
cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases, add tests for stackclashprotection #253186

Merged
merged 3 commits into from
Jul 28, 2024

Conversation

@risicle risicle commented Sep 3, 2023

Description of changes

A few fixups for the recently merged #217390, straightening out the expected behaviour of one test to match current reality and changing a few tests to use a _FORTIFY_SOURCE=1-protectable example program so that it can be more useful for testing clang's behaviour too.

Note there are two tests here that will (still) be failing on tests.hardeningFlags-clang until I can get the fix for that merged (#253194, but is headed for staging): fortify3EnabledEnvEnablesFortify1 and fortify3EnabledEnvEnablesFortify1ExecTest.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
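As an added illustration of what a "_FORTIFY_SOURCE=1-protectable" program means in the description above (a constructed example, not the PR's own test program): level 1 only needs the compiler to know the size of the whole destination object, which it does for a local fixed-size array, so the sprintf below becomes __sprintf_chk and hardening-check reports "Fortify Source functions: yes". The strcpy into the caller's pointer cannot be checked at any fortify level, which is why the explicit bounds checks are kept.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not the PR's test program). Built with
 * -O2 -D_FORTIFY_SOURCE=1 the sprintf into `greeting` is rewritten to
 * __sprintf_chk(greeting, ..., 64, "Hello, %s!", name) because the
 * destination is a local array of known size. The strcpy into `out`
 * stays plain at every fortify level: `out` is a pointer parameter,
 * so its object size is unknown here. */

#define GREETING_MAX 64

/* Writes "Hello, <name>!" to out (capacity outlen). Returns the greeting
 * length, or -1 if the name or the caller's buffer is too small. */
int format_greeting(const char *name, char *out, size_t outlen)
{
    char greeting[GREETING_MAX];            /* size known at compile time */

    /* "Hello, " + name + "!" + NUL must fit in greeting. */
    if (strlen(name) + sizeof "Hello, !" > sizeof greeting)
        return -1;

    /* Fortified at level 1: the compiler knows sizeof greeting == 64. */
    sprintf(greeting, "Hello, %s!", name);

    size_t len = strlen(greeting);
    if (len >= outlen)                      /* our own check: fortify cannot see outlen */
        return -1;

    strcpy(out, greeting);                  /* not fortifiable: size of *out unknown */
    return (int)len;
}

int main(void)
{
    char out[32];
    int len = format_greeting("world", out, sizeof out);
    printf("%d: %s\n", len, out);           /* 13: Hello, world! */
    return len < 0;
}
```

Compile it twice (with and without -D_FORTIFY_SOURCE=1 at -O2) and compare `nm` output or hardening-check results to see the __sprintf_chk reference appear only in the fortified build.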

@risicle risicle added 6.topic: stdenv Standard environment 6.topic: testing Tooling for automated testing of packages and modules 8.has: tests This PR has tests labels Sep 3, 2023
@github-actions github-actions bot removed the 6.topic: stdenv Standard environment label Sep 3, 2023
@ofborg ofborg bot added 8.has: clean-up 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 11-100 labels Sep 3, 2023
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/2705

@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 19, 2024
also use fortify1-based tests in some places that it may allow us
to better test the behaviour of toolchains that only support that
@risicle risicle force-pushed the ris-hardening-tests-fixups branch from 2423b61 to ec8d29a Compare July 12, 2024 21:39
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 12, 2024
@github-actions github-actions bot removed the 6.topic: testing Tooling for automated testing of packages and modules label Jul 12, 2024
@risicle risicle requested a review from a team July 12, 2024 21:45
@risicle risicle changed the title cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases, add tests for stackclashprotection Jul 15, 2024
risicle commented Jul 15, 2024

Have pushed some further fixes and added some tests for the recently added stackclashprotection flag.

Would love to get this merged and have a little more green around https://hydra.nixos.org/eval/1807613?filter=hardeningflags&compare=1807605&full=

risicle added 2 commits July 15, 2024 19:28
these were not updated to understand
hardeningUnsupportedFlagsByTargetPlatform when it was added
causing more tests to fail for clang than otherwise would
emilazy commented Jul 28, 2024

@ofborg build tests.hardeningFlags-gcc tests.hardeningFlags-clang

emilazy commented Jul 28, 2024

I successfully ran nom build --impure --expr 'let pkgs = (builtins.getFlake "github:NixOS/nixpkgs/pull/253186/merge").legacyPackages.${builtins.currentSystem}; in pkgs.lib.filterAttrs (k: v: (builtins.tryEval v).success && v ? drvPath && (builtins.tryEval v.drvPath).success) pkgs.tests.hardeningFlags-gcc' on x86_64-linux. -clang yields the following error:

test-pieExplicitDisabled> /nix/store/cjahfl54j3931zm56rvpcim3d4hyxpg9-test-bin/bin/test-bin:
test-pieExplicitDisabled>  Position Independent Executable: yes
test-pieExplicitDisabled>  Stack protected: yes
test-pieExplicitDisabled>  Fortify Source functions: yes
test-pieExplicitDisabled>  Read-only relocations: yes
test-pieExplicitDisabled>  Immediate binding: yes
test-pieExplicitDisabled>  Stack clash protection: unknown, no -fstack-clash-protection instructions found
test-pieExplicitDisabled>  Control flow integrity: no, not found! (ignored)
test-pieExplicitDisabled> ERROR: Expected hardening-check to fail, but it passed!

I just wanted to check if this is expected or not, as it’s not in your list of known failing tests.

risicle commented Jul 28, 2024

I assume this is pkgs.tests.hardeningFlags-clang.pieExplicitDisabled failing, which fails for me too. I just haven't marked it as broken because ... I'm not really happy with it being broken ;)

Is it that it's not possible to disable pie on clang/linux? Are we just not supplying the right flags at the right point? Don't know - it's something we need to investigate at some point.

@emilazy emilazy left a comment

I’m pretty sure you can turn off PIE with Clang? But yeah, I have no idea.

tests.hardeningFlags-clang builds on x86_64-darwin, tests.hardeningFlags-gcc doesn’t but that’s probably unrelated. Looks good to me!

@emilazy emilazy merged commit 4c89bb9 into NixOS:master Jul 28, 2024
25 of 27 checks passed