From 1f72aaf8148a7712c5c8bad1da9839e2bcc5c633 Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski
Date: Thu, 4 Jan 2024 12:53:24 +0100
Subject: [PATCH] [CI] Enable RWX verification for all binaries

Signed-off-by: Mariusz Zaborski
---
 .ci/check-rwx.py | 2 +-
 .ci/lib/stage-build-nosgx.jenkinsfile | 1 +
 .ci/lib/stage-build-sgx-vm.jenkinsfile | 1 +
 .ci/lib/stage-build-sgx.jenkinsfile | 1 +
 .ci/lib/stage-test-direct.jenkinsfile | 6 ++++--
 .ci/lib/stage-test-sgx.jenkinsfile | 7 ++++---
 6 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.ci/check-rwx.py b/.ci/check-rwx.py
index 7e71542164..f786e92b18 100755
--- a/.ci/check-rwx.py
+++ b/.ci/check-rwx.py
@@ -13,5 +13,5 @@ elf = ELFFile(args.infile)
 for i, segment in enumerate(elf.iter_segments()):
 if segment.header.p_flags & P_FLAGS.PF_X and segment.header.p_flags & P_FLAGS.PF_W:
- print(f"error: segment {i} is both writable and executable")
+ print(f"error in {args.infile.name}: segment {i} is both writable and executable")
 sys.exit(1)
diff --git a/.ci/lib/stage-build-nosgx.jenkinsfile b/.ci/lib/stage-build-nosgx.jenkinsfile
index 13a6129ba6..141efccef8 100644
--- a/.ci/lib/stage-build-nosgx.jenkinsfile
+++ b/.ci/lib/stage-build-nosgx.jenkinsfile
@@ -47,6 +47,7 @@ stage('build') {
 | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
 ''').trim()
+ env.GRAMINE_LIBDIR = libdir
 env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 // In CI we install to non-standard --prefix (see above). This makes sure the libraries are
diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile
index d48b6a950d..bed7701eac 100644
--- a/.ci/lib/stage-build-sgx-vm.jenkinsfile
+++ b/.ci/lib/stage-build-sgx-vm.jenkinsfile
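Review bot: The new message on the `+` line of the check-rwx.py hunk still goes to stdout, whereas a diagnostic that is meant to be read from a CI log belongs on stderr so it is not mixed with ordinary output when the script is driven one file at a time from a pipeline; `print(f"error in {args.infile.name}: segment {i} is both writable and executable", file=sys.stderr)` keeps the existing wording. Now that the callers select inputs with a `file | grep ELF` filter instead of a fixed list, any non-ELF or truncated file that slips through reaches `ELFFile(args.infile)` and ends in a pyelftools traceback rather than a one-line verdict; wrapping that constructor in `except ELFError as e` (from `elftools.common.exceptions`) and printing `args.infile.name` before `sys.exit(1)` would keep such failures readable and still fail the stage. The rest of the script (imports and argument parsing) lies outside the hunk.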
@@ -85,6 +85,7 @@ stage('build') {
 | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
 ''').trim()
+ env.GRAMINE_LIBDIR = libdir
 env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 // In CI we install to non-standard --prefix (see above). This makes sure the libraries are
diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile
index e8e402744d..f625e159ff 100644
--- a/.ci/lib/stage-build-sgx.jenkinsfile
+++ b/.ci/lib/stage-build-sgx.jenkinsfile
@@ -68,6 +68,7 @@ stage('build') {
 | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
 ''').trim()
+ env.GRAMINE_LIBDIR = libdir
 env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 // In CI we install to non-standard --prefix (see above). This makes sure the libraries are
diff --git a/.ci/lib/stage-test-direct.jenkinsfile b/.ci/lib/stage-test-direct.jenkinsfile
index 3b1fff4ef5..6f723f8c27 100644
--- a/.ci/lib/stage-test-direct.jenkinsfile
+++ b/.ci/lib/stage-test-direct.jenkinsfile
@@ -1,7 +1,9 @@
 stage('test-direct') {
 sh '''
- .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
- .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/direct/libpal.so
+ find ${GRAMINE_LIBDIR} -exec file {} \\; | \ grep ELF | \ cut -d':' -f1 | \ xargs -L1 .ci/check-rwx.py
 '''
 try {
diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile
index abe17e32d1..a9df2ade3b 100644
--- a/.ci/lib/stage-test-sgx.jenkinsfile
+++ b/.ci/lib/stage-test-sgx.jenkinsfile
@@ -1,8 +1,9 @@
 stage('test-sgx') {
 sh '''
- .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
- .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/loader
- .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/libpal.so
+ find ${GRAMINE_LIBDIR} -exec file {} \\; | \ grep ELF | \ cut -d':' -f1 | \ xargs -L1 .ci/check-rwx.py
 if test -f "$GRAMINE_PKGLIBDIR"/runtime/glibc/libc.so.6
 then
 .ci/check-no-syscall.sh "$GRAMINE_PKGLIBDIR"/runtime/glibc/libc.so.6
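Review bot: The new `find ${GRAMINE_LIBDIR} -exec file {} \\; | grep ELF | cut -d':' -f1 | xargs -L1 .ci/check-rwx.py` pipeline in stage-test-direct.jenkinsfile (and the identical one in the stage-test-sgx.jenkinsfile hunk) has no explicit guard for the empty case: if `GRAMINE_LIBDIR` is unset or points at the wrong tree, `find` only prints an error, nothing matches `ELF`, and GNU xargs still runs `.ci/check-rwx.py` once with no argument, so the stage fails on an argparse usage error instead of a message saying that no binaries were scanned; `xargs -r -L1` together with `set -o pipefail` (or a count of matched files that must be non-zero) would make that failure self-explanatory. `${GRAMINE_LIBDIR}` is also left unquoted while the neighbouring lines quote `"$GRAMINE_PKGLIBDIR"`, and `cut -d':' -f1` truncates any path that itself contains a colon, so `find "$GRAMINE_LIBDIR" -type f -exec file {} \\;` with `grep ': ELF'` would confine both the quoting and the match to the `file` description rather than the path. Note that `file` reports a symlink as a link rather than following it, so a linked binary is only checked when its target also lives under the scanned tree. The `stage` block closes outside the hunk.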