From: Christoph Liebender
Subject: Re: [fix] www/anubis v1.17.1p0, add pledge() and unveil()
To: ports@openbsd.org
Date: Sun, 4 May 2025 23:21:41 +0200

On 02.05.25 at 17:51, Christoph Liebender wrote:
> Hi @ports,
>
> I recently submitted a patch to update www/anubis to v1.17.0 that also
> got applied to 7.7-stable. Turns out that the build produces an
> executable that does not work correctly. Cause being upstream deciding
> to complicate the build process, such that just go.port.mk is not enough
> to build the package. Upstream provides a Makefile that includes the
> required steps to produce a working binary. However, this involves more
> build dependencies, and most notably, npm packages, for which the ports
> system doesn't have a module... (right?)
>
> In any case, by submitting the initial faulty patch I feel responsible
> for the port's breakage, which is why attached you will find another
> patch for v1.17.0p0 that, at least, produces a working binary. However,
> I am not sure if the way I'm calling npm is the proper way, so the
> "comments?" really applies this time :)
>
> In any case, go-away [1] might be worth checking out for a less
> opinionated, simpler setup alternative to anubis.
>
> comments, ok?
>
> - Christoph
>
> [1] https://git.gammaspectra.live/git/go-away

I had some time on my hands and added unveil(2) and pledge(2) calls to
anubis. Attached as a diff. I've tested this on my box, runs ok.
This probably needs more testing though.

comments, testers, ok?

- Christoph

diff --git a/www/anubis/Makefile b/www/anubis/Makefile index fe090f96c21..67885f77fa5 100644 --- a/www/anubis/Makefile +++ b/www/anubis/Makefile @@ -3,7 +3,9 @@ COMMENT= proof-of-work proxy to protect web resources from scrapers MODGO_MODNAME= github.com/TecharoHQ/anubis MODGO_VERSION= v1.17.1 -DISTNAME= anubis-${MODGO_VERSION} +DISTNAME= ${MODGO_MODNAME}@${MODGO_VERSION} +PKGNAME= anubis-${MODGO_VERSION:S/v//} +REVISION= 0 CATEGORIES= www 
@@ -12,12 +14,25 @@ HOMEPAGE= https://anubis.techaro.lol/ # MIT PERMIT_PACKAGE= Yes +# uses pledge() and unveil() WANTLIB= c pthread +BUILD_DEPENDS= devel/esbuild archivers/zstd archivers/brotli shells/bash \ + lang/node + MODULES= lang/go MODGO_LDFLAGS= -X github.com/TecharoHQ/anubis.Version=${MODGO_VERSION:S/v//} +pre-build: + sh -c "cd ${WRKSRC}; npm ci --cache ${WRKSRC}/npm-cache" + + bash ${WRKSRC}/web/build.sh + + # contents of ${WRKSRC}/xess/build.sh + node ${WRKSRC}/node_modules/.bin/postcss ${WRKSRC}/xess/xess.css \ + -o ${WRKSRC}/xess/xess.min.css + post-install: rm ${PREFIX}/bin/containerbuild ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/anubis diff --git a/www/anubis/distinfo b/www/anubis/distinfo index d30549eb668..fa616815832 100644 --- a/www/anubis/distinfo +++ b/www/anubis/distinfo @@ -1,4 +1,4 @@ -SHA256 (anubis-v1.17.1.zip) = WV4kXqYnSNoWbEtNLqCR38FDY21YcPZibcgWkg4j7Fw= +SHA256 (github.com/!techaro!h!q/anubis@v1.17.1.zip) = WV4kXqYnSNoWbEtNLqCR38FDY21YcPZibcgWkg4j7Fw= SHA256 (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.mod) = RdeLgFcZmbaiWNoPIWc9o55rUBNJwDOkrNFpQ3QR1zM= SHA256 (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.zip) = 8V8Mp6PFpCddPVYCNvF46dc1oIRTS/O2hexfZ2gGIwo= SHA256 (go_modules/github.com/a-h/htmlformat/@v/v0.0.0-20250209131833-673be874c677.mod) = 4hCmNckY4iRhPrRZUTfxS/DlElcNBssp8VG4GmA22EI= 
@@ -296,7 +296,7 @@ SHA256 (go_modules/sigs.k8s.io/structured-merge-diff/v4/@v/v4.4.2.mod) = O1bdGEw SHA256 (go_modules/sigs.k8s.io/structured-merge-diff/v4/@v/v4.4.2.zip) = GIWNlp+dDOCaXOZeRiFU9/y85ijc78xxjLutrCAsRZ0= SHA256 (go_modules/sigs.k8s.io/yaml/@v/v1.4.0.mod) = CZ2G+OBNET1A9KFSzf4AFxFtfv6mjkF6nGRthgJj174= SHA256 (go_modules/sigs.k8s.io/yaml/@v/v1.4.0.zip) = 7wMf94/5twNuF07vSd+9d0aNxPCvtzpjm2H4qzocxCU= -SIZE (anubis-v1.17.1.zip) = 830455 +SIZE (github.com/!techaro!h!q/anubis@v1.17.1.zip) = 830455 SIZE (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.mod) = 43 SIZE (go_modules/github.com/!burnt!sushi/toml/@v/v1.4.1-0.20240526193622-a339e1f7089c.zip) = 397057 SIZE (go_modules/github.com/a-h/htmlformat/@v/v0.0.0-20250209131833-673be874c677.mod) = 117 diff --git a/www/anubis/patches/patch-cmd_anubis_main_go b/www/anubis/patches/patch-cmd_anubis_main_go new file mode 100644 index 00000000000..6bef6f8aa8f --- /dev/null +++ b/www/anubis/patches/patch-cmd_anubis_main_go 
@@ -0,0 +1,61 @@ +Index: cmd/anubis/main.go +--- cmd/anubis/main.go.orig ++++ cmd/anubis/main.go +@@ -37,6 +37,9 @@ import ( + "github.com/prometheus/client_golang/prometheus/promhttp" + ) + ++// #include ++import "C" ++ + var ( + basePrefix = flag.String("base-prefix", "", "base prefix (root URL) the application is served under e.g. /myapp") + bind = flag.String("bind", ":8923", "network address to bind HTTP to") +@@ -335,6 +338,47 @@ func main() { + log.Printf("cannot shut down: %v", err) + } + }() ++ ++ pledges := "stdio" ++ bindUnix := *bindNetwork == "unix" ++ targetUnix := strings.HasPrefix(*target, "unix://") ++ targetIP := net.ParseIP(*target) != nil ++ if bindUnix || targetUnix { ++ pledges += " unix" ++ } ++ if bindUnix { ++ pledges += " cpath" ++ C.unveil(C.CString(*bind), C.CString("c")) ++ } ++ if targetUnix || !targetIP { ++ pledges += " rpath" ++ } ++ if targetUnix { ++ pledges += " wpath" ++ C.unveil(C.CString(strings.TrimPrefix(*target, "unix://")), C.CString("rw")) ++ } ++ if !bindUnix || strings.HasPrefix(*target, "http") || targetIP { ++ pledges += " inet" ++ } ++ if !targetUnix && !targetIP { ++ pledges += " dns" ++ rpaths := []string{ ++ "/etc/resolv.conf", ++ "/etc/hosts", ++ "/etc/ssl/openssl.cnf", ++ "/etc/ssl/cert.pem", ++ } ++ for _, rpath := range rpaths { ++ C.unveil(C.CString(rpath), C.CString("r")) ++ } ++ } ++ ++ v, err := C.pledge(C.CString(pledges), nil) ++ if v == -1 { ++ log.Fatal(err) ++ } else { ++ slog.Info("applied pledge(" + pledges + ")") ++ } + + if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) { + log.Fatal(err)
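
Review bot: The DISTNAME change in the first www/anubis/Makefile hunk (to ${MODGO_MODNAME}@${MODGO_VERSION}) is not explained anywhere in the mail, which only describes the pledge() and unveil() work, and it goes together with the distinfo rename to github.com/!techaro!h!q/anubis@v1.17.1.zip. A one-line comment in the Makefile saying why the plain anubis-${MODGO_VERSION} name no longer works, or splitting the rename out of the pledge/unveil diff, would make this part reviewable on its own.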
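
Review bot: The pre-build target in the second www/anubis/Makefile hunk runs "npm ci --cache ${WRKSRC}/npm-cache", so unless the distfile already ships a populated npm-cache the npm packages are downloaded during the build, and nothing in the distinfo hunks records a checksum for them. Everything else this port builds from is pinned by SHA256 and SIZE in distinfo; the npm inputs should be fetched as distfiles and listed there too (or prebuilt assets shipped), so the build stays offline and checksum-verified. Separately, "cd ${WRKSRC}; npm ci" still runs npm ci when the cd fails; use "cd ${WRKSRC} && npm ci ...".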
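
Review bot: The three C.unveil(...) calls added in patches/patch-cmd_anubis_main_go (for *bind, for the unix:// target, and in the rpaths loop) discard the return value, so a failed unveil(2) goes unnoticed: if none of the calls succeeds the filesystem stays fully visible under the rpath/wpath/cpath promises, and if only some succeed the daemon fails later on a path it cannot see. Check each call the way the hunk already checks pledge, e.g. "if v, err := C.unveil(path, perms); v == -1 { log.Fatal(err) }". The C.CString arguments are also never released; that is a small one-time allocation at startup, but a short helper that converts, calls, checks and frees would remove both issues in one place.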