[tbb-commits] [tor-browser-bundle/master] Bug 20683: Integrate Selfrando into alpha Linux builds

gk at torproject.org gk at torproject.org
Fri Apr 7 16:51:50 UTC 2017


commit 0ea68f848f54aaeceeeed22dc1496d3723cbe128
Author: Georg Koppen <gk at torproject.org>
Date:   Fri Apr 7 16:50:29 2017 +0000

    Bug 20683: Integrate Selfrando into alpha Linux builds
    
    Selfrando is a new defense against code reuse attacks developed by the
    Redactor and Readactor++ people. We should give it a wider testing
    audience by including it in the alpha series.
    
    This is currently only available for 64bit Linux builds, though.
    Supporting other platforms and architectures is work in progress.
---
 RelativeLink/start-tor-browser              |   1 +
 gitian/descriptors/linux/gitian-firefox.yml |  17 +++++++++++++
 gitian/descriptors/linux/gitian-utils.yml   |  38 ++++++++++++++++++++++++++++
 gitian/fetch-inputs.sh                      |   4 ++-
 gitian/gpg/ELFUTILS.gpg                     | Bin 0 -> 10483 bytes
 gitian/mkbundle-linux.sh                    |  13 ++++++----
 gitian/verify-tags.sh                       |   3 ++-
 gitian/versions.alpha                       |   4 +++
 gitian/versions.nightly                     |   4 +++
 9 files changed, 77 insertions(+), 7 deletions(-)

diff --git a/RelativeLink/start-tor-browser b/RelativeLink/start-tor-browser
index a78b367..2dd40fc 100755
--- a/RelativeLink/start-tor-browser
+++ b/RelativeLink/start-tor-browser
@@ -270,6 +270,7 @@ fi
 
 LD_LIBRARY_PATH="${HOME}/TorBrowser/Tor/"
 export LD_LIBRARY_PATH
+export SELFRANDO_write_layout_file=
 
 function setControlPortPasswd() {
     local ctrlPasswd=$1
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index d607f6a..b20941a 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -27,6 +27,8 @@ reference_datetime: "2000-01-01 00:00:00"
 remotes:
 - "url": "https://git.torproject.org/tor-browser.git"
   "dir": "tor-browser"
+- "url": "https://github.com/immunant/selfrando.git"
+  "dir": "selfrando"
 files:
 - "binutils-linux32-utils.zip"
 - "binutils-linux64-utils.zip"
@@ -36,6 +38,8 @@ files:
 - "re-dzip.sh"
 - "dzip.sh"
 - "versions"
+# XXX: 64bits only for now :(, see #20683.
+- "selfrando-linux64-utils.zip"
 script: |
   source versions
   INSTDIR="$HOME/install"
@@ -53,6 +57,11 @@ script: |
   export DEB_BUILD_HARDENING_FORMAT=1
   export DEB_BUILD_HARDENING_PIE=1
   #
+  # XXX: 64bits only for now :(, see #20683.
+  if [ $GBUILD_BITS == "64" ];
+  then
+    unzip -d $INSTDIR selfrando-linux64-utils.zip
+  fi
   # Preparing Binutils and GCC for Tor Browser
   unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
   # Make sure gold is used with the hardening wrapper for full RELRO, see
@@ -94,6 +103,14 @@ script: |
   find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
   rm -f configure
   rm -f js/src/configure
+  # XXX: 64bits only for now :(, see #20683.
+  if [ $GBUILD_BITS == "64" ];
+  then
+    # Selfrando wrapper
+    export PATH="$HOME/build/selfrando/Tools/TorBrowser/tc-wrapper/:$PATH"
+    # We need to avoid the shuffling while building as this breaks compilation
+    export SELFRANDO_skip_shuffle=
+  fi
   make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --with-distribution-id=org.torproject --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts"
   find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
   make $MAKEOPTS -f client.mk build
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index d10422b..1cadb61 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -24,10 +24,14 @@ packages:
 - "libssl-dev"
 # Needed for binutils (64bit) as we are building with PIE enabled.
 - "libstdc++6-4.7-pic"
+# Needed for Selfrando
+- "scons"
 reference_datetime: "2000-01-01 00:00:00"
 remotes:
 - "url": "https://github.com/libevent/libevent.git"
   "dir": "libevent"
+- "url": "https://github.com/immunant/selfrando.git"
+  "dir": "selfrando"
 files:
 - "binutils.tar.bz2"
 - "gcc.tar.bz2"
@@ -37,6 +41,7 @@ files:
 - "go.tar.gz"
 - "versions"
 - "dzip.sh"
+- "elfutils.tar.bz2"
 script: |
   INSTDIR="$HOME/install"
   source versions
@@ -52,6 +57,12 @@ script: |
   export DEB_BUILD_HARDENING_FORMAT=1
   export DEB_BUILD_HARDENING_PIE=1
 
+  ARCH=""
+  if [ $GBUILD_BITS == "64" ];
+  then
+    ARCH="64"
+  fi
+
   # Building Binutils
   tar xjf binutils.tar.bz2
   # The libstdc++ shipped by default is non-PIC which breaks the binutils build
@@ -86,6 +97,28 @@ script: |
   cd ..
 
   export DEB_BUILD_HARDENING_FORMAT=1
+  export PATH="$INSTDIR/binutils/bin:$INSTDIR/gcc/bin:$PATH"
+  export LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"
+
+  # XXX: 64bits only for now :(, see #20683.
+  if [ $GBUILD_BITS == "64" ];
+  then
+    # Building Elfutils
+    tar xjf elfutils.tar.bz2
+    cd elfutils*/
+    ./configure --prefix=$INSTDIR/elfutils
+    make $MAKEOPTS
+    make install
+    cd ..
+
+    # Building Selfrando
+    cd selfrando
+    scons -Q arch=x86_64 LIBELF_PATH="$INSTDIR/elfutils" FORCE_INPLACE=1 DEBUG_LEVEL=env WRITE_LAYOUTS=env LOG=console
+    mkdir -p $INSTDIR/selfrando
+    cp out/x86_64/bin/* $INSTDIR/selfrando/
+    cd ..
+  fi
+
   # Building Libevent
   cd libevent
   ./autogen.sh
@@ -157,4 +190,9 @@ script: |
   ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
   ~/build/dzip.sh gmp-$GMP_VER-linux$GBUILD_BITS-utils.zip gmp
   ~/build/dzip.sh go-$GO_VER-linux$GBUILD_BITS-utils.zip go
+  # XXX: 64bits only for now :(, see #20683.
+  if [ $GBUILD_BITS == "64" ];
+  then
+    ~/build/dzip.sh selfrando-$SELFRANDO_TAG-linux$GBUILD_BITS-utils.zip selfrando
+  fi
   cp *utils.zip $OUTDIR/
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index b7fcf36..c110eb8 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -113,7 +113,7 @@ update_git() {
 
 ##############################################################################
 # Get+verify sigs that exist
-for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI
+for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI ELFUTILS
 do
   PACKAGE="${i}_PACKAGE"
   URL="${i}_URL"
@@ -252,6 +252,7 @@ ln -sf "$GO_PACKAGE" go.tar.gz
 ln -sf "$NSIS_PACKAGE" nsis.tar.bz2
 ln -sf "$NSIS_DEBIAN_PACKAGE" nsis-debian.tar.xz
 ln -sf "$YASM_PACKAGE" yasm.tar.gz
+ln -sf "$ELFUTILS_PACKAGE" elfutils.tar.bz2
 
 # Fetch latest gitian-builder itself
 # XXX - this is broken if a non-standard inputs dir is selected using the command line flag.
@@ -303,6 +304,7 @@ depot_tools           https://chromium.googlesource.com/chromium/tools/depot_too
 go-webrtc             https://github.com/keroserene/go-webrtc $GO_WEBRTC_TAG
 snowflake             https://git.torproject.org/pluggable-transports/snowflake.git $SNOWFLAKE_TAG
 uniuri                https://github.com/dchest/uniuri $UNIURI_TAG
+selfrando             https://github.com/immunant/selfrando.git $SELFRANDO_TAG
 EOF
 
 # HTTPS-Everywhere is special, too. We need to initialize the git submodules and
diff --git a/gitian/gpg/ELFUTILS.gpg b/gitian/gpg/ELFUTILS.gpg
new file mode 100644
index 0000000..f1cd4b3
Binary files /dev/null and b/gitian/gpg/ELFUTILS.gpg differ
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 6dbbe51..0a1613f 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -35,7 +35,7 @@ fi
 
 if [ -z "$VM_MEMORY" ];
 then
-  export VM_MEMORY=4000
+  export VM_MEMORY=6000
 fi
 
 ./make-vms.sh
@@ -99,7 +99,7 @@ then
 fi
 
 cd $GITIAN_DIR
-
+# XXX: 64bits selfrando only for now :(, see #20683.
 if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
      ! -f inputs/binutils-$BINUTILS_VER-linux64-utils.zip -o \
      ! -f inputs/gcc-$GCC_VER-linux32-utils.zip -o \
@@ -111,13 +111,14 @@ if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
      ! -f inputs/gmp-$GMP_VER-linux32-utils.zip -o \
      ! -f inputs/gmp-$GMP_VER-linux64-utils.zip -o \
      ! -f inputs/go-$GO_VER-linux32-utils.zip -o \
-     ! -f inputs/go-$GO_VER-linux64-utils.zip ];
+     ! -f inputs/go-$GO_VER-linux64-utils.zip -o \
+     ! -f inputs/selfrando-$SELFRANDO_TAG-linux64-utils.zip ];
 then
   echo
   echo "****** Starting Utilities Component of Linux Bundle (1/7 for Linux) ******"
   echo
 
-  ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit libevent=$LIBEVENT_TAG $DESCRIPTOR_DIR/linux/gitian-utils.yml
+  ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit libevent=$LIBEVENT_TAG,selfrando=$SELFRANDO_TAG $DESCRIPTOR_DIR/linux/gitian-utils.yml
   if [ $? -ne 0 ];
   then
     #mv var/build.log ./utils-fail-linux.log.`date +%Y%m%d%H%M%S`
@@ -138,6 +139,7 @@ then
   ln -sf gmp-$GMP_VER-linux64-utils.zip gmp-linux64-utils.zip
   ln -sf go-$GO_VER-linux32-utils.zip go-linux32-utils.zip
   ln -sf go-$GO_VER-linux64-utils.zip go-linux64-utils.zip
+  ln -sf selfrando-$SELFRANDO_TAG-linux64-utils.zip selfrando-linux64-utils.zip
   cd ..
   #cp -a result/utils-linux-res.yml inputs/
 else
@@ -159,6 +161,7 @@ else
   ln -sf gmp-$GMP_VER-linux64-utils.zip gmp-linux64-utils.zip
   ln -sf go-$GO_VER-linux32-utils.zip go-linux32-utils.zip
   ln -sf go-$GO_VER-linux64-utils.zip go-linux64-utils.zip
+  ln -sf selfrando-$SELFRANDO_TAG-linux64-utils.zip selfrando-linux64-utils.zip
   cd ..
 fi
 
@@ -193,7 +196,7 @@ then
   echo "****** Starting TorBrowser Component of Linux Bundle (3/7 for Linux) ******"
   echo
 
-  ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor-browser=$TORBROWSER_TAG,faketime=$FAKETIME_TAG $DESCRIPTOR_DIR/linux/gitian-firefox.yml
+  ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor-browser=$TORBROWSER_TAG,faketime=$FAKETIME_TAG,selfrando=$SELFRANDO_TAG $DESCRIPTOR_DIR/linux/gitian-firefox.yml
   if [ $? -ne 0 ];
   then
     #mv var/build.log ./firefox-fail-linux.log.`date +%Y%m%d%H%M%S`
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index dc207f5..7d551b8 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -125,10 +125,11 @@ depot_tools             $DEPOT_TOOLS_TAG
 go-webrtc               $GO_WEBRTC_TAG
 snowflake               $SNOWFLAKE_TAG
 uniuri                  $UNIURI_TAG
+selfrando               $SELFRANDO_TAG
 EOF
 
 # Verify signatures on signed packages
-for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI
+for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI ELFUTILS
 do
   PACKAGE="${i}_PACKAGE"
   URL="${i}_URL"
diff --git a/gitian/versions.alpha b/gitian/versions.alpha
index 2e6fb2c..be79310 100755
--- a/gitian/versions.alpha
+++ b/gitian/versions.alpha
@@ -47,6 +47,7 @@ WEBRTC_TAG=c279861207c5b15fc51069e96595782350e0ac12 # https://chromium.googlesou
 GO_WEBRTC_TAG=ab1b64862e0c4b4182010699911c2c5818f0a101
 SNOWFLAKE_TAG=9f2e9a6ecb696149708716ca06ce842df03cf492
 UNIURI_TAG=8902c56451e9b58ff940bbe5fec35d5f9c04584a
+SELFRANDO_TAG=40bfacc7175301bcb9e01d2ad05e72c0e35291c8
 
 GITIAN_TAG=tor-browser-builder-4-2
 
@@ -71,6 +72,7 @@ GO14_VER=1.4.3
 GO_VER=1.7.5
 NSIS_VER=2.51
 YASM_VER=1.2.0
+ELFUTILS_VER=0.160
 
 ## File names for the source packages
 OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
@@ -105,6 +107,7 @@ NOTOKRFONT_PACKAGE=NotoSansKR-Regular.otf
 NOTOSCFONT_PACKAGE=NotoSansSC-Regular.otf
 NOTOTCFONT_PACKAGE=NotoSansTC-Regular.otf
 YASM_PACKAGE=yasm-${YASM_VER}.tar.gz
+ELFUTILS_PACKAGE=elfutils-${ELFUTILS_VER}.tar.bz2
 
 # Hashes for packages with weak sigs or no sigs
 OPENSSL_HASH=6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0
@@ -167,3 +170,4 @@ NOTOKRFONT_URL=${NOTOCJKBASE_URL}/${NOTOKRFONT_PACKAGE}
 NOTOSCFONT_URL=${NOTOCJKBASE_URL}/${NOTOSCFONT_PACKAGE}
 NOTOTCFONT_URL=${NOTOCJKBASE_URL}/${NOTOTCFONT_PACKAGE}
 YASM_URL=https://www.tortall.net/projects/yasm/releases/${YASM_PACKAGE}
+ELFUTILS_URL=https://fedorahosted.org/releases/e/l/elfutils/${ELFUTILS_VER}/${ELFUTILS_PACKAGE}
diff --git a/gitian/versions.nightly b/gitian/versions.nightly
index b45e7d6..43c5234 100755
--- a/gitian/versions.nightly
+++ b/gitian/versions.nightly
@@ -54,6 +54,7 @@ WEBRTC_TAG=c279861207c5b15fc51069e96595782350e0ac12 # https://chromium.googlesou
 GO_WEBRTC_TAG=master
 SNOWFLAKE_TAG=master
 UNIURI_TAG=master
+SELFRANDO_TAG=62932627f30551e7b0b8e12d0453100f0eede017
 
 GITIAN_TAG=tor-browser-builder-4
 
@@ -78,6 +79,7 @@ GO14_VER=1.4.3
 GO_VER=1.7.5
 NSIS_VER=2.51
 YASM_VER=1.2.0
+ELFUTILS_VER=0.166
 
 ## File names for the source packages
 OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
@@ -112,6 +114,7 @@ NOTOKRFONT_PACKAGE=NotoSansKR-Regular.otf
 NOTOSCFONT_PACKAGE=NotoSansSC-Regular.otf
 NOTOTCFONT_PACKAGE=NotoSansTC-Regular.otf
 YASM_PACKAGE=yasm-${YASM_VER}.tar.gz
+ELFUTILS_PACKAGE=elfutils-${ELFUTILS_VER}.tar.bz2
 
 # Hashes for packages with weak sigs or no sigs
 OPENSSL_HASH=6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0
@@ -174,3 +177,4 @@ NOTOKRFONT_URL=${NOTOCJKBASE_URL}/${NOTOKRFONT_PACKAGE}
 NOTOSCFONT_URL=${NOTOCJKBASE_URL}/${NOTOSCFONT_PACKAGE}
 NOTOTCFONT_URL=${NOTOCJKBASE_URL}/${NOTOTCFONT_PACKAGE}
 YASM_URL=https://www.tortall.net/projects/yasm/releases/${YASM_PACKAGE}
+ELFUTILS_URL=https://fedorahosted.org/releases/e/l/elfutils/${ELFUTILS_VER}/${ELFUTILS_PACKAGE}



More information about the tbb-commits mailing list