[tbb-commits] [tor-browser-bundle/master] Bug 20683: Integrate Selfrando into alpha Linux builds
gk at torproject.org
Fri Apr 7 16:51:50 UTC 2017
commit 0ea68f848f54aaeceeeed22dc1496d3723cbe128
Author: Georg Koppen <gk at torproject.org>
Date: Fri Apr 7 16:50:29 2017 +0000
Bug 20683: Integrate Selfrando into alpha Linux builds
Selfrando is a new defense against code reuse attacks developed by the
Readactor and Readactor++ people. We should give it a wider testing
audience by including it in the alpha series.
This is currently only available for 64bit Linux builds, though.
Supporting other platforms and architectures is work in progress.
---
RelativeLink/start-tor-browser | 1 +
gitian/descriptors/linux/gitian-firefox.yml | 17 +++++++++++++
gitian/descriptors/linux/gitian-utils.yml | 38 ++++++++++++++++++++++++++++
gitian/fetch-inputs.sh | 4 ++-
gitian/gpg/ELFUTILS.gpg | Bin 0 -> 10483 bytes
gitian/mkbundle-linux.sh | 13 ++++++----
gitian/verify-tags.sh | 3 ++-
gitian/versions.alpha | 4 +++
gitian/versions.nightly | 4 +++
9 files changed, 77 insertions(+), 7 deletions(-)
diff --git a/RelativeLink/start-tor-browser b/RelativeLink/start-tor-browser
index a78b367..2dd40fc 100755
--- a/RelativeLink/start-tor-browser
+++ b/RelativeLink/start-tor-browser
@@ -270,6 +270,7 @@ fi
LD_LIBRARY_PATH="${HOME}/TorBrowser/Tor/"
export LD_LIBRARY_PATH
+export SELFRANDO_write_layout_file=
function setControlPortPasswd() {
local ctrlPasswd=$1
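Review bot: The new `export SELFRANDO_write_layout_file=` is a presence-only flag with an empty value and no comment, so a reader cannot tell whether it turns layout-file writing on or off, or where that file ends up. Given `WRITE_LAYOUTS=env` on the scons line in gitian-utils.yml, selfrando presumably consults this variable's existence at runtime; the intent should be stated next to it, e.g. `# Selfrando checks for this variable's presence (not its value) to decide whether to write its layout file; TODO(review): document the path and whether this is wanted in release builds`. If a layout file is written, it records the randomized code layout of the running browser and should be treated as sensitive — readable only by the owning user and removed once no longer needed — since disclosing it undermines the defense. The `setControlPortPasswd` function that starts at the end of the hunk continues outside it.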
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index d607f6a..b20941a 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -27,6 +27,8 @@ reference_datetime: "2000-01-01 00:00:00"
remotes:
- "url": "https://git.torproject.org/tor-browser.git"
"dir": "tor-browser"
+- "url": "https://github.com/immunant/selfrando.git"
+ "dir": "selfrando"
files:
- "binutils-linux32-utils.zip"
- "binutils-linux64-utils.zip"
@@ -36,6 +38,8 @@ files:
- "re-dzip.sh"
- "dzip.sh"
- "versions"
+# XXX: 64bits only for now :(, see #20683.
+- "selfrando-linux64-utils.zip"
script: |
source versions
INSTDIR="$HOME/install"
@@ -53,6 +57,11 @@ script: |
export DEB_BUILD_HARDENING_FORMAT=1
export DEB_BUILD_HARDENING_PIE=1
#
+ # XXX: 64bits only for now :(, see #20683.
+ if [ $GBUILD_BITS == "64" ];
+ then
+ unzip -d $INSTDIR selfrando-linux64-utils.zip
+ fi
# Preparing Binutils and GCC for Tor Browser
unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
# Make sure gold is used with the hardening wrapper for full RELRO, see
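Review bot: `if [ $GBUILD_BITS == "64" ];` leaves `$GBUILD_BITS` unquoted and uses the non-POSIX `==` inside `[ ]`; should the variable ever be empty the test degenerates to `[ == "64" ]` and aborts with a syntax error instead of evaluating false. The same construct is added in the next hunk of this file and three more times in gitian-utils.yml (the `ARCH` block, the elfutils/selfrando block and the dzip block); suggest `if [ "$GBUILD_BITS" = "64" ]; then` throughout. `$INSTDIR` on the new `unzip -d` line is likewise unquoted, matching the existing binutils line below it; quoting it is harmless. The `script:` block continues outside the hunk.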
@@ -94,6 +103,14 @@ script: |
find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
rm -f configure
rm -f js/src/configure
+ # XXX: 64bits only for now :(, see #20683.
+ if [ $GBUILD_BITS == "64" ];
+ then
+ # Selfrando wrapper
+ export PATH="$HOME/build/selfrando/Tools/TorBrowser/tc-wrapper/:$PATH"
+ # We need to avoid the shuffling while building as this breaks compilation
+ export SELFRANDO_skip_shuffle=
+ fi
make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --with-distribution-id=org.torproject --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts"
find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
make $MAKEOPTS -f client.mk build
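Review bot: The `# Selfrando wrapper` comment above the PATH export is too terse for a change that re-routes the whole toolchain: prepending `$HOME/build/selfrando/Tools/TorBrowser/tc-wrapper/` presumably makes the compiler and linker invocations of `make -f client.mk` resolve to selfrando's wrapper scripts from the pinned checkout rather than to the hardened toolchain installed earlier. Suggest `# Put selfrando's compiler/linker wrappers first in PATH so the Firefox build links through them (TODO(review): confirm which tools the wrapper dir shadows)`. `export SELFRANDO_skip_shuffle=` is also a presence-only flag; one clause saying that its value is irrelevant would stop a later edit from "fixing" it to `=1` or dropping it as empty. The `script:` block continues outside the hunk.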
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index d10422b..1cadb61 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -24,10 +24,14 @@ packages:
- "libssl-dev"
# Needed for binutils (64bit) as we are building with PIE enabled.
- "libstdc++6-4.7-pic"
+# Needed for Selfrando
+- "scons"
reference_datetime: "2000-01-01 00:00:00"
remotes:
- "url": "https://github.com/libevent/libevent.git"
"dir": "libevent"
+- "url": "https://github.com/immunant/selfrando.git"
+ "dir": "selfrando"
files:
- "binutils.tar.bz2"
- "gcc.tar.bz2"
@@ -37,6 +41,7 @@ files:
- "go.tar.gz"
- "versions"
- "dzip.sh"
+- "elfutils.tar.bz2"
script: |
INSTDIR="$HOME/install"
source versions
@@ -52,6 +57,12 @@ script: |
export DEB_BUILD_HARDENING_FORMAT=1
export DEB_BUILD_HARDENING_PIE=1
+ ARCH=""
+ if [ $GBUILD_BITS == "64" ];
+ then
+ ARCH="64"
+ fi
+
# Building Binutils
tar xjf binutils.tar.bz2
# The libstdc++ shipped by default is non-PIC which breaks the binutils build
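Review bot: The new `ARCH` variable is assigned without any hint of what consumes it; it is only read much later, in the `LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"` export of a later hunk, where it selects `lib` versus `lib64`. A one-line comment at the definition would save the reader the search, e.g. `# Suffix of the gcc runtime lib dir: empty (lib/) on 32-bit, "64" (lib64/) on 64-bit; used for LD_LIBRARY_PATH below`. The `script:` block continues outside the hunk.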
@@ -86,6 +97,28 @@ script: |
cd ..
export DEB_BUILD_HARDENING_FORMAT=1
+ export PATH="$INSTDIR/binutils/bin:$INSTDIR/gcc/bin:$PATH"
+ export LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"
+
+ # XXX: 64bits only for now :(, see #20683.
+ if [ $GBUILD_BITS == "64" ];
+ then
+ # Building Elfutils
+ tar xjf elfutils.tar.bz2
+ cd elfutils*/
+ ./configure --prefix=$INSTDIR/elfutils
+ make $MAKEOPTS
+ make install
+ cd ..
+
+ # Building Selfrando
+ cd selfrando
+ scons -Q arch=x86_64 LIBELF_PATH="$INSTDIR/elfutils" FORCE_INPLACE=1 DEBUG_LEVEL=env WRITE_LAYOUTS=env LOG=console
+ mkdir -p $INSTDIR/selfrando
+ cp out/x86_64/bin/* $INSTDIR/selfrando/
+ cd ..
+ fi
+
# Building Libevent
cd libevent
./autogen.sh
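Review bot: The `PATH` and `LD_LIBRARY_PATH` exports at the top of the hunk sit outside the 64-bit guard and are never reset, so they do not only serve the elfutils and selfrando steps but also the Libevent build that follows and, presumably, the gmp and go builds later in the script. If building every remaining component with the freshly built binutils/gcc is intended, say so: `# From here on build with the binutils/gcc we just built (also affects libevent, gmp, go below)`; if not, move the exports inside the `if` or restore the previous values after `fi`. `LD_LIBRARY_PATH` is overwritten rather than extended, which is fine only if nothing earlier in the script relied on it. `$INSTDIR` in `./configure --prefix=$INSTDIR/elfutils`, `mkdir -p` and `cp` is unquoted; quoting keeps the block consistent with the `LIBELF_PATH="$INSTDIR/elfutils"` argument on the scons line. The `script:` block continues outside the hunk.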
@@ -157,4 +190,9 @@ script: |
~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
~/build/dzip.sh gmp-$GMP_VER-linux$GBUILD_BITS-utils.zip gmp
~/build/dzip.sh go-$GO_VER-linux$GBUILD_BITS-utils.zip go
+ # XXX: 64bits only for now :(, see #20683.
+ if [ $GBUILD_BITS == "64" ];
+ then
+ ~/build/dzip.sh selfrando-$SELFRANDO_TAG-linux$GBUILD_BITS-utils.zip selfrando
+ fi
cp *utils.zip $OUTDIR/
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index b7fcf36..c110eb8 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -113,7 +113,7 @@ update_git() {
##############################################################################
# Get+verify sigs that exist
-for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI
+for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI ELFUTILS
do
PACKAGE="${i}_PACKAGE"
URL="${i}_URL"
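Review bot: Adding `ELFUTILS` to the signature-verification loop makes the build trust whichever key is inside the new binary `gitian/gpg/ELFUTILS.gpg`, but neither the commit message nor the diff records that key's identity (owner, fingerprint, where it was obtained). A binary keyring cannot be reviewed by reading the diff; please state the fingerprint and its source in the commit message or in a comment beside the elfutils `*_PACKAGE`/`*_URL` entries in the versions files, so reviewers can compare it against an out-of-band copy. Fetching and checking the elfutils tarball like the other signed packages is otherwise the right approach. The loop body continues outside the hunk.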
@@ -252,6 +252,7 @@ ln -sf "$GO_PACKAGE" go.tar.gz
ln -sf "$NSIS_PACKAGE" nsis.tar.bz2
ln -sf "$NSIS_DEBIAN_PACKAGE" nsis-debian.tar.xz
ln -sf "$YASM_PACKAGE" yasm.tar.gz
+ln -sf "$ELFUTILS_PACKAGE" elfutils.tar.bz2
# Fetch latest gitian-builder itself
# XXX - this is broken if a non-standard inputs dir is selected using the command line flag.
@@ -303,6 +304,7 @@ depot_tools https://chromium.googlesource.com/chromium/tools/depot_too
go-webrtc https://github.com/keroserene/go-webrtc $GO_WEBRTC_TAG
snowflake https://git.torproject.org/pluggable-transports/snowflake.git $SNOWFLAKE_TAG
uniuri https://github.com/dchest/uniuri $UNIURI_TAG
+selfrando https://github.com/immunant/selfrando.git $SELFRANDO_TAG
EOF
# HTTPS-Everywhere is special, too. We need to initialize the git submodules and
diff --git a/gitian/gpg/ELFUTILS.gpg b/gitian/gpg/ELFUTILS.gpg
new file mode 100644
index 0000000..f1cd4b3
Binary files /dev/null and b/gitian/gpg/ELFUTILS.gpg differ
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 6dbbe51..0a1613f 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -35,7 +35,7 @@ fi
if [ -z "$VM_MEMORY" ];
then
- export VM_MEMORY=4000
+ export VM_MEMORY=6000
fi
./make-vms.sh
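Review bot: `VM_MEMORY` jumps from 4000 to 6000 with no explanation of what needs the extra memory; presumably the elfutils/selfrando build or the now-wrapped Firefox link, but someone reading this default later cannot tell. A comment would make the constraint explicit, e.g. `# 6000 MB: building with selfrando needs more than the previous 4000 MB default — TODO(review): confirm which step`. The surrounding `if` is complete within the hunk.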
@@ -99,7 +99,7 @@ then
fi
cd $GITIAN_DIR
-
+# XXX: 64bits selfrando only for now :(, see #20683.
if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
! -f inputs/binutils-$BINUTILS_VER-linux64-utils.zip -o \
! -f inputs/gcc-$GCC_VER-linux32-utils.zip -o \
@@ -111,13 +111,14 @@ if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
! -f inputs/gmp-$GMP_VER-linux32-utils.zip -o \
! -f inputs/gmp-$GMP_VER-linux64-utils.zip -o \
! -f inputs/go-$GO_VER-linux32-utils.zip -o \
- ! -f inputs/go-$GO_VER-linux64-utils.zip ];
+ ! -f inputs/go-$GO_VER-linux64-utils.zip -o \
+ ! -f inputs/selfrando-$SELFRANDO_TAG-linux64-utils.zip ];
then
echo
echo "****** Starting Utilities Component of Linux Bundle (1/7 for Linux) ******"
echo
- ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit libevent=$LIBEVENT_TAG $DESCRIPTOR_DIR/linux/gitian-utils.yml
+ ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit libevent=$LIBEVENT_TAG,selfrando=$SELFRANDO_TAG $DESCRIPTOR_DIR/linux/gitian-utils.yml
if [ $? -ne 0 ];
then
#mv var/build.log ./utils-fail-linux.log.`date +%Y%m%d%H%M%S`
@@ -138,6 +139,7 @@ then
ln -sf gmp-$GMP_VER-linux64-utils.zip gmp-linux64-utils.zip
ln -sf go-$GO_VER-linux32-utils.zip go-linux32-utils.zip
ln -sf go-$GO_VER-linux64-utils.zip go-linux64-utils.zip
+ ln -sf selfrando-$SELFRANDO_TAG-linux64-utils.zip selfrando-linux64-utils.zip
cd ..
#cp -a result/utils-linux-res.yml inputs/
else
@@ -159,6 +161,7 @@ else
ln -sf gmp-$GMP_VER-linux64-utils.zip gmp-linux64-utils.zip
ln -sf go-$GO_VER-linux32-utils.zip go-linux32-utils.zip
ln -sf go-$GO_VER-linux64-utils.zip go-linux64-utils.zip
+ ln -sf selfrando-$SELFRANDO_TAG-linux64-utils.zip selfrando-linux64-utils.zip
cd ..
fi
@@ -193,7 +196,7 @@ then
echo "****** Starting TorBrowser Component of Linux Bundle (3/7 for Linux) ******"
echo
- ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor-browser=$TORBROWSER_TAG,faketime=$FAKETIME_TAG $DESCRIPTOR_DIR/linux/gitian-firefox.yml
+ ./bin/gbuild -j $NUM_PROCS -m $VM_MEMORY --commit tor-browser=$TORBROWSER_TAG,faketime=$FAKETIME_TAG,selfrando=$SELFRANDO_TAG $DESCRIPTOR_DIR/linux/gitian-firefox.yml
if [ $? -ne 0 ];
then
#mv var/build.log ./firefox-fail-linux.log.`date +%Y%m%d%H%M%S`
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index dc207f5..7d551b8 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -125,10 +125,11 @@ depot_tools $DEPOT_TOOLS_TAG
go-webrtc $GO_WEBRTC_TAG
snowflake $SNOWFLAKE_TAG
uniuri $UNIURI_TAG
+selfrando $SELFRANDO_TAG
EOF
# Verify signatures on signed packages
-for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI
+for i in OPENSSL BINUTILS GCC PYTHON_MSI GMP LLVM CFE LIBCXX LIBCXXABI ELFUTILS
do
PACKAGE="${i}_PACKAGE"
URL="${i}_URL"
diff --git a/gitian/versions.alpha b/gitian/versions.alpha
index 2e6fb2c..be79310 100755
--- a/gitian/versions.alpha
+++ b/gitian/versions.alpha
@@ -47,6 +47,7 @@ WEBRTC_TAG=c279861207c5b15fc51069e96595782350e0ac12 # https://chromium.googlesou
GO_WEBRTC_TAG=ab1b64862e0c4b4182010699911c2c5818f0a101
SNOWFLAKE_TAG=9f2e9a6ecb696149708716ca06ce842df03cf492
UNIURI_TAG=8902c56451e9b58ff940bbe5fec35d5f9c04584a
+SELFRANDO_TAG=40bfacc7175301bcb9e01d2ad05e72c0e35291c8
GITIAN_TAG=tor-browser-builder-4-2
@@ -71,6 +72,7 @@ GO14_VER=1.4.3
GO_VER=1.7.5
NSIS_VER=2.51
YASM_VER=1.2.0
+ELFUTILS_VER=0.160
## File names for the source packages
OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
@@ -105,6 +107,7 @@ NOTOKRFONT_PACKAGE=NotoSansKR-Regular.otf
NOTOSCFONT_PACKAGE=NotoSansSC-Regular.otf
NOTOTCFONT_PACKAGE=NotoSansTC-Regular.otf
YASM_PACKAGE=yasm-${YASM_VER}.tar.gz
+ELFUTILS_PACKAGE=elfutils-${ELFUTILS_VER}.tar.bz2
# Hashes for packages with weak sigs or no sigs
OPENSSL_HASH=6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0
@@ -167,3 +170,4 @@ NOTOKRFONT_URL=${NOTOCJKBASE_URL}/${NOTOKRFONT_PACKAGE}
NOTOSCFONT_URL=${NOTOCJKBASE_URL}/${NOTOSCFONT_PACKAGE}
NOTOTCFONT_URL=${NOTOCJKBASE_URL}/${NOTOTCFONT_PACKAGE}
YASM_URL=https://www.tortall.net/projects/yasm/releases/${YASM_PACKAGE}
+ELFUTILS_URL=https://fedorahosted.org/releases/e/l/elfutils/${ELFUTILS_VER}/${ELFUTILS_PACKAGE}
diff --git a/gitian/versions.nightly b/gitian/versions.nightly
index b45e7d6..43c5234 100755
--- a/gitian/versions.nightly
+++ b/gitian/versions.nightly
@@ -54,6 +54,7 @@ WEBRTC_TAG=c279861207c5b15fc51069e96595782350e0ac12 # https://chromium.googlesou
GO_WEBRTC_TAG=master
SNOWFLAKE_TAG=master
UNIURI_TAG=master
+SELFRANDO_TAG=62932627f30551e7b0b8e12d0453100f0eede017
GITIAN_TAG=tor-browser-builder-4
@@ -78,6 +79,7 @@ GO14_VER=1.4.3
GO_VER=1.7.5
NSIS_VER=2.51
YASM_VER=1.2.0
+ELFUTILS_VER=0.166
## File names for the source packages
OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
@@ -112,6 +114,7 @@ NOTOKRFONT_PACKAGE=NotoSansKR-Regular.otf
NOTOSCFONT_PACKAGE=NotoSansSC-Regular.otf
NOTOTCFONT_PACKAGE=NotoSansTC-Regular.otf
YASM_PACKAGE=yasm-${YASM_VER}.tar.gz
+ELFUTILS_PACKAGE=elfutils-${ELFUTILS_VER}.tar.bz2
# Hashes for packages with weak sigs or no sigs
OPENSSL_HASH=6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0
@@ -174,3 +177,4 @@ NOTOKRFONT_URL=${NOTOCJKBASE_URL}/${NOTOKRFONT_PACKAGE}
NOTOSCFONT_URL=${NOTOCJKBASE_URL}/${NOTOSCFONT_PACKAGE}
NOTOTCFONT_URL=${NOTOCJKBASE_URL}/${NOTOTCFONT_PACKAGE}
YASM_URL=https://www.tortall.net/projects/yasm/releases/${YASM_PACKAGE}
+ELFUTILS_URL=https://fedorahosted.org/releases/e/l/elfutils/${ELFUTILS_VER}/${ELFUTILS_PACKAGE}