From 41bf59a7a9b4bdd664fc0fd9c56f5b272857471c Mon Sep 17 00:00:00 2001
From: rina
Date: Tue, 3 Dec 2024 18:14:41 +1000
Subject: [PATCH 1/6] basil-tools-docker: add /usr/bin/_exec and add static
---
 basil-shell.nix | 10 ++-
 docker-tools.nix | 179 +++++++++++++++++++++++++++++++++++++++++++++++
 overlay.nix | 2 +-
 3 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 docker-tools.nix
diff --git a/basil-shell.nix b/basil-shell.nix
index 62f5225..c4b7de1 100644
--- a/basil-shell.nix
+++ b/basil-shell.nix
@@ -3,13 +3,19 @@
 , clang-aarch64
 , asli
 , ddisasm
+, bap-aslp
+, coreutils
 , gtirb-pprinter
 , gtirb-semantics
+, pkgsCross
 }:
 let
 packages = [
- gcc-aarch64
- clang-aarch64
+ pkgsCross.aarch64-multiplatform.pkgsBuildHost.gcc
+
+ pkgsCross.aarch64-multiplatform-musl.pkgsBuildHost.gcc
+
+ bap-aslp
 asli
 ddisasm
 gtirb-pprinter
diff --git a/docker-tools.nix b/docker-tools.nix
new file mode 100644
index 0000000..15c0086
--- /dev/null
+++ b/docker-tools.nix
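Review bot: `coreutils` is added to the argument set but nothing in this hunk references it; unless it is used further down in basil-shell.nix (outside the hunk) it should be dropped, since an unused callPackage argument still has to be resolved. The two `pkgsBuildHost.gcc` entries also deserve a word each on why both toolchains are on the same PATH, e.g. `# glibc cross toolchain` and `# musl cross toolchain, presumably the "static" the commit subject refers to — confirm`. The `packages` list continues past the end of the hunk.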
@@ -0,0 +1,179 @@
+{ lib
+, dockerTools
+, bashInteractive
+, writeText
+, writeShellScriptBin
+, devShellTools
+, cacert
+, storeDir ? builtins.storeDir
+}:
+
+# This file extracts streamNixShellImage from:
+# https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/docker/default.nix
+# This is needed because the original implementation does not let you
+# customise the container image after it is constructed from the shell.
+#
+# We add a simple binary at a known location which executes commands
+# in the context of the shell.
+
+let
+ inherit (dockerTools) streamLayeredImage binSh usrBinEnv fakeNss;
+ inherit (devShellTools) valueToString;
+ inherit (lib) optionalString;
+in
+{
+ # This function streams a docker image that behaves like a nix-shell for a derivation
+ # Docs: doc/build-helpers/images/dockertools.section.md
+ # Tests: nixos/tests/docker-tools-nix-shell.nix
+ streamNixShellImage =
+ { drv
+ , name ? drv.name + "-env"
+ , tag ? null
+ , uid ? 1000
+ , gid ? 1000
+ , homeDirectory ? "/build"
+ , shell ? bashInteractive + "/bin/bash"
+ , command ? null
+ , run ? null
+ }:
+ assert lib.assertMsg (!
(drv.drvAttrs.__structuredAttrs or false))
+ "streamNixShellImage: Does not work with the derivation ${drv.name} because it uses __structuredAttrs";
+ assert lib.assertMsg (command == null || run == null)
+ "streamNixShellImage: Can't specify both command and run";
+ let
+
+ # A binary that calls the command to build the derivation
+ builder = writeShellScriptBin "buildDerivation" ''
+ exec ${lib.escapeShellArg (valueToString drv.drvAttrs.builder)} ${lib.escapeShellArgs (map valueToString drv.drvAttrs.args)}
+ '';
+
+ staticPath = "${dirOf shell}:${lib.makeBinPath [ builder ]}";
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L493-L526
+ rcfile = writeText "nix-shell-rc" ''
+ unset PATH
+ dontAddDisableDepTrack=1
+ # TODO: https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L506
+ [ -e $stdenv/setup ] && source $stdenv/setup
+ PATH=${staticPath}:"$PATH"
+ SHELL=${lib.escapeShellArg shell}
+ BASH=${lib.escapeShellArg shell}
+ set +e
+ [ -n "$PS1" -a -z "$NIX_SHELL_PRESERVE_PROMPT" ] && PS1='\n\[\033[1;32m\][nix-shell:\w]\$\[\033[0m\] '
+ if [ "$(type -t runHook)" = function ]; then
+ runHook shellHook
+ fi
+ unset NIX_ENFORCE_PURITY
+ shopt -u nullglob
+ shopt -s execfail
+ ${optionalString (command != null || run != null) ''
+ ${optionalString (command != null) command}
+ ${optionalString (run != null) run}
+ exit
+ ''}
+ '';
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
+ sandboxBuildDir = "/build";
+
+ drvEnv =
+ devShellTools.unstructuredDerivationInputEnv { inherit (drv) drvAttrs; }
+ // devShellTools.derivationOutputEnv { outputList = drv.outputs; outputMap = drv; };
+
+ # Environment variables set in the image
+ envVars = {
+
+ # Root certificates for internet access
+ SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+ NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1027-L1030
+ # PATH = "/path-not-set";
+ # Allows calling bash and `buildDerivation` as the Cmd
+ PATH = staticPath;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1032-L1038
+ HOME = homeDirectory;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1040-L1044
+ NIX_STORE = storeDir;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1046-L1047
+ # TODO: Make configurable?
+ NIX_BUILD_CORES = "1";
+
+ } // drvEnv // {
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1008-L1010
+ NIX_BUILD_TOP = sandboxBuildDir;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1012-L1013
+ TMPDIR = sandboxBuildDir;
+ TEMPDIR = sandboxBuildDir;
+ TMP = sandboxBuildDir;
+ TEMP = sandboxBuildDir;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
+ PWD = sandboxBuildDir;
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1071-L1074
+ # We don't set it here because the output here isn't handled in any special way
+ # NIX_LOG_FD = "2";
+
+ # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1076-L1077
+ TERM = "xterm-256color";
+ };
+
+
+ in streamLayeredImage {
+ inherit name tag;
+ contents = [
+ binSh
+ usrBinEnv
+ (fakeNss.override {
+ # Allows programs to look up the build user's home directory
+ # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
+ # Slightly differs however: We use the passed-in homeDirectory instead of sandboxBuildDir.
+ # We're doing this because it's arguably a bug in Nix that sandboxBuildDir is used here: https://github.com/NixOS/nix/issues/6379
+ extraPasswdLines = [
+ "nixbld:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:/noshell"
+ ];
+ extraGroupLines = [
+ "nixbld:!:${toString gid}:"
+ ];
+ })
+ ];
+
+ fakeRootCommands = ''
+ # Effectively a single-user installation of Nix, giving the user full
+ # control over the Nix store. Needed for building the derivation this
+ # shell is for, but also in case one wants to use Nix inside the
+ # image
+ mkdir -p ./nix/{store,var/nix} ./etc/nix
+ chown -R ${toString uid}:${toString gid} ./nix ./etc/nix
+
+ # Gives the user control over the build directory
+ mkdir -p .${sandboxBuildDir}
+ chown -R ${toString uid}:${toString gid} .${sandboxBuildDir}
+
+ cat < ./usr/bin/_exec
+ #!${shell}
+ unset shellHook
+ source ${rcfile}
+ exec "$@"
+ EOF
+ chmod +x ./usr/bin/_exec
+ '';
+
+ # Run this image as the given uid/gid
+ config.User = "${toString uid}:${toString gid}";
+ config.Cmd =
+ # https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L185-L186
+ # https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L534-L536
+ if run == null
+ then [ shell "--rcfile" rcfile ]
+ else [ shell rcfile ];
+ config.WorkingDir = sandboxBuildDir;
+ config.Env = lib.mapAttrsToList (name: value: "${name}=${value}") envVars;
+ };
+}
diff --git a/overlay.nix b/overlay.nix
index 6f05f37..7255999 100644
--- a/overlay.nix
+++ b/overlay.nix
@@ -7,7 +7,7 @@ let
 update = prev.callPackage ./update.nix { };
 basil-tools-shell = prev.callPackage ./basil-shell.nix { };
- basil-tools-docker = prev.dockerTools.streamNixShellImage {
+ basil-tools-docker = (prev.callPackage ./docker-tools.nix { }).streamNixShellImage {
 name = "basil-tools-docker";
 tag = "latest";
 drv = final.basil-tools-shell;
From e755ff699816b54741f36129724b3d97424b08ca Mon Sep 17 00:00:00 2001
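Review bot: `/usr/bin/_exec` cannot work in an image built with `command` or `run`: the script does `source ${rcfile}`, and in that configuration the rcfile ends with `exit` (the `optionalString (command != null || run != null)` block), so `exec "$@"` is never reached. Either keep the command/run tail out of the file `_exec` sources, or add `assert lib.assertMsg (command == null && run == null) "streamNixShellImage: /usr/bin/_exec is only generated for plain shell images";` beside the existing asserts and say so in the header comment that introduces the helper. `exec "$@"` with no arguments is a silent no-op, so a guard such as `[ $# -gt 0 ] || { echo "usage: _exec COMMAND [ARGS...]" >&2; exit 2; }` before it would make misuse visible instead of exiting 0. The file is written after the `chown -R` calls and is itself never chowned, so it presumably stays root-owned and only gets `+x`; that is what keeps `_exec` a trustworthy entry point in an image where the user otherwise owns `/nix`, and is worth a one-line comment above the `cat`.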
From: rina
Date: Wed, 4 Dec 2024 15:58:49 +1000
Subject: [PATCH 2/6] fix escaping problem in _exec script we need to write a literal "$@".
---
 docker-tools.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-tools.nix b/docker-tools.nix
index 15c0086..9d6636a 100644
--- a/docker-tools.nix
+++ b/docker-tools.nix
@@ -160,8 +160,8 @@ in
 #!${shell}
 unset shellHook
 source ${rcfile}
- exec "$@"
 EOF
+ echo 'exec "$@"' >> ./usr/bin/_exec
 chmod +x ./usr/bin/_exec
 '';
From 46634821223a955d0e82cffbb626a2de18877a58 Mon Sep 17 00:00:00 2001
From: rina
Date: Thu, 5 Dec 2024 12:06:50 +1000
Subject: [PATCH 3/6] add clang to basil-shell
---
 basil-shell.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/basil-shell.nix b/basil-shell.nix
index c4b7de1..2ad72e6 100644
--- a/basil-shell.nix
+++ b/basil-shell.nix
@@ -4,7 +4,7 @@
 , asli
 , ddisasm
 , bap-aslp
-, coreutils
+, bap-asli-plugin
 , gtirb-pprinter
 , gtirb-semantics
 , pkgsCross
@@ -12,11 +12,16 @@
 let
 packages = [
 pkgsCross.aarch64-multiplatform.pkgsBuildHost.gcc
+ pkgsCross.aarch64-multiplatform.pkgsBuildHost.clang
 pkgsCross.aarch64-multiplatform-musl.pkgsBuildHost.gcc
+ pkgsCross.aarch64-multiplatform-musl.pkgsBuildHost.clang
- bap-aslp
 asli
+
+ bap-aslp
+ bap-asli-plugin
+
 ddisasm
 gtirb-pprinter
 gtirb-semantics
From 2b64bf66626fb10bdd733a25630aa2dff3dc73b2 Mon Sep 17 00:00:00 2001
From: rina
Date: Mon, 9 Dec 2024 12:46:14 +1000
Subject: [PATCH 4/6] tweak _exec helper
---
 docker-tools.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/docker-tools.nix b/docker-tools.nix
index 9d6636a..e9b55b2 100644
--- a/docker-tools.nix
+++ b/docker-tools.nix
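Review bot: Appending `exec "$@"` with a separate `echo` avoids the expansion but leaves the root cause in place: the heredoc delimiter is unquoted (the `<<` is mangled in this rendering, but the `EOF` terminator shows it is a heredoc), so any `$`, backtick or `\` added to the body later will again be expanded at image-build time under fakeroot rather than when `_exec` runs. Quoting the delimiter, `cat <<'EOF' > ./usr/bin/_exec`, keeps the whole body literal while the Nix-level `${shell}` and `${rcfile}` interpolations are still substituted before bash ever sees the script, and then the `echo` line can go back into the heredoc. The enclosing `fakeRootCommands` string starts before this hunk.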
@@ -156,12 +156,19 @@ in
 mkdir -p .${sandboxBuildDir}
 chown -R ${toString uid}:${toString gid} .${sandboxBuildDir}
- cat < ./usr/bin/_exec
+ mkdir -p ./tmp
+ chmod a+rwx ./tmp
+
+ cat <<'EOF' > ./usr/bin/_exec
 #!${shell}
- unset shellHook
+ if [[ "$shell" != 1 ]]; then
+ oldShellHook="$shellHook"
+ unset shellHook
+ export noDumpEnvVars=1
+ fi
 source ${rcfile}
+ exec "$@"
 EOF
- echo 'exec "$@"' >> ./usr/bin/_exec
 chmod +x ./usr/bin/_exec
 '';
From e6b7a676154f08c9d6027d83cd6c9e05fab44145 Mon Sep 17 00:00:00 2001
From: rina
Date: Wed, 11 Dec 2024 14:08:26 +1000
Subject: [PATCH 5/6] set image name to ghcr
---
 overlay.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/overlay.nix b/overlay.nix
index 7255999..b9c1877 100644
--- a/overlay.nix
+++ b/overlay.nix
@@ -8,8 +8,7 @@ let
 basil-tools-shell = prev.callPackage ./basil-shell.nix { };
 basil-tools-docker = (prev.callPackage ./docker-tools.nix { }).streamNixShellImage {
- name = "basil-tools-docker";
- tag = "latest";
+ name = "ghcr.io/uq-pac/basil-tools-docker";
 drv = final.basil-tools-shell;
 };
From ef9c23743bddd6cf8d6b656c460c572426b50c9a Mon Sep 17 00:00:00 2001
From: rina
Date: Fri, 13 Dec 2024 17:18:06 +1000
Subject: [PATCH 6/6] basil-shell: disable hardening
---
 basil-shell.nix | 2 ++
 1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/basil-shell.nix b/basil-shell.nix
index 2ad72e6..b32c534 100644
--- a/basil-shell.nix
+++ b/basil-shell.nix
@@ -40,4 +40,6 @@ in mkShell {
 meta = { description = "shell containing tools used in the BASIL pipeline"; };
+
+ hardeningDisable = [ "all" ];
 }
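Review bot: `chmod a+rwx ./tmp` creates a world-writable `/tmp` without the sticky bit, so any process in the container can delete or replace temp files owned by another uid; `chmod 1777 ./tmp` is the conventional mode and costs nothing, even though the image currently runs as a single user (it matters the moment someone runs it with a different `--user`). In the `_exec` body, `oldShellHook="$shellHook"` is assigned and never read anywhere in the script, and `$shell` is a runtime variable that nothing in the visible code sets, so the switch needs a comment, e.g. `# set shell=1 in the environment to keep the derivation's shellHook (and stdenv's env-vars dump) for a one-off command`; `noDumpEnvVars` is presumably the stdenv `dumpVars` switch — confirm the name. The enclosing `fakeRootCommands` string starts before the hunk.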
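Review bot: `hardeningDisable = [ "all" ]` turns off every compiler-hardening default (stack protector, fortify, PIE, relro/bindnow, format checks, ...) for everything compiled in this shell and, since the docker image's environment is derived from this derivation's attributes, presumably inside the image as well, with no comment saying why. If the intent is that BASIL's test programs are analysis subjects rather than deployed binaries that is a legitimate choice, but it should be written down and ideally narrowed to the flags that actually interfere with the pipeline, e.g. `# Test programs are analysed, not deployed: drop hardening so generated code stays simple (no canaries / PIE / fortified libc wrappers)` above the line and `hardeningDisable = [ "stackprotector" "pie" "fortify" ];` if those are the only ones that matter — confirm against the lifter/disassembler. The `mkShell` attribute set starts before the hunk.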