Integration Hillock

.cargo/config_mold.toml

@@ -0,0 +1,2 @@
+[build]
+rustflags = ["-C", "link-arg=-fuse-ld=mold"]

.devcontainer/Dockerfile

@@ -46,9 +46,13 @@ RUN groupadd --gid $USER_GID $USERNAME \
 # Copy bpftool binary to /usr/local/bin to avoid noexec issues with /tmp
 RUN cp /tmp/linux/tools/bpf/bpftool/bpftool /usr/local/bin/bpftool && chmod +x /usr/local/bin/bpftool
 
+# Install Rust for root so the devcontainer can run as root.
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 # Install Rust for the vscode user (not root)
 USER $USERNAME
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="/home/${USERNAME}/.cargo/bin:${PATH}"
 
-WORKDIR /home/$USERNAME/workspace
+WORKDIR /workspace

.devcontainer/devcontainer.json

@@ -12,7 +12,10 @@
   "runArgs": [
     "--privileged",
     "--cap-add=SYS_ADMIN",
-    "--cap-add=NET_ADMIN"
+    "--cap-add=NET_ADMIN",
+    "--cap-add=BPF",
+    "--cap-add=SYS_RESOURCE",
+    "--network=host"
   ],
   "customizations": {
     "vscode": {
@@ -28,8 +31,10 @@
       ]
     }
   },
-  "remoteUser": "vscode",
-  "postStartCommand": "sudo mount -t bpf bpf /sys/fs/bpf || true && sudo mount -t debugfs none /sys/kernel/debug || true && sudo sysctl -w kernel.unprivileged_bpf_disabled=0 || true && sudo ulimit -l unlimited || true",
-  "postCreateCommand": "if [ -r /sys/kernel/btf/vmlinux ]; then /usr/local/bin/bpftool btf dump file /sys/kernel/btf/vmlinux format c > /home/vscode/vmlinux.h; else echo 'Skipping vmlinux.h generation: /sys/kernel/btf/vmlinux is unavailable'; fi && git clone git@github.com:arxignis/citadel.git /home/vscode/workspace && mkdir -p /home/vscode/workspace/src/security/firewall/bpf/include && if [ -f /home/vscode/vmlinux.h ]; then cp /home/vscode/vmlinux.h /home/vscode/workspace/src/security/firewall/bpf/include/vmlinux.h; fi",
-  "workspaceFolder": "/home/vscode/workspace"
+  "containerUser": "root",
+  "remoteUser": "root",
+  "postStartCommand": "mount -t bpf bpf /sys/fs/bpf || true && mount -t debugfs none /sys/kernel/debug || true && sysctl -w kernel.unprivileged_bpf_disabled=0 || true && ulimit -l unlimited || true",
+  "postCreateCommand": "mkdir -p /workspace/src/security/firewall/bpf/include && if [ -r /sys/kernel/btf/vmlinux ]; then /usr/local/bin/bpftool btf dump file /sys/kernel/btf/vmlinux format c > /workspace/src/security/firewall/bpf/include/vmlinux.h; else echo 'Skipping vmlinux.h generation: /sys/kernel/btf/vmlinux is unavailable'; fi",
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
+  "workspaceFolder": "/workspace"
 }

Cargo.toml

@@ -125,6 +125,8 @@ pingora-memory-cache = { git = "https://github.com/gen0sec/pingora", rev = "c921
 #nstealth = { path = "../nstealth" }
 nstealth = { git = "https://github.com/gen0sec/nstealth", rev = "3c87751b9d9537b055a119f155a730360a7d0078" }
 
+hillock = { git = "https://github.com/gen0sec/hillock.git", rev = "ac495d1f5b6dac69967b7fafdf3eccbdca91b4d4" }
+
 mimalloc = { version = "0.1.48", default-features = false }
 crossbeam-channel = "0.5"
 dashmap = "7.0.0-rc2"

config/security_rules.yaml

@@ -13,6 +13,20 @@ access_rules:
   id: "local-rules"
   name: "Local Access Rules"
   description: "Static access rules loaded from local configuration file"
+  config:
+    firewall_rules: []
+      # Example Hillock firewall rules:
+      # - direction: ingress
+      #   src_ip: "192.0.2.0/24"
+      #   dst_ip: "10.0.0.10/32"
+      #   dst_port: 443
+      #   protocol: tcp
+      #   action: block
+      # - direction: egress
+      #   dst_ip: "198.51.100.0/24"
+      #   dst_port: "80-443"
+      #   protocol: tcp
+      #   action: block
 
   # Allow list - IPs that are always allowed
   allow:

docker-compose.yml

@@ -1,5 +1,31 @@
 services:
 
+  synapse-dev:
+    build:
+      context: .
+      dockerfile: pkg/docker/build.Dockerfile
+      args:
+        REQUIRE_GITHUB_TOKEN: "0"
+    image: synapse-dev:latest
+    container_name: synapse-dev
+    privileged: true
+    cap_add:
+      - SYS_ADMIN
+      - NET_ADMIN
+      - BPF
+      - SYS_RESOURCE
+    network_mode: host
+    volumes:
+      - .:/workspace:cached
+    environment:
+      - RUST_LOG=debug
+      - CARGO_TERM_COLOR=always
+      - CARGO_NET_GIT_FETCH_WITH_CLI=true
+    working_dir: /workspace
+    command: ["/bin/bash"]
+    stdin_open: true
+    tty: true
+
   # synapse:
   #   build:
   #     context: .

pkg/deb/Dockerfile

@@ -12,9 +12,6 @@ RUN apt-get update && \
       curl \
       gnupg \
       lsb-release && \
-    curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - && \
-    echo "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-10 main" >> /etc/apt/sources.list.d/llvm.list && \
-    apt-get update && \
     apt-get install -y --no-install-recommends --allow-downgrades \
       libc6=2.27-3ubuntu1.5 \
       libc6-dev \
@@ -24,8 +21,6 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
       git \
       build-essential \
-      clang-10 \
-      llvm-10 \
       libelf-dev \
       libelf1 \
       libssl-dev \
@@ -37,9 +32,19 @@ RUN apt-get update && \
       rsync \
       devscripts \
       equivs \
-      debhelper && \
-    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-10 100 && \
-    update-alternatives --install /usr/bin/llc llc /usr/bin/llc-10 100 && \
+      debhelper \
+      xz-utils && \
+    arch="$(dpkg --print-architecture)" && \
+    case "$arch" in \
+      arm64) llvm_pkg="clang+llvm-13.0.1-aarch64-linux-gnu.tar.xz" ;; \
+      amd64) llvm_pkg="clang+llvm-13.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" ;; \
+      *) echo "Unsupported architecture for LLVM: $arch" >&2; exit 1 ;; \
+    esac && \
+    curl -fsSL "https://github.com/llvm/llvm-project/releases/download/llvmorg-13.0.1/${llvm_pkg}" -o "/tmp/${llvm_pkg}" && \
+    llvm_dir="$(tar -tJf "/tmp/${llvm_pkg}" | head -1 | cut -f1 -d'/')" && \
+    tar -xJf "/tmp/${llvm_pkg}" -C /opt && \
+    ln -sf "/opt/${llvm_dir}/bin/"* /usr/local/bin/ && \
+    rm "/tmp/${llvm_pkg}" && \
     rm -rf /var/lib/apt/lists/*
 
 RUN apt-get update && \

pkg/debug/build.Dockerfile

@@ -13,9 +13,6 @@ RUN apt-get update && \
       curl \
       gnupg \
       lsb-release && \
-    curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - && \
-    echo "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-10 main" >> /etc/apt/sources.list.d/llvm.list && \
-    apt-get update && \
     apt-get install -y --no-install-recommends --allow-downgrades \
       libc6=2.27-3ubuntu1.5 \
       libc6-dev \
@@ -25,8 +22,6 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
       git \
       build-essential \
-      clang-10 \
-      llvm-10 \
       libelf-dev \
       libelf1 \
       libssl-dev \
@@ -35,9 +30,19 @@ RUN apt-get update && \
       pkg-config \
       libcap-dev \
       binutils-multiarch-dev \
-      cmake && \
-    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-10 100 && \
-    update-alternatives --install /usr/bin/llc llc /usr/bin/llc-10 100 && \
+      cmake \
+      xz-utils && \
+    arch="$(dpkg --print-architecture)" && \
+    case "$arch" in \
+      arm64) llvm_pkg="clang+llvm-13.0.1-aarch64-linux-gnu.tar.xz" ;; \
+      amd64) llvm_pkg="clang+llvm-13.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" ;; \
+      *) echo "Unsupported architecture for LLVM: $arch" >&2; exit 1 ;; \
+    esac && \
+    curl -fsSL "https://github.com/llvm/llvm-project/releases/download/llvmorg-13.0.1/${llvm_pkg}" -o "/tmp/${llvm_pkg}" && \
+    llvm_dir="$(tar -tJf "/tmp/${llvm_pkg}" | head -1 | cut -f1 -d'/')" && \
+    tar -xJf "/tmp/${llvm_pkg}" -C /opt && \
+    ln -sf "/opt/${llvm_dir}/bin/"* /usr/local/bin/ && \
+    rm "/tmp/${llvm_pkg}" && \
     rm -rf /var/lib/apt/lists/*
 
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && \

pkg/docker/Dockerfile

@@ -15,9 +15,6 @@ RUN apt-get update && \
       curl \
       gnupg \
       lsb-release && \
-    curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - && \
-    echo "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-10 main" >> /etc/apt/sources.list.d/llvm.list && \
-    apt-get update && \
     apt-get install -y --no-install-recommends --allow-downgrades \
       libc6=2.27-3ubuntu1.5 \
       libc6-dev \
@@ -27,18 +24,26 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
       git \
       build-essential \
-      clang-10 \
-      llvm-10 \
       libelf-dev \
       libelf1 \
       libssl-dev \
       zlib1g-dev \
       libzstd-dev \
       pkg-config \
       libcap-dev \
-      binutils-multiarch-dev && \
-    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-10 100 && \
-    update-alternatives --install /usr/bin/llc llc /usr/bin/llc-10 100 && \
+      binutils-multiarch-dev \
+      xz-utils && \
+    arch="$(dpkg --print-architecture)" && \
+    case "$arch" in \
+      arm64) llvm_pkg="clang+llvm-13.0.1-aarch64-linux-gnu.tar.xz" ;; \
+      amd64) llvm_pkg="clang+llvm-13.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" ;; \
+      *) echo "Unsupported architecture for LLVM: $arch" >&2; exit 1 ;; \
+    esac && \
+    curl -fsSL "https://github.com/llvm/llvm-project/releases/download/llvmorg-13.0.1/${llvm_pkg}" -o "/tmp/${llvm_pkg}" && \
+    llvm_dir="$(tar -tJf "/tmp/${llvm_pkg}" | head -1 | cut -f1 -d'/')" && \
+    tar -xJf "/tmp/${llvm_pkg}" -C /opt && \
+    ln -sf "/opt/${llvm_dir}/bin/"* /usr/local/bin/ && \
+    rm "/tmp/${llvm_pkg}" && \
     rm -rf /var/lib/apt/lists/*
 
 RUN apt-get update && \