Skip to content

systemd service enrichment #505

systemd service enrichment

systemd service enrichment #505

Workflow file for this run

on:
push:
paths:
- src/**
- audit-specs/**
- syscall-tables/**
- build.rs
- Cargo.*
- .github/workflows/build.yml
pull_request:
paths:
- src/**
- audit-specs/**
- syscall-tables/**
- build.rs
- Cargo.*
- .github/workflows/build.yml
jobs:
check-fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- run: cargo fmt --check
build-test:
runs-on: ubuntu-latest
container: ubuntu:latest
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
apt-get -qq update
apt-get -qqy dist-upgrade
apt-get -qqy install curl build-essential libclang-dev libacl1-dev libgoogle-perftools-dev
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-test-cargo-${{ hashFiles('**/Cargo.lock') }}"
restore-keys: ${{ runner.os }}-test-cargo-
- run: cargo build
- run: cargo test --no-default-features
- run: cargo test
- run: cargo bench --no-run
build-x86_64-gnu:
needs: [ check-fmt, build-test ]
runs-on: ubuntu-latest
container: debian:bullseye
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
apt-get -qq update
apt-get -qqy dist-upgrade
apt-get -qqy install curl build-essential libclang-dev libacl1-dev
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-x86_64-gnu-cargo-${{ hashFiles('**/Cargo.lock') }}"
restore-keys: ${{ runner.os }}-cargo-x86_64-gnu-
- name: Build
run: cargo build --target=x86_64-unknown-linux-gnu --release
- uses: actions/upload-artifact@v4
with:
name: binaries-x86_64-gnu
path: |
target/*/release/laurel*
!target/*/release/*.*
if-no-files-found: error
build-x86_64-musl:
needs: [ check-fmt, build-test ]
runs-on: ubuntu-latest
container: alpine:3.21
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
apk add git ca-certificates tar rust cargo clang-dev acl-dev acl-static musl-dev linux-headers
apk add binutils file
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-x86_64-musl-cargo-${{ hashFiles('**/Cargo.lock') }}"
restore-keys: ${{ runner.os }}-cargo-x86_64-musl-
- name: Build
run: |
RUSTFLAGS='-C target-feature=+crt-static -L/usr/lib -l static=acl' \
cargo build --target x86_64-alpine-linux-musl --release
- name: Show binary charcteristics
run: |
set -x
file target/x86_64-alpine-linux-musl/release/laurel
ldd target/x86_64-alpine-linux-musl/release/laurel
objdump -x target/x86_64-alpine-linux-musl/release/laurel | grep NEEDED || true
set +x
if [ -n "$(objdump -x target/x86_64-alpine-linux-musl/debug/laurel | grep NEEDED)" ]; then
echo "laurel is linked against shared libraries" >&2
exit 1
fi
- uses: actions/upload-artifact@v4
with:
name: binaries-x86_64-musl
path: |
target/*/release/laurel*
!target/*/release/*.*
if-no-files-found: error
build-aarch64-gnu:
needs: [ check-fmt, build-test ]
runs-on: ubuntu-latest
container: debian:bullseye
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
dpkg --add-architecture arm64
apt-get -qq update
apt-get -qqy dist-upgrade
apt-get -qqy install curl build-essential libclang-dev gcc-aarch64-linux-gnu libacl1-dev:arm64
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
target: aarch64-unknown-linux-gnu
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-aarch64-gnu-cargo-${{ hashFiles('**/Cargo.lock') }}"
restore-keys: ${{ runner.os }}-cargo-aarch64-gnu-
- name: Build
run: cargo build --target=aarch64-unknown-linux-gnu --release
- uses: actions/upload-artifact@v4
with:
name: binaries-aarch64-gnu
path: |
target/*/release/laurel*
!target/*/release/*.*
if-no-files-found: error
build-armv7-gnueabihf:
needs: [ check-fmt, build-test ]
runs-on: ubuntu-latest
container: debian:bullseye
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
dpkg --add-architecture armhf
apt-get -qq update
apt-get -qqy dist-upgrade
apt-get -qqy install curl build-essential libclang-dev gcc-arm-linux-gnueabihf libacl1-dev:armhf
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
target: armv7-unknown-linux-gnueabihf
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: "${{ runner.os }}-armv7-gnueabihf-cargo-${{ hashFiles('**/Cargo.lock') }}"
restore-keys: ${{ runner.os }}-armv7-gnueabihf-cargo-
- name: Build
run: cargo build --target=armv7-unknown-linux-gnueabihf --release
- uses: actions/upload-artifact@v4
with:
name: binaries-armv7-gnueabihf
path: |
target/*/release/laurel*
!target/*/release/*.*
if-no-files-found: error
build-man:
runs-on: ubuntu-latest
container: debian:bullseye
steps:
- uses: actions/checkout@v2
- name: Install dependency
run: |
apt-get -qq update
apt-get -qqy dist-upgrade
apt-get -qqy install make pandoc
- run: make -C man
- uses: actions/upload-artifact@v4
with:
name: manpages
path: |
man/*.7
man/*.8
if-no-files-found: error
build-tarballs:
runs-on: ubuntu-latest
needs:
- build-x86_64-gnu
- build-x86_64-musl
- build-aarch64-gnu
- build-armv7-gnueabihf
- build-man
steps:
- uses: actions/checkout@v2
- uses: actions/download-artifact@v4
with:
merge-multiple: true
path: artifacts
- name: Collect/Build
run: |
version="$(cargo read-manifest | jq -r '.version')"
find -type f '(' -name laurel2audit -or -name laurel ')'
for arch in x86_64-glibc x86_64-musl aarch64-glibc armv7-glibc; do
tgt=${arch/-glibc/-unknown-linux-gnu}
tgt=${tgt/-musl/-alpine-linux-musl}
case $tgt in armv7*gnu) tgt=${tgt}eabihf ;; esac
mkdir -p pack/laurel-$version-$arch/bin \
pack/laurel-$version-$arch/etc/{audit/plugins.d,laurel} \
pack/laurel-$version-$arch/man/man{7,8} \
pack/laurel-$version-$arch/doc
install -m644 etc/audit/plugins.d/laurel.conf pack/laurel-$version-$arch/etc/audit/plugins.d/
install -m644 etc/laurel/config.toml pack/laurel-$version-$arch/etc/laurel/
install -m644 *.md pack/laurel-$version-$arch/doc/
install -m755 artifacts/$tgt/release/laurel* pack/laurel-$version-$arch/bin
install -m644 artifacts/*.7 pack/laurel-$version-$arch/man/man7/
install -m644 artifacts/*.8 pack/laurel-$version-$arch/man/man8/
done
cd pack
find -mindepth 1 -maxdepth 1 -type d | xargs -ti tar -czf {}.tar.gz {}
- uses: actions/upload-artifact@v4
with:
name: tarballs
path: pack/*.tar.gz
compression-level: 0
if-no-files-found: error
release:
runs-on: ubuntu-latest
needs: build-tarballs
if: ${{ startsWith(github.ref, 'refs/tags/') }}
steps:
- uses: actions/checkout@v2
- name: Get Version
id: get_version
run: |
version_git=$(echo "$GITHUB_REF" | sed -e 's/refs\/tags\///')
version_cargo="v$(cargo read-manifest | jq -r '.version')"
if [ "$version_git" != "$version_cargo" ]; then
echo "git != cargo: $version_git != $version_cargo" >&2
exit 1
fi
echo "git_version=$version_git" >> $GITHUB_OUTPUT
- uses: actions/download-artifact@v4
with:
name: tarballs
- uses: softprops/action-gh-release@v2
with:
files: laurel-*.tar.gz
fail_on_unmatched_files: true
draft: true