ci: use AOSP clang in Docker image, fix kmod build

- Add Google's AOSP clang (clang-r487747c, same as Pixel kernel build) to the CI Docker image via sparse checkout. Distro clang caused ABI mismatches leading to bootloops on device. - Update kmod workflow to use the Docker image + AOSP clang instead of system clang from apt. - Replace symvers with real vmlinux.symvers from Pixel kernel build (8050 symbols vs 4060 from device .ko extraction). - Add kmod build deps (bc, kmod, cpio, binutils-aarch64) to Docker image.
2026-04-29 15:12:31 +00:00 · 2026-04-11 20:53:20 +03:00 · 2026-04-11 20:53:20 +03:00 · 5ee50935c4
commit 5ee50935c4
parent a49c8bfea7
3 changed files with 8069 additions and 4034 deletions
--- a/.github/docker/ci/Dockerfile
+++ b/.github/docker/ci/Dockerfile
@ -1,9 +1,11 @@
-# CI image for vpnhide-zygisk.
+# CI image for vpnhide.
 #
-# Bakes in everything build-zip.sh needs so each CI run skips ~3-5
-# minutes of NDK download + apt installs + cargo-install. Rebuilt by
-# the ci-image.yml workflow when this Dockerfile changes (and once a
-# month on schedule).
+# Bakes in everything needed for all three modules:
+#   - Rust + NDK + cargo-ndk (zygisk)
+#   - JDK 17 (lsposed, test-app)
+#   - Google AOSP clang + cross-compile tools (kmod)
+#
+# Rebuilt by ci-image.yml when this Dockerfile changes (and monthly).

 FROM ubuntu:24.04

@ -15,9 +17,12 @@ RUN apt-get update && \
        build-essential pkg-config \
        cmake ninja-build \
        openjdk-17-jdk-headless \
+        bc kmod cpio \
+        binutils-aarch64-linux-gnu \
        git && \
    rm -rf /var/lib/apt/lists/*

+# ── Rust toolchain (for zygisk) ──────────────────────────────────────
 ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH
@ -28,6 +33,7 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
    cargo install cargo-ndk --locked && \
    chmod -R a+w /usr/local/rustup /usr/local/cargo

+# ── Android NDK (for zygisk) ─────────────────────────────────────────
 ENV ANDROID_NDK_VERSION=r28b
 ENV ANDROID_NDK_HOME=/opt/android-ndk

@ -35,6 +41,20 @@ RUN curl -fsSL -o /tmp/ndk.zip \
        "https://dl.google.com/android/repository/android-ndk-${ANDROID_NDK_VERSION}-linux.zip" && \
    unzip -q /tmp/ndk.zip -d /opt && \
    mv "/opt/android-ndk-${ANDROID_NDK_VERSION}" "${ANDROID_NDK_HOME}" && \
-    rm /tmp/ndk.zip
+    rm /tmp/ndk.zip && \
+    chmod -R a+rx "${ANDROID_NDK_HOME}"

-RUN chmod -R a+rx "${ANDROID_NDK_HOME}"
+# ── Google AOSP clang (for kmod) ─────────────────────────────────────
+# Same toolchain that built the Pixel GKI kernel — avoids ABI mismatches
+# that cause bootloops with distro clang.
+ENV AOSP_CLANG_VERSION=clang-r487747c
+ENV AOSP_CLANG_DIR=/opt/aosp-clang
+
+RUN git clone --depth=1 --filter=blob:none --sparse \
+        https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86 \
+        /tmp/clang-repo && \
+    cd /tmp/clang-repo && \
+    git sparse-checkout set ${AOSP_CLANG_VERSION} && \
+    mv ${AOSP_CLANG_VERSION} ${AOSP_CLANG_DIR} && \
+    rm -rf /tmp/clang-repo && \
+    chmod -R a+rx ${AOSP_CLANG_DIR}
--- a/.github/workflows/kmod.yml
+++ b/.github/workflows/kmod.yml
@ -5,6 +5,7 @@ on:
    paths:
      - 'kmod/**'
      - '.github/workflows/kmod.yml'
+      - '.github/docker/ci/Dockerfile'
  pull_request:
    paths:
      - 'kmod/**'
@ -13,32 +14,38 @@ on:

 permissions:
  contents: write
+  packages: read

 jobs:
  build:
    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/${{ github.repository }}/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
    strategy:
      matrix:
        gki:
          - branch: android14-6.1
            symvers: kmod/symvers/android14-6.1.symvers

+    env:
+      CLANG_DIR: /opt/aosp-clang/bin
+
    steps:
      - uses: actions/checkout@v4

-      - name: Install build dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-              bc kmod clang lld llvm \
-              binutils-aarch64-linux-gnu
+      - name: Mark workspace safe
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Cache kernel source
        uses: actions/cache@v4
        id: kernel-cache
        with:
          path: kernel-source
-          key: kernel-${{ matrix.gki.branch }}-v1
+          key: kernel-${{ matrix.gki.branch }}-v2

      - name: Clone kernel source (shallow)
        if: steps.kernel-cache.outputs.cache-hit != 'true'
@ -52,35 +59,53 @@ jobs:
          cd kernel-source

          make ARCH=arm64 LLVM=1 LLVM_IAS=1 \
+              CC=$CLANG_DIR/clang LD=$CLANG_DIR/ld.lld \
+              AR=$CLANG_DIR/llvm-ar NM=$CLANG_DIR/llvm-nm \
+              OBJCOPY=$CLANG_DIR/llvm-objcopy \
+              OBJDUMP=$CLANG_DIR/llvm-objdump \
+              STRIP=$CLANG_DIR/llvm-strip \
              CROSS_COMPILE=aarch64-linux-gnu- \
              gki_defconfig

          touch abi_symbollist.raw

          make ARCH=arm64 LLVM=1 LLVM_IAS=1 \
+              CC=$CLANG_DIR/clang LD=$CLANG_DIR/ld.lld \
+              AR=$CLANG_DIR/llvm-ar NM=$CLANG_DIR/llvm-nm \
+              OBJCOPY=$CLANG_DIR/llvm-objcopy \
+              OBJDUMP=$CLANG_DIR/llvm-objdump \
+              STRIP=$CLANG_DIR/llvm-strip \
              CROSS_COMPILE=aarch64-linux-gnu- \
              olddefconfig prepare || true

-          clang -E -Wp,-MD,scripts/.module.lds.d -nostdinc \
-              -I arch/arm64/include -I arch/arm64/include/generated \
-              -I include -I include/generated \
-              -include include/linux/kconfig.h \
-              -D__KERNEL__ -DCC_USING_PATCHABLE_FUNCTION_ENTRY \
-              --target=aarch64-linux-gnu -x c scripts/module.lds.S \
-              2>/dev/null | grep -v '^#' > scripts/module.lds
-          sed -i 's/((1UL) << 12)/4096/g' scripts/module.lds
+          # Generate module.lds (make prepare sometimes skips this)
+          if [ ! -f scripts/module.lds ]; then
+              $CLANG_DIR/clang -E -Wp,-MD,scripts/.module.lds.d -nostdinc \
+                  -I arch/arm64/include -I arch/arm64/include/generated \
+                  -I include -I include/generated \
+                  -include include/linux/kconfig.h \
+                  -D__KERNEL__ -DCC_USING_PATCHABLE_FUNCTION_ENTRY \
+                  --target=aarch64-linux-gnu -x c scripts/module.lds.S \
+                  2>/dev/null | grep -v '^#' > scripts/module.lds
+              sed -i 's/((1UL) << 12)/4096/g' scripts/module.lds
+          fi

          cp "$GITHUB_WORKSPACE/${{ matrix.gki.symvers }}" Module.symvers

-          PLACEHOLDER="6.1.999-placeholder-$(printf 'x%.0s' $(seq 1 100))"
-          echo "#define UTS_RELEASE \"$PLACEHOLDER\"" \
+          echo '#define UTS_RELEASE "6.1.0-vpnhide-ci"' \
              > include/generated/utsrelease.h
-          echo -n "$PLACEHOLDER" > include/config/kernel.release
+          echo -n "6.1.0-vpnhide-ci" > include/config/kernel.release

      - name: Build kernel module
        run: |
-          make -C kernel-source M=$GITHUB_WORKSPACE/kmod \
+          export KERNEL_SRC=$GITHUB_WORKSPACE/kernel-source
+          make -C $KERNEL_SRC M=$GITHUB_WORKSPACE/kmod \
              ARCH=arm64 LLVM=1 LLVM_IAS=1 \
+              CC=$CLANG_DIR/clang LD=$CLANG_DIR/ld.lld \
+              AR=$CLANG_DIR/llvm-ar NM=$CLANG_DIR/llvm-nm \
+              OBJCOPY=$CLANG_DIR/llvm-objcopy \
+              OBJDUMP=$CLANG_DIR/llvm-objdump \
+              STRIP=$CLANG_DIR/llvm-strip \
              CROSS_COMPILE=aarch64-linux-gnu- \
              modules
          ls -lh kmod/vpnhide_kmod.ko