-rw-r--r-- | .github/workflows/compilers.yml | 24 | ||||
-rw-r--r-- | common.mk | 5 | ||||
-rw-r--r-- | tool/annocheck/Dockerfile | 4 | ||||
-rw-r--r-- | tool/annocheck/Dockerfile-copy | 7 | ||||
-rwxr-xr-x | tool/test-annocheck.sh | 33 |
5 files changed, 73 insertions, 0 deletions
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index 9aa7d407f4..ddb53cadb8 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -60,6 +60,8 @@ jobs:
strategy:
fail-fast: false
matrix:
+ env:
+ - {}
entry:
- { key: default_cc, name: gcc-11, value: gcc-11, container: gcc-11 }
- { key: default_cc, name: gcc-10, value: gcc-10, container: gcc-10 }
@@ -75,6 +77,18 @@ jobs:
container: gcc-11
configure_append: '--disable-shared optflags=-O2'
# check: true
+ - key: default_cc
+ name: 'gcc-11 annocheck'
+ # Minimal flags to pass the check.
+ value: 'gcc-11 -O2 -fcf-protection -Wl,-z,now'
+ container: gcc-11
+ env:
+ # FIXME: Drop skiping options
+ # https://bugs.ruby-lang.org/issues/18061
+ # https://sourceware.org/annobin/annobin.html/Test-pie.html
+ # https://sourceware.org/annobin/annobin.html/Test-notes.html
+ TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"
+ check: true
- { key: default_cc, name: clang-15, value: clang-15, container: clang-15 }
- { key: default_cc, name: clang-14, value: clang-14, container: clang-14 }
- { key: default_cc, name: clang-13, value: clang-13, container: clang-13 }
@@ -199,6 +213,7 @@ jobs:
image: ghcr.io/ruby/ruby-ci-image:${{ matrix.entry.container || 'clang-14' }}
options: --user root
if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+ env: ${{ matrix.entry.env || matrix.env }}
steps:
- run: id
working-directory: 
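Review bot: The new entry's `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` turns off annocheck's PIE and annobin-notes tests, so this job does not yet confirm that the `ruby` binary is position-independent, and the FIXME above it neither says so nor spells "skipping" correctly. I would write the comment as `# FIXME: Drop the skipping options once the PIE and notes tests pass; until then annocheck does not verify PIE here.` so a reader of the matrix knows what the green check does and does not cover. The `entry` list this hunk edits continues outside the hunk.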
@@ -233,10 +248,19 @@ jobs:
if: ${{ matrix.entry.check }}
- run: make test-tool
if: ${{ matrix.entry.check }}
+ # FIXME: Skip MJIT tests failing in the annocheck case.
+ # https://bugs.ruby-lang.org/issues/18781
+ - run: |
+ rm test/ruby/test_jit.rb
+ rm test/ruby/test_rubyvm_jit.rb
+ if: ${{ endsWith(matrix.entry.name, 'annocheck') }}
+ working-directory: src
- run: make test-all TESTS='-- ruby -ext-'
if: ${{ matrix.entry.check }}
- run: make test-spec
if: ${{ matrix.entry.check }}
+ - run: make test-annocheck
+ if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
- uses: k0kubun/action-slack@v2.0.0
with:
@@ -1447,6 +1447,11 @@ yes-test-bundler-parallel: yes-test-bundler-prepare
$(PARALLELRSPECOPTS) $(srcdir)/spec/bundler/$(BUNDLER_SPECS)
no-test-bundler-parallel:
+test-annocheck: $(TEST_RUNNABLE)-test-annocheck
+yes-test-annocheck: $(PROGRAM)
+ $(tooldir)/test-annocheck.sh $(PROGRAM)
+no-test-annocheck: PHONY
+
GEM = up
sync-default-gems:
$(Q) $(XRUBY) -C "$(srcdir)" tool/sync_default_gems.rb $(GEM)
diff --git a/tool/annocheck/Dockerfile b/tool/annocheck/Dockerfile
new file mode 100644
index 0000000000..138adc48de
--- /dev/null
+++ b/tool/annocheck/Dockerfile
@@ -0,0 +1,4 @@
+FROM docker.io/fedora:latest
+
+RUN dnf -y install annobin-annocheck
+WORKDIR /work
diff --git a/tool/annocheck/Dockerfile-copy b/tool/annocheck/Dockerfile-copy
new file mode 100644
index 0000000000..e658d12ddc
--- /dev/null
+++ b/tool/annocheck/Dockerfile-copy
@@ -0,0 +1,7 @@
+FROM docker.io/fedora:latest
+ARG FILES
+
+RUN dnf -y install annobin-annocheck
+RUN mkdir /work
+COPY ${FILES} /work
+WORKDIR /work
diff --git a/tool/test-annocheck.sh b/tool/test-annocheck.sh
new file mode 100755
index 0000000000..0224152d00
--- /dev/null
+++ b/tool/test-annocheck.sh 
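Review bot: Both new steps select the annocheck job with `endsWith(matrix.entry.name, 'annocheck')`, i.e. by the suffix of a human-readable display name, so renaming the entry silently switches off both the MJIT-test removal and the `make test-annocheck` step. A dedicated flag on the matrix entry (for example a new `annocheck: true` key) used as `if: ${{ matrix.entry.check && matrix.entry.annocheck }}` keeps the intent explicit and lets the two conditions match. The `rm` step also lacks the `matrix.entry.check` guard that every neighbouring step carries. The steps list continues outside the hunk.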
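Review bot: `yes-test-annocheck` passes only `$(PROGRAM)` to `tool/test-annocheck.sh`, while that script's own header gives `ruby libruby.so.3.2.0` as the intended usage; in a shared-library build most of the interpreter code lives in `libruby.so`, and it is not examined by this target. If the variable naming the built shared library is in scope here (it is not visible in the hunk; something like `$(LIBRUBY_SO)`), it should be appended to the recipe's arguments, with care for `--disable-shared` builds where no such file exists. The recipe also omits the `$(Q)` prefix that the neighbouring `sync-default-gems` recipe uses, which is a style inconsistency rather than a defect.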
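Review bot: `FROM docker.io/fedora:latest` (here and in `tool/annocheck/Dockerfile-copy`) pins neither a release nor a digest, so the annobin/annocheck version the CI check runs with changes whenever the tag moves, which makes a red build non-reproducible and hard to bisect. Pin the base image to a release tag and digest, e.g. `FROM docker.io/fedora:<RELEASE>@sha256:<DIGEST>` (placeholders), and bump it deliberately. `RUN dnf -y install annobin-annocheck && dnf clean all` would also keep the package cache out of the image layer.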
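Review bot: `COPY ${FILES} /work` receives a space-separated list from `--build-arg=FILES="${*}"`, and Docker's documentation requires the destination of a multi-source `COPY` to end with a slash; `COPY ${FILES} /work/` removes the dependence on `/work` already existing from the preceding `RUN mkdir`. The build is invoked with `.` as its context (see `tool/test-annocheck.sh`), which sends the whole build tree to the daemon on every run; a `.dockerignore` at the context root, or a context limited to the files named in `FILES`, would shrink that considerably.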
@@ -0,0 +1,33 @@
+#!/bin/sh -eu
+# Run the `tool/test-annocheck.sh [binary files]` to check security issues
+# by annocheck <https://sourceware.org/annobin/>.
+#
+# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
+#
+# Note that as the annocheck binary package is not available on Ubuntu, and it
+# is working in progress in Debian, this script uses Fedora container for now.
+# It requires docker or podman.
+# https://www.debian.org/devel/wnpp/itp.en.html
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
+
+set -x
+
+DOCKER="$(command -v docker || command -v podman)"
+TAG=ruby-fedora-annocheck
+TOOL_DIR=$(dirname "${0}")
+DOCKER_RUN_VOLUME_OPTS=
+
+if [ -z "${CI-}" ]; then
+ # Use a volume option on local (non-CI).
+ DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
+ "${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
+else
+ # TODO: A temporary workaround on CI to build by copying binary files from
+ # host to container without volume option, as I couldn't find a way to use
+ # volume in container in container on GitHub Actions
+ # <.github/workflows/compilers.yml>.
+ TAG="${TAG}-copy"
+ "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
+fi
+
+"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}" |
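Review bot: In the non-CI branch `DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"` mounts the whole working tree read-write into the container although annocheck only reads the binaries; `DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work:ro"` keeps an unpinned `fedora:latest` image from being able to modify the host checkout. `DOCKER="$(command -v docker || command -v podman)"` runs under `sh -eu`, so with neither tool installed the script appears to stop at that assignment with nothing but the `set -x` trace as explanation; an explicit `[ -n "${DOCKER}" ] || { echo "docker or podman is required" >&2; exit 1; }` after it gives a usable error. `${TOOL_DIR}` is expanded unquoted in both `build` lines, so a checkout path containing spaces breaks them; `"${TOOL_DIR}/annocheck/"` and `-f "${TOOL_DIR}/annocheck/Dockerfile-copy"` avoid that.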