Use sydbox to verify ghcup behaves well
This commit is contained in:
parent
d68ab3b657
commit
b566318872
@ -16,7 +16,7 @@ variables:
|
||||
############################################################
|
||||
|
||||
.debian:
|
||||
image: "registry.gitlab.haskell.org/ghc/ci-images/x86_64-linux-deb10:$DOCKER_REV"
|
||||
image: "debian:11"
|
||||
tags:
|
||||
- x86_64-linux
|
||||
variables:
|
||||
@ -44,7 +44,7 @@ variables:
|
||||
CABAL_DIR: "$CI_PROJECT_DIR/cabal"
|
||||
|
||||
.linux:armv7:
|
||||
image: "registry.gitlab.haskell.org/ghc/ci-images/armv7-linux-deb10:$DOCKER_REV"
|
||||
image: "arm32v7/debian:11"
|
||||
tags:
|
||||
- armv7-linux
|
||||
variables:
|
||||
@ -54,7 +54,7 @@ variables:
|
||||
retry: 2
|
||||
|
||||
.linux:aarch64:
|
||||
image: "registry.gitlab.haskell.org/ghc/ci-images/aarch64-linux-deb10:$DOCKER_REV"
|
||||
image: "aarch64/debian:11"
|
||||
tags:
|
||||
- aarch64-linux
|
||||
variables:
|
||||
|
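Review bot: If the `debian:11` lines are the new side (the rendered page has lost the +/- markers), the three job templates move from an image pinned through `$DOCKER_REV` to a floating distribution tag, so the environment the sydbox profile is tuned against can change silently whenever the `debian:11` tag is republished. Pin the image by digest, e.g. `image: "debian:11@sha256:<DIGEST_PLACEHOLDER>"`, or keep a revision variable in the `variables:` block so image bumps remain explicit commits. The same applies to the `arm32v7/debian:11` and `aarch64/debian:11` lines in the two following hunks.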
@ -6,16 +6,49 @@ set -eux
|
||||
|
||||
mkdir -p "${TMPDIR}"
|
||||
|
||||
sudo apt-get update -y
|
||||
sudo apt-get install -y libnuma-dev zlib1g-dev libgmp-dev libgmp10 libssl-dev liblzma-dev libbz2-dev git wget lsb-release software-properties-common gnupg2 apt-transport-https gcc autoconf automake build-essential
|
||||
apt-get update -y
|
||||
apt-get install -y \
|
||||
apt-transport-https \
|
||||
autoconf \
|
||||
automake \
|
||||
build-essential \
|
||||
curl \
|
||||
gcc \
|
||||
git \
|
||||
gnupg2 \
|
||||
libbz2-dev \
|
||||
libffi-dev \
|
||||
libffi7 \
|
||||
libgmp-dev \
|
||||
libgmp10 \
|
||||
liblzma-dev \
|
||||
libncurses-dev \
|
||||
libncurses5 \
|
||||
libnuma-dev \
|
||||
libssl-dev \
|
||||
libtinfo5 \
|
||||
lsb-release \
|
||||
pkg-config \
|
||||
software-properties-common \
|
||||
wget \
|
||||
zlib1g-dev
|
||||
|
||||
|
||||
if [ "${CROSS}" = "arm-linux-gnueabihf" ] ; then
|
||||
sudo apt-get install -y gcc-arm-linux-gnueabihf
|
||||
sudo dpkg --add-architecture armhf
|
||||
sudo apt-get update -y
|
||||
sudo apt-get install -y libncurses-dev:armhf
|
||||
apt-get install -y gcc-arm-linux-gnueabihf
|
||||
dpkg --add-architecture armhf
|
||||
apt-get update -y
|
||||
apt-get install -y libncurses-dev:armhf
|
||||
fi
|
||||
|
||||
apt-get install -y libseccomp-dev
|
||||
curl -L https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2 | tar -xj
|
||||
cd sydbox-2.1.0
|
||||
./configure
|
||||
make
|
||||
make install
|
||||
cd ..
|
||||
|
||||
export BOOTSTRAP_HASKELL_NONINTERACTIVE=1
|
||||
export BOOTSTRAP_HASKELL_GHC_VERSION=$GHC_VERSION
|
||||
export BOOTSTRAP_HASKELL_CABAL_VERSION=$CABAL_VERSION
|
||||
|
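Review bot: The sydbox tarball is fetched with `curl -L ... | tar -xj`, then configured, built and installed with no integrity check, so the sandbox the later tests rely on is itself an unverified download from a personal web directory; `curl` also lacks `-f`, and the hunk header shows `set -eux` without `pipefail`, so an HTTP error body is handed to `tar` and a failed download only surfaces if `tar` happens to choke on it. Download to a file, verify it against a checksum committed next to the script, and only then extract: `curl -fL -o sydbox-2.1.0.tar.bz2 https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2`, `echo "<SHA256_OF_TARBALL_PLACEHOLDER>  sydbox-2.1.0.tar.bz2" | sha256sum -c -`, `tar -xjf sydbox-2.1.0.tar.bz2`. Recording the expected hash in the repository also makes the build reproducible if the upstream file is ever replaced. Dropping `sudo` looks intentional for a root container, but a one-line comment saying so would stop a reader from re-adding it. The script continues past the hunk.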
@ -15,14 +15,74 @@ ecabal() {
|
||||
}
|
||||
|
||||
raw_eghcup() {
|
||||
ghcup -v -c "$@"
|
||||
if command -v sydbox 1>/dev/null ; then
|
||||
sydbox \
|
||||
-m core/sandbox/read:deny \
|
||||
-m core/sandbox/write:deny \
|
||||
-m core/sandbox/network:allow \
|
||||
-m allowlist/read+/usr/lib/os-release \
|
||||
-m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
|
||||
-m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
|
||||
-m "allowlist/read+${TMPDIR}/***" \
|
||||
-m "allowlist/write+${TMPDIR}/***" \
|
||||
-m "allowlist/read+/usr/lib/***" \
|
||||
-m 'allowlist/read+/etc/ld.so.cache' \
|
||||
-m "allowlist/read+/lib/***" \
|
||||
-m 'allowlist/read+/etc/ssl/openssl.cnf' \
|
||||
-m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
|
||||
-m 'allowlist/read+/etc/nsswitch.conf' \
|
||||
-m 'allowlist/read+/etc/host.conf' \
|
||||
-m 'allowlist/read+/etc/resolv.conf' \
|
||||
-m 'allowlist/read+/etc/hosts' \
|
||||
-m 'allowlist/read+/etc/gai.conf' \
|
||||
-m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
|
||||
-m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
|
||||
-m 'core/violation/decision:killall' \
|
||||
-- ghcup -v -c "$@"
|
||||
else
|
||||
ghcup -v -c "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
eghcup() {
|
||||
if [ "${OS}" = "WINDOWS" ] ; then
|
||||
ghcup -v -c -s file:/$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
|
||||
else
|
||||
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
|
||||
if command -v sydbox 1>/dev/null ; then
|
||||
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
|
||||
else
|
||||
ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
eghcup_offline() {
|
||||
if command -v sydbox 1>/dev/null ; then
|
||||
sydbox \
|
||||
-m core/sandbox/read:deny \
|
||||
-m core/sandbox/write:deny \
|
||||
-m core/sandbox/network:deny \
|
||||
-m allowlist/read+/usr/lib/os-release \
|
||||
-m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
|
||||
-m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
|
||||
-m "allowlist/read+${TMPDIR}/***" \
|
||||
-m "allowlist/write+${TMPDIR}/***" \
|
||||
-m "allowlist/read+/usr/lib/***" \
|
||||
-m 'allowlist/read+/etc/ld.so.cache' \
|
||||
-m "allowlist/read+/lib/***" \
|
||||
-m 'allowlist/read+/etc/ssl/openssl.cnf' \
|
||||
-m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
|
||||
-m 'allowlist/read+/etc/nsswitch.conf' \
|
||||
-m 'allowlist/read+/etc/host.conf' \
|
||||
-m 'allowlist/read+/etc/resolv.conf' \
|
||||
-m 'allowlist/read+/etc/hosts' \
|
||||
-m 'allowlist/read+/etc/gai.conf' \
|
||||
-m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
|
||||
-m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
|
||||
-m 'core/violation/decision:killall' \
|
||||
-- ghcup -v --offline "$@"
|
||||
else
|
||||
ghcup -v --offline "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -133,7 +193,7 @@ else
|
||||
# https://gitlab.haskell.org/haskell/ghcup-hs/issues/7
|
||||
if [ "${OS}" = "LINUX" ] ; then
|
||||
eghcup --downloader=wget prefetch ghc 8.10.3
|
||||
eghcup --offline install ghc 8.10.3
|
||||
eghcup_offline install ghc 8.10.3
|
||||
if [ "${ARCH}" = "64" ] ; then
|
||||
expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-linux.files" | sort)
|
||||
actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
|
||||
@ -142,17 +202,17 @@ else
|
||||
fi
|
||||
elif [ "${OS}" = "WINDOWS" ] ; then
|
||||
eghcup prefetch ghc 8.10.3
|
||||
eghcup --offline install ghc 8.10.3
|
||||
eghcup_offline install ghc 8.10.3
|
||||
expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-windows.files" | sort)
|
||||
actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
|
||||
[ "${actual}" = "${expected}" ]
|
||||
unset actual expected
|
||||
else
|
||||
eghcup prefetch ghc 8.10.3
|
||||
eghcup --offline install ghc 8.10.3
|
||||
eghcup_offline install ghc 8.10.3
|
||||
fi
|
||||
[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
|
||||
eghcup --offline set 8.10.3
|
||||
eghcup_offline set 8.10.3
|
||||
eghcup set 8.10.3
|
||||
[ "$(ghc --numeric-version)" = "8.10.3" ]
|
||||
eghcup set ${GHC_VERSION}
|
||||
@ -160,7 +220,7 @@ else
|
||||
eghcup unset ghc
|
||||
"$GHCUP_BIN"/ghc --numeric-version && exit || echo yes
|
||||
eghcup set ${GHC_VERSION}
|
||||
eghcup --offline rm 8.10.3
|
||||
eghcup_offline rm 8.10.3
|
||||
[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
|
||||
|
||||
|
||||
|
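Review bot: In `eghcup`, the `command -v sydbox` test in the non-Windows branch selects between two identical unsandboxed invocations, so the online ghcup path that the commit title says should be verified is never run under sydbox; only `raw_eghcup` and `eghcup_offline` are. If this is deliberate because the metadata file under `$CI_PROJECT_DIR` is not in the allowlist, say so in a comment and drop the dead branch; otherwise run that branch through the same `sydbox` argument list as `raw_eghcup` with one extra rule, `-m "allowlist/read+${CI_PROJECT_DIR}/data/metadata/***"`, before `-- ghcup -v -c -s file://...`. The profile itself is now copied verbatim between `raw_eghcup` and `eghcup_offline`, differing only in `core/sandbox/network:allow` versus `deny`; a single helper taking the network policy as its first argument and the command as `"$@"` would keep the two lists from drifting apart. The `else` block that these helpers are called from begins before the `@ -133,7 +193,7 @@` hunk.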