Projects/muscl
12
5
Fork 0
Code Issues 75 Pull Requests Actions Packages Releases 1 Activity

Add nix support for suid/sgid testing
All checks were successful
Build and test / check (push) Successful in 1m55s
Details
Build and test / build (push) Successful in 4m1s
Details
Build and test / check-license (push) Successful in 4m55s
Details
Build and test / test (push) Successful in 3m26s
Details
Build and test / docs (push) Successful in 6m18s
Details

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit
2025-12-04 10:54:32 +09:00
parent 4c21d083df
commit b0ae6e563d
5 changed files with 264 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
nix/default.nix
View File

@@ -1,26 +1,63 @@
{
lib
, rustPlatform
, stdenv
, installShellFiles
, versionCheckHook
, cargoToml
, cargoLock
, src
, installShellFiles
, useCrane ? false
, craneLib ? null
, suidSgidSupport ? false
}:
let
mainProgram = (lib.head cargoToml.bin).name;
buildFunction = if useCrane then craneLib.buildPackage else rustPlatform.buildRustPackage;
cargoLock' = if useCrane then cargoLock else { lockFile = cargoLock; };
pname = if useCrane then "${cargoToml.package.name}-crane" else cargoToml.package.name;
in
buildFunction {
pname = pname;
version = cargoToml.package.version;
inherit src;
cargoLock = cargoLock';
pnameCraneSuffix = lib.optionalString useCrane "-crane";
pnameSuidSuffix = lib.optionalString suidSgidSupport "-suid";
pname = "${cargoToml.package.name}${pnameSuidSuffix}${pnameCraneSuffix}";
rustPlatformArgs = {
buildFeatures = lib.optional suidSgidSupport "suid-sgid-mode";
cargoLock.lockFile = cargoLock;
doCheck = true;
useNextest = true;
nativeCheckInputs = [
versionCheckHook
];
cargoCheckFeatures = lib.optional suidSgidSupport "suid-sgid-mode";
postCheck = lib.optionalString (stdenv.buildPlatform.system == stdenv.hostPlatform.system && suidSgidSupport) ''
./target/${stdenv.hostPlatform.rust.rustcTarget}/release/muscl --version | grep "SUID/SGID mode: enabled"
'';
};
craneArgs = {
cargoLock = cargoLock;
cargoExtraArgs = lib.escapeShellArgs [ "--features" (lib.concatStringsSep "," (lib.optional suidSgidSupport "suid-sgid-mode")) ];
cargoArtifacts = craneLib.buildDepsOnly {
inherit pname;
inherit (cargoToml.package) version;
src = lib.fileset.toSource {
root = ../.;
fileset = lib.fileset.unions [
(craneLib.fileset.cargoTomlAndLock ../.)
];
};
cargoLock = cargoLock;
};
};
in
buildFunction ({
inherit pname;
inherit (cargoToml.package) version;
inherit src;
nativeBuildInputs = [ installShellFiles ];
postInstall = let
@@ -29,10 +66,9 @@ buildFunction {
export PATH="$out/bin:$PATH"
export COMPLETE="${shell}"
"${command}" > "$TMP/${command}.${shell}"
# See https://github.com/clap-rs/clap/issues/1764
sed -i 's/muscl/${command}/g' "$TMP/${command}.${shell}"
)
# See https://github.com/clap-rs/clap/issues/1764
sed -i 's/muscl/${command}/g' "$TMP/${command}.${shell}"
installShellCompletion "--${shell}" --cmd "${command}" "$TMP/${command}.${shell}"
'') {
shell = [ "bash" "zsh" "fish" ];
@@ -56,3 +92,6 @@ buildFunction {
inherit mainProgram;
};
}
//
(if useCrane then craneArgs else rustPlatformArgs)
)

96
nix/nixos-configurations/vm-suid.nix Normal file
View File

@@ -0,0 +1,96 @@
{ self, nixpkgs, ... }:
let
inherit (nixpkgs) lib;
in
nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
self.overlays.muscl-suid-crane
];
};
modules = [
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
"${nixpkgs}/nixos/tests/common/user-account.nix"
({ config, pkgs, ... }: {
system.stateVersion = config.system.nixos.release;
virtualisation.graphics = false;
users = {
groups = {
a = { };
b = { };
muscl = { };
};
users.muscl = {
isSystemUser = true;
group = "muscl";
};
users.alice.extraGroups = [
"a"
"b"
"wheel"
"systemd-journal"
];
extraUsers.root.password = "root";
};
services.getty.autologinUser = "alice";
users.motd = ''
=================================
Welcome to the muscl SUID/SGID vm!
Try running:
${pkgs.muscl.meta.mainProgram}
Password for alice is 'foobar'
Password for root is 'root'
To exit, press Ctrl+A, then X
=================================
'';
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureUsers = [
{
name = "muscl";
ensurePermissions = {
"mysql.*" = "SELECT, INSERT, UPDATE, DELETE";
"*.*" = "GRANT OPTION, CREATE, DROP";
};
}
];
};
security.wrappers.muscl = {
owner = "muscl";
group = "muscl";
setuid = true;
source = lib.getExe pkgs.muscl;
};
environment.etc."muscl/config.toml".source = (pkgs.formats.toml { }).generate "muscl-config.toml" {
mysql = {
username = "muscl";
password = "snakeoil";
socket_path = "/run/mysqld/mysqld.sock";
};
};
# TODO: extra setup commands:
# set password for mysql user
programs.vim = {
enable = true;
defaultEditor = true;
};
environment.systemPackages = with pkgs; [ jq ];
})
];
}

68
nix/nixos-configurations/vm.nix Normal file
View File

@@ -0,0 +1,68 @@
{ self, nixpkgs, ... }:
nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
self.overlays.muscl-crane
];
};
modules = [
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
"${nixpkgs}/nixos/tests/common/user-account.nix"
self.nixosModules.default
({ config, pkgs, ... }: {
system.stateVersion = config.system.nixos.release;
virtualisation.graphics = false;
users = {
groups = {
a = { };
b = { };
};
users.alice.extraGroups = [
"a"
"b"
"wheel"
"systemd-journal"
];
extraUsers.root.password = "root";
};
services.getty.autologinUser = "alice";
users.motd = ''
=================================
Welcome to the muscl vm!
Try running:
${config.services.muscl.package.meta.mainProgram}
Password for alice is 'foobar'
Password for root is 'root'
To exit, press Ctrl+A, then X
=================================
'';
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.muscl = {
enable = true;
logLevel = "trace";
createLocalDatabaseUser = true;
};
programs.vim = {
enable = true;
defaultEditor = true;
};
environment.systemPackages = with pkgs; [ jq ];
})
];
}