snap-seccomp: statically link embedded libseccomp

Also drop using github.com/mvo5/libseccomp-golang, welcome back github.com/seccomp/libseccomp-golang
mvo5 · Jul 11, 2017 · 6de6e4e · 6de6e4e
1 parent e6f0b9b
commit 6de6e4e
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 25 deletions.
diff --git a/cmd/snap-seccomp/libseccomp.upstream/tests/Makefile.am b/cmd/snap-seccomp/libseccomp.upstream/tests/Makefile.am
@@ -16,13 +16,13 @@
 # along with this library; if not, see <http://www.gnu.org/licenses>.
 #
 
-@CODE_COVERAGE_RULES@
+#@CODE_COVERAGE_RULES@
 
-if CODE_COVERAGE_ENABLED
+#if CODE_COVERAGE_ENABLED
 DBG_STATIC =
-else
-DBG_STATIC = -static
-endif
+#else
+#DBG_STATIC = -static
+#endif
 
 AM_LDFLAGS = ${DBG_STATIC}
 

diff --git a/cmd/snap-seccomp/main.go b/cmd/snap-seccomp/main.go
@@ -19,6 +19,10 @@
 
 package main
 
+//#cgo pkg-config: libseccomp
+//
+//#cgo LDFLAGS: -Bstatic -lseccomp -Bdynamic
+//
 //#include <asm/ioctls.h>
 //#include <ctype.h>
 //#include <errno.h>
@@ -133,6 +137,8 @@ package main
 //
 import "C"
 
+//go:generate sh -c "(cd libseccomp.upstream && ./autogen.sh && ./configure --prefix=`pwd`/_build && make && make install)"
+
 import (
 	"bufio"
 	"bytes"
@@ -144,10 +150,7 @@ import (
 	"strings"
 	"syscall"
 
-	// FIXME: we want github.com/seccomp/libseccomp-golang but that
-	// will not work with trusty because libseccomp-golang checks
-	// for the seccomp version and errors if it find one < 2.2.0
-	"github.com/mvo5/libseccomp-golang"
+	"github.com/seccomp/libseccomp-golang"
 
 	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/osutil"

diff --git a/cmd/snap-seccomp/main_test.go b/cmd/snap-seccomp/main_test.go
@@ -33,7 +33,7 @@ import (
 
 	. "gopkg.in/check.v1"
 
-	"github.com/mvo5/libseccomp-golang"
+	"github.com/seccomp/libseccomp-golang"
 
 	// forked from "golang.org/x/net/bpf"
 	// until https://github.com/golang/go/issues/20556

diff --git a/packaging/ubuntu-14.04/control b/packaging/ubuntu-14.04/control
@@ -21,8 +21,8 @@ Build-Depends: autoconf,
                init-system-helpers,
                libapparmor-dev,
                libglib2.0-dev,
-               libseccomp-dev (>= 2.1.1-1ubuntu1~trusty3),
                libudev-dev,
+               linux-libc-dev,
                openssh-client,
                pkg-config,
                python3,

diff --git a/packaging/ubuntu-14.04/rules b/packaging/ubuntu-14.04/rules
@@ -11,6 +11,8 @@ export DH_GOLANG_GO_GENERATE=1
 export PATH:=${PATH}:${CURDIR}
 # make sure that correct go version is found on trusty
 export PATH:=/usr/lib/go-1.6/bin:${PATH}
+# ensure our embedded libseccomp is picked up
+export PKG_CONFIG_PATH=$(CURDIR)/cmd/snap-seccomp/libseccomp.upstream/
 
 include /etc/os-release
 
@@ -45,7 +47,7 @@ ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
 endif
 
 BUILT_USING_PACKAGES= libcap-dev libapparmor-dev libseccomp-dev
-BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES))
+BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES)), libseccomp (= 2.3.2.embedded)
 
 # export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 # DPKG_EXPORT_BUILDFLAGS = 1
@@ -91,13 +93,17 @@ endif
 	dh_clean
 	# XXX: hacky
 	$(MAKE) -C cmd distclean || true
+	$(MAKE) -C cmd/snap-seccomp/libseccomp.upstream/ distclean || true
+	rm -rf cmd/snap-seccomp/libseccomp.upstream/_build
 
 override_dh_auto_build:
 	# usually done via `go generate` but that is not supported on powerpc
 	./mkversion.sh
+	(cd cmd/snap-seccomp/libseccomp.upstream/ && ./autogen.sh && ./configure --prefix=$(CURDIR)/cmd/snap-seccomp/libseccomp.upstream/_build && make && make install)
 	# Build golang bits
 	mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
 	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
+	cp -a cmd/snap-seccomp/libseccomp.upstream/* _build/src/$(DH_GOPKG)/cmd/snap-seccomp/libseccomp.upstream
 	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
 	# Build C bits, sadly manually
 	cd cmd && ( autoreconf -i -f )

diff --git a/packaging/ubuntu-16.04/control b/packaging/ubuntu-16.04/control
@@ -21,8 +21,8 @@ Build-Depends: autoconf,
                libcap-dev,
                libapparmor-dev,
                libglib2.0-dev,
-               libseccomp-dev,
                libudev-dev,
+               linux-libc-dev,
                openssh-client,
                pkg-config,
                python3,

diff --git a/packaging/ubuntu-16.04/rules b/packaging/ubuntu-16.04/rules
@@ -11,6 +11,8 @@ export DH_GOLANG_GO_GENERATE=1
 export PATH:=${PATH}:${CURDIR}
 # make sure that correct go version is found on trusty
 export PATH:=/usr/lib/go-1.6/bin:${PATH}
+# ensure our embedded libseccomp is picked up
+export PKG_CONFIG_PATH=$(CURDIR)/cmd/snap-seccomp/libseccomp.upstream/
 
 include /etc/os-release
 
@@ -54,7 +56,7 @@ ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
     # things dynamically though: udev has no stable IPC protocol between
     # libudev and udevd so we need to link with it dynamically.
     VENDOR_ARGS=--enable-nvidia-ubuntu --enable-static-libcap --enable-static-libapparmor --enable-static-libseccomp
-    BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev
+    BUILT_USING_PACKAGES=libcap-dev libapparmor-dev
 else
 ifeq ($(shell dpkg-vendor --query Vendor),Debian)
     VENDOR_ARGS=--disable-apparmor --disable-seccomp
@@ -63,7 +65,7 @@ else
     VENDOR_ARGS=--disable-apparmor
 endif
 endif
-BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES))
+BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES)), libseccomp (= 2.3.2.embedded)
 
 %:
 	dh $@ --buildsystem=golang --with=golang --fail-missing --with systemd --builddirectory=_build
@@ -98,13 +100,17 @@ endif
 	dh_clean
 	# XXX: hacky
 	$(MAKE) -C cmd distclean || true
+	$(MAKE) -C cmd/snap-seccomp/libseccomp.upstream/ distclean || true
+	rm -rf cmd/snap-seccomp/libseccomp.upstream/_build
 
 override_dh_auto_build:
 	# usually done via `go generate` but that is not supported on powerpc
 	./mkversion.sh
+	(cd cmd/snap-seccomp/libseccomp.upstream/ && ./autogen.sh && ./configure --prefix=$(CURDIR)/cmd/snap-seccomp/libseccomp.upstream/_build && make && make install)
 	# Build golang bits
 	mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
 	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
+	cp -a cmd/snap-seccomp/libseccomp.upstream/* _build/src/$(DH_GOPKG)/cmd/snap-seccomp/libseccomp.upstream
 	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
 	# Build C bits, sadly manually
 	cd cmd && ( autoreconf -i -f )

diff --git a/tests/main/snap-seccomp/task.yaml b/tests/main/snap-seccomp/task.yaml
@@ -1,15 +1,26 @@
 summary: Ensure that the snap-seccomp bpf handling works
 
+# FIXME: once $(snap debug confinment) can be used (in 2.27+) remove
+#        the systems line
+system: [ubuntu-*]
+
 environment:
     PROFILE: /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.echo
     SNAP_SECCOMP: /usr/lib/snapd/snap-seccomp
 
 execute: |
-    if [ "$(snap debug confinement)" != strict ] ; then
-        echo "SKIP: these tests are only useful on systems with working seccomp"
-        exit 0
-    fi
+    #if [ "$(snap debug confinement)" != strict ] ; then
+    #    echo "SKIP: these tests are only useful on systems with working seccomp"
+    #    exit 0
+    #fi
 
+    # FIXME: use dirs.sh in 2.27+
+    echo "Ensure snap-seccomp is statically linked"
+    if ldd /usr/lib/snapd/snap-seccomp | MATCH libseccomp ; then
+        echo "found dynamically linked libseccomp, we need a staticly linked one"
+        exit 1
+    fi
+    
     echo "Install test-snapd-tools and verify it works"
     snap install test-snapd-tools
     test-snapd-tools.echo hello | MATCH hello

diff --git a/vendor/vendor.json b/vendor/vendor.json
@@ -48,12 +48,6 @@
 			"revision": "26426272dda20cc76aa1fa44286dc743d2972fe8",
 			"revisionTime": "2015-02-12T09:37:50Z"
 		},
-		{
-			"checksumSHA1": "EoJqr2ZG7jODFsCnKwrn4JWRS+Y=",
-			"path": "github.com/mvo5/libseccomp-golang",
-			"revision": "84e1d1c75beaa58be6a76d2fc94d95eb8c1583b6",
-			"revisionTime": "2017-06-14T13:46:31Z"
-		},
 		{
 			"checksumSHA1": "4ZkAtTGnZIVrA5hUBCN/5+XdHYU=",
 			"path": "github.com/mvo5/net/bpf",
@@ -84,6 +78,12 @@
 			"revision": "95289a7e0ac17c76737a5ceca3c9471c0adf70c7",
 			"revisionTime": "2016-07-14T06:47:45Z"
 		},
+		{
+			"checksumSHA1": "bCj0+g9CKyCA90SlDxaPA6+zZeg=",
+			"path": "github.com/seccomp/libseccomp-golang",
+			"revision": "f6ec81daf48e41bf48b475afc7fe06a26bfb72d1",
+			"revisionTime": "2017-06-09T13:46:05Z"
+		},
 		{
 			"checksumSHA1": "G1Zy6KNKWSz6Nx6GAgaKM2yPDLg=",
 			"path": "github.com/testing-cabal/subunit-go",