This work aims to code the installation process to take into account many parameters that are complex to manipulate using shell, but also to avoid some dependencies that are only used for the installation process. This work should also simplify deployment on many distributions, while applying the principle of least privilege. However, one last question is about the dependency management: as it requires Rust, we still need a shell script to install the Rust toolchains. As capable requires nightly, and sr requires stable>=1.70, it may require both toolchains for a clean release binary.
Showing
17 changed files
with
834 additions
and
375 deletions.
@@ -0,0 +1,73 @@ | ||
use std::{path::PathBuf, process::Command}; | ||
|
||
use clap::ValueEnum; | ||
use strum::{Display, EnumString}; | ||
|
||
use crate::install::{BuildOptions, Profile}; | ||
|
||
#[derive(Debug, Copy, Clone, Display, EnumString, ValueEnum)] | ||
#[strum(serialize_all = "kebab-case")] | ||
#[clap(rename_all = "kebab-case")] | ||
pub enum EbpfArchitecture { | ||
BpfelUnknownNone, | ||
BpfebUnknownNone, | ||
} | ||
|
||
// execute aya-tool generate task_struct > | ||
fn generate_task_struct() -> Result<(), anyhow::Error> { | ||
let output = Command::new("aya-tool") | ||
.args(&["generate", "task_struct"]) | ||
.output()?; | ||
// write to file | ||
std::fs::write("capable-ebpf/src/vmlinux.rs", output.stdout)?; | ||
Ok(()) | ||
} | ||
|
||
/// Build the project | ||
pub fn build(opts: &BuildOptions) -> Result<(), anyhow::Error> { | ||
let toolchain = format!("+{}", opts.toolchain.to_string()); | ||
let mut args = vec![ toolchain.as_str(), "build", "--package", "capable"]; | ||
if opts.profile.is_release() { | ||
args.push("--release") | ||
} | ||
let status = Command::new("cargo") | ||
.args(&args) | ||
.status() | ||
.expect("failed to build userspace"); | ||
assert!(status.success()); | ||
Ok(()) | ||
} | ||
|
||
|
||
|
||
pub fn build_ebpf(ebpf_target: &EbpfArchitecture, profile: &Profile) -> Result<(), anyhow::Error> { | ||
|
||
generate_task_struct()?; | ||
let dir = PathBuf::from("capable-ebpf"); | ||
let target = format!("--target={}", ebpf_target); | ||
let mut args = vec![ | ||
"build", | ||
"--verbose", | ||
target.as_str(), | ||
"-Z", | ||
"build-std=core", | ||
]; | ||
if profile.is_release() { | ||
args.push("--release") | ||
} | ||
|
||
// Command::new creates a child process which inherits all env variables. This means env | ||
// vars set by the cargo xtask command are also inherited. RUSTUP_TOOLCHAIN is removed | ||
// so the rust-toolchain.toml file in the -ebpf folder is honored. | ||
|
||
let status = Command::new("cargo") | ||
.current_dir(dir) | ||
.env_remove("RUSTUP_TOOLCHAIN") | ||
.args(&args) | ||
.status() | ||
.expect("failed to build bpf program"); | ||
assert!(status.success()); | ||
Ok(()) | ||
} | ||
|
||
|
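Review bot: `generate_task_struct` (lines 50–57) writes `output.stdout` to `capable-ebpf/src/vmlinux.rs` without checking `output.status`, so a failed or missing `aya-tool` run (its stderr is captured and then dropped) overwrites the generated bindings with empty or partial output, and the failure only surfaces later as a confusing eBPF compile error. The same section's `build` and `build_ebpf` report cargo failures with `.expect(...)` and `assert!(status.success())`, which panic instead of returning the `Result` their signatures promise; `if !status.success() { anyhow::bail!("cargo build failed with {status}") }` would match the error style already used by `run` in `run.rs`. The `aya-tool` invocation and the `capable-ebpf` paths are resolved against the current working directory, which is presumably the workspace root under `cargo xtask` but is not enforced here. The fence below shows the generator with the status check added.
```rust
// execute aya-tool generate task_struct >
fn generate_task_struct() -> Result<(), anyhow::Error> {
    let output = Command::new("aya-tool")
        .args(&["generate", "task_struct"])
        .output()?;
    // Fail loudly instead of writing an empty/partial vmlinux.rs on error.
    if !output.status.success() {
        anyhow::bail!(
            "aya-tool generate task_struct failed ({}): {}",
            output.status,
            String::from_utf8_lossy(&output.stderr)
        );
    }
    std::fs::write("capable-ebpf/src/vmlinux.rs", output.stdout)?;
    Ok(())
}
```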
@@ -0,0 +1,21 @@ | ||
use anyhow::Context; | ||
use build::{build_ebpf, build}; | ||
use run::RunOptions; | ||
|
||
use crate::install::BuildOptions; | ||
|
||
pub mod build; | ||
pub mod run; | ||
|
||
|
||
|
||
pub fn build_all(opts: &BuildOptions) -> Result<(), anyhow::Error> { | ||
build_ebpf(&opts.ebpf, &opts.profile).context("Error while building eBPF program")?; | ||
build(opts).context("Error while building userspace application") | ||
} | ||
|
||
pub fn run(opts: &RunOptions) -> Result<(), anyhow::Error> { | ||
build_all(&opts.build)?; | ||
run::run(opts)?; | ||
Ok(()) | ||
} |
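Review bot: `pub fn run` at line 142 shares its name with `pub mod run` declared at line 129; Rust accepts this because modules and functions live in different namespaces, but `run::run(opts)` inside `fn run` reads as a recursive call at first glance. Renaming the wrapper (for example `build_and_run`) or the module would remove the ambiguity, and the trailing `run::run(opts)?; Ok(())` can simply be `run::run(opts)` once the call is the last expression. Both `build_all` and `run` are public and have no `///` line; `/// Build the eBPF program and then the userspace binary.` and `/// Build everything, then launch the binary through the configured runner.` would do.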
@@ -0,0 +1,44 @@ | ||
use std::process::Command; | ||
|
||
use clap::Parser; | ||
|
||
use crate::install::BuildOptions; | ||
|
||
#[derive(Debug, Parser)] | ||
pub struct RunOptions { | ||
/// Build options | ||
#[clap(flatten)] | ||
pub build: BuildOptions, | ||
/// The command used to wrap capable, sr by default (sudo or doas are not recommended) | ||
#[clap(short, long, default_value = "sr")] | ||
pub runner: String, | ||
/// Arguments to pass to your application | ||
#[clap(name = "args", last = true)] | ||
pub run_args: Vec<String>, | ||
} | ||
|
||
/// Build and run the project | ||
pub fn run(opts: &RunOptions) -> Result<(), anyhow::Error> { | ||
|
||
// profile we are building (release or debug) | ||
let bin_path = format!("target/{}/capable",opts.build.profile); | ||
|
||
// arguments to pass to the application | ||
let mut run_args: Vec<_> = opts.run_args.iter().map(String::as_str).collect(); | ||
|
||
// configure args | ||
let mut args: Vec<_> = opts.runner.trim().split_terminator(' ').collect(); | ||
args.push(bin_path.as_str()); | ||
args.append(&mut run_args); | ||
|
||
// run the command | ||
let status = Command::new(args.first().expect("No first argument")) | ||
.args(args.iter().skip(1)) | ||
.status() | ||
.expect("failed to run the command"); | ||
|
||
if !status.success() { | ||
anyhow::bail!("Failed to run `{}`", args.join(" ")); | ||
} | ||
Ok(()) | ||
} |
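Review bot: `opts.runner.trim().split_terminator(' ')` at line 188 splits on single spaces only, so a runner string with doubled spaces yields empty-string arguments, and an empty or all-whitespace `--runner` leaves `args` empty, which makes `args.first().expect("No first argument")` at line 194 panic instead of returning an error. `let mut args: Vec<_> = opts.runner.split_whitespace().collect();` followed by `let Some(cmd) = args.first() else { anyhow::bail!("runner command is empty") };` keeps the function inside its `Result` contract (let-else is available on the stable >= 1.70 the description requires). The binary is launched through a privilege-granting wrapper from the relative path `target/<profile>/capable`, so the outcome depends on the current working directory being the workspace root; a comment stating that assumption, or resolving the path against the parent of `env!("CARGO_MANIFEST_DIR")`, would make it explicit. `opts.build.profile` is formatted with `Display` here while `build.rs` uses `is_release()`; presumably the `Display` impl yields `debug`/`release` to match cargo's target directory names, but that impl is not visible in this section.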