[fix] www/anubis v1.17.1p0, add pledge() and unveil()
On 02.05.25 at 17:51, Christoph Liebender wrote:
> Hi @ports,
>
> I recently submitted a patch to update www/anubis to v1.17.0 that also
> got applied to 7.7-stable. Turns out that the build produces an
> executable that does not work correctly. Cause being upstream deciding
> to complicate the build process, such that just go.port.mk is not enough
> to build the package. Upstream provides a Makefile that includes the
> required steps to produce a working binary. However, this involves more
> build dependencies, and most notably, npm packages, for which the ports
> system doesn't have a module... (right?)
>
> In any case, by submitting the initial faulty patch I feel responsible
> for the port's breakage, which is why attached you will find another
> patch for v1.17.0p0 that, at least, produces a working binary. However,
> I am not sure if the way I'm calling npm is the proper way, so the
> "comments?" really applies this time :)
>
> In any case, go-away [1] might be worth checking out for a less
> opinionated, simpler setup alternative to anubis.
>
> comments, ok?
>
> - Christoph
>
> [1] https://git.gammaspectra.live/git/go-away
I had some time on my hands and added unveil(2) and pledge(2) calls to
anubis. Attached as a diff. I've tested this on my box, runs ok. This
probably needs more testing though.
comments, testers, ok?
- Christoph
diff --git a/www/anubis/Makefile b/www/anubis/Makefile
index fe090f96c21..67885f77fa5 100644
--- a/www/anubis/Makefile
+++ b/www/anubis/Makefile
@@ -3,7 +3,9 @@ COMMENT= proof-of-work proxy to protect web resources from scrapers
MODGO_MODNAME= github.com/TecharoHQ/anubis
MODGO_VERSION= v1.17.1
-DISTNAME= anubis-${MODGO_VERSION}
+DISTNAME= ${MODGO_MODNAME}@${MODGO_VERSION}
+PKGNAME= anubis-${MODGO_VERSION:S/v//}
+REVISION= 0
CATEGORIES= www
@@ -12,12 +14,25 @@ HOMEPAGE= https://anubis.techaro.lol/
# MIT
PERMIT_PACKAGE= Yes
+# uses pledge() and unveil()
WANTLIB= c pthread
+BUILD_DEPENDS= devel/esbuild archivers/zstd archivers/brotli shells/bash \
+ lang/node
+
MODULES= lang/go
MODGO_LDFLAGS= -X github.com/TecharoHQ/anubis.Version=${MODGO_VERSION:S/v//}
+pre-build:
+ sh -c "cd ${WRKSRC}; npm ci --cache ${WRKSRC}/npm-cache"
+
+ bash ${WRKSRC}/web/build.sh
+
+ # contents of ${WRKSRC}/xess/build.sh
+ node ${WRKSRC}/node_modules/.bin/postcss ${WRKSRC}/xess/xess.css \
+ -o ${WRKSRC}/xess/xess.min.css
+
post-install:
rm ${PREFIX}/bin/containerbuild
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/anubis
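Review bot: the pre-build target runs "npm ci --cache ${WRKSRC}/npm-cache", which pulls the npm dependency tree during the build stage, and this patch adds no distinfo entries for those packages. They are therefore fetched without the SHA256/SIZE verification that the Go modules get, and the build fails wherever the build stage has no network access. Consider providing the npm dependencies (or the prebuilt web assets) as an additional distfile recorded in distinfo so that pre-build can run offline. Separately, "cd ${WRKSRC}; npm ci" keeps going if the cd fails; "cd ${WRKSRC} && npm ci ..." stops instead.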
diff --git a/www/anubis/distinfo b/www/anubis/distinfo
index d30549eb668..fa616815832 100644
--- a/www/anubis/distinfo
+++ b/www/anubis/distinfo
@@ -1,4 +1,4 @@
-SHA256 (anubis-v1.17.1.zip) = WV4kXqYnSNoWbEtNLqCR38FDY21YcPZibcgWkg4j7Fw=
+SHA256 (github.com/!techaro!h!q/anubis@v1.17.1.zip) = WV4kXqYnSNoWbEtNLqCR38FDY21YcPZibcgWkg4j7Fw=
SHA256 (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.mod) = RdeLgFcZmbaiWNoPIWc9o55rUBNJwDOkrNFpQ3QR1zM=
SHA256 (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.zip) = 8V8Mp6PFpCddPVYCNvF46dc1oIRTS/O2hexfZ2gGIwo=
SHA256 (go_modules/github.com/a-h/htmlformat/@v/v0.0.0-20250209131833-673be874c677.mod) = 4hCmNckY4iRhPrRZUTfxS/DlElcNBssp8VG4GmA22EI=
@@ -296,7 +296,7 @@ SHA256 (go_modules/sigs.k8s.io/structured-merge-diff/v4/@v/v4.4.2.mod) = O1bdGEw
SHA256 (go_modules/sigs.k8s.io/structured-merge-diff/v4/@v/v4.4.2.zip) = GIWNlp+dDOCaXOZeRiFU9/y85ijc78xxjLutrCAsRZ0=
SHA256 (go_modules/sigs.k8s.io/yaml/@v/v1.4.0.mod) = CZ2G+OBNET1A9KFSzf4AFxFtfv6mjkF6nGRthgJj174=
SHA256 (go_modules/sigs.k8s.io/yaml/@v/v1.4.0.zip) = 7wMf94/5twNuF07vSd+9d0aNxPCvtzpjm2H4qzocxCU=
-SIZE (anubis-v1.17.1.zip) = 830455
+SIZE (github.com/!techaro!h!q/anubis@v1.17.1.zip) = 830455
SIZE (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.mod) = 43
SIZE (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.zip) = 397057
SIZE (go_modules/github.com/a-h/htmlformat/@v/v0.0.0-20250209131833-673be874c677.mod) = 117
diff --git a/www/anubis/patches/patch-cmd_anubis_main_go b/www/anubis/patches/patch-cmd_anubis_main_go
new file mode 100644
index 00000000000..6bef6f8aa8f
--- /dev/null
+++ b/www/anubis/patches/patch-cmd_anubis_main_go
@@ -0,0 +1,61 @@
+Index: cmd/anubis/main.go
+--- cmd/anubis/main.go.orig
++++ cmd/anubis/main.go
+@@ -37,6 +37,9 @@ import (
+ "github.com/prometheus/client_golang/prometheus/promhttp"
+ )
+
++// #include <unistd.h>
++import "C"
++
+ var (
+ basePrefix = flag.String("base-prefix", "", "base prefix (root URL) the application is served under e.g. /myapp")
+ bind = flag.String("bind", ":8923", "network address to bind HTTP to")
+@@ -335,6 +338,47 @@ func main() {
+ log.Printf("cannot shut down: %v", err)
+ }
+ }()
++
++ pledges := "stdio"
++ bindUnix := *bindNetwork == "unix"
++ targetUnix := strings.HasPrefix(*target, "unix://")
++ targetIP := net.ParseIP(*target) != nil
++ if bindUnix || targetUnix {
++ pledges += " unix"
++ }
++ if bindUnix {
++ pledges += " cpath"
++ C.unveil(C.CString(*bind), C.CString("c"))
++ }
++ if targetUnix || !targetIP {
++ pledges += " rpath"
++ }
++ if targetUnix {
++ pledges += " wpath"
++ C.unveil(C.CString(strings.TrimPrefix(*target, "unix://")), C.CString("rw"))
++ }
++ if !bindUnix || strings.HasPrefix(*target, "http") || targetIP {
++ pledges += " inet"
++ }
++ if !targetUnix && !targetIP {
++ pledges += " dns"
++ rpaths := []string{
++ "/etc/resolv.conf",
++ "/etc/hosts",
++ "/etc/ssl/openssl.cnf",
++ "/etc/ssl/cert.pem",
++ }
++ for _, rpath := range rpaths {
++ C.unveil(C.CString(rpath), C.CString("r"))
++ }
++ }
++
++ v, err := C.pledge(C.CString(pledges), nil)
++ if v == -1 {
++ log.Fatal(err)
++ } else {
++ slog.Info("applied pledge(" + pledges + ")")
++ }
+
+ if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
+ log.Fatal(err)
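Review bot: every C.unveil(...) call in the added block discards its return value, so a failed unveil goes unnoticed and the process continues with a wider filesystem view than intended while the log still reports "applied pledge(...)". Check each result and exit on -1, as is already done for C.pledge. Also, targetIP is computed as net.ParseIP(*target) != nil on the whole flag value, but the same block tests *target for the "unix://" and "http" prefixes, so it is a URL; ParseIP returns nil for a string that carries a scheme or port, which means an http target with an IP-literal host still gets "dns" and "rpath" plus the /etc unveils. Parsing the target with net/url and testing its Hostname() would let the promise set shrink for that case. The C.CString allocations are never freed, and the cgo import could be dropped altogether by using the Pledge and Unveil wrappers in golang.org/x/sys/unix, which return a Go error for each call.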