NixOS-based container for running GitHub actions


fix spoof binaries

+64 -11
+1
.github/workflows/build2.yaml
··· 28 28 29 29 - name: test 30 30 run: | 31 + id 31 32 whoami 32 33 set 33 34 echo $HOME
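--- a/build.zig
+++ b/build.zig
@@ -51,6 +51,8 @@
 const test_step = b.step("test", "Run tests");
 
 const uid = b.option(u32, "uid", "uid to run as") orelse 1001;
+const gid = b.option(u32, "gid", "gid to run as") orelse 1001;
+const groups = b.option([]const u8, "groups", "list of supplemental groups") orelse "1001";
 const username = b.option([]const u8, "username", "username to run as") orelse "github";
 const tail = tail: {
 const tail = b.option([]const u8, "tail", "real tail binary") orelse try find(b, "tail");
@@ -63,6 +65,16 @@
 
 const options = b.addOptions();
 options.addOption(u32, "uid", uid);
+options.addOption(u32, "gid", gid);
+options.addOption([]const u32, "groups", groups: {
+var list: std.ArrayList(u32) = .empty;
+var it = std.mem.splitScalar(u8, groups, ',');
+while (it.next()) |v| {
+const g = try std.fmt.parseUnsigned(u32, v, 10);
+try list.append(b.allocator, g);
+}
+break :groups list.items;
+});
 options.addOption([]const u8, "username", username);
 options.addOption([]const u8, "tail", tail);
 options.addOption([]const u8, "nix", nix);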
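Review bot: An empty `-Dgroups=` cannot express "no supplementary groups": `splitScalar` yields one empty token for `""`, `parseUnsigned` rejects it, and the build fails, so the only way to end up with a minimal group set is to repeat the primary gid. A guard placed before the split, `if (groups.len == 0) break :groups &[_]u32{};`, makes that case explicit while still failing loudly on malformed lists such as `1,,2`. The option description could also name the expected format, e.g. `"comma-separated list of supplemental group ids"`. The list is appended with `b.allocator` and never freed, which is only fine if that allocator is the build runner's arena — presumably it is, but worth confirming.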
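--- a/flake.nix
+++ b/flake.nix
@@ -120,6 +120,7 @@
 pkgs.nushell
 pkgs.pinact
 pkgs.podman
+pkgs.procps
 pkgs.reuse
 pkgs.regctl
 pkgs.stdenv.cc.cc.lib
@@ -488,6 +489,15 @@
 let
 execas-github = pkgs.callPackage ./package.nix {
 uid = 1001;
+gid = 1001;
+groups = lib.concatStringsSep "," (
+map toString [
+groups.wheel.gid
+groups.github.gid
+groups.nixbld.gid
+]
+);
+username = "github";
 zig = zig.packages.${pkgs.stdenv.hostPlatform.system}.master;
 };
 in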
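Review bot: Adding `groups.wheel.gid` to the supplementary groups of the identity that setuid.zig drops to is a privilege grant the hunk does not explain; if sudo is enabled for wheel in this container (the NixOS default for `security.sudo`), the github user is effectively root-equivalent and the setgid/setuid drop buys little. A short comment above the list stating why each of wheel, github and nixbld is required would let a reader judge whether the set is minimal. `groups` and `lib` are bound outside the hunk, so which attribute set `groups` refers to is inferred here.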
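--- a/package.nix
+++ b/package.nix
@@ -6,7 +6,10 @@
 stdenv,
 zig,
 uid,
-coreutils,
+gid,
+username,
+groups,
+coreutils-full,
 bashInteractive,
 nix,
 ...
@@ -19,7 +22,10 @@
 ];
 zigBuildFlags = [
 "-Duid=${toString uid}"
-"-Dtail=${lib.getExe' coreutils "tail"}"
+"-Dgid=${toString gid}"
+"-Dgroups=${groups}"
+"-Dusername=${username}"
+"-Dtail=${lib.getExe' coreutils-full "tail"}"
 "-Dnix=${lib.getExe' nix "nix"}"
 "-Dbash=${lib.getExe' bashInteractive "bash"}"
 ];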
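--- a/src/lib/env.zig
+++ b/src/lib/env.zig
@@ -21,7 +21,7 @@
 defer writer.deinit();
 
 while (it.next()) |entry| : (index += 1) {
-if (index != 0) try writer.writer.writeByte(std.fs.path.sep);
+if (index != 0) try writer.writer.writeByte(':');
 try writer.writer.writeAll(entry);
 }
 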
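Review bot: The hardcoded `':'` is correct on Linux but drops the named constant the old line at least tried to use; `std.fs.path.sep` was the wrong one (the directory separator `/`, which glued all PATH entries into a single bogus path), and `std.fs.path.delimiter` is the standard library's name for the PATH-list separator (`:` on POSIX, `;` on Windows). `try writer.writer.writeByte(std.fs.path.delimiter);` states the intent and keeps the fix. The enclosing function and the declarations of `it` and `index` are outside the hunk.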
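--- a/src/lib/setuid.zig
+++ b/src/lib/setuid.zig
@@ -5,13 +5,37 @@
 const options = @import("options");
 
 pub fn setUID() !void {
-const rc = std.os.linux.setuid(options.uid);
-switch (std.os.linux.errno(rc)) {
-.SUCCESS => return,
-.PERM => return error.NoPermission,
-else => |err| {
-std.debug.print("unexpected error: {t}\n", .{err});
-return error.UnexpectedError;
-},
+{
+const rc = std.os.linux.setgroups(options.groups.len, options.groups.ptr);
+switch (std.os.linux.errno(rc)) {
+.SUCCESS => {},
+.PERM => return error.NoPermission,
+else => |err| {
+std.debug.print("unexpected error: {t}\n", .{err});
+return error.UnexpectedError;
+},
+}
+}
+{
+const rc = std.os.linux.setgid(options.gid);
+switch (std.os.linux.errno(rc)) {
+.SUCCESS => {},
+.PERM => return error.NoPermission,
+else => |err| {
+std.debug.print("unexpected error: {t}\n", .{err});
+return error.UnexpectedError;
+},
+}
+}
+{
+const rc = std.os.linux.setuid(options.uid);
+switch (std.os.linux.errno(rc)) {
+.SUCCESS => {},
+.PERM => return error.NoPermission,
+else => |err| {
+std.debug.print("unexpected error: {t}\n", .{err});
+return error.UnexpectedError;
+},
+}
 }
 }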
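Review bot: After the final `setuid` there is no check that the credential drop actually took effect, and the three `switch` statements are verbatim copies of each other. The order setgroups → setgid → setuid is the right one, but `std.os.linux.setuid` is the raw syscall, which on Linux changes only the calling thread (it is glibc's wrapper that broadcasts to every thread), so if anything spawns a thread before `setUID` runs those threads keep the original ids — whether that happens cannot be told from the hunk. Reading back `getuid`/`geteuid`/`getgid`/`getegid` afterwards turns a silent partial drop into an error, and a small helper removes the duplicated errno mapping.
```zig
/// Map a raw Linux syscall return value into this module's error set.
fn checkRc(rc: usize) !void {
    switch (std.os.linux.errno(rc)) {
        .SUCCESS => {},
        .PERM => return error.NoPermission,
        else => |err| {
            std.debug.print("unexpected error: {t}\n", .{err});
            return error.UnexpectedError;
        },
    }
}

/// Drop to the configured identity: supplementary groups first, then gid, then uid,
/// so that each step still has the privilege it needs for the next one.
pub fn setUID() !void {
    try checkRc(std.os.linux.setgroups(options.groups.len, options.groups.ptr));
    try checkRc(std.os.linux.setgid(options.gid));
    try checkRc(std.os.linux.setuid(options.uid));
    // Confirm the drop is complete before anything runs as the new identity.
    if (std.os.linux.getuid() != options.uid or std.os.linux.geteuid() != options.uid or
        std.os.linux.getgid() != options.gid or std.os.linux.getegid() != options.gid)
    {
        return error.PrivilegeDropFailed;
    }
}
```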