umu-static-bundler: update to latest and harden binary

whrvt · Dec 7, 2024 · e15722a · e15722a
1 parent b988daf
commit e15722a
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 75 deletions.
diff --git a/umu-static-bundler/build.sh b/umu-static-bundler/build.sh
@@ -24,8 +24,8 @@ source "${PROJECT_ROOT}/lib/messaging.sh"
 source "${PROJECT_ROOT}/lib/git-utils.sh"
 
 # Source versions
-readonly PYTHON_VERSION="3.13.0"
-readonly STATIC_PYTHON_URL="https://github.com/indygreg/python-build-standalone/releases/download/20241016/cpython-${PYTHON_VERSION}+20241016-x86_64-unknown-linux-musl-install_only_stripped.tar.gz"
+readonly PYTHON_VERSION="3.13.1"
+readonly STATIC_PYTHON_URL="https://github.com/indygreg/python-build-standalone/releases/download/20241206/cpython-${PYTHON_VERSION}+20241206-x86_64-unknown-linux-musl-install_only_stripped.tar.gz"
 readonly LIBARCHIVE_VERSION="3.7.7"
 readonly LIBARCHIVE_URL="https://github.com/libarchive/libarchive/releases/download/v${LIBARCHIVE_VERSION}/libarchive-${LIBARCHIVE_VERSION}.tar.gz"
 readonly ZSTD_VERSION="1.5.6"
@@ -159,7 +159,7 @@ _cleanup_python_dist() {
     _message "Initial Python distribution size: ${original_size}"
 
     _message "Running Python distribution cleaner..."
-    "${CACHE_DIR}/cleanup_python/bin/python3" "${BUILDER_DIR}/python/cleaner.py" \
+    "${CACHE_DIR}/cleanup_python${PYTHON_VERSION}/bin/python3" "${BUILDER_DIR}/python/cleaner.py" \
         "${WORK_DIR}/python" \
         "${WORK_DIR}/umu-launcher" \
         --config "${BUILDER_DIR}/python/config.py" \
@@ -193,16 +193,16 @@ prepare_sources() {
     fi
 
     # Setup Python environment for cleanup
-    if [[ ! -d "${CACHE_DIR}/cleanup_python" ]]; then
+    if [[ ! -d "${CACHE_DIR}/cleanup_python${PYTHON_VERSION}" ]]; then
         _message "Extracting Python distribution..."
-        mkdir -p "${CACHE_DIR}/cleanup_python"
+        mkdir -p "${CACHE_DIR}/cleanup_python${PYTHON_VERSION}"
         tar xf "${CACHE_DIR}/python-standalone-${PYTHON_VERSION}.tar.gz" \
-            -C "${CACHE_DIR}/cleanup_python" --strip-components=1
+            -C "${CACHE_DIR}/cleanup_python${PYTHON_VERSION}" --strip-components=1
     fi
 
     # Prepare Python distribution
     mkdir -p "${WORK_DIR}/python"
-    rsync -a "${CACHE_DIR}/cleanup_python"/* "${WORK_DIR}/python"
+    rsync -a "${CACHE_DIR}/cleanup_python${PYTHON_VERSION}"/* "${WORK_DIR}/python"
     _cleanup_python_dist
 
     # Extract build dependencies

diff --git a/umu-static-bundler/builder/docker/Dockerfile b/umu-static-bundler/builder/docker/Dockerfile
@@ -7,8 +7,8 @@ ENV CC=clang \
     AR=llvm-ar \
     NM=llvm-nm \
     RANLIB=llvm-ranlib \
-    CFLAGS="-static -fPIC --target=x86_64-alpine-linux-musl -Oz -ffunction-sections -fdata-sections" \
-    CXXFLAGS="-static -fPIC --target=x86_64-alpine-linux-musl -Oz -ffunction-sections -fdata-sections" \
+    CFLAGS="-march=x86-64 -static -fPIC --target=x86_64-alpine-linux-musl -Oz -ffunction-sections -fdata-sections" \
+    CXXFLAGS="-march=x86-64 -static -fPIC --target=x86_64-alpine-linux-musl -Oz -ffunction-sections -fdata-sections" \
     LDFLAGS="-static -Wl,--gc-sections,--strip-all" \
     PKG_CONFIG="pkg-config --static"
 
@@ -84,10 +84,6 @@ ENV PATH="/opt/build-env/bin:$PATH" \
 # Runtime dependencies 
 RUN apk add --no-cache \
     build-base \
-    clang \
-    clang-dev \
-    llvm17 \
-    lld \
     musl-dev \
     python3 \
     python3-dev \

diff --git a/umu-static-bundler/builder/docker/Makefile b/umu-static-bundler/builder/docker/Makefile
@@ -1,24 +1,26 @@
 # Build configuration
-CC = clang
-TARGET = --target=x86_64-alpine-linux-musl
+CC = gcc
 INCLUDES = -I/usr/local/include -Iinclude
 LIBDIRS = -L/usr/local/lib
 
 # Output configuration
 BINARY_NAME ?= wrapper
-PYTHON_VERSION ?= 3.13.0
+PYTHON_VERSION ?= 3.13.1
 VERSION_FILE ?= version.json
 VERSION_FILE_NAME ?= $(VERSION_FILE)
 
 # Compiler flags
-CFLAGS = -static $(TARGET) \
+CFLAGS = -static \
+		 -march=x86-64 \
 		 -Oz \
-		 -fno-stack-protector \
 		 -ffunction-sections \
 		 -fdata-sections \
 		 -fmerge-all-constants \
-		 -fno-unwind-tables \
-		 -fno-asynchronous-unwind-tables \
+		 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+		 -fstrict-flex-arrays=3 \
+		 -fcf-protection=full -fstack-clash-protection -fstack-protector-all \
+		 -fexceptions \
+		 -fPIE \
 		 -Wall \
 		 -Wextra \
 		 -Wpedantic \
@@ -27,15 +29,22 @@ CFLAGS = -static $(TARGET) \
 		 -Wstring-compare \
 		 -Wmissing-declarations \
 		 -Wwrite-strings \
-		 -Wa,--noexecstack \
-		 -Wl,--section-start=.note.GNU-stack=0 \
+		 -Wtrampolines \
 		 $(INCLUDES)
 
 # Linker flags
-LDFLAGS = -static \
+LDFLAGS = -static-pie -fPIE \
+		  -fcf-protection=full -fstack-clash-protection -fstack-protector-all \
+		  -fexceptions \
+		  -Wall \
+		  -Wextra \
+		  -Wpedantic \
+		  -Wtrampolines \
 		  -Wl,--gc-sections \
 		  -Wl,--strip-all \
-		  -Wl,--section-start=.note.GNU-stack=0 \
+		  -Wl,-z,nodlopen -Wl,-z,noexecstack \
+		  -Wl,-z,relro,-z,now \
+		  -Wl,--as-needed -Wl,--no-copy-dt-needed-entries \
 		  -Wl,--whole-archive \
 		  -l:libarchive.a \
 		  -Wl,--no-whole-archive \

diff --git a/umu-static-bundler/builder/docker/docker-build.sh b/umu-static-bundler/builder/docker/docker-build.sh
@@ -24,11 +24,11 @@ HOME=${OLDHOME}
 readonly _VERSION_FILE="${UMU_DIR}/umu/umu_version.json"
 readonly STAGED_VERSION="${WORK_DIR}/umu_version.json"
 
-if [[ ! -f "${_VERSION_FILE}" ]]; then
-    _warning "umu_version.json not found at ${_VERSION_FILE}"
-else 
-    cp "${_VERSION_FILE}" "${STAGED_VERSION}"
+if [ ! -f "${_VERSION_FILE}" ]; then
+    DATE=$(date)
+    printf '%s %s' "${DATE}" "$(echo -n "${DATE}" | sha512sum -)" > "${_VERSION_FILE}"
 fi
+cp "${_VERSION_FILE}" "${STAGED_VERSION}"
 
 # Build static wrapper
 _message "Building static wrapper..."

diff --git a/...tatic-bundler/patches/umu/0001-umu_run-Rely-on-an-external-wrapper-to-set-PR_SET_CH.patch b/...tatic-bundler/patches/umu/0001-umu_run-Rely-on-an-external-wrapper-to-set-PR_SET_CH.patch
@@ -12,31 +12,32 @@ This allows a fully statically linked umu-launcher to still have this prctl call
  3 files changed, 2 insertions(+), 70 deletions(-)
 
 diff --git a/umu/umu_run.py b/umu/umu_run.py
-index 9e584bb..77ee9ec 100755
+index d90c6a8..a74ab8a 100755
 --- a/umu/umu_run.py
 +++ b/umu/umu_run.py
-@@ -5,12 +5,10 @@ import sys
+@@ -2,13 +2,11 @@ import os
+ import sys
  import threading
  import time
- import zipfile
 -from _ctypes import CFuncPtr
- from argparse import ArgumentParser, Namespace, RawTextHelpFormatter
+ from argparse import Namespace
+ from array import array
  from collections.abc import MutableMapping
  from concurrent.futures import Future, ThreadPoolExecutor
  from contextlib import suppress
 -from ctypes import CDLL, c_int, c_ulong
  from errno import ENETUNREACH
+ from zipfile import Path as ZipPath
 
- try:
-@@ -46,7 +44,6 @@ from umu.umu_plugins import set_env_toml
+@@ -50,7 +48,6 @@ from umu.umu_plugins import set_env_toml
  from umu.umu_proton import get_umu_proton
  from umu.umu_runtime import setup_umu
  from umu.umu_util import (
 -    get_libc,
      get_library_paths,
+     has_umu_setup,
      is_installed_verb,
-     is_winetricks_verb,
-@@ -730,12 +727,9 @@ def run_in_steammode(proc: Popen) -> int:
+@@ -678,12 +675,9 @@ def run_in_steammode(proc: Popen) -> int:
 
  def run_command(command: tuple[Path | str, ...]) -> int:
      """Run the executable using Proton within the Steam Runtime."""
@@ -46,10 +47,10 @@ index 9e584bb..77ee9ec 100755
      ret: int = 0
 -    prctl_ret: int = 0
 -    libc: str = get_libc()
-
      is_gamescope_session: bool = (
          os.environ.get("XDG_CURRENT_DESKTOP") == "gamescope"
-@@ -759,18 +753,6 @@ def run_command(command: tuple[Path | str, ...]) -> int:
+         or os.environ.get("XDG_SESSION_DESKTOP") == "gamescope"
+@@ -705,18 +699,6 @@ def run_command(command: tuple[Path | str, ...]) -> int:
      else:
          cwd = Path.cwd()
 

diff --git a/umu-static-bundler/patches/umu/0002-Don-t-hardcode-python-paths.patch b/umu-static-bundler/patches/umu/0002-Don-t-hardcode-python-paths.patch
diff --git a/umu-static-bundler/wrapper/include/pathutils.h b/umu-static-bundler/wrapper/include/pathutils.h
@@ -32,6 +32,8 @@ wrp_status_t path_is_directory(const char *path, int *is_dir);
 wrp_status_t path_is_executable(const char *path, int *is_exec);
 wrp_status_t path_is_absolute(const char *path, int *is_absolute);
 wrp_status_t path_is_relative(const char *path, int *is_relative);
+wrp_status_t path_has_extension(const char *path, const char *ext,
+                                int *has_ext);
 wrp_status_t path_is_subpath(const char *parent, const char *child,
                              int *is_subpath);
 wrp_status_t path_is_symlink(const char *path, int *is_symlink);

diff --git a/umu-static-bundler/wrapper/src/archive.c b/umu-static-bundler/wrapper/src/archive.c
@@ -208,7 +208,7 @@ static wrp_status_t extract_archive_section(const char *self_path,
   struct archive_context ctx;
   wrp_status_t status;
   long archive_start;
-  unsigned long long archive_size;
+  unsigned long long archive_size = 0;
   int r;
 
   /* Initialize extraction context */