[CI] Enable RWX verification for all binaries

Signed-off-by: Mariusz Zaborski <oshogbo@invisiblethingslab.com>
gramineproject · Jan 4, 2024 · 1f72aaf · 1f72aaf
1 parent 5d38bb1
commit 1f72aaf
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 6 deletions.
diff --git a/.ci/check-rwx.py b/.ci/check-rwx.py
@@ -13,5 +13,5 @@
 elf = ELFFile(args.infile)
 for i, segment in enumerate(elf.iter_segments()):
     if segment.header.p_flags & P_FLAGS.PF_X and segment.header.p_flags & P_FLAGS.PF_W:
-        print(f"error: segment {i} is both writable and executable")
+        print(f"error in {args.infile.name}: segment {i} is both writable and executable")
         sys.exit(1)
diff --git a/.ci/lib/stage-build-nosgx.jenkinsfile b/.ci/lib/stage-build-nosgx.jenkinsfile
@@ -47,6 +47,7 @@ stage('build') {
         | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
     ''').trim()
 
+    env.GRAMINE_LIBDIR = libdir
     env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 
     // In CI we install to non-standard --prefix (see above). This makes sure the libraries are

diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile
@@ -85,6 +85,7 @@ stage('build') {
         | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
     ''').trim()
 
+    env.GRAMINE_LIBDIR = libdir
     env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 
     // In CI we install to non-standard --prefix (see above). This makes sure the libraries are

diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile
@@ -68,6 +68,7 @@ stage('build') {
         | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
     ''').trim()
 
+    env.GRAMINE_LIBDIR = libdir
     env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
 
     // In CI we install to non-standard --prefix (see above). This makes sure the libraries are

diff --git a/.ci/lib/stage-test-direct.jenkinsfile b/.ci/lib/stage-test-direct.jenkinsfile
@@ -1,7 +1,9 @@
 stage('test-direct') {
     sh '''
-        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
-        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/direct/libpal.so
+        find ${GRAMINE_LIBDIR} -exec file {} \\; | \
+            grep ELF | \
+            cut -d':' -f1 | \
+            xargs -L1 .ci/check-rwx.py
     '''
 
     try {

diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile
@@ -1,8 +1,9 @@
 stage('test-sgx') {
     sh '''
-        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
-        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/loader
-        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/libpal.so
+        find ${GRAMINE_LIBDIR} -exec file {} \\; | \
+            grep ELF | \
+            cut -d':' -f1 | \
+            xargs -L1 .ci/check-rwx.py
         if test -f "$GRAMINE_PKGLIBDIR"/runtime/glibc/libc.so.6
         then
             .ci/check-no-syscall.sh "$GRAMINE_PKGLIBDIR"/runtime/glibc/libc.so.6