BREAKING: replace custom build scripts with nix

General: - Switched to yarn to better work with nix-based tooling - Switched package system to use nix. This stops double dependencies and slow cloud compile times, while providing more compile/runtime support to the Nix project - Removed container builder in favor of internal container tooling - Package versions no-longer need to be SemVer compliant - Removed "piston package spec" files, replaced with nix-flake based runtimes - Exported nosocket and piston-api as packages within the nix-flake - Removed repo container - Switched docker building to nix-based container outputting - Removed docker compose as this is a single container - Removed package commands from CLI Packages: - Move bash, clojure, cobol, node, python2, python3 to new format - Remainder of packages still need to be moved v2 API: - Removed "version" specifier. To select specific versions, use the v3 api - Removed "/package" endpoints as this doesn't work with the new nix-based system v3 API: - Duplicate of v2 API, except instead of passing in a language name an ID is used intead.
2025-04-23 13:36:31 +02:00 · 2022-01-30 18:41:24 +13:00 · 2022-01-30 18:41:24 +13:00 · 564da5a7eb
commit 564da5a7eb
parent e06b59d82c
110 changed files with 2293 additions and 2793 deletions
--- a/nosocket/Makefile
+++ b/nosocket/Makefile
@ -0,0 +1,19 @@
+CC = gcc 
+CFLAGS = -O2 -Wall -lseccomp 
+TARGET = nosocket 
+BUILD_PATH = ./
+INSTALL_PATH = /usr/local/bin/
+SOURCE = nosocket.c
+
+all: $(TARGET)
+
+$(TARGET): $(SOURCE)
+	$(CC) $(BUILD_PATH)$(SOURCE) $(CFLAGS) -o $(TARGET)
+
+install:
+	mv $(TARGET) $(INSTALL_PATH)
+
+clean:
+	$(RM) $(TARGET)
+	$(RM) $(INSTALL_PATH)$(TARGET) 
+
--- a/nosocket/default.nix
+++ b/nosocket/default.nix
@ -0,0 +1,24 @@
+{pkgs, ...}:
+with pkgs; {
+  package = stdenv.mkDerivation {
+    name = "nosocket-1.0.0";
+
+    dontUnpack = true;
+
+
+    src = ./nosocket.c;
+
+    buildInputs = [
+      libseccomp
+    ];
+   
+    buildPhase = ''
+      gcc $src -O2 -Wall -lseccomp -o nosocket
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      cp nosocket $out/bin
+    '';
+  };
+}
--- a/nosocket/nosocket.c
+++ b/nosocket/nosocket.c
@ -0,0 +1,62 @@
+/*
+nosocket.c
+
+Disables access to the `socket` syscall and runs a program provided as the first
+commandline argument.
+*/
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+    // Disallow any new capabilities from being added
+    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+    // SCMP_ACT_ALLOW lets the filter have no effect on syscalls not matching a
+    // configured filter rule (allow all by default)
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (!ctx)
+    {
+        fprintf(stderr, "Unable to initialize seccomp filter context\n");
+        return 1;
+    }
+
+    // Add 32 bit and 64 bit architectures to seccomp filter
+    int rc;
+    uint32_t arch[] = {SCMP_ARCH_X86_64, SCMP_ARCH_X86, SCMP_ARCH_X32};
+    // We first remove the existing arch, otherwise our subsequent call to add
+    // it will fail
+    seccomp_arch_remove(ctx, seccomp_arch_native());
+    for (int i = 0; i < sizeof(arch) / sizeof(arch[0]); i++)
+    {
+        rc = seccomp_arch_add(ctx, arch[i]);
+        if (rc != 0)
+        {
+            fprintf(stderr, "Unable to add arch: %d\n", arch[i]);
+            return 1;
+        }
+    }
+
+    // Add a seccomp rule to the syscall blacklist - blacklist the socket syscall
+    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(socket), 0) < 0)
+    {
+        fprintf(stderr, "Unable to add seccomp rule to context\n");
+        return 1;
+    }
+
+#ifdef DEBUG
+    seccomp_export_pfc(ctx, 0);
+#endif
+
+    if (argc < 2)
+    {
+        fprintf(stderr, "Usage %s: %s <program name> <arguments>\n", argv[0], argv[0]);
+        return 1;
+    }
+    seccomp_load(ctx);
+    execvp(argv[1], argv + 1);
+    return 1;
+}