -c "$@"
else
ghcup -v -c "$@"
fi
}
eghcup() {
if [ "${OS}" = "WINDOWS" ] ; then
ghcup -v -c -s file:/$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
else
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
if command -v sydbox 1>/dev/null ; then
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
else
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
fi
fi
}
eghcup_offline() {
if command -v sydbox 1>/dev/null ; then
sydbox \
-m core/sandbox/read:deny \
-m core/sandbox/write:deny \
-m core/sandbox/network:deny \
-m allowlist/read+/usr/lib/os-release \
-m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
-m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
-m "allowlist/read+${TMPDIR}/***" \
-m "allowlist/write+${TMPDIR}/***" \
-m "allowlist/read+/usr/lib/***" \
-m 'allowlist/read+/etc/ld.so.cache' \
-m "allowlist/read+/lib/***" \
-m 'allowlist/read+/etc/ssl/openssl.cnf' \
-m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
-m 'allowlist/read+/etc/nsswitch.conf' \
-m 'allowlist/read+/etc/host.conf' \
-m 'allowlist/read+/etc/resolv.conf' \
-m 'allowlist/read+/etc/hosts' \
-m 'allowlist/read+/etc/gai.conf' \
-m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
-m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
-m 'core/violation/decision:killall' \
-- ghcup -v --offline "$@"
else
ghcup -v --offline "$@"
fi
}
@ -133,7 +193,7 @@ else
# https://gitlab.haskell.org/haskell/ghcup-hs/issues/7
if [ "${OS}" = "LINUX" ] ; then
eghcup --downloader=wget prefetch ghc 8.10.3
eghcup --offline install ghc 8.10.3
eghcup_offline install ghc 8.10.3
if [ "${ARCH}" = "64" ] ; then
expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-linux.files" | sort)
actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
@ -142,17 +202,17 @@ else
fi
elif [ "${OS}" = "WINDOWS" ] ; then
eghcup prefetch ghc 8.10.3
eghcup --offline install ghc 8.10.3
eghcup_offline install ghc 8.10.3
expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-windows.files" | sort)
actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
[ "${actual}" = "${expected}" ]
unset actual expected
else
eghcup prefetch ghc 8.10.3
eghcup --offline install ghc 8.10.3
eghcup_offline install ghc 8.10.3
fi
[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
eghcup --offline set 8.10.3
eghcup_offline set 8.10.3
eghcup set 8.10.3
[ "$(ghc --numeric-version)" = "8.10.3" ]
eghcup set ${GHC_VERSION}
@ -160,7 +220,7 @@ else
eghcup unset ghc
"$GHCUP_BIN"/ghc --numeric-version && exit || echo yes
eghcup set ${GHC_VERSION}
eghcup --offline rm 8.10.3
eghcup_offline rm 8.10.3
[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
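Review bot: In `eghcup` the then and else arms of the new `command -v sydbox` test are identical, so the metadata-driven `-s file://…` invocation is never sandboxed and the branch is dead code; presumably the then arm was meant to wrap ghcup in sydbox as `raw_eghcup` does, with an extra `allowlist/read+` entry for the metadata YAML, which the current allowlist does not cover. The same allowlist of roughly twenty `-m` entries is duplicated verbatim between `raw_eghcup` and `eghcup_offline`, differing only in the `core/sandbox/network` decision, so a shared helper taking the network decision and an optional extra read path would keep the three wrappers from drifting. The rewrite below keeps the allowlist itself unchanged; whether reading the YAML needs any further entry is not visible from this hunk.

```shell
# Run "$@" under sydbox when it is installed, otherwise directly.
# $1: core/sandbox/network decision (allow|deny); $2: extra allowlist/read path, "" for none.
run_sandboxed() {
    net="$1"; extra="$2"; shift 2
    if command -v sydbox 1>/dev/null ; then
        # … unchanged between the write:deny and killall lines: the allowlist/read and allowlist/write entries from raw_eghcup …
        sydbox \
            -m core/sandbox/read:deny \
            -m core/sandbox/write:deny \
            -m "core/sandbox/network:${net}" \
            ${extra:+-m "allowlist/read+${extra}"} \
            -m 'core/violation/decision:killall' \
            -- "$@"
    else
        "$@"
    fi
}
raw_eghcup() {
    run_sandboxed allow "" ghcup -v -c "$@"
}
eghcup() {
    if [ "${OS}" = "WINDOWS" ] ; then
        ghcup -v -c -s file:/$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
    else
        run_sandboxed allow "$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml" \
            ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
    fi
}
eghcup_offline() {
    run_sandboxed deny "" ghcup -v --offline "$@"
}
```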