apple/foundationdb
1
0
Fork 0
mirror of https://github.com/apple/foundationdb.git synced 2025-06-02 11:15:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6120 from sfc-gh-anoyes/anoyes/noexecstack

Browse Source 
Link libfdb_c with `-z noexecstack`
This commit is contained in:
Andrew Noyes 2021-12-14 09:53:02 -08:00 committed by GitHub
commit 1452680d54
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bindings/c/CMakeLists.txt
View File

@ -63,7 +63,7 @@ if(APPLE)
target_link_options(fdb_c PRIVATE "LINKER:-no_weak_exports,-exported_symbols_list,${symbols}") target_link_options(fdb_c PRIVATE "LINKER:-no_weak_exports,-exported_symbols_list,${symbols}")
elseif(WIN32) elseif(WIN32)
else() else()
target_link_options(fdb_c PRIVATE "LINKER:--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fdb_c.map,-z,nodelete") target_link_options(fdb_c PRIVATE "LINKER:--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fdb_c.map,-z,nodelete,-z,noexecstack")
endif() endif()
target_include_directories(fdb_c PUBLIC target_include_directories(fdb_c PUBLIC
$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}> $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>

28
contrib/pkg_tester/__snapshots__/test_fdb_pkgs.ambr
View File

@ -46,6 +46,34 @@
' '
--- ---
# name: test_execstack_permissions_libfdb_c[centos-versioned]
'
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x0
'
---
# name: test_execstack_permissions_libfdb_c[centos]
'
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x0
'
---
# name: test_execstack_permissions_libfdb_c[ubuntu-versioned]
'
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x0
'
---
# name: test_execstack_permissions_libfdb_c[ubuntu]
'
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x0
'
---
# name: test_fdbcli_help_text[centos-versioned] # name: test_fdbcli_help_text[centos-versioned]
' '
FoundationDB CLI 7.1 (v7.1.0) FoundationDB CLI 7.1 (v7.1.0)

19
contrib/pkg_tester/test_fdb_pkgs.py
View File

@ -54,7 +54,9 @@ class Container:
# https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#the_quest # https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#the_quest
extra_initd_args = [] extra_initd_args = []
if initd: if initd:
extra_initd_args = "--tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro".split() extra_initd_args = (
"--tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro".split()
)
self.uid = str(uuid.uuid4()) self.uid = str(uuid.uuid4())
@ -103,6 +105,8 @@ def ubuntu_image_with_fdb_helper(versioned: bool) -> Iterator[Optional[Image]]:
container = Container("ubuntu") container = Container("ubuntu")
for deb in debs: for deb in debs:
container.copy_to(deb, "/opt") container.copy_to(deb, "/opt")
container.run(["bash", "-c", "apt-get update"])
container.run(["bash", "-c", "apt-get install --yes binutils"]) # this is for testing libfdb_c execstack permissions
container.run(["bash", "-c", "dpkg -i /opt/*.deb"]) container.run(["bash", "-c", "dpkg -i /opt/*.deb"])
container.run(["bash", "-c", "rm /opt/*.deb"]) container.run(["bash", "-c", "rm /opt/*.deb"])
image = container.commit() image = container.commit()
@ -146,6 +150,8 @@ def centos_image_with_fdb_helper(versioned: bool) -> Iterator[Optional[Image]]:
container = Container("centos", initd=True) container = Container("centos", initd=True)
for rpm in rpms: for rpm in rpms:
container.copy_to(rpm, "/opt") container.copy_to(rpm, "/opt")
container.run(["bash", "-c", "yum update -y"])
container.run(["bash", "-c", "yum install -y binutils"]) # this is for testing libfdb_c execstack permissions
container.run(["bash", "-c", "yum install -y /opt/*.rpm"]) container.run(["bash", "-c", "yum install -y /opt/*.rpm"])
container.run(["bash", "-c", "rm /opt/*.rpm"]) container.run(["bash", "-c", "rm /opt/*.rpm"])
image = container.commit() image = container.commit()
@ -235,6 +241,17 @@ def test_fdbcli_help_text(linux_container: Container, snapshot):
assert snapshot == linux_container.run(["fdbcli", "--help"]) assert snapshot == linux_container.run(["fdbcli", "--help"])
def test_execstack_permissions_libfdb_c(linux_container: Container, snapshot):
linux_container.run(["ldconfig"])
assert snapshot == linux_container.run(
[
"bash",
"-c",
"readelf -l $(ldconfig -p | grep libfdb_c | awk '{print $(NF)}') | grep -A1 GNU_STACK",
]
)
def test_backup_restore(linux_container: Container, snapshot, tmp_path: pathlib.Path): def test_backup_restore(linux_container: Container, snapshot, tmp_path: pathlib.Path):
linux_container.run(["fdbcli", "--exec", "writemode on; set x y"]) linux_container.run(["fdbcli", "--exec", "writemode on; set x y"])
assert snapshot == linux_container.run( assert snapshot == linux_container.run(