[tbb-commits] [tor-browser-bundle/master] Bug 20352: Adding sandbox to our Gitian build

gk at torproject.org gk at torproject.org
Tue Dec 6 21:22:12 UTC 2016


commit 522cee6cb9c83be66cc2a6b5bbfefdb3c2bc3217
Author: Georg Koppen <gk at torproject.org>
Date:   Tue Dec 6 21:20:53 2016 +0000

    Bug 20352: Adding sandbox to our Gitian build
    
    On Linux we start building Yawning's sandbox code while producing the
    Linux Tor Browser bundles.
    
    For that to work properly we need to use Debian Jessie images and
    install some packages from backports as not all dependencies are
    available in Wheezy.
---
 gitian/Makefile                             |  6 ++-
 gitian/descriptors/linux/gitian-sandbox.yml | 77 +++++++++++++++++++++++++++++
 gitian/fetch-inputs.sh                      |  3 ++
 gitian/make-vms.sh                          | 22 ++++++++-
 gitian/mkbundle-linux.sh                    | 44 +++++++++++++----
 gitian/versions.nightly                     |  3 ++
 6 files changed, 141 insertions(+), 14 deletions(-)

diff --git a/gitian/Makefile b/gitian/Makefile
index a4a757f..5694cbf 100644
--- a/gitian/Makefile
+++ b/gitian/Makefile
@@ -101,8 +101,7 @@ prep-alpha:
 	./check-prerequisites.sh
 	$(TORSOCKS) ./fetch-inputs.sh ../../gitian-builder/inputs/ versions.alpha
 
-
-clean: clean-utils clean-tor clean-browser clean-pt clean-bundle
+clean: clean-utils clean-tor clean-browser clean-pt clean-sandbox clean-bundle
 	rm -f ../../gitian-builder/inputs/*.yml
 	rm -f ../../gitian-builder/inputs/bundle.inputs
 	rm -f ../../gitian-builder/inputs/versions*
@@ -124,6 +123,9 @@ clean-browser: clean-bundle
 clean-pt: clean-bundle
 	rm -f ../../gitian-builder/inputs/pluggable-transports*
 
+clean-sandbox: clean-bundle
+	rm -f ../../gitian-builder/inputs/sandbox-linux*
+
 clean-bundle:
 	rm -f ../../gitian-builder/inputs/bundle-*
 
diff --git a/gitian/descriptors/linux/gitian-sandbox.yml b/gitian/descriptors/linux/gitian-sandbox.yml
new file mode 100644
index 0000000..0f4f78c
--- /dev/null
+++ b/gitian/descriptors/linux/gitian-sandbox.yml
@@ -0,0 +1,77 @@
+---
+name: "sandbox-linux"
+distro: "debian"
+suites:
+- "jessie"
+architectures:
+- "i386"
+- "amd64"
+packages:
+- "unzip"
+- "zip"
+- "hardening-wrapper"
+# Needed for the sandboxing code
+- "libx11-dev"
+- "pkg-config"
+- "libgtk-3-dev"
+backports_packages:
+- "libseccomp-dev"
+- "libseccomp2"
+reference_datetime: "2000-01-01 00:00:00"
+remotes:
+- "url": "https://github.com/pkg/error"
+  "dir": "errors"
+- "url": "https://github.com/constabulary/gb"
+  "dir": "gb"
+- "url": "https://git.schwanenlied.me/yawning/sandboxed-tor-browser"
+  "dir": "sandbox"
+files:
+- "go-linux32-utils.zip"
+- "go-linux64-utils.zip"
+- "dzip.sh"
+script: |
+  INSTDIR="$HOME/install"
+  mkdir $INSTDIR/sandbox
+  export REFERENCE_DATETIME
+  export TZ=UTC
+  export LC_ALL=C
+  umask 0022
+
+  # Config options for hardening-wrapper for the stub
+  export DEB_BUILD_HARDENING=1
+  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
+  export DEB_BUILD_HARDENING_FORTIFY=1
+  export DEB_BUILD_HARDENING_FORMAT=1
+  export DEB_BUILD_HARDENING_PIE=1
+
+  unzip -d $INSTDIR go-linux$GBUILD_BITS-utils.zip
+  export GOROOT="$INSTDIR/go"
+  export GOPATH="$HOME/go"
+  export PATH="$PATH:$GOROOT/bin:$GOPATH/bin"
+
+  # Building errors
+  cd errors
+  find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
+  mkdir -p "$GOPATH/src/github.com/pkg/"
+  ln -sf "$PWD" "$GOPATH/src/github.com/pkg/errors"
+  go install github.com/pkg/errors
+  cd ..
+
+  # Building gb
+  cd gb
+  find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
+  mkdir -p "$GOPATH/src/github.com/constabulary/"
+  ln -sf "$PWD" "$GOPATH/src/github.com/constabulary/gb"
+  go install github.com/constabulary/gb/cmd/gb
+  cd ..
+
+  # XXX: Use own C compiler
+  # Building the sandbox
+  cd sandbox
+  make
+  cp bin/sandboxed-tor-browser $INSTDIR/sandbox
+  cd ..
+
+  cd $INSTDIR
+  ~/build/dzip.sh sandbox-linux$GBUILD_BITS.zip sandbox/
+  cp sandbox-linux$GBUILD_BITS.zip $OUTDIR/
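Review bot: The `errors` remote at the top of the descriptor points at `https://github.com/pkg/error`, while fetch-inputs.sh fetches the same input from `https://github.com/pkg/errors` and the script later runs `go install github.com/pkg/errors`; the line should read `- "url": "https://github.com/pkg/errors"` so the recorded provenance names the repository that is actually built. Whether gbuild clones from this URL or only records it in the result manifest depends on gitian-builder options not visible here, so at minimum the manifest would carry the wrong origin. Separately, `mkdir $INSTDIR/sandbox` lacks `-p` and the `$INSTDIR` expansions are unquoted, unlike the quoted `$GOPATH` paths further down; `mkdir -p "$INSTDIR/sandbox"` would match the rest of the script.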
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index bf60ca3..b3d5c26 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -293,6 +293,9 @@ goxcrypto             https://go.googlesource.com/crypto  $GO_X_CRYPTO_TAG
 goxnet                https://go.googlesource.com/net  $GO_X_NET_TAG
 obfs4                 https://git.torproject.org/pluggable-transports/obfs4.git $OBFS4_TAG
 noto-fonts            https://github.com/googlei18n/noto-fonts $NOTOFONTS_TAG
+errors                https://github.com/pkg/errors $ERRORS_TAG
+gb                    https://github.com/constabulary/gb $GB_TAG
+sandbox               https://git.schwanenlied.me/yawning/sandboxed-tor-browser $SANDBOX_TAG
 EOF
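Review bot: The three new lines expand `$ERRORS_TAG`, `$GB_TAG` and `$SANDBOX_TAG`, but the diffstat shows only gitian/versions.nightly gaining those variables, while the Makefile's prep-alpha target feeds this script versions.alpha; unless versions.alpha (and any release versions file) also defines them, the tag column of these entries expands to empty and the `--commit errors=$ERRORS_TAG,...` argument in mkbundle-linux.sh degrades to `errors=`. Either add the three tags to every versions file or make the script fail with a clear message when a tag variable is empty. The sandbox input is also fetched from a third-party host at a branch name rather than a fixed commit; whether this list passes through the same tag-verification path as the other entries is outside the hunk, so it is worth confirming before this reaches a non-nightly build.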
 
 # HTTPS-Everywhere is special, too. We need to initialize the git submodules and
diff --git a/gitian/make-vms.sh b/gitian/make-vms.sh
index 089865b..7edd2b4 100755
--- a/gitian/make-vms.sh
+++ b/gitian/make-vms.sh
@@ -32,7 +32,7 @@ build_and_test_vm() {
     then
       export LXC_SUITE=$dist
       export LXC_ARCH=$arch
-      if [ "$dist" = "wheezy" ];
+      if [ "$dist" = "wheezy" -o "$dist" = "jessie" ];
       then
         export DISTRO=debian
         ./bin/make-base-vm --distro debian --suite $dist --lxc --arch $arch
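Review bot: `[ "$dist" = "wheezy" -o "$dist" = "jessie" ]` relies on the `-o` operator of `test`, which POSIX marks obsolescent and which parses ambiguously when an operand starts with `!` or `(`; `[ "$dist" = "wheezy" ] || [ "$dist" = "jessie" ]` expresses the same test portably. The identical expression is introduced again in the next hunk (`@@ -41,7 +41,7 @@`) for the non-lxc branch. Since the two branches differ only in the `--lxc` flag, computing the Debian/Ubuntu decision once (e.g. a `case "$dist" in wheezy|jessie)`) before the lxc test would keep the two suite lists from drifting apart, though that refactor lies outside the hunk.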
@@ -41,7 +41,7 @@ build_and_test_vm() {
         ./bin/make-base-vm --suite $dist --lxc --arch $arch
       fi
     else
-      if [ "$dist" = "wheezy" ];
+      if [ "$dist" = "wheezy" -o "$dist" = "jessie" ];
       then
         export DISTRO=debian
         ./bin/make-base-vm --distro debian --suite $dist --arch $arch
@@ -89,6 +89,24 @@ do
   echo
 done
 
+while ! build_and_test_vm jessie i386 32
+do
+  stop-target 32 jessie
+  rm ./base-jessie-amd64*
+  echo
+  echo "Jessie i386 VM build failed... Trying again"
+  echo
+done
+
+while ! build_and_test_vm jessie amd64 64
+do
+  stop-target 64 jessie
+  rm ./base-jessie-amd64*
+  echo
+  echo "Jessie amd64 VM build failed... Trying again"
+  echo
+done
+
 while ! build_and_test_vm precise i386 32
 do
   stop-target 32 precise
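Review bot: The retry loop for the Jessie i386 VM runs `rm ./base-jessie-amd64*` after `stop-target 32 jessie`, so a failed i386 build deletes the amd64 base image and leaves the stale i386 image in place for the next attempt; the line should presumably be `rm ./base-jessie-i386*`, mirroring the `build_and_test_vm jessie i386 32` call it follows. The amd64 loop below uses the same pattern and is correct there, which suggests a copy-paste slip. Both `rm` calls also print an error when no base image exists yet; `rm -f` would keep the retry quiet if that is the intent — the corresponding line of the precise loop is outside the hunk, so I cannot confirm which convention the file uses.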
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index f8aaec1..430b666 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -78,6 +78,7 @@ die_msg() {
 # the utils both if we verify tags and if we don't.
 
 LIBEVENT_TAG_ORIG=$LIBEVENT_TAG
+SANDBOX_ORIG_TAG=$SANDBOX_TAG
 
 if [ "z$VERIFY_TAGS" = "z1" ];
 then
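Review bot: `SANDBOX_ORIG_TAG` inverts the naming of the adjacent `LIBEVENT_TAG_ORIG`, which is saved on the previous line for the same reason; unless the file already uses `*_ORIG_TAG` elsewhere (not visible in this hunk), `SANDBOX_TAG_ORIG=$SANDBOX_TAG` with the matching rename at the two `cp -a inputs/sandbox-linux*.zip` lines in the `@@ -246,10 +268,12 @@` hunk would keep the pair consistent. The comment above the hunk explains that the copy exists so the value survives tag verification; extending it to mention the sandbox tag would help the next reader. Note that with versions.nightly's `SANDBOX_TAG=master` the copied artefact is named `sandbox-linux32-master.zip`, so the filename alone does not identify which commit was built.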
@@ -112,7 +113,7 @@ if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
      ! -f inputs/gmp-$GMP_VER-linux64-utils.zip ];
 then
   echo
-  echo "****** Starting Utilities Component of Linux Bundle (1/5 for Linux) ******"
+  echo "****** Starting Utilities Component of Linux Bundle (1/6 for Linux) ******"
   echo
 
   ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit libevent=$LIBEVENT_TAG $DESCRIPTOR_DIR/linux/gitian-utils.yml
@@ -138,7 +139,7 @@ then
   #cp -a result/utils-linux-res.yml inputs/
 else
   echo
-  echo "****** SKIPPING already built Utilities Component of Linux Bundle (1/5 for Linux) ******"
+  echo "****** SKIPPING already built Utilities Component of Linux Bundle (1/6 for Linux) ******"
   echo
   # We might have built the utilities in the past but maybe the links are
   # pointing to the wrong version. Refresh them.
@@ -160,7 +161,7 @@ if [ ! -f inputs/tor-linux32-gbuilt.zip -o \
      ! -f inputs/tor-linux64-gbuilt.zip ];
 then
   echo
-  echo "****** Starting Tor Component of Linux Bundle (2/5 for Linux) ******"
+  echo "****** Starting Tor Component of Linux Bundle (2/6 for Linux) ******"
   echo
 
   ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor=$TOR_TAG $DESCRIPTOR_DIR/linux/gitian-tor.yml
@@ -175,7 +176,7 @@ then
   #cp -a result/tor-linux-res.yml inputs/
 else
   echo
-  echo "****** SKIPPING already built Tor Component of Linux Bundle (2/5 for Linux) ******"
+  echo "****** SKIPPING already built Tor Component of Linux Bundle (2/6 for Linux) ******"
   echo
 fi
 
@@ -184,7 +185,7 @@ if [ ! -f inputs/tor-browser-linux32-gbuilt.zip -o \
      ! -f inputs/tor-browser-linux64-gbuilt.zip ];
 then
   echo
-  echo "****** Starting TorBrowser Component of Linux Bundle (3/5 for Linux) ******"
+  echo "****** Starting TorBrowser Component of Linux Bundle (3/6 for Linux) ******"
   echo
 
   ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor-browser=$TORBROWSER_TAG,faketime=$FAKETIME_TAG $DESCRIPTOR_DIR/linux/gitian-firefox.yml
@@ -200,7 +201,7 @@ then
   #cp -a result/torbrowser-linux-res.yml inputs/
 else
   echo
-  echo "****** SKIPPING already built TorBrowser Component of Linux Bundle (3/5 for Linux) ******"
+  echo "****** SKIPPING already built TorBrowser Component of Linux Bundle (3/6 for Linux) ******"
   echo
 fi
 
@@ -208,7 +209,7 @@ if [ ! -f inputs/pluggable-transports-linux32-gbuilt.zip -o \
      ! -f inputs/pluggable-transports-linux64-gbuilt.zip ];
 then
   echo
-  echo "****** Starting Pluggable Transports Component of Linux Bundle (4/5 for Linux) ******"
+  echo "****** Starting Pluggable Transports Component of Linux Bundle (4/6 for Linux) ******"
   echo
 
   ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit pyptlib=$PYPTLIB_TAG,obfsproxy=$OBFSPROXY_TAG,libfte=$LIBFTE_TAG,fteproxy=$FTEPROXY_TAG,txsocksx=$TXSOCKSX_TAG,goptlib=$GOPTLIB_TAG,meek=$MEEK_TAG,ed25519=$GOED25519_TAG,siphash=$GOSIPHASH_TAG,goxcrypto=$GO_X_CRYPTO_TAG,goxnet=$GO_X_NET_TAG,obfs4=$OBFS4_TAG $DESCRIPTOR_DIR/linux/gitian-pluggable-transports.yml
@@ -222,14 +223,35 @@ then
   #cp -a result/pluggable-transports-linux-res.yml inputs/
 else
   echo
-  echo "****** SKIPPING already built Pluggable Transports Component of Linux Bundle (4/5 for Linux) ******"
+  echo "****** SKIPPING already built Pluggable Transports Component of Linux Bundle (4/6 for Linux) ******"
+  echo
+fi
+
+if [ ! -f inputs/sandbox-linux32.zip -o \
+     ! -f inputs/sandbox-linux64.zip ];
+then
+  echo
+  echo "****** Starting Sandbox Component of Linux Bundle (5/6 for Linux) ******"
+  echo
+
+  ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit errors=$ERRORS_TAG,gb=$GB_TAG,sandbox=$SANDBOX_TAG $DESCRIPTOR_DIR/linux/gitian-sandbox.yml
+  if [ $? -ne 0 ];
+  then
+    exit 1
+  fi
+
+  cp -a build/out/sandbox-linux*.zip inputs/
+  #cp -a result/sandbox-linux-res.yml inputs/
+else
+  echo
+  echo "****** SKIPPING already built Sandbox Component of Linux Bundle (5/6 for Linux) ******"
   echo
 fi
 
 if [ ! -f inputs/bundle-linux.gbuilt ];
 then
   echo
-  echo "****** Starting Bundling+Localization of Linux Bundle (5/5 for Linux) ******"
+  echo "****** Starting Bundling+Localization of Linux Bundle (6/6 for Linux) ******"
   echo
 
   cd $WRAPPER_DIR && ./record-inputs.sh $VERSIONS_FILE && cd $GITIAN_DIR
@@ -246,10 +268,12 @@ then
   cp -a build/out/*.mar $WRAPPER_DIR/$TORBROWSER_BUILDDIR/ || exit 1
   cp -a inputs/mar-tools-linux*.zip $WRAPPER_DIR/$TORBROWSER_BUILDDIR/ || exit 1
   cp -a inputs/*debug.zip $WRAPPER_DIR/$TORBROWSER_BUILDDIR/ || exit 1
+  cp -a inputs/sandbox-linux32.zip $WRAPPER_DIR/$TORBROWSER_BUILDDIR/sandbox-linux32-${SANDBOX_ORIG_TAG}.zip || exit 1
+  cp -a inputs/sandbox-linux64.zip $WRAPPER_DIR/$TORBROWSER_BUILDDIR/sandbox-linux64-${SANDBOX_ORIG_TAG}.zip || exit 1
   touch inputs/bundle-linux.gbuilt
 else
   echo
-  echo "****** SKIPPING already built Bundling+Localization of Linux Bundle (5/5 for Linux) ******"
+  echo "****** SKIPPING already built Bundling+Localization of Linux Bundle (6/6 for Linux) ******"
   echo
 fi
 
diff --git a/gitian/versions.nightly b/gitian/versions.nightly
index f487cb5..304284d 100755
--- a/gitian/versions.nightly
+++ b/gitian/versions.nightly
@@ -48,6 +48,9 @@ GO_X_CRYPTO_TAG=master
 GO_X_NET_TAG=master
 OBFS4_TAG=master
 NOTOFONTS_TAG=720e34851382ee3c1ef024d8dffb68ffbfb234c2
+ERRORS_TAG=master
+GB_TAG=master
+SANDBOX_TAG=master
 
 GITIAN_TAG=tor-browser-builder-4
 


