[fiddler] Build security wrapper into fiddler-build-skia image

Building the fiddler-base image on Louhi doesn't seem to like to shell
out to Docker. That is probably unnecessary since the goal of that
earlier behavior was to make sure the fiddle_secwrap was built in
a way that was compatible with the fiddler image. We can do that
more cleanly by just building it *on* the fiddler image (such that
glibc and friends match).

I chose to put this in fiddler-build-skia because the security
wrapper changes very infrequently, so we don't need to build this
regularly like building the fiddler backend.

Bug: b/361559681
Change-Id: Ibc93621e3ec2be02036a78a8ebe6a880b45951b8
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/892178
Commit-Queue: Eric Boren <borenet@google.com>
Reviewed-by: Eric Boren <borenet@google.com>
Auto-Submit: Kaylee Lubick <kjlubick@google.com>
diff --git a/fiddlek/BUILD.bazel b/fiddlek/BUILD.bazel
index 3b5dfe6..56de88b 100644
--- a/fiddlek/BUILD.bazel
+++ b/fiddlek/BUILD.bazel
@@ -113,10 +113,6 @@
                 "//fiddlek:fiddler_restart.sh",
                 "0755",
             ],
-            [
-                "//fiddlek/cpp:fiddle_secwrap",
-                "0755",
-            ],
         ],
         # Note source is fiddle, not fiddler, to agree with the fiddle image.
         "/etc/fiddle/source": [
diff --git a/fiddlek/build-skia/Dockerfile b/fiddlek/build-skia/Dockerfile
index ab1700e..a655bc3 100644
--- a/fiddlek/build-skia/Dockerfile
+++ b/fiddlek/build-skia/Dockerfile
@@ -27,4 +27,36 @@
 ENV PATH=${PATH}:/tmp/depot_tools
 
 ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libGLESv2.so /usr/local/lib/libGLESv2.so
-ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libEGL.so /usr/local/lib/libEGL.so
\ No newline at end of file
+ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libEGL.so /usr/local/lib/libEGL.so
+
+
+# Build the security wrapper
+COPY . /tmp/
+
+WORKDIR /tmp
+RUN clang fiddle_secwrap.cpp -lstdc++ -o fiddle_secwrap
+
+# compile test executables
+RUN mkdir /tmp/tests
+RUN clang success.cpp -lstdc++ -o ./tests/success
+RUN clang fail_socket.cpp -o ./tests/fail_socket
+RUN clang fail_execve.cpp -o ./tests/fail_execve
+RUN clang fail_link.cpp -o ./tests/fail_link
+RUN clang fail_rename.cpp -o ./tests/fail_rename
+RUN clang fail_mknod.cpp -o ./tests/fail_mknod
+
+# Make sure this binary runs on its own...
+RUN ./tests/success
+# ...and with the wrapper
+RUN ./fiddle_secwrap ./tests/success
+
+# If any of these don't work, the security wrapper is not blocking things correctly.
+RUN ./fiddle_secwrap ./tests/fail_socket; test $? -eq 1
+RUN ./fiddle_secwrap ./tests/fail_execve; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_link; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_rename; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_mknod; test $? -eq 255
+
+RUN mv ./fiddle_secwrap /usr/local/bin/fiddle_secwrap \
+    && rm -r /tmp \
+    && mkdir --mode=0777 /tmp
\ No newline at end of file
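Review bot: `mkdir --mode=0777 /tmp` on the last RUN line recreates /tmp without the sticky bit the directory conventionally carries (mode 1777), so any user able to write there could later remove or rename files owned by others; `mkdir --mode=1777 /tmp` restores the usual permissions. Also note that `rm -r /tmp` in its own RUN step only hides the copied sources and test binaries from the final filesystem view — the `COPY . /tmp/` layer and the compile layers still contain them, so if the image is not meant to ship them a multi-stage build that copies only `fiddle_secwrap` forward would be needed; if shipping them is acceptable this is fine as-is. The `fail_*` checks pin exit codes 1 and 255 without saying where those values come from; a one-line comment above them pointing at the relevant exit paths in fiddle_secwrap.cpp would let a maintainer tell a genuine block from an unrelated failure that happens to exit with the same code.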
diff --git a/fiddlek/build_skia_image b/fiddlek/build_skia_image
index a6c8a47..2fc31f1 100755
--- a/fiddlek/build_skia_image
+++ b/fiddlek/build_skia_image
@@ -12,6 +12,15 @@
 copy_release_files () {
 # Everything is handled in the Dockerfile
 ${INSTALL} --mode=644 -T build-skia/Dockerfile        ${ROOT}/Dockerfile
+
+${INSTALL} --mode=644 -T cpp/fail_execve.cpp       ${ROOT}/fail_execve.cpp
+${INSTALL} --mode=644 -T cpp/fail_link.cpp         ${ROOT}/fail_link.cpp
+${INSTALL} --mode=644 -T cpp/fail_mknod.cpp        ${ROOT}/fail_mknod.cpp
+${INSTALL} --mode=644 -T cpp/fail_rename.cpp       ${ROOT}/fail_rename.cpp
+${INSTALL} --mode=644 -T cpp/fail_socket.cpp       ${ROOT}/fail_socket.cpp
+${INSTALL} --mode=644 -T cpp/fiddle_secwrap.cpp    ${ROOT}/fiddle_secwrap.cpp
+${INSTALL} --mode=644 -T cpp/seccomp_bpf.h         ${ROOT}/seccomp_bpf.h
+${INSTALL} --mode=644 -T cpp/success.cpp           ${ROOT}/success.cpp
 }
 
 source ../bash/docker_build.sh
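Review bot: The eight new `${INSTALL}` lines in `copy_release_files` spell out the same file list that the Dockerfile's `COPY . /tmp/` and its `RUN clang …` steps depend on, so adding a new test source later means editing two places and forgetting this one silently drops the file from the build context. A loop over the file names keeps the inventory in one line and gives an opportunity to quote `${ROOT}` and the file name, which the existing style leaves unquoted (harmless while `${ROOT}` has no spaces, but cheap to fix here).
```shell
copy_release_files () {
# Everything is handled in the Dockerfile
${INSTALL} --mode=644 -T build-skia/Dockerfile        ${ROOT}/Dockerfile

# Security wrapper sources and its test programs, compiled inside the image.
for f in fail_execve.cpp fail_link.cpp fail_mknod.cpp fail_rename.cpp \
         fail_socket.cpp fiddle_secwrap.cpp seccomp_bpf.h success.cpp; do
  ${INSTALL} --mode=644 -T "cpp/${f}" "${ROOT}/${f}"
done
}
```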