ruby-changes:71834
From: Jun <ko1@a...>
Date: Mon, 16 May 2022 17:10:45 +0900 (JST)
Subject: [ruby-changes:71834] dccfff943c (master): Add `make test-annocheck` to detect security issues.
https://git.ruby-lang.org/ruby.git/commit/?id=dccfff943c
From dccfff943c3ea9defd91647cfa3fd8714041bb5a Mon Sep 17 00:00:00 2001
From: Jun Aruga <jaruga@r...>
Date: Tue, 10 May 2022 16:34:08 +0200
Subject: Add `make test-annocheck` to detect security issues.
* Note that as the annocheck binary package is not available on Ubuntu, and it is working in progress in Debian, the script uses Fedora container, and it requires docker or podman command.
https://www.debian.org/devel/wnpp/itp.en.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
* .github/workflows/compilers.yml: Add "gcc-11 annocheck" case. To pass the CI, set `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` for now. See <https://bugs.ruby-lang.org/issues/18061>.
* Skip MJIT tests in case of annocheck case. The MJIT tests fail in the annocheck case. See <https://bugs.ruby-lang.org/issues/18781>.
---
.github/workflows/compilers.yml | 24 ++++++++++++++++++++++++
common.mk | 5 +++++
tool/annocheck/Dockerfile | 4 ++++
tool/annocheck/Dockerfile-copy | 7 +++++++
tool/test-annocheck.sh | 33 +++++++++++++++++++++++++++++++++
5 files changed, 73 insertions(+)
create mode 100644 tool/annocheck/Dockerfile
create mode 100644 tool/annocheck/Dockerfile-copy
create mode 100755 tool/test-annocheck.sh
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index 9aa7d407f4..ddb53cadb8 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -60,6 +60,8 @@ jobs: https://github.com/ruby/ruby/blob/trunk/.github/workflows/compilers.yml#L60
 strategy:
 fail-fast: false
 matrix:
+ env:
+ - {}
 entry:
 - { key: default_cc, name: gcc-11, value: gcc-11, container: gcc-11 }
 - { key: default_cc, name: gcc-10, value: gcc-10, container: gcc-10 }
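Review bot: The `- {}` entry added under `matrix.env` carries no comment saying why it exists, so a later reader is likely to drop it as dead configuration; as far as this diff shows, its only purpose is to give the job-level `env: ${{ matrix.entry.env || matrix.env }}` (added further down in this file) a defined empty object to fall back on when a matrix entry declares no `env`. A one-line comment above it would prevent that, e.g. `# Empty default so the job-level env fallback always resolves to an object.` The `strategy:` block continues outside the hunk.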
@@ -75,6 +77,18 @@ jobs: https://github.com/ruby/ruby/blob/trunk/.github/workflows/compilers.yml#L77
 container: gcc-11
 configure_append: '--disable-shared optflags=-O2'
 # check: true
+ - key: default_cc
+ name: 'gcc-11 annocheck'
+ # Minimal flags to pass the check.
+ value: 'gcc-11 -O2 -fcf-protection -Wl,-z,now'
+ container: gcc-11
+ env:
+ # FIXME: Drop skiping options
+ # https://bugs.ruby-lang.org/issues/18061
+ # https://sourceware.org/annobin/annobin.html/Test-pie.html
+ # https://sourceware.org/annobin/annobin.html/Test-notes.html
+ TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"
+ check: true
 - { key: default_cc, name: clang-15, value: clang-15, container: clang-15 }
 - { key: default_cc, name: clang-14, value: clang-14, container: clang-14 }
 - { key: default_cc, name: clang-13, value: clang-13, container: clang-13 }
@@ -199,6 +213,7 @@ jobs: https://github.com/ruby/ruby/blob/trunk/.github/workflows/compilers.yml#L213
 image: ghcr.io/ruby/ruby-ci-image:${{ matrix.entry.container || 'clang-14' }}
 options: --user root
 if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+ env: ${{ matrix.entry.env || matrix.env }}
 steps:
 - run: id
 working-directory:
@@ -233,10 +248,19 @@ jobs: https://github.com/ruby/ruby/blob/trunk/.github/workflows/compilers.yml#L248
 if: ${{ matrix.entry.check }}
 - run: make test-tool
 if: ${{ matrix.entry.check }}
+ # FIXME: Skip MJIT tests failing in the annocheck case.
+ # https://bugs.ruby-lang.org/issues/18781
+ - run: |
+ rm test/ruby/test_jit.rb
+ rm test/ruby/test_rubyvm_jit.rb
+ if: ${{ endsWith(matrix.entry.name, 'annocheck') }}
+ working-directory: src
 - run: make test-all TESTS='-- ruby -ext-'
 if: ${{ matrix.entry.check }}
 - run: make test-spec
 if: ${{ matrix.entry.check }}
+ - run: make test-annocheck
+ if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
 - uses: k0kubun/action-slack@v...
 with:
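Review bot: `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` means this job never exercises annocheck's PIE and annobin-notes tests, so a green run leaves those two hardening properties unverified; the FIXME records the intent to remove the skips, but it should say what is being lost rather than only linking the pages, e.g. `# FIXME: --skip-pie/--skip-notes disable the PIE and annobin-notes checks; drop them once #18061 is resolved` (this also fixes the typo "skiping"). Since the `check: true` entries in this matrix are otherwise uniform, a reader scanning for which hardening checks CI actually enforces will otherwise miss the reduction. The matrix `entry:` list continues outside the hunk.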
diff --git a/common.mk b/common.mk
index 905bb929c9..dffceef2b8 100644
--- a/common.mk
+++ b/common.mk
@@ -1447,6 +1447,11 @@ yes-test-bundler-parallel: yes-test-bundler-prepare https://github.com/ruby/ruby/blob/trunk/common.mk#L1447
 $(PARALLELRSPECOPTS) $(srcdir)/spec/bundler/$(BUNDLER_SPECS)
 no-test-bundler-parallel:
 
+test-annocheck: $(TEST_RUNNABLE)-test-annocheck
+yes-test-annocheck: $(PROGRAM)
+ $(tooldir)/test-annocheck.sh $(PROGRAM)
+no-test-annocheck: PHONY
+
 GEM = up
 sync-default-gems:
 $(Q) $(XRUBY) -C "$(srcdir)" tool/sync_default_gems.rb $(GEM)
diff --git a/tool/annocheck/Dockerfile b/tool/annocheck/Dockerfile
new file mode 100644
index 0000000000..138adc48de
--- /dev/null
+++ b/tool/annocheck/Dockerfile
@@ -0,0 +1,4 @@ https://github.com/ruby/ruby/blob/trunk/tool/annocheck/Dockerfile#L1
+FROM docker.io/fedora:latest
+
+RUN dnf -y install annobin-annocheck
+WORKDIR /work
diff --git a/tool/annocheck/Dockerfile-copy b/tool/annocheck/Dockerfile-copy
new file mode 100644
index 0000000000..e658d12ddc
--- /dev/null
+++ b/tool/annocheck/Dockerfile-copy
@@ -0,0 +1,7 @@ https://github.com/ruby/ruby/blob/trunk/tool/annocheck/Dockerfile-copy#L1
+FROM docker.io/fedora:latest
+ARG FILES
+
+RUN dnf -y install annobin-annocheck
+RUN mkdir /work
+COPY ${FILES} /work
+WORKDIR /work
diff --git a/tool/test-annocheck.sh b/tool/test-annocheck.sh
new file mode 100755
index 0000000000..0224152d00
--- /dev/null
+++ b/tool/test-annocheck.sh
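Review bot: `yes-test-annocheck: $(PROGRAM)` hands only the `ruby` executable to `test-annocheck.sh`, although the script's own header documents checking `libruby.so` alongside it; in a shared-library build most of the interpreter lives in that library, so `make test-annocheck` would report the binary hardened while the library goes unchecked. Consider passing the shared library as well when one is built (ruby's makefiles name it through a variable along the lines of `$(LIBRUBY_SO)` — verify the exact name in this tree), e.g. `yes-test-annocheck: $(PROGRAM) $(LIBRUBY_SO)` with the recipe `$(tooldir)/test-annocheck.sh $^`. The recipe also omits the `$(Q)` prefix that the neighbouring `sync-default-gems` recipe uses, and whether `test-annocheck` is declared phony alongside the other `test-*` entry points cannot be seen from this hunk.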
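Review bot: `FROM docker.io/fedora:latest` combined with an unpinned `dnf -y install annobin-annocheck` makes the outcome of the check depend on whatever Fedora release and annocheck version are current on the day the image is built, so a CI failure or pass cannot be reproduced later and an annocheck behaviour change will look like a Ruby regression. Pin the base image to a release tag, ideally with a digest, using placeholders filled from the registry such as `FROM docker.io/fedora:<release>@sha256:<digest>`, and record the intended annocheck version in a comment so bumps are deliberate. The same applies to the `FROM` line in `Dockerfile-copy`.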
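Review bot: `COPY ${FILES} /work` fails as soon as `FILES` holds more than one path, because Docker requires the destination of a multi-source COPY to end with a `/`; the script passes all of its arguments (`"${*}"`) through this build-arg, so the documented multi-file usage breaks in the CI path while the single-file `make test-annocheck` call happens to work. Use `COPY ${FILES} /work/` — with the trailing slash the builder creates the directory itself, so `RUN mkdir /work` becomes unnecessary. Because the builder splits `FILES` on whitespace, paths containing spaces cannot be passed this way at all; a comment above `ARG FILES` stating that limitation would spare the next person a confusing build error.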
@@ -0,0 +1,33 @@ https://github.com/ruby/ruby/blob/trunk/tool/test-annocheck.sh#L1
+#!/bin/sh -eu
+# Run the `tool/test-annocheck.sh [binary files]` to check security issues
+# by annocheck <https://sourceware.org/annobin/>.
+#
+# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
+#
+# Note that as the annocheck binary package is not available on Ubuntu, and it
+# is working in progress in Debian, this script uses Fedora container for now.
+# It requires docker or podman.
+# https://www.debian.org/devel/wnpp/itp.en.html
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
+
+set -x
+
+DOCKER="$(command -v docker || command -v podman)"
+TAG=ruby-fedora-annocheck
+TOOL_DIR=$(dirname "${0}")
+DOCKER_RUN_VOLUME_OPTS=
+
+if [ -z "${CI-}" ]; then
+ # Use a volume option on local (non-CI).
+ DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
+ "${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
+else
+ # TODO: A temporary workaround on CI to build by copying binary files from
+ # host to container without volume option, as I couldn't find a way to use
+ # volume in container in container on GitHub Actions
+ # <.github/workflows/compilers.yml>.
+ TAG="${TAG}-copy"
+ "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
+fi
+
+"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"
-- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
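Review bot: The script accepts being run with no arguments: `"${@}"` on the last line then expands to nothing and annocheck is started without any file, so a caller that mis-passes the target gets an annocheck usage error (or, in the CI branch, an empty `FILES` build-arg) instead of a clear message. Add a guard right after the variable setup, `[ "$#" -gt 0 ] || { echo "usage: $0 binary..." >&2; exit 2; }`. Separately, `TOOL_DIR` is used unquoted in `${TOOL_DIR}/annocheck/` and `-f ${TOOL_DIR}/annocheck/Dockerfile-copy` while every other expansion is quoted; quoting both keeps the script working when the checkout path contains spaces. The CI branch also sends the whole current directory as build context (the trailing `.` on the `build` line), which for a full Ruby build tree is slow, so a `.dockerignore` or a narrower context is worth considering.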