lotus/snap/snapcraft.yaml
Ian Davis ab611199fd Set noexecstack on snapcraft builds
We're currently failing the automated security review on snapcraft
because the lotus binary has the execstack value set:
  https://linux.die.net/man/8/execstack

This commit passes the appropriate flags to ld to disable the execstack
flag when building the binaries for snapcraft:
  https://linux.die.net/man/1/ld

We may want to consider disabling this as part of the main build.
Research seems to indicate that allowing an executable stack can lead to
security issues, but I am not enough of a security expert to know for
sure what the right call here is:
  https://f0rm2l1n.github.io/2022-04-02-What-is-happended-to-execstack/
2022-12-13 17:56:28 -08:00


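# Snap metadata for the Lotus (Filecoin) daemon and client tools.
name: lotus-filecoin
base: core20
version: latest
summary: filecoin daemon/client
icon: snap/local/icon.svg
# Literal block scalar: the lines below must stay indented under the key,
# otherwise the URLs would be parsed as YAML instead of description text.
description: |
  Filecoin is a peer-to-peer network that stores files on the internet
  with built-in economic incentives to ensure files are stored reliably over time
  For documentation and additional information, please see the following resources
  https://filecoin.io
  https://fil.org
  https://lotus.filecoin.io
  https://github.com/filecoin-project/lotus
# Strict confinement: the apps run inside the snap sandbox and reach host
# resources only through the interfaces listed under each app's `plugs`.
confinement: strict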
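# Build definition: a single part that compiles the three Lotus binaries
# with the make plugin and copies them into the snap's install directory.
parts:
  lotus:
    plugin: make
    source: ./
    # Toolchains pulled in as snaps for the build environment only.
    build-snaps:
      - go
      - rustup
    # Build-time packages; not shipped in the final snap.
    build-packages:
      - git
      - jq
      - libhwloc-dev
      - ocl-icd-opencl-dev
      - pkg-config
    # Runtime shared libraries that are bundled into the snap.
    stage-packages:
      - libhwloc15
      - ocl-icd-libopencl1
    override-build: |
      # "-z noexecstack" asks ld to mark the stack non-executable
      # (PT_GNU_STACK without the X flag). An executable stack is flagged by
      # the snap store's automated security review.
      # NOTE(review): whether LDFLAGS actually reaches the linker depends on
      # the Makefile, which is not shown here. Confirm on the built binaries
      # with `readelf -lW lotus` (GNU_STACK should read RW, not RWE) or
      # `execstack -q lotus`.
      # NOTE(review): this only hardens the snap build; the project's regular
      # build does not set the flag from this file.
      LDFLAGS="-z noexecstack" make lotus lotus-miner lotus-worker
      # Quote the destination so an install path containing spaces or glob
      # characters is not word-split by the shell.
      cp lotus lotus-miner lotus-worker "$SNAPCRAFT_PART_INSTALL"
      cp scripts/snap-lotus-entrypoint.sh "$SNAPCRAFT_PART_INSTALL"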
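# Layout: make the conventional /var/lib/lotus* paths resolve, inside the
# snap's mount namespace, to directories under $SNAP_COMMON. These are the
# same targets the apps receive through LOTUS_PATH, LOTUS_MINER_PATH and
# LOTUS_WORKER_PATH, so state stays inside the snap's own data area.
layout:
  /var/lib/lotus:
    symlink: $SNAP_COMMON/lotus
  /var/lib/lotus-miner:
    symlink: $SNAP_COMMON/lotus-miner
  /var/lib/lotus-worker:
    symlink: $SNAP_COMMON/lotus-worker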
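# Apps exposed by the snap. Under strict confinement each app can use only
# the interfaces in its own `plugs` list, so keep every list to the minimum
# the binary needs.
apps:
  # Interactive client/daemon binary.
  lotus:
    command: lotus
    plugs:
      - network
      - network-bind
      # `home` lets the command read and write non-hidden files in the
      # invoking user's home directory; it is the only app here that asks
      # for it.
      - home
    environment:
      # Per-user cache location for the interactive commands.
      FIL_PROOFS_PARAMETER_CACHE: $SNAP_USER_COMMON/filecoin-proof-parameters
      LOTUS_PATH: $SNAP_COMMON/lotus
      LOTUS_MINER_PATH: $SNAP_COMMON/lotus-miner
      LOTUS_WORKER_PATH: $SNAP_COMMON/lotus-worker
  lotus-miner:
    command: lotus-miner
    plugs:
      - network
      - network-bind
      # NOTE(review): presumably needed for GPU access via the staged
      # OpenCL library; confirm it is still required.
      - opengl
    environment:
      FIL_PROOFS_PARAMETER_CACHE: $SNAP_USER_COMMON/filecoin-proof-parameters
      LOTUS_PATH: $SNAP_COMMON/lotus
      LOTUS_MINER_PATH: $SNAP_COMMON/lotus-miner
      LOTUS_WORKER_PATH: $SNAP_COMMON/lotus-worker
  lotus-worker:
    command: lotus-worker
    plugs:
      - network
      - network-bind
      # NOTE(review): presumably needed for GPU access via the staged
      # OpenCL library; confirm it is still required.
      - opengl
    environment:
      FIL_PROOFS_PARAMETER_CACHE: $SNAP_USER_COMMON/filecoin-proof-parameters
      LOTUS_PATH: $SNAP_COMMON/lotus
      LOTUS_MINER_PATH: $SNAP_COMMON/lotus-miner
      LOTUS_WORKER_PATH: $SNAP_COMMON/lotus-worker
  # Background service wrapper around the entrypoint script copied in by the
  # build step.
  lotus-daemon:
    command: snap-lotus-entrypoint.sh
    daemon: simple
    # The service is installed disabled and must be enabled explicitly.
    install-mode: disable
    plugs:
      - network
      - network-bind
    environment:
      # The service uses the system-wide $SNAP_COMMON for the parameter
      # cache, unlike the interactive apps, which use $SNAP_USER_COMMON.
      FIL_PROOFS_PARAMETER_CACHE: $SNAP_COMMON/filecoin-proof-parameters
      LOTUS_PATH: $SNAP_COMMON/lotus
      LOTUS_MINER_PATH: $SNAP_COMMON/lotus-miner
      LOTUS_WORKER_PATH: $SNAP_COMMON/lotus-worker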