appsec/waf: enable linux and darwin on arm64 targets (#1494)

DataDog · Oct 4, 2022 · c07d238 · c07d238
1 parent 77945bc
commit c07d238
Show file tree

Hide file tree

Showing 12 changed files with 103 additions and 28 deletions.
diff --git a/.github/workflows/appsec.yml b/.github/workflows/appsec.yml
@@ -98,3 +98,19 @@ jobs:
           dd-api-key: ${{ secrets.DD_CI_API_KEY }}
           files: ${{ env.JUNIT_REPORT }}
           tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }},distribution:${{ runner.distribution }}
+
+  linux-arm64:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Go modules cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: go-pkg-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: go-pkg-mod-
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: arm64
+      - run: docker run --platform=linux/arm64 -v $PWD:$PWD -w $PWD golang go test -v -tags appsec $TO_TEST
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,21 +1,22 @@
 # Note: Later matches take precedence
 
 # default owner
-*                         @DataDog/apm-go
+*                               @DataDog/apm-go
 
 # tracing
-/contrib                  @DataDog/tracing-go
-/ddtrace                  @DataDog/tracing-go
-/internal                 @DataDog/tracing-go
+/contrib                        @DataDog/tracing-go
+/ddtrace                        @DataDog/tracing-go
+/internal                       @DataDog/tracing-go
 
 # profiling
-/profiler                 @DataDog/profiling-go
-/internal/traceprof       @DataDog/profiling-go
+/profiler                       @DataDog/profiling-go
+/internal/traceprof             @DataDog/profiling-go
 
 # appsec
-/appsec                   @DataDog/appsec-go
-/internal/appsec          @DataDog/appsec-go
-/contrib/**/appsec.go     @DataDog/appsec-go
+/appsec                         @DataDog/appsec-go
+/internal/appsec                @DataDog/appsec-go
+/contrib/**/appsec.go           @DataDog/appsec-go
+/.github/workflows/appsec.yml   @DataDog/appsec-go
 
 # telemetry
-/internal/telemetry       @DataDog/apm-go
+/internal/telemetry             @DataDog/apm-go
diff --git a/internal/appsec/_tools/libddwaf-updater/update.sh b/internal/appsec/_tools/libddwaf-updater/update.sh
@@ -31,10 +31,32 @@ echo Updating to libddwaf v$version
 tmpdir=$(mktemp -d /tmp/libddwaf-XXXXXXXX)
 echo Using $tmpdir
 
+LD_REQUIRED_DEFINED="--require-defined=ddwaf_init \
+                    --require-defined=ddwaf_get_version \
+                    --require-defined=ddwaf_destroy \
+                    --require-defined=ddwaf_context_init \
+                    --require-defined=ddwaf_context_destroy \
+                    --require-defined=ddwaf_required_addresses \
+                    --require-defined=ddwaf_result_free \
+                    --require-defined=ddwaf_update_rule_data"
+
 run_binutils() {
-  docker run -it --rm -v $bindings_dir:$bindings_dir -v $tmpdir:$tmpdir -w $PWD ghcr.io/datadog/binutils-gdb:2.37 $@
+  docker run -it --rm -v $bindings_dir:$bindings_dir -v $tmpdir:$tmpdir -w $PWD ghcr.io/datadog/binutils-gdb:2.38 $@
+}
+
+run_strip() {
+  run_binutils $1-strip --strip-dwo --strip-unneeded --strip-debug $2
 }
 
+#
+# darwin/arm64
+#
+
+echo Updating libddwaf for darwin/arm64
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-darwin-arm64.tar.gz | tar -xz -C$tmpdir
+echo Copying the darwin/arm64 library
+cp -v $tmpdir/libddwaf-$version-darwin-arm64/lib/libddwaf.a $bindings_dir/lib/darwin-arm64
+
 #
 # darwin/amd64
 #
@@ -59,14 +81,30 @@ curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libc++-st
 #  object file by using ld -r
 run_binutils x86_64-linux-gnu-ld \
    -r -o $bindings_dir/lib/linux-amd64/libddwaf.a \
-   --require-defined=ddwaf_init \
-   --require-defined=ddwaf_get_version \
-   --require-defined=ddwaf_destroy \
-   --require-defined=ddwaf_context_init \
-   --require-defined=ddwaf_result_free \
-   --require-defined=ddwaf_context_destroy \
-   --require-defined=ddwaf_required_addresses \
+   $LD_REQUIRED_DEFINED \
    $tmpdir/libddwaf-$version-linux-x86_64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
+# 4. Strip
+run_strip x86_64-linux-gnu $bindings_dir/lib/linux-amd64/libddwaf.a
+
+#
+# linux/arm64
+#
+
+echo Updating libddwaf for linux/arm64
+# 1. Download the libddwaf build
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libddwaf-$version-linux-aarch64.tar.gz | tar -xz -C$tmpdir
+# 2. Download the libc++ build
+libcxx_dir=$tmpdir/libc++-aarch64-linux
+mkdir $libcxx_dir
+curl -L https://github.com/DataDog/libddwaf/releases/download/$version/libc++-static-aarch64-linux.tar.gz | tar -xz -C$libcxx_dir
+# 3. Combine libddwaf.a + libc++.a + libc++abi.a + libunwind.a in a single
+#  object file by using ld -r
+run_binutils aarch64-linux-gnu-ld \
+   -r -o $bindings_dir/lib/linux-arm64/libddwaf.a \
+   $LD_REQUIRED_DEFINED \
+   $tmpdir/libddwaf-$version-linux-aarch64/lib/libddwaf.a $libcxx_dir/libc++.a $libcxx_dir/libc++abi.a $libcxx_dir/libunwind.a
+# 4. Strip
+run_strip aarch64-linux-gnu $bindings_dir/lib/linux-arm64/libddwaf.a
 
 #
 # ddwaf.h

diff --git a/internal/appsec/waf/lib/darwin-arm64/libddwaf.a b/internal/appsec/waf/lib/darwin-arm64/libddwaf.a
diff --git a/internal/appsec/waf/lib/darwin-arm64/vendor.go b/internal/appsec/waf/lib/darwin-arm64/vendor.go
@@ -0,0 +1,8 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+// Package vendor is required to help go tools support vendoring.
+// DO NOT REMOVE
+package vendor
diff --git a/internal/appsec/waf/lib/linux-arm64/libddwaf.a b/internal/appsec/waf/lib/linux-arm64/libddwaf.a
diff --git a/internal/appsec/waf/lib/linux-arm64/vendor.go b/internal/appsec/waf/lib/linux-arm64/vendor.go
@@ -0,0 +1,8 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+// Package vendor is required to help go tools support vendoring.
+// DO NOT REMOVE
+package vendor
diff --git a/internal/appsec/waf/waf.go b/internal/appsec/waf/waf.go
@@ -3,11 +3,11 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016 Datadog, Inc.
 
-//go:build appsec && cgo && !windows && amd64 && (linux || darwin)
+//go:build appsec && cgo && !windows && (amd64 || arm64) && (linux || darwin)
 // +build appsec
 // +build cgo
 // +build !windows
-// +build amd64
+// +build amd64 arm64
 // +build linux darwin
 
 package waf
@@ -22,7 +22,9 @@ package waf
 // void go_ddwaf_object_free(ddwaf_object*);
 // #cgo CFLAGS: -I${SRCDIR}/include
 // #cgo linux,amd64 LDFLAGS: -L${SRCDIR}/lib/linux-amd64 -lddwaf -lm -ldl -Wl,-rpath=/lib64:/usr/lib64:/usr/local/lib64:/lib:/usr/lib:/usr/local/lib
+// #cgo linux,arm64 LDFLAGS: -L${SRCDIR}/lib/linux-arm64 -lddwaf -lm -ldl -Wl,-rpath=/lib64:/usr/lib64:/usr/local/lib64:/lib:/usr/lib:/usr/local/lib
 // #cgo darwin,amd64 LDFLAGS: -L${SRCDIR}/lib/darwin-amd64 -lddwaf -lstdc++
+// #cgo darwin,arm64 LDFLAGS: -L${SRCDIR}/lib/darwin-arm64 -lddwaf -lstdc++
 import "C"
 
 import (
@@ -43,7 +45,9 @@ import (
 	// header file and the static libraries.
 	_ "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/waf/include"
 	_ "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/waf/lib/darwin-amd64"
+	_ "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/waf/lib/darwin-arm64"
 	_ "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/waf/lib/linux-amd64"
+	_ "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/waf/lib/linux-arm64"
 )
 
 var wafVersion = getWAFVersion()

diff --git a/internal/appsec/waf/waf_disabled.go b/internal/appsec/waf/waf_disabled.go
@@ -4,8 +4,8 @@
 // Copyright 2016 Datadog, Inc.
 
 // Build when CGO is disabled or the target OS or Arch are not supported
-//go:build !appsec || !cgo || windows || !amd64
-// +build !appsec !cgo windows !amd64
+//go:build !appsec || !cgo || windows || !(amd64 || arm64)
+// +build !appsec !cgo windows !amd64,!arm64
 
 package waf
 

diff --git a/internal/appsec/waf/waf_disabled_target.go b/internal/appsec/waf/waf_disabled_target.go
@@ -4,10 +4,10 @@
 // Copyright 2016 Datadog, Inc.
 
 // Build when CGO is enabled but the target OS or architecture are not supported
-//go:build appsec && cgo && (windows || !amd64)
+//go:build appsec && cgo && (windows || !(amd64 || arm64))
 // +build appsec
 // +build cgo
-// +build windows !amd64
+// +build windows !amd64,!arm64
 
 package waf
 

diff --git a/internal/appsec/waf/waf_disabled_test.go b/internal/appsec/waf/waf_disabled_test.go
@@ -4,8 +4,8 @@
 // Copyright 2016 Datadog, Inc.
 
 // Build when CGO is disabled or the target OS or Arch are not supported
-//go:build !appsec || !cgo || windows || !amd64
-// +build !appsec !cgo windows !amd64
+//go:build !appsec || !cgo || windows || !(amd64 || arm64)
+// +build !appsec !cgo windows !amd64,!arm64
 
 package waf
 

diff --git a/internal/appsec/waf/waf_test.go b/internal/appsec/waf/waf_test.go
@@ -3,11 +3,11 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016 Datadog, Inc.
 
-//go:build appsec && cgo && !windows && amd64 && (linux || darwin)
+//go:build appsec && cgo && !windows && (amd64 || arm64) && (linux || darwin)
 // +build appsec
 // +build cgo
 // +build !windows
-// +build amd64
+// +build amd64 arm64
 // +build linux darwin
 
 package waf