08b791a01b
A bit going on here. - Updating resholve from 0.5.1 -> 0.6.0 - adding a dependency, `binlore`, to supply ~intel on executables that supports new functionality in resholve - adding a package, `yallback`, which provides rule-based callbacks for YARA rule matches (dependency of `binlore`). - automatically generating "lore" for each `input` to a solution in `resholvePackage`. - update README - restructuring some nix components to better support my local dev and CI workflows. - moved package tests into passthru/tests.nix (cuts `bats` out of resholve's immediate dependencies, makes it possible to add my existing Nix API test). - move my oil-dev patches out of resholve into a separate repo (no oil rebuild every time resholve's source changes). Also moving oil-dev into its own Nix file here, to ~track the default.nix in its own repo.
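{ lib
, fetchFromGitHub
, runCommand
, yallback
, yara
}:

/* TODO/CAUTION:

   I don't want to discourage use, but I'm not sure how stable
   the API is. Have fun, but be prepared to track changes! :)

   For _now_, binlore is basically a thin wrapper around
   `<invoke yara> | <postprocess with yallback>` with support
   for running it on a derivation, saving the result in the
   store, and aggregating results from a set of packages.

   In the longer term, I suspect there are more uses for this
   general pattern (i.e., run some analysis tool that produces
   a deterministic output and cache the result per package...).

   I'm not sure how that'll look and if it'll be the case that
   binlore automatically collects all of them, or if you'll be
   configuring which "kind(s)" of lore it generates. Nailing
   that down will almost certainly mean reworking the API.

   Trust boundary, as far as this file is concerned: everything
   that gets *executed* during analysis (the YARA rules, the
   yallback callbacks, the per-package override scripts) comes
   from the hash-pinned `src` below or from nixpkgs (yara,
   yallback). The analyzed package is only *read* -- yara scans
   its bin/ -- it is not run by anything here.
*/

let
  # Hash-pinned source of the rules/callbacks/overrides. `rev` is a
  # tag (mutable upstream), so `hash` is what actually guarantees we
  # analyze with the intended inputs.
  src = fetchFromGitHub {
    owner = "abathur";
    repo = "binlore";
    rev = "v0.1.3";
    hash = "sha256-+rgv8gAQ3ptOpL/EhbKr/jq+k/4Lpn06/2qON+Ps2wE=";
  };

  /*
  binlore has one or more yallbacks responsible for
  routing the appropriate lore to a named file in the
  appropriate format. At some point I might try to do
  something fancy with this, but for now the answer to
  *all* questions about the lore is: the bare minimum
  to get resholve over the next feature hump in time to
  hopefully slip this feature in before the branch-off.
  */
  # TODO: feeling really uninspired on the API
  loreDef = {
    # YARA rule file
    rules = (src + /execers.yar);
    # output filenames; "types" of lore
    types = [ "execers" "wrappers" ];
    # shell rule callbacks; see github.com/abathur/yallback
    yallback = (src + /execers.yall);
    # Shell snippet (spliced into `make`'s build script) that generates
    # the lore for one derivation.
    #   lore      - this attrset (rules/types/yallback)
    #   drv       - the package to analyze (its bin/ is scanned)
    #   overrides - directory of per-package override scripts
    # The snippet relies on `$identifier` and `$drv` being set in the
    # build environment; `make` provides both.
    # TODO:
    # - echo for debug, can be removed at some point
    # - I really just wanted to put the bit after the pipe
    #   in here, but I'm erring on the side of flexibility
    #   since this form will make it easier to pilot other
    #   uses of binlore.
    callback = lore: drv: overrides: ''
      if [[ -d "${drv}/bin" ]]; then
        echo "generating binlore for $drv by running:"
        echo "${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback}"
      else
        echo "failed to generate binlore for $drv (${drv}/bin doesn't exist)"
      fi
    '' +
    /*
    Override lore for some packages. Unsure, but for now:
    1. start with the ~name (pname-version)
    2. remove characters from the end until we find a match
       in overrides/
    3. execute the override script with the list of expected
       lore types
    */
    ''
      # Longest-prefix match of $identifier against the file names in
      # overrides/. Caveat: a very short override name (say "a") would
      # claim every package whose name starts with it, so keep override
      # file names as specific as the package they target.
      # (`(( ))` is used for the numeric test; `[[ $i > 0 ]]` would be a
      # string comparison.)
      filter=
      i=''${#identifier}
      while (( i > 0 )); do
        if [[ -f "${overrides}/''${identifier:0:$i}" ]]; then
          filter="${overrides}/''${identifier:0:$i}"
          echo "using $filter to generate overridden binlore for $drv"
          break
        fi
        # `(( ))` exits non-zero when its value is 0; don't trip `set -e`
        ((i--)) || true
      done
      if [[ -d "${drv}/bin" ]]; then
        # Assuming stdenv's usual `set -e -o pipefail`, a yara or
        # yallback failure fails this build instead of quietly leaving
        # the lore files empty (and the consumer none the wiser).
        ${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback} "$filter"
      fi
    '';
  };

  # Per-package override scripts shipped with binlore itself.
  overrides = (src + /overrides);

in rec {
  # Aggregate lore for a set of packages: one output file per lore type,
  # holding the concatenated per-package lore (in `drvs` order).
  #   lore - lore definition (default: loreDef)
  #   drvs - list of derivations; each is analyzed via `make` on its
  #          `bin` output (lib.getBin)
  collect = { lore ? loreDef, drvs }: (runCommand "more-binlore" { } ''
    mkdir $out
    for lorefile in ${toString lore.types}; do
      # /dev/null keeps cat off stdin when `drvs` is empty
      cat /dev/null ${lib.concatMapStrings (x: x + "/$lorefile ") (map (make lore) (map lib.getBin drvs))} > $out/$lorefile
    done
  '');

  # Generate (and cache in the store) the lore for a single derivation.
  # Output: a directory with one file per entry in `lore.types`.
  # TODO: echo for debug, can be removed at some point
  make = lore: drv: runCommand "${drv.name}-binlore" {
    identifier = drv.name;
    drv = drv;
  } (''
    mkdir $out
    # Pre-create every lore file so `collect` can `cat` them even when
    # the callback writes nothing (e.g. the package has no bin/). A
    # `touch $out/{a,b}` brace expansion would not expand for a single
    # lore type (it would create a file literally named "{a}"), so loop.
    for loretype in ${toString lore.types}; do
      touch "$out/$loretype"
    done

    ${lore.callback lore drv overrides}

    echo "binlore for $drv written to $out"
  '');
}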