CTSRD-CHERI · brooksdavis · Mar 24, 2025 · Mar 24, 2025 · Mar 24, 2025 · Mar 24, 2025
diff --git a/Makefile.local b/Makefile.local
@@ -0,0 +1 @@
+SUBDIR += cheri-demos
diff --git a/Mk/Uses/vulnerable.mk b/Mk/Uses/vulnerable.mk
@@ -0,0 +1,28 @@
+# handle ports containing deliberate vulnerabilities
+#
+# Features:	vulnerable
+# Usage:	USES=vulnerable
+# Valid ARGS:	<none>
+#
+# It is sometimes useful to demonstrate software that contains
+# unpatched or deliberately introduced vulnerabilities, but doing so is
+# risky.  When ports are labled vulnerable they can not be built
+# unless ALLOW_DELIBERATE_VULNERABILITIES is defined and when built
+# they contain a warning to this effect.
+
+.if !include(_INCLUDE_USES_VULNERABLE_MK)
+_INCLUDE_USES_VULNERABLE_MK=	yes
+
+_VULNS_VAR=	ALLOW_DELIBERATE_VULNERABILITIES
+
+.  if emptry(vulnerable_ARGS)
+
+BROKEN=
+.  else
+.    ifndef ${_VULNS_VAR}
+BROKEN=	Contains deliberate vulnerabilities (define ${_VULNS_VAR} to build)
+.    endif
+_PKGMESSAGES+=	${PORTSDIR}/Templates/pkg-message-vulnerable
+PKGNAMEPREFIX=	vulnerable-
+.  endif
+.endif
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
@@ -2675,6 +2675,8 @@ VALID_CATEGORIES+= accessibility afterstep arabic archivers astro audio \
 	x11 x11-clocks x11-drivers x11-fm x11-fonts x11-servers x11-themes \
 	x11-toolkits x11-wm xfce zope base
 
+VALID_CATEGORIES+=	cheri-demos
+
 check-categories:
 .      for cat in ${CATEGORIES}
 .        if empty(VALID_CATEGORIES:M${cat})

diff --git a/Templates/pkg-message-vulnerable b/Templates/pkg-message-vulnerable
@@ -0,0 +1,23 @@
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+          __        __               _             _
+          \ \      / /_ _ _ __ _ __ (_)_ __   __ _| |
+           \ \ /\ / / _` | '__| '_ \| | '_ \ / _` | |
+            \ V  V / (_| | |  | | | | | | | | (_| |_|
+             \_/\_/ \__,_|_|  |_| |_|_|_| |_|\__, (_)
+                                             |___/
+
+
+This port/package contaings unpatched or deliberately introduced
+vulnerabilities to demonstrate security features.
+
+Do not use in production or otherwise expose to the network without a
+clear understanding of the risks.
+
+          __        __               _             _
+          \ \      / /_ _ _ __ _ __ (_)_ __   __ _| |
+           \ \ /\ / / _` | '__| '_ \| | '_ \ / _` | |
+            \ V  V / (_| | |  | | | | | | | | (_| |_|
+             \_/\_/ \__,_|_|  |_| |_|_|_| |_|\__, (_)
+                                             |___/
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
diff --git a/cheri-demos/Makefile b/cheri-demos/Makefile
@@ -0,0 +1,6 @@
+    COMMENT = Assorted CHERI demos (WARNING: may contain vulnerabilities!)
+
+    SUBDIR += cheri-demos
+    SUBDIR += nginx-aixcc
+
+.include <bsd.port.subdir.mk>
diff --git a/cheri-demos/cheri-demos/Makefile b/cheri-demos/cheri-demos/Makefile
@@ -0,0 +1,24 @@
+PORTNAME=	cheri-demos
+PORTVERSION=	0.1
+CATEGORIES=	cheri-demos
+MASTER_SITES=	# none
+
+MAINTAINER=	brooks@FreeBSD.org
+COMMENT=	Meta-port for CHERI demos
+WWW=		https://cheribsd.org/
+
+LICENSE=	NONE
+
+USES=		metaport
+
+# XXX: we probably want hybrid and purecap versions of default
+FLAVORS=	default vulnerable
+FLAVOR?=	${FLAVORS:[1]}
+default_RUN_DEPENDS=	git:devel/git
+vulnerable_RUN_DEPENDS=
+
+.if ${FLAVOR} == "vulnerable"
+USES+=	vulnerable
+.endif
+
+.include <bsd.port.mk>
diff --git a/cheri-demos/cheri-demos/pkg-descr b/cheri-demos/cheri-demos/pkg-descr
@@ -0,0 +1,6 @@
+Meta-port to pull in assorted CHERI demos.  The default flavor pulls in
+harmless demos and their dependencies.
+
+The vulnerable flavor includes more risky software such as network
+servers with unpatched or deliberately introduced vulnerabilities and
+should be used with great care.
diff --git a/cheri-demos/nginx-aixcc/Makefile b/cheri-demos/nginx-aixcc/Makefile
@@ -0,0 +1,43 @@
+PORTNAME=	nginx-aixcc
+PORTVERSION=	${NGINX_RELEASE}.d${SNAPDATE}
+PORTREVISION=	0
+CATEGORIES=	www
+
+MAINTAINER=	alfredo.mazzinghi@cl.cam.ac.uk
+COMMENT=	CHERI port of the nginx WWW server with vulnerabilities added by the DARPA AIxCC program.
+WWW=		https://cheribsd.org/
+
+USES+=	vulnerable
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	CTSRD-CHERI
+GH_PROJECT=	nginx
+GH_TAGNAME=	${NGINX_COMMIT}
+
+FLAVORS=	default subobject
+FLAVOR?=${FLAVORS:[1]}
+subobject_PKGNAMESUFFIX=	-subobject
+
+CONFIGURE_SCRIPT=	auto/configure
+.if ${FLAVOR:U} == subobject
+CFLAGS+=	-cheri-bounds=subobject-safe -DWITH_SUBOBJECT_SAFE
+.endif
+
+.include "${.CURDIR}/Makefile.snapshot"
+
+MASTERDIR=	${.CURDIR}/../../www/nginx
+DISTINFO_FILE=	${.CURDIR}/distinfo
+
+# The HTTPV3 option must be excluded as it is not supported by the
+# CHERI patches yet.
+OPTIONS_EXCLUDE=	HTTPV3 HTTPV3_BORING HTTPV3_LSSL HTTPV3_QTLS
+# Override MODULESDIR to not depend on PORTNAME
+DSO_VARS=		MODULESDIR=${PREFIX}/libexec/nginx
+
+# The nginx package expects the configure, LICENSE and html files to be
+# in the top-level WRKSRC directory. This is done in nginx release tarballs.
+post-extract:
+	${LN} -s ${WRKSRC}/docs/text/LICENSE ${WRKSRC}/LICENSE
+	${LN} -s ${WRKSRC}/docs/html ${WRKSRC}/html
+
+.include "${MASTERDIR}/Makefile"
diff --git a/cheri-demos/nginx-aixcc/Makefile.snapshot b/cheri-demos/nginx-aixcc/Makefile.snapshot
@@ -0,0 +1,4 @@
+NGINX_RELEASE= 1.24.0
+SNAPDATE= 20241216
+
+NGINX_COMMIT= cd88c8839e68c5b882f9a7850d772cab4468a2dd
diff --git a/cheri-demos/nginx-aixcc/distinfo b/cheri-demos/nginx-aixcc/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1734348928
+SHA256 (CTSRD-CHERI-nginx-1.24.0.d20241216-cd88c8839e68c5b882f9a7850d772cab4468a2dd_GH0.tar.gz) = 7e892561f161f2c94cec65dab30a8a3154265a46f428b04a55f93332f8431506
+SIZE (CTSRD-CHERI-nginx-1.24.0.d20241216-cd88c8839e68c5b882f9a7850d772cab4468a2dd_GH0.tar.gz) = 1129786
diff --git a/www/nginx-cheri/Makefile b/www/nginx-cheri/Makefile
@@ -3,15 +3,15 @@ PORTVERSION=	${NGINX_RELEASE}.d${SNAPDATE}
 PORTREVISION=	0
 CATEGORIES=	www
 
+MAINTAINER=	alfredo.mazzinghi@cl.cam.ac.uk
+COMMENT=	CHERI port of the nginx WWW server
+WWW=		https://cheribsd.org/
+
 USE_GITHUB=	yes
 GH_ACCOUNT=	CTSRD-CHERI
 GH_PROJECT=	nginx
 GH_TAGNAME=	${NGINX_COMMIT}
 
-MAINTAINER=	alfredo.mazzinghi@cl.cam.ac.uk
-COMMENT=	CHERI port of the nginx WWW server
-WWW=		https://cheribsd.org/
-
 FLAVORS=	default subobject
 FLAVOR?=${FLAVORS:[1]}
 subobject_PKGNAMESUFFIX=	-subobject
@@ -23,11 +23,8 @@ CFLAGS+=	-cheri-bounds=subobject-safe -DWITH_SUBOBJECT_SAFE
 
 .include "${.CURDIR}/Makefile.snapshot"
 
-NGINXDIR=	${.CURDIR}/../nginx
-FILESDIR=	${NGINXDIR}/files
-DESCR=      ${NGINXDIR}/pkg-descr
-PLIST=      ${NGINXDIR}/pkg-plist
-SLAVE_PORT?=	${PORTNAME}
+MASTERDIR=	${.CURDIR}/../nginx
+DISTINFO_FILE=	${.CURDIR}/distinfo
 
 # The HTTPV3 option must be excluded as it is not supported by the
 # CHERI patches yet.
@@ -38,7 +35,7 @@ DSO_VARS=		MODULESDIR=${PREFIX}/libexec/nginx
 # The nginx package expects the configure, LICENSE and html files to be
 # in the top-level WRKSRC directory. This is done in nginx release tarballs.
 post-extract:
-	cp ${WRKSRC}/docs/text/LICENSE ${WRKSRC}/LICENSE
-	cp -r ${WRKSRC}/docs/html ${WRKSRC}/html
+	${LN} -s ${WRKSRC}/docs/text/LICENSE ${WRKSRC}/LICENSE
+	${LN} -s ${WRKSRC}/docs/html ${WRKSRC}/html
 
-.include "${NGINXDIR}/Makefile"
+.include "${MASTERDIR}/Makefile"
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
@@ -1,4 +1,4 @@
-.ifndef SLAVE_PORT
+.ifndef MASTERDIR
 IGNORE=		is replaced by www/nginx-meta on CheriBSD
 
 PORTNAME=	nginx
@@ -22,11 +22,11 @@ CONFLICTS_INSTALL=	nginx-devel
 
 PORTSCOUT=	limit:^1\.24\.[0-9]*
 
-USES=		cpe
+USES+=		cpe
 
 CPE_VENDOR=	f5
 CPE_PRODUCT=	nginx
-.ifndef SLAVE_PORT
+.ifndef MASTERDIR
 USE_GITHUB=	nodefault
 .endif