Add make test-annocheck to detect security issues.

* Note that as the annocheck binary package is not available on Ubuntu, and it is working in progress in Debian, the script uses Fedora container, and it requires docker or podman command. https://www.debian.org/devel/wnpp/itp.en.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470 * .github/workflows/compilers.yml: Add "gcc-11 annocheck" case. To pass the CI, set `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` for now. See <https://bugs.ruby-lang.org/issues/18061>. * Skip MJIT tests in case of annocheck case. The MJIT tests fail in the annocheck case. See <https://bugs.ruby-lang.org/issues/18781>.
Merged: https://github.com/ruby/ruby/pull/5900
2022-11-09 12:17:21 -05:00 · 2022-05-10 16:34:08 +02:00 · 2022-05-10 16:34:08 +02:00 · dccfff943c · 2022-05-16 17:10:46 +09:00
commit dccfff943c
parent 36efb2a146
5 changed files with 73 additions and 0 deletions
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@ -60,6 +60,8 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
+        env:
+          - {}
        entry:
          - { key: default_cc, name: gcc-11,    value: gcc-11,    container: gcc-11 }
          - { key: default_cc, name: gcc-10,    value: gcc-10,    container: gcc-10 }
@ -75,6 +77,18 @@ jobs:
            container: gcc-11
            configure_append: '--disable-shared optflags=-O2'
            # check: true
+          - key: default_cc
+            name: 'gcc-11 annocheck'
+            # Minimal flags to pass the check.
+            value: 'gcc-11 -O2 -fcf-protection -Wl,-z,now'
+            container: gcc-11
+            env:
+              # FIXME: Drop skiping options
+              # https://bugs.ruby-lang.org/issues/18061
+              # https://sourceware.org/annobin/annobin.html/Test-pie.html
+              # https://sourceware.org/annobin/annobin.html/Test-notes.html
+              TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"
+            check: true
          - { key: default_cc, name: clang-15,  value: clang-15,  container: clang-15 }
          - { key: default_cc, name: clang-14,  value: clang-14,  container: clang-14 }
          - { key: default_cc, name: clang-13,  value: clang-13,  container: clang-13 }
@ -199,6 +213,7 @@ jobs:
      image: ghcr.io/ruby/ruby-ci-image:${{ matrix.entry.container || 'clang-14' }}
      options: --user root
    if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+    env: ${{ matrix.entry.env || matrix.env }}
    steps:
      - run: id
        working-directory:
@ -233,10 +248,19 @@ jobs:
        if: ${{ matrix.entry.check }}
      - run: make test-tool
        if: ${{ matrix.entry.check }}
+      # FIXME: Skip MJIT tests failing in the annocheck case.
+      # https://bugs.ruby-lang.org/issues/18781
+      - run: |
+          rm test/ruby/test_jit.rb
+          rm test/ruby/test_rubyvm_jit.rb
+        if: ${{ endsWith(matrix.entry.name, 'annocheck') }}
+        working-directory: src
      - run: make test-all TESTS='-- ruby -ext-'
        if: ${{ matrix.entry.check }}
      - run: make test-spec
        if: ${{ matrix.entry.check }}
+      - run: make test-annocheck
+        if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}

      - uses: k0kubun/action-slack@v2.0.0
        with:
--- a/common.mk
+++ b/common.mk
@ -1447,6 +1447,11 @@ yes-test-bundler-parallel: yes-test-bundler-prepare
 		$(PARALLELRSPECOPTS) $(srcdir)/spec/bundler/$(BUNDLER_SPECS)
 no-test-bundler-parallel:

+test-annocheck: $(TEST_RUNNABLE)-test-annocheck
+yes-test-annocheck: $(PROGRAM)
+	$(tooldir)/test-annocheck.sh $(PROGRAM)
+no-test-annocheck: PHONY
+
 GEM = up
 sync-default-gems:
 	$(Q) $(XRUBY) -C "$(srcdir)" tool/sync_default_gems.rb $(GEM)
--- a/tool/annocheck/Dockerfile
+++ b/tool/annocheck/Dockerfile
@ -0,0 +1,4 @@
+FROM docker.io/fedora:latest
+
+RUN dnf -y install annobin-annocheck
+WORKDIR /work
--- a/tool/annocheck/Dockerfile-copy
+++ b/tool/annocheck/Dockerfile-copy
@ -0,0 +1,7 @@
+FROM docker.io/fedora:latest
+ARG FILES
+
+RUN dnf -y install annobin-annocheck
+RUN mkdir /work
+COPY ${FILES} /work
+WORKDIR /work
--- a/tool/test-annocheck.sh
+++ b/tool/test-annocheck.sh
@ -0,0 +1,33 @@
+#!/bin/sh -eu
+# Run the `tool/test-annocheck.sh [binary files]` to check security issues
+# by annocheck <https://sourceware.org/annobin/>.
+#
+# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
+#
+# Note that as the annocheck binary package is not available on Ubuntu, and it
+# is working in progress in Debian, this script uses Fedora container for now.
+# It requires docker or podman.
+# https://www.debian.org/devel/wnpp/itp.en.html
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
+
+set -x
+
+DOCKER="$(command -v docker || command -v podman)"
+TAG=ruby-fedora-annocheck
+TOOL_DIR=$(dirname "${0}")
+DOCKER_RUN_VOLUME_OPTS=
+
+if [ -z "${CI-}" ]; then
+  # Use a volume option on local (non-CI).
+  DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
+  "${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
+else
+  # TODO: A temporary workaround on CI to build by copying binary files from
+  # host to container without volume option, as I couldn't find a way to use
+  # volume in container in container on GitHub Actions
+  # <.github/workflows/compilers.yml>.
+  TAG="${TAG}-copy"
+  "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
+fi
+
+"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"