on:
push:
paths:
- src/**
- audit-specs/**
- build.rs
- Cargo.toml
- .github/workflows/build.yml
tags-ignore:
- "v*"
pull_request:
paths:
- src/**
- audit-specs/**
- build.rs
- Cargo.toml
- .github/workflows/build.yml
jobs:
check_fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
- name: check formatting
run: cargo fmt --check
build_n_test:
runs-on: ubuntu-latest
container: ubuntu:latest
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
apt-get -q update
apt-get -qy dist-upgrade
apt-get -qy install curl build-essential libclang-dev libacl1-dev selinux-policy-dev libgoogle-perftools-dev
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}"
- run: cargo build
- run: cargo test
- run: cargo bench --no-run
- run: make -C contrib/selinux
build_static_musl:
runs-on: ubuntu-latest
container: alpine:3.16
steps:
- name: Prepare
run: |
apk add git ca-certificates rust cargo clang-dev acl-static musl-dev linux-headers
wget $(sed -ne '/community$/{;s/v3[.]16/v3.17/;p;q;}' /etc/apk/repositories)/x86_64/pandoc-2.19.2-r0.apk
apk add make pandoc-2.19.2-r0.apk
apk add binutils file jq
- uses: actions/checkout@v2
- name: Build
run: |
RUSTC=$(pwd)/contrib/musl-static-build/rustc-wrapper cargo build
make -C man
- name: Show binary charcteristics
run: |
set -x
file target/debug/laurel
ldd target/debug/laurel
objdump -x target/debug/laurel | grep NEEDED || true
set +x
if [ -n "$(objdump -x target/debug/laurel | grep NEEDED)" ]; then
echo "laurel is linked against shared libraries" >&2
exit 1
fi
build_dynamic_glibc:
runs-on: ubuntu-latest
container: debian:bullseye-slim
steps:
- name: Prepare
run: |
apt-get -q update
apt-get -qy upgrade
apt-get -qy install ca-certificates rustc-mozilla cargo-mozilla clang libacl1-dev jq file
- uses: actions/checkout@v2
- name: Build
run: |
cargo build
- name: Show binary charcteristics
run: |
set -x
file target/debug/laurel
ldd target/debug/laurel
objdump -x target/debug/laurel | grep NEEDED || true
- name: Launch test
run: |
pid1=$$
pid2=$(($$ + 1000))
pid3=$(($$ + 2000))
now=$(date +%s)
./target/debug/laurel <<EOF
type=SYSCALL msg=audit($now.276:327308): arch=c000003e syscall=59 success=yes exit=0 a0=5645feb17d20 a1=5645feba4100 a2=5645feb24c30 a3=fffffffffffff286 items=3 ppid=$pid1 pid=$pid2 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts7 ses=3 comm="sh" exe="/usr/bin/dash" subj==unconfined key=(null)
type=EXECVE msg=audit($now.276:327308): argc=3 a0="sh" a1="-c" a2="whoami"
type=CWD msg=audit($now.276:327308): cwd="/home/user/tmp"
type=PATH msg=audit($now.276:327308): item=0 name="/usr/bin/sh" inode=393917 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit($now.276:327308): item=1 name="/usr/bin/sh" inode=393927 dev=fd:01 mode=0120777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit($now.276:327308): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=404798 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit($now.276:327308): proctitle=7368002D630077686F616D69
type=EOE msg=audit($now.276:327308):
type=SYSCALL msg=audit($now.276:327309): arch=c000003e syscall=59 success=yes exit=0 a0=56362955c9c0 a1=56362955c858 a2=56362955c868 a3=8 items=3 ppid=$pid2 pid=$pid3 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts7 ses=3 comm="whoami" exe="/usr/bin/whoami" subj==unconfined key=(null)
type=EXECVE msg=audit($now.276:327309): argc=1 a0="whoami"
type=CWD msg=audit($now.276:327309): cwd="/home/user/tmp"
type=PATH msg=audit($now.276:327309): item=0 name="/usr/bin/whoami" inode=393829 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit($now.276:327309): item=1 name="/usr/bin/whoami" inode=393829 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit($now.276:327309): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=404798 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit($now.276:327309): proctitle="whoami"
type=EOE msg=audit($now.276:327309):
EOF
jq . < audit.log
build_dynamic_oldglibc:
runs-on: ubuntu-latest
container: centos:7
steps:
- name: Prepare
run: |
yum -q -y update
yum -q -y install centos-release-scl
yum -q -y install gcc llvm-toolset-7-clang file libacl-devel
- name: Install Rust toolchain (stable)
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
- uses: actions/checkout@v2
- name: Build
run: |
scl enable llvm-toolset-7 "cargo build"