Commit 3ce333e2 authored by Valentin Reis's avatar Valentin Reis
Browse files

Sandbox work.

parent d25ab860
Pipeline #5338 passed with stage
in 19 seconds
......@@ -17,6 +17,7 @@ executable argonix
optparse-applicative,
unix,
text,
ansi-terminal,
neat-interpolation,
foldl,
system-filepath
......
......@@ -24,10 +24,34 @@ import Prelude hiding ( FilePath )
import Data.Text ( pack
, unpack
)
import Turtle.Shell
import Control.Foldl
import System.Console.ANSI
import System.Console.ANSI.Types ( Color )
import Turtle.Shell
import Control.Foldl
import System.Posix.Process
-- | Miscellaneous printing utilities
colorShell :: Color -> Shell () -> Shell ()
colorShell color she = setC color *> she *> setC White
where setC c = liftIO $ setSGR [SetColor Foreground Dull c]
verboseShell :: Text -> Shell Line -> Shell ExitCode
verboseShell c i = printCommand c >> shell c i
printInfo :: Text -> Shell ()
printCommand :: Text -> Shell ()
printError :: Text -> Shell ()
printWarning :: Text -> Shell ()
printSuccess :: Text -> Shell ()
printTest :: Text -> Shell ()
dieRed :: Text -> Shell ()
printInfo = printf ("Info: " % s % "\n")
printCommand = printf ("Running: " % s % "\n")
printWarning = colorShell Yellow . printf ("Warning: " % s % "\n")
printError = colorShell Red . printf ("Error: " % s % "\n")
printSuccess = colorShell Green . printf ("Success: " % s % "\n")
printTest = colorShell Green . printf ("RUNNING TEST: " % s % "\n")
dieRed strw =
colorShell Red (printf ("Failure: " % s) strw) >> exit (ExitFailure 1)
checkFsAttributes :: FilePath -> Shell ()
checkFsAttributes workingDirectory = do
......@@ -35,7 +59,8 @@ checkFsAttributes workingDirectory = do
Left di -> di
Right di -> di
let findmnt = inproc "findmnt" ["-T", dir, "-o", "OPTIONS"] empty
b <- liftIO $ Turtle.Shell.fold (grep (has "nosuid") findmnt) Control.Foldl.length
b <- liftIO
$ Turtle.Shell.fold (grep (has "nosuid") findmnt) Control.Foldl.length
when (b > 0) $ die $ format
("The output directory, " % fp % ", must not mounted with \"nosuid\"")
workingDirectory
......@@ -47,12 +72,13 @@ main = join $ execParser (info (opts <**> helper) idm)
opts = hsubparser
( command
"build"
(info (nixbuild <$> targetParser <*> executorParser)
(info (wrap NixBuild <$> targetParser <*> executorParser)
(progDesc "Run an argo-compatible nix-build.")
)
<> command
"stack-shell"
(info (pure nixshell) (progDesc "Enter an argo-compatable nix-shell")
"shell"
(info (wrap NixShell <$> targetParser <*> executorParser)
(progDesc "Enter an argo-compatable nix-shell")
)
<> help "Type of operation to run."
)
......@@ -158,72 +184,106 @@ executorParser = do
Nothing -> Nothing
Just p -> Just (longform, p)
envSetup :: Shell FilePath
envSetup = do
sudo <- which "sudo" >>= \case
(Just sudo) -> printf ("Found sudo at " % fp % "\n") sudo >> return sudo
Nothing -> die "sudo not in $PATH."
export "SUDO" $ pack $ encodeString sudo
cachedir <- single $ inproc
"mktemp"
["-d", "--suffix=nixcache", "/tmp/deletable-nix-cache-XXXX"]
empty
export "XDG_CACHE_HOME" $ lineToText cachedir
return $ directory sudo
sudoRemoveFile :: (Text -> Shell ()) -> Text -> FilePath -> Shell ()
sudoRemoveFile printer desc filePath = do
foundSocket <- testfile filePath
when foundSocket $ go False
printInfo $ format ("OK: " % s % " " % fp) desc filePath
where
go useSudo = do
printer $ format ("found file " % s % " at " % fp % ".. ") desc filePath
shell
(format ((if useSudo then "sudo " else "") % "rm -rf " % fp) filePath)
Turtle.empty
>>= \case
ExitSuccess -> colorShell Green $ printf " Successfully removed.\n"
ExitFailure _ -> if useSudo
then printer $ format
("Failed to remove file " % s % ", even with sudo.")
desc
else do
printer $ format
("Failed to remove file " % s % ". Trying sudo..\n")
desc
go True
cleanSocket :: FilePath -> Shell ()
cleanSocket = sudoRemoveFile printWarning "socket"
setupNodeOS :: StackArgs -> Shell FilePath
setupNodeOS :: StackArgs -> Shell ()
setupNodeOS sa = do
sudo <- which "sudo" >>= \case
(Just sudo) -> printf ("Found sudo at " % fp % "\n") sudo >> return sudo
Nothing -> die "sudo not in $PATH."
export "SUDO" $ pack $ encodeString sudo
cachedir <- single $ inproc
"mktemp"
["-d", "--suffix=nixcache", "/tmp/deletable-nix-cache-XXXX"]
empty
printInfo "Setting the nix-build environment up."
printInfo "Cleaning sockets."
Prelude.mapM_
cleanSocket
[ "/tmp/nrm-downstream-in"
, "/tmp/nrm-downstream-event"
, "/tmp/nrm-upstream-in"
, "/tmp/nrm-upstream-event"
]
printInfo "Setting up a cache directory:"
cachedir <- single
$ inproc "mktemp" ["-d", "/tmp/deletable-nix-cache-XXXX"] empty
export "XDG_CACHE_HOME" $ lineToText cachedir
nodeos_config <- single $ inproc "nix-build" (fmap pack (nixArguments "containers" sa)) empty
printf s "Checking filesystem attributes in /tmp\n"
printInfo $ lineToText cachedir <> " exported to XDG_CACHE_HOME"
printInfo "running nix-build for the containers attribute."
nodeos_config <- single
$ inproc "nix-build" (fmap pack (nixArguments "containers" sa)) empty
printInfo "Checking filesystem attributes on /tmp"
checkFsAttributes "/tmp"
printf s "Copying argo_nodeos_config to /tmp\n"
shell "sudo rm -rf /tmp/argo_nodeos_config" empty
shell (format ("cp "%s%"/bin/argo_nodeos_config /tmp/argo_nodeos_config") (lineToText nodeos_config)) empty
printf s "Trying to sudo chown and chmod argo_nodeos_config\n"
shell "sudo chown root:root /tmp/argo_nodeos_config" empty
>>= \case
ExitSuccess -> printf s "Chowned argo_nodeos_config to root:root.\n"
ExitFailure n ->
die ("Failed to set argo_nodeos_config permissions " <> repr n)
shell "sudo chmod u+sw /tmp/argo_nodeos_config" empty
>>= \case
ExitSuccess -> printf s "Set the suid bit.\n"
ExitFailure n ->
die ("Setting suid bit failed with exit code " <> repr n)
return $ directory sudo
verboseShell "sudo rm -rf /tmp/argo_nodeos_config" empty
verboseShell
(format ("cp " % s % "/bin/argo_nodeos_config /tmp/argo_nodeos_config")
(lineToText nodeos_config)
)
empty
verboseShell "sudo chown root:root /tmp/argo_nodeos_config" empty >>= \case
ExitSuccess -> return ()
ExitFailure n ->
die ("Failed to set argo_nodeos_config permissions " <> repr n)
verboseShell "sudo chmod u+sw /tmp/argo_nodeos_config" empty >>= \case
ExitSuccess -> return ()
ExitFailure n -> die ("Setting suid bit failed with exit code " <> repr n)
void $ printInfo "Done setting the environment for nix-build up."
nixArguments :: String -> StackArgs -> [String]
nixArguments target StackArgs {..} = [unpack argopkgs, "-A", target] ++ concat
[ ["--arg", longform <> "-src", encodeString p] | (longform, p) <- overrides ]
nixbuild :: String -> StackArgs -> IO ()
nixbuild target sa@StackArgs {..} = sh $ do
view $ single $ inshell "echo $SUDO" empty
setupNodeOS sa
let arglist =
( (nixArguments target sa)
++ [ "--pure"
, "--allow-new-privileges"
, "--option"
, "extra-sandbox-paths"
, "/tmp/argo_nodeos_config"
, "-K"
]
)
liftIO $ print arglist
liftIO $ executeFile "nix-build" True arglist Nothing
data NixCommand = NixBuild | NixShell
toCommand :: IsString p => NixCommand -> p
toCommand NixBuild = "nix-build"
toCommand NixShell = "nix-shell"
wrap :: NixCommand -> String -> StackArgs -> IO ()
wrap nixCommand target sa@StackArgs {..} = sh $ do
_ <- setupNodeOS sa
printCommand $ pack nixc <> " " <> pack (unwords arglist)
liftIO (executeFile nixc True arglist Nothing)
where
nixc = toCommand nixCommand
-- Sources of impurity for this build are: "/tmp/ /etc/argo/ /var/run/
-- /var/lock/. Moreover, sandboxing is disabled, in particular because of:
-- /tmp/nrm-* sockets, /etc/argo, /var/run/, /var/lock/ which all need read
-- access. until these components are patched to allow for alternative paths,
-- no sandbox use is possible. If sandbox paths were read only we could add:
{-, "--option"-}
{-, "build-use-sandbox"-}
{-, "--option"-}
{-, "extra-sandbox-paths"-}
{-, "/tmp/ /etc/argo/ /var/run/ /var/lock/"-}
arglist =
nixArguments target sa
++ [ "--pure"
, "--allow-new-privileges"
, "-K"
, "--option"
, "build-use-sandbox"
, "false"
]
nixshell :: IO ()
nixshell = sh $ do undefined
{-nixshell :: IO ()-}
{-nixshell = undefined-}
{-StackArgs {..} <- liftIO $ execParser opts-}
{--- building nixArguments (pure stuff) and shellArguments (impure stuff)-}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment