diff --git a/.github/actions/package/Dockerfile b/.github/actions/package/Dockerfile new file mode 100644 index 000000000..5d64022f0 --- /dev/null +++ b/.github/actions/package/Dockerfile @@ -0,0 +1,10 @@ +ARG BASE_IMAGE=rust:1.41.0-buster +FROM $BASE_IMAGE +WORKDIR /linkerd +RUN apt-get update && \ + apt-get install -y jq && \ + apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/ +# v2.1.0 +ARG CHECKSEC_SHA=04582bad41589ad479ca8b1f0170ed317475b5a5 +RUN (cd /usr/local/bin && curl -vsLO "https://github.com/slimm609/checksec.sh/blob/$CHECKSEC_SHA/checksec") +COPY expected-checksec.json validate-checksec.sh /linkerd/ diff --git a/.github/actions/package/expected-checksec.json b/.github/actions/package/expected-checksec.json new file mode 100644 index 000000000..b1ae5eae2 --- /dev/null +++ b/.github/actions/package/expected-checksec.json @@ -0,0 +1,10 @@ +{ + "canary": "yes", + "fortify_source": "yes", + "nx": "yes", + "pie": "yes", + "relro": "full", + "rpath": "no", + "runpath": "no", + "symbols": "no" +} diff --git a/.github/actions/package/validate-checksec.sh b/.github/actions/package/validate-checksec.sh new file mode 100755 index 000000000..fce436999 --- /dev/null +++ b/.github/actions/package/validate-checksec.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -eu + +if [ $# -ne 2 ]; then + ( + echo "usage: $0 EXPECTED RECEIVED" + echo + echo "Found $# args" + ) >&2 + exit 64 +fi + +expected_file="$1" +received_file="$2" +if [ ! -f "$expected_file" ]; then + echo "JSON output not found: $expected_file" >&2 + exit 1 +fi +if [ ! -f "$received_file" ]; then + echo "JSON output not found: $received_file" >&2 + exit 1 +fi + +jq -S '.' "$received_file" | diff -u "$expected_file" - >&2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 765442738..15bc470f6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,31 +3,41 @@ name: release on: push: tags: - - 'release/*' + - "release/*" jobs: package: runs-on: ubuntu-latest - container: - image: docker://rust:1.41.0-buster steps: - - name: git co - uses: actions/checkout@v1 - - name: meta - id: release-tag-meta - uses: ./.github/actions/release-tag-meta - with: - git-ref: ${{ github.ref }} - #- run: echo "${{ toJSON(steps.release-tag-meta) }}" - - name: make package - env: - CARGO_RELEASE: "1" - PACKAGE_VERSION: ${{ steps.release-tag-meta.outputs.name }} - run: make package - - name: release - uses: softprops/action-gh-release@b21b43d - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - name: ${{ steps.release-tag-meta.outputs.name }} - files: target/release/package/* + - name: git co + uses: actions/checkout@v1 + + - name: meta + id: release-tag-meta + uses: ./.github/actions/release-tag-meta + with: + git-ref: ${{ github.ref }} + #- run: echo "${{ toJSON(steps.release-tag-meta) }}" + + - name: package + env: + CARGO_RELEASE: "1" + PACKAGE_VERSION: test-0.0.0 # ${{ steps.release-tag-meta.outputs.name }} + uses: ./.github/actions/package + with: + entrypoint: make + args: package + + - name: checksec + uses: ./.github/actions/package + with: + entrypoint: /linkerd/validate-checksec.sh + args: /linkerd/expected-checksec.json "target/release/package/linkerd2-proxy-${{ steps.release-tag-meta.outputs.name }}-checksec.json" + + - name: release + uses: softprops/action-gh-release@b21b43d + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + name: ${{ steps.release-tag-meta.outputs.name }} + files: target/release/package/* diff --git a/Makefile b/Makefile index af4085280..f85e39d12 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ TARGET_BIN = $(TARGET)/linkerd2-proxy PKG_ROOT = $(TARGET)/package PKG_NAME = linkerd2-proxy-$(PACKAGE_VERSION) PKG_BASE = $(PKG_ROOT)/$(PKG_NAME) +PKG_CHECKSEC = $(PKG_BASE)-checksec.json PKG = $(PKG_NAME).tar.gz SHASUM = shasum -a 256 @@ -40,7 +41,7 @@ endif $(TARGET_BIN): fetch $(CARGO_BUILD) -p linkerd2-proxy -$(PKG_ROOT)/$(PKG): $(TARGET_BIN) +$(PKG_ROOT)/$(PKG) $(PKG_CHECKSEC): $(TARGET_BIN) mkdir -p $(PKG_BASE)/bin cp LICENSE $(PKG_BASE) cp $(TARGET_BIN) $(PKG_BASE)/bin/linkerd2-proxy @@ -51,6 +52,7 @@ ifdef CARGO_DEBUG chmod 644 $(PKG_BASE)/linkerd2-proxy.obj ; \ fi endif + ./checksec.sh $(PKG_BASE)/bin/linkerd2-proxy >$(PKG_CHECKSEC) || true cd $(PKG_ROOT) && \ tar -czvf $(PKG) $(PKG_NAME) && \ ($(SHASUM) $(PKG) >$(PKG_NAME).txt) && \ diff --git a/checksec.sh b/checksec.sh new file mode 100755 index 000000000..d4dd1b161 --- /dev/null +++ b/checksec.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +set -eu + +require_from() { + if ! command -v "$1" >/dev/null 2>/dev/null ; then + echo "Please acquire $1 from $2" >&2 + exit 1 + fi +} + +require_from readelf binutils +require_from checksec https://github.com/slimm609/checksec.sh +require_from jq https://stedolan.github.io/jq/ + +if [ $# -ne 1 ]; then + echo "usage: $0 EXECUTABLE" >&2 + exit 64 +fi + +path="$1" +if [ ! -x "$path" ]; then + echo "Executable not found: $path" >&2 + exit 1 +fi + +out=$(checksec --output=json --file="$path") +echo "$out" | jq ".[\"$path\"] | del(.\"fortify-able\") | del(.fortified)" diff --git a/update-rust-version.sh b/update-rust-version.sh index 08013d6b6..91095f69d 100755 --- a/update-rust-version.sh +++ b/update-rust-version.sh @@ -16,5 +16,5 @@ fi echo "$VERSION" > rust-toolchain sed -i'' -Ee "s/rust:[0-9]+\.[0-9]+\.[0-9]+/rust:$VERSION/" Dockerfile -find .github -name \*.yml \ - -exec sed -i'' -Ee "s|docker://rust:[0-9]+\.[0-9]+\.[0-9]+|docker://rust:$VERSION|" '{}' \; +find .github -name \*.yml -or -name Dockerfile\* \ + -exec sed -i'' -Ee "s|rust:[0-9]+\.[0-9]+\.[0-9]+|rust:$VERSION|" '{}' \;