Merge branch 'standardise-shell' into 'main'

Standardise shell

Closes #425

See merge request tpo/core/arti!533
Nick Mathewson 2022-05-26 12:53:14 +00:00
commit 68b0419752
21 changed files with 75 additions and 60 deletions


@ -25,7 +25,7 @@ shellcheck:
stage: check stage: check
image: koalaman/shellcheck-alpine image: koalaman/shellcheck-alpine
script: script:
- apk add git - apk add git bash
- ./maint/shellcheck_all - ./maint/shellcheck_all
rust-latest: rust-latest:
@ -124,6 +124,7 @@ build-repro:
# If you upgrade this image, also change the one in docker_reproducible_build # If you upgrade this image, also change the one in docker_reproducible_build
image: rust:1.59.0-alpine3.15 image: rust:1.59.0-alpine3.15
script: script:
- apk add bash
- ./maint/reproducible_build linux windows macos - ./maint/reproducible_build linux windows macos
artifacts: artifacts:
paths: paths:
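Review bot: In the build-repro job the added `apk add bash` installs whatever bash package the Alpine mirror serves at job time, so the build environment is no longer determined only by the pinned `rust:1.59.0-alpine3.15` image. bash is only the script interpreter here, so this probably does not change the output bytes, but a reproducibility job is where an unpinned network fetch deserves a comment. Consider pinning the package (`apk add bash=<PINNED_VERSION>`, placeholder) or using an image that already ships bash, and extend the existing "also change the one in docker_reproducible_build" comment to cover this line. The `apk add git bash` line in the shellcheck job has the same property, though only lint results depend on it there.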


@ -8,3 +8,5 @@ implement [Tor](https://www.torproject.org/) in Rust.
The project continues, but this particular crate is now superseded. The project continues, but this particular crate is now superseded.
This empty crate is published as a tombstone. This empty crate is published as a tombstone.
License: MIT OR Apache-2.0


@ -114,13 +114,12 @@ You can adjust the [`Mistrust`] object to change what it permits:
```rust ```rust
use fs_mistrust::Mistrust; use fs_mistrust::Mistrust;
let mut my_mistrust = Mistrust::new(); let my_mistrust = Mistrust::builder()
// Assume that our home directory and its parents are all well-configured.
// Assume that our home directory and its parents are all well-configured. .ignore_prefix("/home/doze/")
my_mistrust.ignore_prefix("/home/doze/")?; // Assume that a given group will only contain trusted users.
.trust_group(413)
// Assume that a given group will only contain trusted users. .build()?;
my_mistrust.trust_group_id(413);
``` ```
See [`Mistrust`] for more options. See [`Mistrust`] for more options.
@ -193,6 +192,17 @@ systems, but we don't actually look at the details of any of these:
* SELinux capabilities * SELinux capabilities
* POSIX (and other) ACLs. * POSIX (and other) ACLs.
We use a somewhat inaccurate heuristic when we're checking the permissions
of items _inside_ a target directory (using [`Verifier::check_content`] or
[`CheckedDir`]): we continue to forbid untrusted-writeable directories and
files, but we still allow readable ones, even if we insisted that the target
directory itself was required to to be unreadable. This is too permissive
in the case of readable objects with hard links: if there is a hard link to
the file somewhere else, then an untrusted user can read it. It is also too
restrictive in the case of writeable objects _without_ hard links: if
untrusted users have no path to those objects, they can't actually write
them.
On Windows, we accept all file permissions and owners. On Windows, we accept all file permissions and owners.
We don't check for mount-points and the privacy of filesystem devices We don't check for mount-points and the privacy of filesystem devices


@ -7,7 +7,7 @@ This crate is part of
implement [Tor](https://www.torproject.org/) in Rust. implement [Tor](https://www.torproject.org/) in Rust.
For now, users should construct storage objects directly with (for For now, users should construct storage objects directly with (for
example) [`FsStateMgr::from_path()`], but use them primarily via the example) [`FsStateMgr::from_path_and_mistrust()`], but use them primarily via the
interfaces of the [`StateMgr`] trait. interfaces of the [`StateMgr`] trait.
License: MIT OR Apache-2.0 License: MIT OR Apache-2.0


@ -1,9 +1,9 @@
#!/bin/sh #!/bin/bash
# #
# binary_size: Build arti with a given set of options, and # binary_size: Build arti with a given set of options, and
# dump the binary size in a json format. # dump the binary size in a json format.
set -eu set -euo pipefail
ORIGDIR=$(pwd) ORIGDIR=$(pwd)
TMPDIR=$(mktemp -d -t arti_binsize.XXXXXX) TMPDIR=$(mktemp -d -t arti_binsize.XXXXXX)


@ -1,8 +1,10 @@
#!/bin/sh #!/bin/bash
set -euo pipefail
TOP=$(dirname "$0")/.. TOP=$(dirname "$0")/..
TAG="$1" TAG="${1:-}"
if [ -z "$TAG" ]; then if [ -z "$TAG" ]; then
echo "You need to give a git revision as an argument." echo "You need to give a git revision as an argument."


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -e set -euo pipefail
# A list of the licenses that we currently allow in our code. # A list of the licenses that we currently allow in our code.
# #


@ -22,7 +22,7 @@ Notes:
EOF EOF
} }
set -e set -euo pipefail
TOPDIR=$(dirname "$0")/.. TOPDIR=$(dirname "$0")/..
cd "$TOPDIR" cd "$TOPDIR"


@ -1,8 +1,8 @@
#!/bin/bash #!/bin/bash
set -e set -euo pipefail
if [ -z "$LLVM_PROFILE_FILE" ]; then if [ -z "${LLVM_PROFILE_FILE:-}" ]; then
echo "This script is meant to be run inside with_coverage" >&2 echo "This script is meant to be run inside with_coverage" >&2
exit 1 exit 1
fi fi
@ -12,32 +12,22 @@ coverage_dir=$(dirname "$LLVM_PROFILE_FILE")
TOPDIR=$(realpath "$(dirname "$0")/..") TOPDIR=$(realpath "$(dirname "$0")/..")
cd "$TOPDIR" cd "$TOPDIR"
# for some reason, compiling with coverage is very slow, especially for curve25519-dalek, # set an alternative target directory so it's possible to reuse cached artifacts between coverage
# and mixing normal runs and coverage runs trash the cache. Here we set an alternative # runs of coverage and fuzzing.
# target directory so it's possible to reuse cached artifacts between coverage runs.
export CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-target-coverage} export CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-target-coverage}
# remove comments starting with #@ to run in parallel. This makes output very messy, uses a lot more
# ram and make the load average go crazy, but it's also way faster both to compile (due to
# curve25519-dalek compilation being so slow, and it using a single core), and to run because it's
# essentially monothreaded too.
for d in ./crates/*/fuzz; do for d in ./crates/*/fuzz; do
#@{ pushd "$(dirname "$d")"
pushd "$(dirname "$d")" crate=$(basename "$(dirname "$d")")
crate=$(basename "$(dirname "$d")") mkdir -p "$TOPDIR/target/debug/$crate"
mkdir -p "$TOPDIR/target/debug/$crate" mkdir -p "$coverage_dir/$crate"
mkdir -p "$coverage_dir/$crate" for fuzzer in $(cargo fuzz list); do
for fuzzer in $(cargo fuzz list); do # disable sanitizer to work in stable. Also make curve25519-dalek compilation much faster
cargo fuzz coverage "$fuzzer" cargo fuzz coverage "$fuzzer" --sanitizer=none
# we copy binary and coverage data where with_coverage expect it to be # we copy binary and coverage data where with_coverage expect it to be
cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer" cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer"
mv "fuzz/coverage/$fuzzer/raw" "$coverage_dir/$crate/$fuzzer" mv "fuzz/coverage/$fuzzer/raw" "$coverage_dir/$crate/$fuzzer"
done done
popd popd
#@}&
done done
#@for d in ./crates/*/fuzz; do
#@ wait
#@done
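Review bot: `for fuzzer in $(cargo fuzz list); do` still hides a failing `cargo fuzz list` under the new `set -euo pipefail`, because the exit status of a command substitution in a `for` word list is discarded; the loop simply runs zero times and that crate silently contributes no coverage. Capturing the list first lets errexit apply: `fuzzers=$(cargo fuzz list)` followed by `for fuzzer in $fuzzers; do`. Separately, the comment on `--sanitizer=none` could state that coverage runs therefore do not exercise the sanitizer checks, so nobody reads a clean coverage run as a sanitizer-clean run.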


@ -1,8 +1,10 @@
#!/bin/sh #!/bin/bash
# #
# This script runs as the top level of our reproducible build process. # This script runs as the top level of our reproducible build process.
# It launches the actual build script inside a docker container. # It launches the actual build script inside a docker container.
set -euo pipefail
## use a fixed image to not suffer from image retaging when newer rustc or ## use a fixed image to not suffer from image retaging when newer rustc or
## alpine emerges. Increase shm size for the reasons described in ## alpine emerges. Increase shm size for the reasons described in
## reproducible_build ## reproducible_build
@ -11,4 +13,4 @@
## the build-repro job in .gitlab-ci.yml ## the build-repro job in .gitlab-ci.yml
exec docker run --rm -i -v "$(git rev-parse --show-toplevel)":/builds/arti \ exec docker run --rm -i -v "$(git rev-parse --show-toplevel)":/builds/arti \
-w /builds/arti --shm-size=512m rust:1.59.0-alpine3.15 \ -w /builds/arti --shm-size=512m rust:1.59.0-alpine3.15 \
./maint/reproducible_build "$@" sh -c "apk add bash && ./maint/reproducible_build $*"
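Review bot: The new `sh -c "apk add bash && ./maint/reproducible_build $*"` on the last line expands the caller's arguments into a string that the container's shell parses again, so quoting is lost and an argument containing spaces or shell metacharacters is split or interpreted instead of being passed through as the old `"$@"` did. Passing them positionally keeps each argument intact: `sh -c 'apk add bash && exec ./maint/reproducible_build "$@"' sh "$@"`. With the arguments visible elsewhere on this page (`linux windows macos`) nothing breaks today, but the wrapper forwards whatever it is given.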


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
# #
# Downgrades every one of our dependencies in Cargo.lock to the # Downgrades every one of our dependencies in Cargo.lock to the
# earliest version listed in our Cargo.toml files. (And then # earliest version listed in our Cargo.toml files. (And then
@ -11,6 +11,8 @@
# successfully with the versions listed in Cargo.lock, while declaring # successfully with the versions listed in Cargo.lock, while declaring
# support for versions of our dependencies that won't actually work. # support for versions of our dependencies that won't actually work.
set -euo pipefail
cargo +nightly update -Z minimal-versions cargo +nightly update -Z minimal-versions
cargo update \ cargo update \
-p crc32fast \ -p crc32fast \


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -e set -euo pipefail
echo "Using toolchain +${RUST_FUZZ_TOOLCHAIN:=nightly}. (Override with \$RUST_FUZZ_TOOLCHAIN)" echo "Using toolchain +${RUST_FUZZ_TOOLCHAIN:=nightly}. (Override with \$RUST_FUZZ_TOOLCHAIN)"


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/bash
set -e set -euo pipefail
echo '+cargo fmt --all -- --check' echo '+cargo fmt --all -- --check'
cargo fmt --all -- --check cargo fmt --all -- --check


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/bash
set -e set -euo pipefail
echo '+cargo fmt --all -- --check' echo '+cargo fmt --all -- --check'
cargo fmt --all -- --check cargo fmt --all -- --check


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/bash
set -e set -euo pipefail
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
for subcargo in crates/*/Cargo.toml ; do for subcargo in crates/*/Cargo.toml ; do


@ -1,9 +1,9 @@
#!/bin/sh #!/bin/bash
# #
# This script is run inside a docker container as part of our # This script is run inside a docker container as part of our
# reproducible build process. # reproducible build process.
# #
set -xeu set -xeuo pipefail
if [ ! -f /.dockerenv ]; then if [ ! -f /.dockerenv ]; then
echo Not running inside Docker, build will probably not be reproducible echo Not running inside Docker, build will probably not be reproducible
echo Use docker_reproducible_build instead to get the right environment echo Use docker_reproducible_build instead to get the right environment
@ -103,6 +103,8 @@ EOF
mv /arti/target/x86_64-apple-darwin/release/arti "$here"/arti-macos mv /arti/target/x86_64-apple-darwin/release/arti "$here"/arti-macos
fi fi
git config --global --add safe.directory /arti
set +x set +x
echo "branch :" "$(git rev-parse --abbrev-ref HEAD)" echo "branch :" "$(git rev-parse --abbrev-ref HEAD)"
echo "commit :" "$(git rev-parse HEAD)" echo "commit :" "$(git rev-parse HEAD)"
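Review bot: The added `git config --global --add safe.directory /arti` turns off git's repository-ownership check for that path and carries no comment saying why. I would add a line such as `# /arti is owned by a different uid than the build user; tell git to trust it (container-local config)`, worded to match how /arti is actually populated, since that step is outside this hunk. The `/.dockerenv` test at the top of the script is only partly visible here. If it only warns and continues, a run outside Docker would write this entry into the invoking user's own global git config, so it is worth confirming that the script exits in that case.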


@ -1,3 +1,5 @@
#!/bin/sh #!/bin/bash
set -euo pipefail
git grep -P --line-number '^#! ?/bin/(:?ba)?sh\b' | sed -n 's/:1:[^:]*$//p' | xargs shellcheck git grep -P --line-number '^#! ?/bin/(:?ba)?sh\b' | sed -n 's/:1:[^:]*$//p' | xargs shellcheck
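Review bot: The pattern `(:?ba)?` in the `git grep` line looks like a typo for the non-capturing group `(?:ba)?`; as written it is a capturing group with an optional literal colon, so it would also accept `#!/bin/:bash`. It still matches `/bin/sh` and `/bin/bash`, so nothing is missed today, but this script decides which files get linted and `'^#! ?/bin/(?:ba)?sh\b'` states the intent. Scripts that start with `#!/usr/bin/env bash` are not selected either way, which deserves a one-line comment if it is deliberate.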


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -e set -euo pipefail
SCRIPT_NAME=$(basename "$0") SCRIPT_NAME=$(basename "$0")


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -xe set -xeuo pipefail
SCRIPT_NAME=$(basename "$0") SCRIPT_NAME=$(basename "$0")
@ -52,7 +52,7 @@ target="networks/$NETWORK"
cd "$(git rev-parse --show-toplevel)" cd "$(git rev-parse --show-toplevel)"
echo "target=$target" > tests/chutney/arti.run echo "target=$target" > tests/chutney/arti.run
if [ -z "${CHUTNEY_PATH}" ]; then if [ -z "${CHUTNEY_PATH:-}" ]; then
# CHUTNEY_PATH isn't set; try cloning or updating a local chutney. # CHUTNEY_PATH isn't set; try cloning or updating a local chutney.
if [ -d chutney ]; then if [ -d chutney ]; then
(cd ./chutney && git pull) (cd ./chutney && git pull)


@ -1,9 +1,9 @@
#!/bin/bash #!/bin/bash
set -xe set -xeuo pipefail
cd "$(git rev-parse --show-toplevel)" cd "$(git rev-parse --show-toplevel)"
if [ -z "${CHUTNEY_PATH}" ]; then if [ -z "${CHUTNEY_PATH:-}" ]; then
# Use the default chutney path we set up before. # Use the default chutney path we set up before.
CHUTNEY_PATH="$(pwd)/chutney" CHUTNEY_PATH="$(pwd)/chutney"
export CHUTNEY_PATH export CHUTNEY_PATH


@ -1,4 +1,6 @@
#!/bin/bash -xe #!/bin/bash
set -xeuo pipefail
curl http://example.com -vs --socks5-hostname 127.0.0.1:9150 -o /dev/null curl http://example.com -vs --socks5-hostname 127.0.0.1:9150 -o /dev/null