Draft: Use sydbox to verify ghcup behaves well

.gitlab-ci.yml

@@ -16,7 +16,7 @@ variables:
 ############################################################
 
 .debian:
-  image: "registry.gitlab.haskell.org/ghc/ci-images/x86_64-linux-deb10:$DOCKER_REV"
+  image: "debian:11"
   tags:
     - x86_64-linux
   variables:
@@ -44,7 +44,7 @@ variables:
     CABAL_DIR: "$CI_PROJECT_DIR/cabal"
 
 .linux:armv7:
-  image: "registry.gitlab.haskell.org/ghc/ci-images/armv7-linux-deb10:$DOCKER_REV"
+  image: "arm32v7/debian:11"
   tags:
     - armv7-linux
   variables:
@@ -54,7 +54,7 @@ variables:
   retry: 2
 
 .linux:aarch64:
-  image: "registry.gitlab.haskell.org/ghc/ci-images/aarch64-linux-deb10:$DOCKER_REV"
+  image: "aarch64/debian:11"
   tags:
     - aarch64-linux
   variables:

.gitlab/before_script/linux/install_deps.sh

@@ -6,16 +6,49 @@ set -eux
 
 mkdir -p "${TMPDIR}"
 
-sudo apt-get update -y
-sudo apt-get install -y libnuma-dev zlib1g-dev libgmp-dev libgmp10 libssl-dev liblzma-dev libbz2-dev git wget lsb-release software-properties-common gnupg2 apt-transport-https gcc autoconf automake build-essential
+apt-get update -y
+apt-get install -y \
+    apt-transport-https \
+    autoconf \
+    automake \
+    build-essential \
+    curl \
+    gcc \
+    git \
+    gnupg2 \
+    libbz2-dev \
+    libffi-dev \
+    libffi7 \
+    libgmp-dev \
+    libgmp10 \
+    liblzma-dev \
+    libncurses-dev \
+    libncurses5 \
+    libnuma-dev \
+    libssl-dev \
+    libtinfo5 \
+    lsb-release \
+    pkg-config \
+    software-properties-common \
+    wget \
+    zlib1g-dev
+
 
 if [ "${CROSS}" = "arm-linux-gnueabihf" ] ; then
-	sudo apt-get install -y gcc-arm-linux-gnueabihf
-	sudo dpkg --add-architecture armhf
-	sudo apt-get update -y
-	sudo apt-get install -y libncurses-dev:armhf
+    apt-get install -y gcc-arm-linux-gnueabihf
+    dpkg --add-architecture armhf
+    apt-get update -y
+    apt-get install -y libncurses-dev:armhf
 fi
 
+apt-get install -y libseccomp-dev
+curl -L https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2 | tar -xj
+cd sydbox-2.1.0
+./configure
+make
+make install
+cd ..
+
 export BOOTSTRAP_HASKELL_NONINTERACTIVE=1
 export BOOTSTRAP_HASKELL_GHC_VERSION=$GHC_VERSION
 export BOOTSTRAP_HASKELL_CABAL_VERSION=$CABAL_VERSION

.gitlab/script/ghcup_version.sh

@@ -15,14 +15,100 @@ ecabal() {
 }
 
 raw_eghcup() {
-	ghcup -v -c "$@"
+	if command -v sydbox 1>/dev/null ; then
+        sydbox \
+            -m core/sandbox/read:deny \
+            -m core/sandbox/write:deny \
+            -m core/sandbox/network:allow \
+            -m allowlist/read+/usr/lib/os-release \
+            -m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/read+${TMPDIR}/***" \
+            -m "allowlist/write+${TMPDIR}/***" \
+            -m "allowlist/read+/usr/lib/***" \
+            -m 'allowlist/read+/etc/ld.so.cache' \
+            -m "allowlist/read+/lib/***" \
+            -m 'allowlist/read+/etc/ssl/openssl.cnf' \
+            -m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
+            -m 'allowlist/read+/etc/nsswitch.conf' \
+            -m 'allowlist/read+/etc/host.conf' \
+            -m 'allowlist/read+/etc/resolv.conf' \
+            -m 'allowlist/read+/etc/hosts' \
+            -m 'allowlist/read+/etc/gai.conf' \
+            -m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
+            -m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
+            -m 'allowlist/read+/dev/urandom' \
+            -m 'core/violation/decision:killall' \
+		    -- ghcup -v -c "$@"
+	else
+		ghcup -v -c "$@"
+	fi
 }
 
 eghcup() {
 	if [ "${OS}" = "WINDOWS" ] ; then
+        sydbox \
+            -m core/sandbox/read:deny \
+            -m core/sandbox/write:deny \
+            -m core/sandbox/network:allow \
+            -m allowlist/read+/usr/lib/os-release \
+            -m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/read+${TMPDIR}/***" \
+            -m "allowlist/write+${TMPDIR}/***" \
+            -m "allowlist/read+/usr/lib/***" \
+            -m 'allowlist/read+/etc/ld.so.cache' \
+            -m "allowlist/read+/lib/***" \
+            -m 'allowlist/read+/etc/ssl/openssl.cnf' \
+            -m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
+            -m 'allowlist/read+/etc/nsswitch.conf' \
+            -m 'allowlist/read+/etc/host.conf' \
+            -m 'allowlist/read+/etc/resolv.conf' \
+            -m 'allowlist/read+/etc/hosts' \
+            -m 'allowlist/read+/etc/gai.conf' \
+            -m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
+            -m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
+            -m 'allowlist/read+/dev/urandom' \
+            -m 'core/violation/decision:killall' \
+
 		ghcup -v -c -s file:/$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
 	else
-		ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
+		if command -v sydbox 1>/dev/null ; then
+			ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
+		else
+			ghcup -v -c -s file://$CI_PROJECT_DIR/data/metadata/ghcup-${JSON_VERSION}.yaml "$@"
+		fi
+	fi
+}
+
+eghcup_offline() {
+	if command -v sydbox 1>/dev/null ; then
+        sydbox \
+            -m core/sandbox/read:deny \
+            -m core/sandbox/write:deny \
+            -m core/sandbox/network:deny \
+            -m allowlist/read+/usr/lib/os-release \
+            -m "allowlist/read+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/write+${GHCUP_INSTALL_BASE_PREFIX}/.ghcup/***" \
+            -m "allowlist/read+${TMPDIR}/***" \
+            -m "allowlist/write+${TMPDIR}/***" \
+            -m "allowlist/read+/usr/lib/***" \
+            -m 'allowlist/read+/etc/ld.so.cache' \
+            -m "allowlist/read+/lib/***" \
+            -m 'allowlist/read+/etc/ssl/openssl.cnf' \
+            -m 'allowlist/read+/proc/sys/crypto/fips_enabled' \
+            -m 'allowlist/read+/etc/nsswitch.conf' \
+            -m 'allowlist/read+/etc/host.conf' \
+            -m 'allowlist/read+/etc/resolv.conf' \
+            -m 'allowlist/read+/etc/hosts' \
+            -m 'allowlist/read+/etc/gai.conf' \
+            -m 'allowlist/read+/etc/ssl/certs/ca-certificates.crt' \
+            -m 'allowlist/read+/usr/share/zoneinfo/Etc/UTC' \
+            -m 'allowlist/read+/dev/urandom' \
+            -m 'core/violation/decision:killall' \
+			-- ghcup -v --offline "$@"
+	else
+		ghcup -v --offline "$@"
 	fi
 }
 
@@ -133,7 +219,7 @@ else
 	# https://gitlab.haskell.org/haskell/ghcup-hs/issues/7
 	if [ "${OS}" = "LINUX" ] ; then
 		eghcup --downloader=wget prefetch ghc 8.10.3
-		eghcup --offline install ghc 8.10.3
+		eghcup_offline install ghc 8.10.3
 		if [ "${ARCH}" = "64" ] ; then
 			expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-linux.files" | sort)
 			actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
@@ -142,25 +228,25 @@ else
 		fi
 	elif [ "${OS}" = "WINDOWS" ] ; then
 		eghcup prefetch ghc 8.10.3
-		eghcup --offline install ghc 8.10.3
+		eghcup_offline install ghc 8.10.3
 		expected=$(cat "$( cd "$(dirname "$0")" ; pwd -P )/../ghc-8.10.3-windows.files" | sort)
 		actual=$(cd "${GHCUP_DIR}/ghc/8.10.3/" && find | sort)
 		[ "${actual}" = "${expected}" ]
 		unset actual expected
 	else
 		eghcup prefetch ghc 8.10.3
-		eghcup --offline install ghc 8.10.3
+		eghcup_offline install ghc 8.10.3
 	fi
 	[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
-	eghcup --offline set 8.10.3
+	eghcup_offline set 8.10.3
 	eghcup set 8.10.3
 	[ "$(ghc --numeric-version)" = "8.10.3" ]
 	eghcup set ${GHC_VERSION}
 	[ "$(ghc --numeric-version)" = "${ghc_ver}" ]
 	eghcup unset ghc
     "$GHCUP_BIN"/ghc --numeric-version && exit || echo yes
 	eghcup set ${GHC_VERSION}
-	eghcup --offline rm 8.10.3
+	eghcup_offline rm 8.10.3
 	[ "$(ghc --numeric-version)" = "${ghc_ver}" ]