From b5663188720603b982c7eb95fdd78be5c16dd464 Mon Sep 17 00:00:00 2001 From: Julian Ospald Date: Mon, 25 Oct 2021 23:13:22 +0200 Subject: [PATCH] Use sydbox to verify ghcup behaves well --- .gitlab-ci.yml | 6 +- .gitlab/before_script/linux/install_deps.sh | 45 +++++++++++-- .gitlab/script/ghcup_version.sh | 74 +++++++++++++++++++-- 3 files changed, 109 insertions(+), 16 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6de72fe..1580f30 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -16,7 +16,7 @@ variables: ############################################################ .debian: - image: "registry.gitlab.haskell.org/ghc/ci-images/x86_64-linux-deb10:$DOCKER_REV" + image: "debian:11" tags: - x86_64-linux variables: @@ -44,7 +44,7 @@ variables: CABAL_DIR: "$CI_PROJECT_DIR/cabal" .linux:armv7: - image: "registry.gitlab.haskell.org/ghc/ci-images/armv7-linux-deb10:$DOCKER_REV" + image: "arm32v7/debian:11" tags: - armv7-linux variables: @@ -54,7 +54,7 @@ variables: retry: 2 .linux:aarch64: - image: "registry.gitlab.haskell.org/ghc/ci-images/aarch64-linux-deb10:$DOCKER_REV" + image: "aarch64/debian:11" tags: - aarch64-linux variables: diff --git a/.gitlab/before_script/linux/install_deps.sh b/.gitlab/before_script/linux/install_deps.sh index 6c05c2a..44257ef 100755 --- a/.gitlab/before_script/linux/install_deps.sh +++ b/.gitlab/before_script/linux/install_deps.sh 
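Review bot: The replacement images `debian:11`, `arm32v7/debian:11` and `aarch64/debian:11` are mutable tags, whereas the lines they replace were pinned through `$DOCKER_REV`, so the CI base image can change underneath the build with no change to this repository; the same applies to the other two hunks of this file. Pinning by digest, `image: "debian:11@sha256:<DIGEST_PLACEHOLDER>"`, keeps the job reproducible and turns an image update into a reviewable diff. I believe the current official arm64 repository on Docker Hub is `arm64v8/debian` and that `aarch64/debian` is a deprecated name; please confirm it actually publishes an `11` tag before relying on it.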
@@ -6,16 +6,49 @@ set -eux mkdir -p "${TMPDIR}" -sudo apt-get update -y -sudo apt-get install -y libnuma-dev zlib1g-dev libgmp-dev libgmp10 libssl-dev liblzma-dev libbz2-dev git wget lsb-release software-properties-common gnupg2 apt-transport-https gcc autoconf automake build-essential +apt-get update -y +apt-get install -y \ + apt-transport-https \ + autoconf \ + automake \ + build-essential \ + curl \ + gcc \ + git \ + gnupg2 \ + libbz2-dev \ + libffi-dev \ + libffi7 \ + libgmp-dev \ + libgmp10 \ + liblzma-dev \ + libncurses-dev \ + libncurses5 \ + libnuma-dev \ + libssl-dev \ + libtinfo5 \ + lsb-release \ + pkg-config \ + software-properties-common \ + wget \ + zlib1g-dev + if [ "${CROSS}" = "arm-linux-gnueabihf" ] ; then - sudo apt-get install -y gcc-arm-linux-gnueabihf - sudo dpkg --add-architecture armhf - sudo apt-get update -y - sudo apt-get install -y libncurses-dev:armhf + apt-get install -y gcc-arm-linux-gnueabihf + dpkg --add-architecture armhf + apt-get update -y + apt-get install -y libncurses-dev:armhf fi +apt-get install -y libseccomp-dev +curl -L https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2 | tar -xj +cd sydbox-2.1.0 +./configure +make +make install +cd .. + export BOOTSTRAP_HASKELL_NONINTERACTIVE=1 export BOOTSTRAP_HASKELL_GHC_VERSION=$GHC_VERSION export BOOTSTRAP_HASKELL_CABAL_VERSION=$CABAL_VERSION diff --git a/.gitlab/script/ghcup_version.sh b/.gitlab/script/ghcup_version.sh index 254fdf2..da89ae5 100755 --- a/.gitlab/script/ghcup_version.sh +++ b/.gitlab/script/ghcup_version.sh 
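Review bot: The sydbox source is fetched with `curl -L … | tar -xj` and then built and installed as root with no integrity check, so whatever the upstream host serves for that URL ends up executed in the CI job and wrapped around every ghcup run. Download to a file and verify a pinned checksum before extracting: `curl -fL -o sydbox-2.1.0.tar.bz2 https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2`, `echo "<SHA256_PLACEHOLDER>  sydbox-2.1.0.tar.bz2" | sha256sum -c -`, `tar -xjf sydbox-2.1.0.tar.bz2`. The `-f` also matters because the script runs under `set -eux` without `pipefail`, so a curl error inside the pipeline is only noticed if tar happens to fail on the partial input.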
@@ -15,14 +15,74 @@ ecabal() { } raw_eghcup() { - ghcup -v -c "$@" + if command -v sydbox 1>/dev/null ; then + sydbox \ + -m core/sandbox/read:deny \ + -m core/sandbox/write:deny \ + -m core/sandbox/network:allow \ + -m allowlist/read+/usr/lib/os-release \ + -m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \ + -m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \ + -m "allowlist/read+${TMPDIR}/***" \ + -m "allowlist/write+${TMPDIR}/***" \ + -m "allowlist/read+/usr/lib/***" \ + -m 'allowlist/read+/etc/ld.so.cache' \ + -m "allowlist/read+/lib/***" \ + -m 'allowlist/read+/etc/ssl/openssl.cnf' \ + -m 'allowlist/read+/proc/sys/crypto/fips_enabled' \ + -m 'allowlist/read+/etc/nsswitch.conf' \ + -m 'allowlist/read+/etc/host.conf' \ + -m 'allowlist/read+/etc/resolv.conf' \ + -m 'allowlist/read+/etc/hosts' \ + -m 'allowlist/read+/etc/gai.conf' \ + -m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \ + -m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \ + -m 'core/violation/decision:killall' \ + -- ghcup -v -c "$@" + else + ghcup -v -c "$@" + fi } eghcup() { if [ "${OS}" = "WINDOWS" ] ; then ghcup -v -c -s file:/$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@" else - ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@" + if command -v sydbox 1>/dev/null ; then + ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@" + else + ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@" + fi + fi +} + +eghcup_offline() { + if command -v sydbox 1>/dev/null ; then + sydbox \ + -m core/sandbox/read:deny \ + -m core/sandbox/write:deny \ + -m core/sandbox/network:deny \ + -m allowlist/read+/usr/lib/os-release \ + -m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \ + -m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \ + -m "allowlist/read+${TMPDIR}/***" \ + -m "allowlist/write+${TMPDIR}/***" \ + -m "allowlist/read+/usr/lib/***" \ + -m 
'allowlist/read+/etc/ld.so.cache' \ + -m "allowlist/read+/lib/***" \ + -m 'allowlist/read+/etc/ssl/openssl.cnf' \ + -m 'allowlist/read+/proc/sys/crypto/fips_enabled' \ + -m 'allowlist/read+/etc/nsswitch.conf' \ + -m 'allowlist/read+/etc/host.conf' \ + -m 'allowlist/read+/etc/resolv.conf' \ + -m 'allowlist/read+/etc/hosts' \ + -m 'allowlist/read+/etc/gai.conf' \ + -m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \ + -m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \ + -m 'core/violation/decision:killall' \ + -- ghcup -v --offline "$@" + else + ghcup -v --offline "$@" fi } @@ -133,7 +193,7 @@ else # https://gitlab.haskell.org/haskell/ghcup-hs/issues/7 if [ "${OS}" = "LINUX" ] ; then eghcup --downloader=wget prefetch ghc 8.10.3 - eghcup --offline install ghc 8.10.3 + eghcup_offline install ghc 8.10.3 if [ "${ARCH}" = "64" ] ; then expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-linux.files" | sort) actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort) @@ -142,17 +202,17 @@ else fi elif [ "${OS}" = "WINDOWS" ] ; then eghcup prefetch ghc 8.10.3 - eghcup --offline install ghc 8.10.3 + eghcup_offline install ghc 8.10.3 expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-windows.files" | sort) actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort) [ "${actual}" = "${expected}" ] unset actual expected else eghcup prefetch ghc 8.10.3 - eghcup --offline install ghc 8.10.3 + eghcup_offline install ghc 8.10.3 fi [ "$(ghc --numeric-version)" = "${ghc_ver}" ] - eghcup --offline set 8.10.3 + eghcup_offline set 8.10.3 eghcup set 8.10.3 [ "$(ghc --numeric-version)" = "8.10.3" ] eghcup set ${GHC_VERSION} @@ -160,7 +220,7 @@ else eghcup unset ghc "$GHCUP_BIN"/ghc --numeric-version && exit || echo yes eghcup set ${GHC_VERSION} - eghcup --offline rm 8.10.3 + eghcup_offline rm 8.10.3 [ "$(ghc --numeric-version)" = "${ghc_ver}" ]
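Review bot: In `eghcup()` the two branches of the new `if command -v sydbox` are identical — both run `ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"` — so either the sydbox wrapper was meant to go into the first branch or the conditional should be collapsed back to the single call. If sandboxing `eghcup` is the intent, the allowlist would also need a read entry for the metadata file, e.g. `-m "allowlist/read+${CI_PROJECT_DIR}/data/metadata/***"`, since neither `raw_eghcup` nor `eghcup_offline` allows that path. `raw_eghcup` and `eghcup_offline` repeat the same twenty-odd `-m allowlist/…` lines and differ only in `core/sandbox/network` and the ghcup arguments; a small helper along the lines of `sydbox_run <allow|deny> ghcup …` that holds the shared allowlist would keep the two policies from drifting apart.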
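Review bot: Replacing `eghcup --offline install ghc 8.10.3` with `eghcup_offline install ghc 8.10.3` also drops the `-c` and `-s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml` options, because `eghcup_offline` runs plain `ghcup -v --offline "$@"`; the same substitution is made in the `@@ -142` and `@@ -160` hunks. If that is unintended, the offline install/set/rm steps now run against whatever metadata ghcup resolves by default rather than the in-tree file the preceding `eghcup … prefetch` used, so the test no longer exercises the repository's metadata end to end. Passing `-s file://…` through in `eghcup_offline`, together with a matching `allowlist/read+` entry for that path, would restore the previous behaviour. The enclosing `else` block starts before this hunk.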