[fiddler] Build security wrapper into fiddler-build-skia image
Building the fiddler-base image on Louhi doesn't seem to like to shell
out to Docker. That is probably unnecessary since the goal of that
earlier behavior was to make sure the fiddle_secwrap was built in
a way that was compatible with the fiddler image. We can do that
more cleanly by just building it *on* the fiddler image (such that
glibc and friends match).
I chose to put this in fiddler-build-skia because the security
wrapper changes very infrequently, so we don't need to build this
regularly like building the fiddler backend.
Bug: b/361559681
Change-Id: Ibc93621e3ec2be02036a78a8ebe6a880b45951b8
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/892178
Commit-Queue: Eric Boren <borenet@google.com>
Reviewed-by: Eric Boren <borenet@google.com>
Auto-Submit: Kaylee Lubick <kjlubick@google.com>
diff --git a/fiddlek/BUILD.bazel b/fiddlek/BUILD.bazel
index 3b5dfe6..56de88b 100644
--- a/fiddlek/BUILD.bazel
+++ b/fiddlek/BUILD.bazel
@@ -113,10 +113,6 @@
"//fiddlek:fiddler_restart.sh",
"0755",
],
- [
- "//fiddlek/cpp:fiddle_secwrap",
- "0755",
- ],
],
# Note source is fiddle, not fiddler, to agree with the fiddle image.
"/etc/fiddle/source": [
diff --git a/fiddlek/build-skia/Dockerfile b/fiddlek/build-skia/Dockerfile
index ab1700e..a655bc3 100644
--- a/fiddlek/build-skia/Dockerfile
+++ b/fiddlek/build-skia/Dockerfile
@@ -27,4 +27,36 @@
ENV PATH=${PATH}:/tmp/depot_tools
ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libGLESv2.so /usr/local/lib/libGLESv2.so
-ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libEGL.so /usr/local/lib/libEGL.so
\ No newline at end of file
+ADD --chown=skia:skia https://storage.googleapis.com/skia-swiftshader/libEGL.so /usr/local/lib/libEGL.so
+
+
+# Build the security wrapper
+COPY . /tmp/
+
+WORKDIR /tmp
+RUN clang fiddle_secwrap.cpp -lstdc++ -o fiddle_secwrap
+
+# compile test executables
+RUN mkdir /tmp/tests
+RUN clang success.cpp -lstdc++ -o ./tests/success
+RUN clang fail_socket.cpp -o ./tests/fail_socket
+RUN clang fail_execve.cpp -o ./tests/fail_execve
+RUN clang fail_link.cpp -o ./tests/fail_link
+RUN clang fail_rename.cpp -o ./tests/fail_rename
+RUN clang fail_mknod.cpp -o ./tests/fail_mknod
+
+# Make sure this binary runs on its own...
+RUN ./tests/success
+# ...and with the wrapper
+RUN ./fiddle_secwrap ./tests/success
+
+# If any of these don't work, the security wrapper is not blocking things correctly.
+RUN ./fiddle_secwrap ./tests/fail_socket; test $? -eq 1
+RUN ./fiddle_secwrap ./tests/fail_execve; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_link; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_rename; test $? -eq 255
+RUN ./fiddle_secwrap ./tests/fail_mknod; test $? -eq 255
+
+RUN mv ./fiddle_secwrap /usr/local/bin/fiddle_secwrap \
+ && rm -r /tmp \
+ && mkdir --mode=0777 /tmp
\ No newline at end of file
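Review bot: The recreated /tmp on the last line of the hunk is missing the sticky bit — `mkdir --mode=0777 /tmp` yields a world-writable directory in which any user can delete or rename files owned by other users, whereas a conventional /tmp is mode 1777; change it to `&& mkdir --mode=1777 /tmp`. Separately, `rm -r /tmp` removes everything under /tmp, and the context line `ENV PATH=${PATH}:/tmp/depot_tools` at the top of the hunk suggests depot_tools may be installed there earlier in this Dockerfile (outside the hunk); if so, this step would delete it, so building the wrapper in a dedicated directory such as /tmp/secwrap and removing only that directory would be safer. Note also that `COPY . /tmp/` is its own layer, so the copied sources remain in the image history regardless of the later `rm`; that is harmless for these files but is worth a one-line comment so nothing sensitive is ever added to this build context on the assumption that the cleanup removes it.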
diff --git a/fiddlek/build_skia_image b/fiddlek/build_skia_image
index a6c8a47..2fc31f1 100755
--- a/fiddlek/build_skia_image
+++ b/fiddlek/build_skia_image
@@ -12,6 +12,15 @@
copy_release_files () {
# Everything is handled in the Dockerfile
${INSTALL} --mode=644 -T build-skia/Dockerfile ${ROOT}/Dockerfile
+
+${INSTALL} --mode=644 -T cpp/fail_execve.cpp ${ROOT}/fail_execve.cpp
+${INSTALL} --mode=644 -T cpp/fail_link.cpp ${ROOT}/fail_link.cpp
+${INSTALL} --mode=644 -T cpp/fail_mknod.cpp ${ROOT}/fail_mknod.cpp
+${INSTALL} --mode=644 -T cpp/fail_rename.cpp ${ROOT}/fail_rename.cpp
+${INSTALL} --mode=644 -T cpp/fail_socket.cpp ${ROOT}/fail_socket.cpp
+${INSTALL} --mode=644 -T cpp/fiddle_secwrap.cpp ${ROOT}/fiddle_secwrap.cpp
+${INSTALL} --mode=644 -T cpp/seccomp_bpf.h ${ROOT}/seccomp_bpf.h
+${INSTALL} --mode=644 -T cpp/success.cpp ${ROOT}/success.cpp
}
source ../bash/docker_build.sh
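Review bot: The eight new `${INSTALL}` lines in copy_release_files repeat the same command with only the basename varying, and `${ROOT}` is expanded unquoted on every one of them (matching the existing Dockerfile line, but a path with whitespace would word-split); a loop over the basenames with quoted expansions is shorter and easier to extend when another test case is added. The comment `# Everything is handled in the Dockerfile` above the new lines is now slightly misleading, since the sources installed here are what the Dockerfile compiles — consider `# The Dockerfile builds the security wrapper and its tests from the sources installed below.`. I am assuming `${INSTALL}` is a plain install(1) invocation as used on the existing line; if it carries extra options the loop form is unaffected.
```shell
copy_release_files () {
  # The Dockerfile builds the security wrapper and its tests from the sources installed below.
  ${INSTALL} --mode=644 -T build-skia/Dockerfile "${ROOT}/Dockerfile"

  local src
  for src in fail_execve fail_link fail_mknod fail_rename fail_socket fiddle_secwrap success; do
    ${INSTALL} --mode=644 -T "cpp/${src}.cpp" "${ROOT}/${src}.cpp"
  done
  ${INSTALL} --mode=644 -T cpp/seccomp_bpf.h "${ROOT}/seccomp_bpf.h"
}
```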