-rw-r--r--.github/workflows/compilers.yml24
-rw-r--r--common.mk5
-rw-r--r--tool/annocheck/Dockerfile4
-rw-r--r--tool/annocheck/Dockerfile-copy7
-rwxr-xr-xtool/test-annocheck.sh33
5 files changed, 73 insertions, 0 deletions
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index 9aa7d407f4..ddb53cadb8 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -60,6 +60,8 @@ jobs:
strategy:
fail-fast: false
matrix:
+ env:
+ - {}
entry:
- { key: default_cc, name: gcc-11, value: gcc-11, container: gcc-11 }
- { key: default_cc, name: gcc-10, value: gcc-10, container: gcc-10 }
@@ -75,6 +77,18 @@ jobs:
container: gcc-11
configure_append: '--disable-shared optflags=-O2'
# check: true
+ - key: default_cc
+ name: 'gcc-11 annocheck'
+ # Minimal flags to pass the check.
+ value: 'gcc-11 -O2 -fcf-protection -Wl,-z,now'
+ container: gcc-11
+ env:
+ # FIXME: Drop skiping options
+ # https://bugs.ruby-lang.org/issues/18061
+ # https://sourceware.org/annobin/annobin.html/Test-pie.html
+ # https://sourceware.org/annobin/annobin.html/Test-notes.html
+ TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"
+ check: true
- { key: default_cc, name: clang-15, value: clang-15, container: clang-15 }
- { key: default_cc, name: clang-14, value: clang-14, container: clang-14 }
- { key: default_cc, name: clang-13, value: clang-13, container: clang-13 }
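Review bot: The `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` line disables more than the FIXME suggests: besides the PIE test, annocheck's per-object hardening tests (stack protector, FORTIFY_SOURCE, stack-clash protection and similar) are, as far as I know, evaluated from annobin notes, so `--skip-notes` silences those as well and the job then verifies little beyond what the ELF headers themselves carry (bind-now, control-flow protection, executable stack/TEXTREL). Since `value:` only adds `-O2 -fcf-protection -Wl,-z,now`, the comment should say which properties this job actually enforces, e.g. `# NOTE: with --skip-notes only ELF-level tests remain; notes-based hardening tests are not enforced here.`, so that a green run is not read as a full annocheck pass. The comment also has a typo: `skiping` should be `skipping`.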
@@ -199,6 +213,7 @@ jobs:
image: ghcr.io/ruby/ruby-ci-image:${{ matrix.entry.container || 'clang-14' }}
options: --user root
if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+ env: ${{ matrix.entry.env || matrix.env }}
steps:
- run: id
working-directory:
@@ -233,10 +248,19 @@ jobs:
if: ${{ matrix.entry.check }}
- run: make test-tool
if: ${{ matrix.entry.check }}
+ # FIXME: Skip MJIT tests failing in the annocheck case.
+ # https://bugs.ruby-lang.org/issues/18781
+ - run: |
+ rm test/ruby/test_jit.rb
+ rm test/ruby/test_rubyvm_jit.rb
+ if: ${{ endsWith(matrix.entry.name, 'annocheck') }}
+ working-directory: src
- run: make test-all TESTS='-- ruby -ext-'
if: ${{ matrix.entry.check }}
- run: make test-spec
if: ${{ matrix.entry.check }}
+ - run: make test-annocheck
+ if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
- uses: k0kubun/action-slack@v2.0.0
with:
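Review bot: The `rm test/ruby/test_jit.rb` / `rm test/ruby/test_rubyvm_jit.rb` step deletes files from the checkout to skip them, which leaves the working tree dirty for any later step and, if the files are ever renamed, fails the job for an unrelated reason. If the test runner's exclude option is available here, passing the exclusion through `TESTS` keeps the tree intact, e.g. `TESTS='-- ruby -ext- -x test_jit -x test_rubyvm_jit'` — I have not verified the exact option spelling against the runner. The step is also not gated on `matrix.entry.check` like the surrounding ones; `if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}` would match the `make test-annocheck` step below it.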
diff --git a/common.mk b/common.mk
index 905bb929c9..dffceef2b8 100644
--- a/common.mk
+++ b/common.mk
@@ -1447,6 +1447,11 @@ yes-test-bundler-parallel: yes-test-bundler-prepare
$(PARALLELRSPECOPTS) $(srcdir)/spec/bundler/$(BUNDLER_SPECS)
no-test-bundler-parallel:
+test-annocheck: $(TEST_RUNNABLE)-test-annocheck
+yes-test-annocheck: $(PROGRAM)
+ $(tooldir)/test-annocheck.sh $(PROGRAM)
+no-test-annocheck: PHONY
+
GEM = up
sync-default-gems:
$(Q) $(XRUBY) -C "$(srcdir)" tool/sync_default_gems.rb $(GEM)
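Review bot: `yes-test-annocheck: $(PROGRAM)` submits only the `ruby` executable to annocheck, so for an `--enable-shared` build nearly all of the code under test lives in the shared library and is never checked; the script's own usage example (`ruby libruby.so.3.2.0`) shows it accepts several files. Passing the built library as well, e.g. `yes-test-annocheck: $(PROGRAM) $(LIBRUBY)` with `$(tooldir)/test-annocheck.sh $(PROGRAM) $(LIBRUBY)`, would close that gap — I could not confirm from this hunk which library variable is the right one here, nor whether annocheck accepts the static archive case. `test-annocheck` and `yes-test-annocheck` do not name files either, so unless they are already declared phony elsewhere in the file a stray file called `test-annocheck` would make the target look up to date.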
diff --git a/tool/annocheck/Dockerfile b/tool/annocheck/Dockerfile
new file mode 100644
index 0000000000..138adc48de
--- /dev/null
+++ b/tool/annocheck/Dockerfile
@@ -0,0 +1,4 @@
+FROM docker.io/fedora:latest
+
+RUN dnf -y install annobin-annocheck
+WORKDIR /work
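Review bot: `FROM docker.io/fedora:latest` together with an unversioned `dnf -y install annobin-annocheck` means the set of checks this CI job enforces is whatever annobin Fedora ships on the day the image is built, so the job can start failing — or quietly check less — without any change to this repository. Pinning the base image by digest (`FROM docker.io/fedora:<release>@sha256:...`) and logging the tool version in the build (`RUN rpm -q annobin-annocheck`) make a failure attributable to either a repository change or a tool change. I could not tell from this hunk whether the image is rebuilt on every run or cached, which affects how quickly such drift would show up.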
diff --git a/tool/annocheck/Dockerfile-copy b/tool/annocheck/Dockerfile-copy
new file mode 100644
index 0000000000..e658d12ddc
--- /dev/null
+++ b/tool/annocheck/Dockerfile-copy
@@ -0,0 +1,7 @@
+FROM docker.io/fedora:latest
+ARG FILES
+
+RUN dnf -y install annobin-annocheck
+RUN mkdir /work
+COPY ${FILES} /work
+WORKDIR /work
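Review bot: `COPY ${FILES} /work` is fed a space-separated list (`--build-arg=FILES="${*}"` in tool/test-annocheck.sh), and the Dockerfile reference requires the destination of a multi-source COPY to end with a slash; with the single `$(PROGRAM)` the CI passes it works, but the documented multi-file invocation may be rejected, so `COPY ${FILES} /work/` is the safer spelling — I have not verified how the builder splits an ARG into multiple sources. `ARG FILES` has no default, and an empty value turns the line into `COPY  /work`, which fails with an unhelpful message; a comment stating that FILES is required would help the next reader. The `RUN mkdir /work` line is redundant with `WORKDIR /work`, which creates the directory, once the trailing slash is used.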
diff --git a/tool/test-annocheck.sh b/tool/test-annocheck.sh
new file mode 100755
index 0000000000..0224152d00
--- /dev/null
+++ b/tool/test-annocheck.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -eu
+# Run the `tool/test-annocheck.sh [binary files]` to check security issues
+# by annocheck <https://sourceware.org/annobin/>.
+#
+# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
+#
+# Note that as the annocheck binary package is not available on Ubuntu, and it
+# is working in progress in Debian, this script uses Fedora container for now.
+# It requires docker or podman.
+# https://www.debian.org/devel/wnpp/itp.en.html
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
+
+set -x
+
+DOCKER="$(command -v docker || command -v podman)"
+TAG=ruby-fedora-annocheck
+TOOL_DIR=$(dirname "${0}")
+DOCKER_RUN_VOLUME_OPTS=
+
+if [ -z "${CI-}" ]; then
+ # Use a volume option on local (non-CI).
+ DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
+ "${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
+else
+ # TODO: A temporary workaround on CI to build by copying binary files from
+ # host to container without volume option, as I couldn't find a way to use
+ # volume in container in container on GitHub Actions
+ # <.github/workflows/compilers.yml>.
+ TAG="${TAG}-copy"
+ "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
+fi
+
+"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"
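Review bot: `DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"` mounts the whole working tree read-write into the container, while annocheck only reads the ELF files it is given; `DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work:ro"` is the least-privilege form and protects the build tree from anything the unpinned `fedora:latest` image does at run time. The CI branch sends the entire current directory as build context (`-f ${TOOL_DIR}/annocheck/Dockerfile-copy .`) in order to copy one or two files; a `.dockerignore` at the context root, or a context limited to the directory holding the binaries, would avoid shipping the whole build tree to the daemon. `${TOOL_DIR}` is also unquoted in both `build` calls and `$*` joins file names with a space, so paths containing spaces are not supported — worth one line in the header comment.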