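--- a/firefox-68.0/config/makefiles/rust.mk
+++ b/firefox-68.0/config/makefiles/rust.mk
@@ -127,7 +127,7 @@ export RUST_BACKTRACE=full
 export MOZ_TOPOBJDIR=$(topobjdir)
 
 target_rust_ltoable := force-cargo-library-build
-target_rust_nonltoable := force-cargo-test-run force-cargo-library-check $(foreach b,build check,force-cargo-program-$(b))
+target_rust_nonltoable := force-cargo-test-run $(foreach b,build check,force-cargo-program-$(b))
 
 $(target_rust_ltoable): RUSTFLAGS:=$(rustflags_override) $(RUSTFLAGS) $(if $(MOZ_LTO_RUST),-Clinker-plugin-lto)
 $(target_rust_nonltoable): RUSTFLAGS:=$(rustflags_override) $(RUSTFLAGS)
@@ -238,19 +238,9 @@ force-cargo-library-build:
 $(call CARGO_BUILD) --lib $(cargo_target_flag) $(rust_features_flag) -- $(cargo_rustc_flags)
 
 $(RUST_LIBRARY_FILE): force-cargo-library-build
-# When we are building in --enable-release mode; we add an additional check to confirm
-# that we are not importing any networking-related functions in rust code. This reduces
-# the chance of proxy bypasses originating from rust code.
-ifndef DEVELOPER_OPTIONS
-ifndef MOZ_DEBUG_RUST
-ifeq ($(OS_ARCH), Linux)
- $(call py_action,check_binary,--target --networking $@)
-endif
-endif
-endif
 
 force-cargo-library-check:
- $(call CARGO_CHECK) --lib $(cargo_target_flag) $(rust_features_flag)
+ @true
 else
 force-cargo-library-check:
 @true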
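Review bot: Nothing on the new side records why the release-build networking check after `$(RUST_LIBRARY_FILE): force-cargo-library-build` is gone; the deleted comment says it existed to reduce the chance of proxy bypasses originating from Rust code, so its absence matters to anyone relying on proxy enforcement in this build. I would leave a comment at that rule such as `# Downstream: check_binary --networking on the Rust library is intentionally disabled (reason/tracker: <placeholder>)`. The same change also turns `force-cargo-library-check` into `@true` in the branch that previously ran `$(call CARGO_CHECK) --lib`, so both branches of the enclosing conditional are now identical no-ops and a check goal reports success without checking the library; that deserves a comment as well. The conditional opens outside this hunk, so whether it can be collapsed into a single rule is not visible here.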
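--- a/firefox-68.0/python/mozbuild/mozbuild/action/check_binary.py
+++ b/firefox-68.0/python/mozbuild/mozbuild/action/check_binary.py
@@ -250,43 +250,6 @@ def check_mozglue_order(target, binary):
 raise RuntimeError('Could not parse readelf output?')
 
 
-def check_networking(binary):
- retcode = 0
- networking_functions = set([
- # socketpair is not concerning; it is restricted to AF_UNIX
- "socket", "connect", "accept", "bind", "listen",
- "getsockname", "getsockopt", "setsockopt",
- "recv", "recvfrom",
- "send", "sendto",
- # We would be concerned by recvmsg and sendmsg; but we believe
- # they are okay as documented in 1376621#c23
- "gethostbyname", "gethostbyaddr", "gethostent", "sethostent", "endhostent",
- "gethostent_r", "gethostbyname2", "gethostbyaddr_r", "gethostbyname_r",
- "gethostbyname2_r",
- "getaddrinfo", "getservent", "getservbyname", "getservbyport", "setservent",
- "getprotoent", "getprotobyname", "getprotobynumber", "setprotoent",
- "endprotoent"])
- bad_occurences_names = set()
-
- try:
- for sym in at_least_one(iter_symbols(binary)):
- if sym['addr'] == 0 and sym['name'] in networking_functions:
- bad_occurences_names.add(sym['name'])
- except Empty:
- raise RuntimeError('Could not parse llvm-objdump output?')
-
- basename = os.path.basename(binary)
- if bad_occurences_names:
- s = 'TEST-UNEXPECTED-FAIL | check_networking | {} | Identified {} ' + \
- 'networking function(s) being imported in the rust static library ({})'
- print(s.format(basename, len(bad_occurences_names),
- ",".join(sorted(bad_occurences_names))),
- file=sys.stderr)
- retcode = 1
- elif buildconfig.substs.get('MOZ_AUTOMATION'):
- print('TEST-PASS | check_networking | {}'.format(basename))
- return retcode
-
 def checks(target, binary):
 # The clang-plugin is built as target but is really a host binary.
 # Cheat and pretend we were passed the right argument.
@@ -330,8 +293,6 @@ def main(args):
 help='Perform checks for a host binary')
 parser.add_argument('--target', action='store_true',
 help='Perform checks for a target binary')
- parser.add_argument('--networking', action='store_true',
- help='Perform checks for networking functions')
 
 parser.add_argument('binary', metavar='PATH',
 help='Location of the binary to check')
@@ -343,14 +304,7 @@ def main(args):
 file=sys.stderr)
 return 1
 
- if options.networking and options.host:
- print('--networking is only valid with --target',
- file=sys.stderr)
- return 1
-
- if options.networking:
- return check_networking(options.binary)
- elif options.host:
+ if options.host:
 return checks(HOST, options.binary)
 elif options.target:
 return checks(TARGET, options.binary)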
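Review bot: Deleting `check_networking` and the `--networking` option removes the only visible signal that the Rust static library imports socket or resolver functions, rather than just stopping that signal from failing the build. If the build failure is the real problem, a report-only variant would keep the audit trail: keep the function and the flag, and in the branch that prints `TEST-UNEXPECTED-FAIL` emit a warning line instead and leave `retcode = 0`. If full removal is intended, a stale caller that still passes `--networking` will presumably now be rejected by the argument parser, so it is worth confirming that the rust.mk call site removed in this patch was the only one. `main` starts and ends outside these hunks.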