
cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases, add tests for stackclashprotection #253186

Merged
emilazy merged 3 commits into NixOS:master from risicle:ris-hardening-tests-fixups
Jul 28, 2024

risicle (Contributor) commented Sep 3, 2023

Description of changes

A few fixups for the recently merged #217390, straightening out the expected behaviour of one test to match current reality and changing a few tests to use a _FORTIFY_SOURCE=1-protectable example program so that it can be more useful for testing clang's behaviour too.

Note there are two tests here that will (still) be failing on tests.hardeningFlags-clang until I can get the fix for that merged (#253194, but is headed for staging): fortify3EnabledEnvEnablesFortify1 and fortify3EnabledEnvEnablesFortify1ExecTest.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

risicle added the 6.topic: stdenv, 6.topic: testing and 8.has: tests labels Sep 3, 2023
github-actions bot removed the 6.topic: stdenv label Sep 3, 2023
ofborg bot added the 8.has: clean-up, 8.has: package (new), 10.rebuild-darwin: 0 and 10.rebuild-linux: 11-100 labels Sep 3, 2023
nixos-discourse commented

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/2705

wegank added the 2.status: stale label Mar 19, 2024
also use fortify1-based tests in some places that it may allow us
to better test the behaviour of toolchains that only support that
risicle force-pushed the ris-hardening-tests-fixups branch from 2423b61 to ec8d29a July 12, 2024 21:39
stale bot removed the 2.status: stale label Jul 12, 2024
github-actions bot removed the 6.topic: testing label Jul 12, 2024
risicle requested a review from a team July 12, 2024 21:45
risicle changed the title from "cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases" to "cc-wrapper hardeningFlags tests: fix expected behaviour in corner cases, add tests for stackclashprotection" Jul 15, 2024
risicle (Contributor, Author) commented Jul 15, 2024

Have pushed some further fixes and added some tests for the recently added stackclashprotection flag.

Would love to get this merged and have a little more green around https://hydra.nixos.org/eval/1807613?filter=hardeningflags&compare=1807605&full=

risicle added 2 commits July 15, 2024 19:28
these were not updated to understand
hardeningUnsupportedFlagsByTargetPlatform when it was added
causing more tests to fail for clang than otherwise would
risicle force-pushed the ris-hardening-tests-fixups branch from 70ba12b to 2e0d7e2 July 15, 2024 18:28
ofborg bot added the 10.rebuild-linux: 101-500 label and removed the 10.rebuild-linux: 11-100 label Jul 15, 2024
emilazy (Member) commented Jul 28, 2024

@ofborg build tests.hardeningFlags-gcc tests.hardeningFlags-clang

emilazy (Member) commented Jul 28, 2024

I successfully ran nom build --impure --expr 'let pkgs = (builtins.getFlake "github:NixOS/nixpkgs/pull/253186/merge").legacyPackages.${builtins.currentSystem}; in pkgs.lib.filterAttrs (k: v: (builtins.tryEval v).success && v ? drvPath && (builtins.tryEval v.drvPath).success) pkgs.tests.hardeningFlags-gcc' on x86_64-linux. -clang yields the following error:

test-pieExplicitDisabled> /nix/store/cjahfl54j3931zm56rvpcim3d4hyxpg9-test-bin/bin/test-bin:
test-pieExplicitDisabled>  Position Independent Executable: yes
test-pieExplicitDisabled>  Stack protected: yes
test-pieExplicitDisabled>  Fortify Source functions: yes
test-pieExplicitDisabled>  Read-only relocations: yes
test-pieExplicitDisabled>  Immediate binding: yes
test-pieExplicitDisabled>  Stack clash protection: unknown, no -fstack-clash-protection instructions found
test-pieExplicitDisabled>  Control flow integrity: no, not found! (ignored)
test-pieExplicitDisabled> ERROR: Expected hardening-check to fail, but it passed!

I just wanted to check if this is expected or not, as it’s not in your list of known failing tests.

risicle (Contributor, Author) commented Jul 28, 2024

I assume this is pkgs.tests.hardeningFlags-clang.pieExplicitDisabled failing, which fails for me too. I just haven't marked it as broken because ... I'm not really happy with it being broken ;)

Is it that it's not possible to disable pie on clang/linux? Are we just not supplying the right flags at the right point? Don't know - it's something we need to investigate at some point.

emilazy (Member) left a comment

I’m pretty sure you can turn off PIE with Clang? But yeah, I have no idea.

tests.hardeningFlags-clang builds on x86_64-darwin, tests.hardeningFlags-gcc doesn’t but that’s probably unrelated. Looks good to me!

emilazy merged commit 4c89bb9 into NixOS:master Jul 28, 2024