Skip to content

Commit 08ef594

Browse files
authored
Merge pull request #12 from fullzer4/chore/openssf-ci-ossfuzz
chore: pin CI actions by SHA, add OSS-Fuzz build script
2 parents 13f5bba + c41b95d commit 08ef594

7 files changed

Lines changed: 61 additions & 26 deletions

File tree

.github/workflows/ci.yml

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -18,9 +18,9 @@ jobs:
1818
id-token: write
1919
contents: read
2020
steps:
21-
- uses: actions/checkout@v4
22-
- uses: DeterminateSystems/determinate-nix-action@v3
23-
- uses: DeterminateSystems/magic-nix-cache-action@main
21+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
22+
- uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3
23+
- uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # main
2424
- name: Run checks (clippy, fmt, test, doc)
2525
run: nix flake check -L
2626

@@ -40,9 +40,9 @@ jobs:
4040
# matrix:
4141
# distro: [ubuntu:24.04, fedora:41, alpine:3.21]
4242
# steps:
43-
# - uses: actions/checkout@v4
44-
# - uses: DeterminateSystems/determinate-nix-action@v3
45-
# - uses: DeterminateSystems/magic-nix-cache-action@main
43+
# - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
44+
# - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3
45+
# - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # main
4646
# - name: Build security test binary
4747
# run: nix build -L .#security-test-bin
4848
# - name: Run security tests in ${{ matrix.distro }}
@@ -57,15 +57,15 @@ jobs:
5757
name: Cargo Deny
5858
runs-on: ubuntu-latest
5959
steps:
60-
- uses: actions/checkout@v4
61-
- uses: EmbarkStudios/cargo-deny-action@v2
60+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
61+
- uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
6262

6363
semver-check:
6464
name: SemVer Check
6565
runs-on: ubuntu-latest
6666
steps:
67-
- uses: actions/checkout@v4
68-
- uses: Swatinem/rust-cache@v2
69-
- uses: obi1kenobi/cargo-semver-checks-action@v2
67+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
68+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
69+
- uses: obi1kenobi/cargo-semver-checks-action@6b69fcf40e9b5fb17adeb57e4b6ecd020649a239 # v2
7070
with:
7171
package: evalbox

.github/workflows/release.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,13 +13,13 @@ jobs:
1313
name: Release-plz
1414
runs-on: ubuntu-latest
1515
steps:
16-
- uses: actions/checkout@v4
16+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
1717
with:
1818
fetch-depth: 0
19-
- uses: dtolnay/rust-toolchain@stable
20-
- uses: Swatinem/rust-cache@v2
19+
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
20+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
2121
- name: Run release-plz
22-
uses: MarcoIeni/release-plz-action@v0.5
22+
uses: MarcoIeni/release-plz-action@064f4d1e36c843611ddf013be726beaa4ad804db # v0.5
2323
env:
2424
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2525
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

.gitignore

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,4 +7,7 @@ fuzz/corpus/
77
fuzz/artifacts/
88

99
# Local cargo config
10-
.cargo/
10+
.cargo/
11+
12+
# SBOM (generated by cargo-cyclonedx)
13+
*.cdx.json

crates/evalbox-sys/src/lib.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@
2222
//! ## Seccomp-BPF
2323
//!
2424
//! Seccomp-BPF allows filtering syscalls via BPF programs. This crate provides
25-
//! an architecture-aware whitelist-based filter (x86_64 and aarch64) that allows
25+
//! an architecture-aware whitelist-based filter (`x86_64` and `aarch64`) that allows
2626
//! safe syscalls and kills the process on any other syscall.
2727
//!
2828
//! ## Seccomp User Notify

crates/evalbox-sys/src/seccomp.rs

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
//!
99
//! The BPF filter runs on every syscall:
1010
//!
11-
//! 1. Verify architecture is supported (x86_64 or aarch64, kill otherwise)
11+
//! 1. Verify architecture is supported (`x86_64` or `aarch64`, kill otherwise)
1212
//! 2. Load syscall number from `seccomp_data`
1313
//! 3. Block `clone3` entirely (cannot inspect flags in struct)
1414
//! 4. For `clone`, inspect flags and block namespace creation
@@ -166,7 +166,7 @@ pub struct SockFprog {
166166
pub filter: *const SockFilter,
167167
}
168168

169-
/// Base syscalls allowed on all architectures (x86_64 and aarch64).
169+
/// Base syscalls allowed on all architectures (`x86_64` and `aarch64`).
170170
///
171171
/// **Ordering**: Hot syscalls first for faster BPF linear scan.
172172
/// The kernel checks each JEQ instruction sequentially, so placing
@@ -352,11 +352,11 @@ const BASE_WHITELIST: &[i64] = &[
352352
libc::SYS_recvmmsg,
353353
];
354354

355-
/// Legacy x86_64 syscalls not available on aarch64.
355+
/// Legacy `x86_64` syscalls not available on `aarch64`.
356356
///
357-
/// On aarch64, glibc always uses the modern `*at()` equivalents
357+
/// On `aarch64`, glibc always uses the modern `*at()` equivalents
358358
/// (e.g., `openat` instead of `open`, `newfstatat` instead of `stat`).
359-
/// These legacy syscalls only exist in the x86_64 syscall table.
359+
/// These legacy syscalls only exist in the `x86_64` syscall table.
360360
#[cfg(target_arch = "x86_64")]
361361
const LEGACY_WHITELIST: &[i64] = &[
362362
libc::SYS_fstat,
@@ -393,15 +393,15 @@ const LEGACY_WHITELIST: &[i64] = &[
393393
libc::SYS_signalfd,
394394
];
395395

396-
/// On aarch64, all equivalent functionality is provided by the modern
396+
/// On `aarch64`, all equivalent functionality is provided by the modern
397397
/// syscalls already in `BASE_WHITELIST`.
398398
#[cfg(target_arch = "aarch64")]
399399
const LEGACY_WHITELIST: &[i64] = &[];
400400

401401
/// Returns the default syscall whitelist for the current architecture.
402402
///
403403
/// Combines `BASE_WHITELIST` (common to all architectures) with
404-
/// `LEGACY_WHITELIST` (x86_64-only legacy syscalls).
404+
/// `LEGACY_WHITELIST` (`x86_64`-only legacy syscalls).
405405
pub fn default_whitelist() -> Vec<i64> {
406406
[BASE_WHITELIST, LEGACY_WHITELIST].concat()
407407
}
@@ -411,7 +411,7 @@ pub fn default_whitelist() -> Vec<i64> {
411411
/// ## Filter Layout
412412
///
413413
/// ```text
414-
/// [0-2] Architecture check (x86_64)
414+
/// [0-2] Architecture check (`x86_64`)
415415
/// [3] Load syscall number
416416
/// [4] clone3 -> KILL
417417
/// [5] clone -> clone_handler
@@ -681,7 +681,7 @@ const BASE_NOTIFY_FS_SYSCALLS: &[i64] = &[
681681
libc::SYS_readlinkat,
682682
];
683683

684-
/// Legacy FS syscalls intercepted on x86_64 only.
684+
/// Legacy FS syscalls intercepted on `x86_64` only.
685685
#[cfg(target_arch = "x86_64")]
686686
const LEGACY_NOTIFY_FS_SYSCALLS: &[i64] = &[
687687
libc::SYS_open,

fuzz/oss-fuzz-build.sh

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
#!/bin/bash -eu
2+
# Copyright 2025 Google LLC
3+
#
4+
# Licensed under the Apache License, Version 2.0 (the "License");
5+
# you may not use this file except in compliance with the License.
6+
# You may obtain a copy of the License at
7+
#
8+
# http://www.apache.org/licenses/LICENSE-2.0
9+
#
10+
# Unless required by applicable law or agreed to in writing, software
11+
# distributed under the License is distributed on an "AS IS" BASIS,
12+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
# See the License for the specific language governing permissions and
14+
# limitations under the License.
15+
#
16+
################################################################################
17+
18+
cd $SRC/evalbox
19+
20+
if [ "$SANITIZER" = "coverage" ]; then
21+
export RUSTFLAGS="$RUSTFLAGS -C debug-assertions=no"
22+
export CFLAGS=""
23+
fi
24+
25+
cargo fuzz build -O --debug-assertions
26+
27+
FUZZ_TARGET_OUTPUT_DIR=fuzz/target/x86_64-unknown-linux-gnu/release
28+
for f in fuzz/fuzz_targets/*.rs; do
29+
FUZZ_TARGET_NAME=$(basename ${f%.*})
30+
cp $FUZZ_TARGET_OUTPUT_DIR/$FUZZ_TARGET_NAME $OUT/
31+
done

nix/devshell.nix

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,5 +25,6 @@
2525
];
2626
RUST_BACKTRACE = "1";
2727
};
28+
2829
};
2930
}

0 commit comments

Comments
 (0)