From 8eb843f2af349e4dbbd377a4c16fa57094c90414 Mon Sep 17 00:00:00 2001
From: trinity-1686a
Date: Wed, 25 May 2022 13:10:55 +0200
Subject: [PATCH 1/4] make almost all scripts use bash and set euo pipefail

---
 .gitlab-ci.yml | 3 ++-
 maint/binary_size | 4 ++--
 maint/changed_crates | 6 ++++--
 maint/check_licenses | 2 +-
 maint/coverage | 2 +-
 maint/coverage_fuzz_corpora | 6 +++---
 maint/docker_reproducible_build | 6 ++++--
 maint/downgrade_dependencies | 4 +++-
 maint/fuzz_it_all | 2 +-
 maint/hooks/pre-commit | 4 ++--
 maint/hooks/pre-push | 4 ++--
 maint/readmes | 4 ++--
 maint/reproducible_build | 6 ++++--
 maint/shellcheck_all | 4 +++-
 maint/with_coverage | 2 +-
 tests/chutney/setup | 4 ++--
 tests/chutney/teardown | 4 ++--
 tests/chutney/test | 4 +++-
 18 files changed, 42 insertions(+), 29 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 31edc3c62..8b869d61e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,7 +18,7 @@ shellcheck:
   stage: check
   image: koalaman/shellcheck-alpine
   script:
-    - apk add git
+    - apk add git bash
     - ./maint/shellcheck_all
 
 rust-latest:
@@ -117,6 +117,7 @@ build-repro:
   # If you upgrade this image, also change the one in docker_reproducible_build
   image: rust:1.59.0-alpine3.15
   script:
+    - apk add bash
     - ./maint/reproducible_build linux windows macos
   artifacts:
     paths:
diff --git a/maint/binary_size b/maint/binary_size
index cba11a5fc..0fd793248 100755
--- a/maint/binary_size
+++ b/maint/binary_size
@@ -1,9 +1,9 @@
-#!/bin/sh
+#!/bin/bash
 #
 # binary_size: Build arti with a given set of options, and
 # dump the binary size in a json format.
 
-set -eu
+set -euo pipefail
 
 ORIGDIR=$(pwd)
 TMPDIR=$(mktemp -d -t arti_binsize.XXXXXX)
diff --git a/maint/changed_crates b/maint/changed_crates
index 5b1c4cb20..33d13a029 100755
--- a/maint/changed_crates
+++ b/maint/changed_crates
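Review bot: `TMPDIR=$(mktemp -d -t arti_binsize.XXXXXX)` reuses the name of the standard TMPDIR environment variable, which `mktemp -t` itself consults and which cargo and other child processes honour if the variable is ever exported; any later `export TMPDIR` or second `mktemp` call in the part of the script below this hunk would nest new temp directories inside the first one. A distinct name avoids the collision, e.g. `WORKDIR=$(mktemp -d -t arti_binsize.XXXXXX)`, with the uses further down renamed to match. Now that `-e` aborts on the first failure, also confirm that the directory is removed on every exit path (a `trap '…' EXIT`) — the remainder of binary_size is outside this hunk, so I cannot see whether that cleanup exists.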
@@ -1,8 +1,10 @@
-#!/bin/sh
+#!/bin/bash
+
+set -euo pipefail
 
 TOP=$(dirname "$0")/..
 
-TAG="$1"
+TAG="${1:-}"
 
 if [ -z "$TAG" ]; then
   echo "You need to give a git revision as an argument."
diff --git a/maint/check_licenses b/maint/check_licenses
index 1e169a0bb..ea7eda2c3 100755
--- a/maint/check_licenses
+++ b/maint/check_licenses
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
 
 # A list of the licenses that we currently allow in our code.
 #
diff --git a/maint/coverage b/maint/coverage
index baa9f77b3..8f088011e 100755
--- a/maint/coverage
+++ b/maint/coverage
@@ -22,7 +22,7 @@ Notes:
 EOF
 }
 
-set -e
+set -euo pipefail
 
 TOPDIR=$(dirname "$0")/..
 cd "$TOPDIR"
diff --git a/maint/coverage_fuzz_corpora b/maint/coverage_fuzz_corpora
index 5a8ffda13..59ed8a7f4 100755
--- a/maint/coverage_fuzz_corpora
+++ b/maint/coverage_fuzz_corpora
@@ -1,8 +1,8 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
 
-if [ -z "$LLVM_PROFILE_FILE" ]; then
+if [ -z "${LLVM_PROFILE_FILE:-}" ]; then
   echo "This script is meant to be run inside with_coverage" >&2
   exit 1
 fi
@@ -28,7 +28,7 @@ for d in ./crates/*/fuzz; do
     mkdir -p "$TOPDIR/target/debug/$crate"
     mkdir -p "$coverage_dir/$crate"
     for fuzzer in $(cargo fuzz list); do
-        cargo fuzz coverage "$fuzzer"
+        cargo fuzz coverage "$fuzzer" --sanitizer=none
 
         # we copy binary and coverage data where with_coverage expect it to be
         cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer"
diff --git a/maint/docker_reproducible_build b/maint/docker_reproducible_build
index 8c4177892..1604229a4 100755
--- a/maint/docker_reproducible_build
+++ b/maint/docker_reproducible_build
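Review bot: `TAG="${1:-}"` only guards against an unset argument; if `$TAG` is later handed to `git diff` or `git log` (below this hunk), a value that starts with `-` is parsed by git as an option rather than a revision, and a non-existent revision surfaces as a confusing downstream git error. Validating it as a commit right after the emptiness check closes both: `git rev-parse --verify --quiet --end-of-options "${TAG}^{commit}" >/dev/null || { echo "not a git revision: $TAG" >&2; exit 1; }` (`--end-of-options` needs git 2.24 or newer; drop it on older hosts and accept the option-parsing gap). The `if` block continues past the end of the hunk.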
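Review bot: Adding `-o pipefail` to check_licenses changes the meaning of any pipeline in the body (not visible in this hunk) that ends in a filtering `grep`: when every license is on the allow-list and the filter matches nothing, `grep` exits 1 and the script now fails in exactly the all-clear case. If the body is structured as `… | grep -v -f allowed`, the last stage needs an explicit status mapping such as `{ grep -v … || [ $? -eq 1 ]; }` so that "no disallowed licenses" stays a success. A one-line comment next to `set -euo pipefail` noting that the grep exit codes below have been audited for this would save the next reader the same check.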
@@ -1,8 +1,10 @@
-#!/bin/sh
+#!/bin/bash
 #
 # This script runs as the top level of our reproducible build process.
 # It launches the actual build script inside a docker container.
 
+set -euo pipefail
+
 ## use a fixed image to not suffer from image retaging when newer rustc or
 ## alpine emerges. Increase shm size for the reasons described in
 ## reproducible_build
@@ -11,4 +13,4 @@
 ## the build-repro job in .gitlab-ci.yml
 exec docker run --rm -i -v "$(git rev-parse --show-toplevel)":/builds/arti \
   -w /builds/arti --shm-size=512m rust:1.59.0-alpine3.15 \
-  ./maint/reproducible_build "$@"
+  sh -c "apk add bash && ./maint/reproducible_build" "$@"
diff --git a/maint/downgrade_dependencies b/maint/downgrade_dependencies
index eac6282de..120127ebb 100755
--- a/maint/downgrade_dependencies
+++ b/maint/downgrade_dependencies
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # Downgrades every one of our dependencies in Cargo.lock to the
 # earliest version listed in our Cargo.toml files. (And then
@@ -11,6 +11,8 @@
 # successfully with the versions listed in Cargo.lock, while declaring
 # support for versions of our dependencies that won't actually work.
 
+set -euo pipefail
+
 cargo +nightly update -Z minimal-versions
 cargo update \
   -p crc32fast \
diff --git a/maint/fuzz_it_all b/maint/fuzz_it_all
index dac52d640..dc60caee5 100755
--- a/maint/fuzz_it_all
+++ b/maint/fuzz_it_all
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
 
 echo "Using toolchain +${RUST_FUZZ_TOOLCHAIN:=nightly}. (Override with \$RUST_FUZZ_TOOLCHAIN)"
 
diff --git a/maint/hooks/pre-commit b/maint/hooks/pre-commit
index 413fe7155..0c50622a9 100755
--- a/maint/hooks/pre-commit
+++ b/maint/hooks/pre-commit
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 
-set -e
+set -euo pipefail
 
 echo '+cargo fmt --all -- --check'
 cargo fmt --all -- --check
diff --git a/maint/hooks/pre-push b/maint/hooks/pre-push
index c0f90328c..d767d30c6 100755
--- a/maint/hooks/pre-push
+++ b/maint/hooks/pre-push
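Review bot: `sh -c "apk add bash && ./maint/reproducible_build"` makes the "reproducible" build depend on an unpinned network fetch: the image tag is fixed precisely to avoid retagging drift (per the comment just above), but `apk add bash` pulls whatever version the live Alpine 3.15 index serves at run time, as root, inside the build container. bash itself should not change the produced binaries, so this is mainly a supply-chain and auditability concern rather than a determinism bug, but it deserves the same treatment as the image: either `apk add --no-cache bash=<pinned version>` (whatever version the 3.15 branch currently ships) or a project-controlled image that already contains bash, so the environment stays fully described by the pinned tag. A one-line comment stating that bash is not part of the reproducible output would make the trade-off explicit for whoever next audits the build.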
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 
-set -e
+set -euo pipefail
 
 echo '+cargo fmt --all -- --check'
 cargo fmt --all -- --check
diff --git a/maint/readmes b/maint/readmes
index 27ef004d2..2355a9a35 100755
--- a/maint/readmes
+++ b/maint/readmes
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 
-set -e
+set -euo pipefail
 
 cd "$(dirname "$0")/.."
 for subcargo in crates/*/Cargo.toml ; do
diff --git a/maint/reproducible_build b/maint/reproducible_build
index 336e30238..4f6d78fb8 100755
--- a/maint/reproducible_build
+++ b/maint/reproducible_build
@@ -1,9 +1,9 @@
-#!/bin/sh
+#!/bin/bash
 #
 # This script is run inside a docker container as part of our
 # reproducible build process.
 #
-set -xeu
+set -xeuo pipefail
 if [ ! -f /.dockerenv ]; then
   echo Not running inside Docker, build will probably not be reproducible
   echo Use docker_reproducible_build instead to get the right environment
@@ -103,6 +103,8 @@ EOF
   mv /arti/target/x86_64-apple-darwin/release/arti "$here"/arti-macos
 fi
 
+git config --global --add safe.directory /arti
+
 set +x
 echo "branch :" "$(git rev-parse --abbrev-ref HEAD)"
 echo "commit :" "$(git rev-parse HEAD)"
diff --git a/maint/shellcheck_all b/maint/shellcheck_all
index 0c7fc7fa3..7c7c24428 100755
--- a/maint/shellcheck_all
+++ b/maint/shellcheck_all
@@ -1,3 +1,5 @@
-#!/bin/sh
+#!/bin/bash
+
+set -euo pipefail
 
 git grep -P --line-number '^#! ?/bin/(:?ba)?sh\b' | sed -n 's/:1:[^:]*$//p' | xargs shellcheck
diff --git a/maint/with_coverage b/maint/with_coverage
index eb988f611..059bc668d 100755
--- a/maint/with_coverage
+++ b/maint/with_coverage
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
 
 SCRIPT_NAME=$(basename "$0")
 
diff --git a/tests/chutney/setup b/tests/chutney/setup
index 7c2deb704..e3ae1e5d7 100755
--- a/tests/chutney/setup
+++ b/tests/chutney/setup
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -xe
+set -xeuo pipefail
 
 SCRIPT_NAME=$(basename "$0")
 
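Review bot: `git config --global --add safe.directory /arti` deliberately switches off git's dubious-ownership refusal (the check introduced for CVE-2022-24765) for one path, but nothing in the hunk records why or which checkout it is meant for: the `mv /arti/target/…` context line suggests the build tree lives at /arti, while docker_reproducible_build mounts the repository at /builds/arti and the CI job runs this script directly in that checkout, so unless the script copies the tree to /arti earlier (outside this hunk) the `git rev-parse` calls that follow may still be refused. Keep the entry narrow (an exact path, never `*`) and anchor it to the directory the commands below actually run in, e.g. `git config --global --add safe.directory "$(pwd)"`, preceded by a comment such as `# The checkout is owned by the host user, not the container's root; git >= 2.35.2 refuses to read it without this.` Writing to `--global` is harmless inside a throwaway container but should be noted, since the script also runs outside Docker (it only warns, it does not abort).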
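Review bot: The pattern in `git grep -P --line-number '^#! ?/bin/(:?ba)?sh\b'` (context, now run under `-o pipefail`) has `(:?ba)?` where `(?:ba)?` was intended; as written it also accepts a literal colon, so `#!/bin/:bash` would be linted and, more to the point, the group is a non-capturing-group typo that every future reader will trip over. Two further effects of this commit are worth a comment: with pipefail a repository where the grep matches nothing now aborts with status 1 before shellcheck runs, and `xargs` still splits the file list on whitespace, which is fine only as long as no script path contains a space. Suggested line: `git grep -P --line-number '^#! ?/bin/(?:ba)?sh\b' | sed -n 's/:1:[^:]*$//p' | xargs shellcheck`.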
@@ -52,7 +52,7 @@ target="networks/$NETWORK"
 cd "$(git rev-parse --show-toplevel)"
 echo "target=$target" > tests/chutney/arti.run
 
-if [ -z "${CHUTNEY_PATH}" ]; then
+if [ -z "${CHUTNEY_PATH:-}" ]; then
   # CHUTNEY_PATH isn't set; try cloning or updating a local chutney.
   if [ -d chutney ]; then
     (cd ./chutney && git pull)
diff --git a/tests/chutney/teardown b/tests/chutney/teardown
index 924a16208..e9405424c 100755
--- a/tests/chutney/teardown
+++ b/tests/chutney/teardown
@@ -1,9 +1,9 @@
 #!/bin/bash
 
-set -xe
+set -xeuo pipefail
 
 cd "$(git rev-parse --show-toplevel)"
-if [ -z "${CHUTNEY_PATH}" ]; then
+if [ -z "${CHUTNEY_PATH:-}" ]; then
   # Use the default chutney path we set up before.
   CHUTNEY_PATH="$(pwd)/chutney"
   export CHUTNEY_PATH
diff --git a/tests/chutney/test b/tests/chutney/test
index 6fe76b92b..fe56369a8 100755
--- a/tests/chutney/test
+++ b/tests/chutney/test
@@ -1,4 +1,6 @@
-#!/bin/bash -xe
+#!/bin/bash
+
+set -xeuo pipefail
 
 curl http://example.com -vs --socks5-hostname 127.0.0.1:9150 -o /dev/null
 
From b380c25e6637b2cf48239eea8c4a3707eb3aa67e Mon Sep 17 00:00:00 2001
From: trinity-1686a
Date: Wed, 25 May 2022 17:37:19 +0200
Subject: [PATCH 2/4] update readmes

---
 crates/arti-config/README.md | 2 ++
 crates/fs-mistrust/README.md | 24 +++++++++++++++++-------
 crates/tor-persist/README.md | 2 +-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/crates/arti-config/README.md b/crates/arti-config/README.md
index ade9b425d..39fbde7ec 100644
--- a/crates/arti-config/README.md
+++ b/crates/arti-config/README.md
@@ -8,3 +8,5 @@ implement [Tor](https://www.torproject.org/) in Rust.
 The project continues, but this particular crate is now superseded.
 
 This empty crate is published as a tombstone.
+
+License: MIT OR Apache-2.0
diff --git a/crates/fs-mistrust/README.md b/crates/fs-mistrust/README.md
index 4eeae954d..c08134d0c 100644
--- a/crates/fs-mistrust/README.md
+++ b/crates/fs-mistrust/README.md
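Review bot: `set -xeuo pipefail` only sees curl's exit status, and `curl http://example.com -vs --socks5-hostname 127.0.0.1:9150 -o /dev/null` (context) has no `--fail`, so an HTTP 4xx/5xx delivered through the SOCKS path still exits 0 and the integration test passes without ever having fetched the page; there is also no `--max-time`, so a circuit that never completes blocks the job until the CI timeout. Suggested: `curl -fvs --max-time 120 --socks5-hostname 127.0.0.1:9150 -o /dev/null http://example.com`. With `-x` now tracing every command, keep in mind that anything added to this script later (credentials, onion addresses) will be echoed into the job log.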
@@ -114,13 +114,12 @@ You can adjust the [`Mistrust`] object to change what it permits:
 ```rust
 use fs_mistrust::Mistrust;
 
-let mut my_mistrust = Mistrust::new();
-
-// Assume that our home directory and its parents are all well-configured.
-my_mistrust.ignore_prefix("/home/doze/")?;
-
-// Assume that a given group will only contain trusted users.
-my_mistrust.trust_group_id(413);
+let my_mistrust = Mistrust::builder()
+    // Assume that our home directory and its parents are all well-configured.
+    .ignore_prefix("/home/doze/")
+    // Assume that a given group will only contain trusted users.
+    .trust_group(413)
+    .build()?;
 ```
 
 See [`Mistrust`] for more options.
@@ -193,6 +192,17 @@ systems, but we don't actually look at the details of any of these:
 * SELinux capabilities
 * POSIX (and other) ACLs.
 
+We use a somewhat inaccurate heuristic when we're checking the permissions
+of items _inside_ a target directory (using [`Verifier::check_content`] or
+[`CheckedDir`]): we continue to forbid untrusted-writeable directories and
+files, but we still allow readable ones, even if we insisted that the target
+directory itself was required to to be unreadable. This is too permissive
+in the case of readable objects with hard links: if there is a hard link to
+the file somewhere else, then an untrusted user can read it. It is also too
+restrictive in the case of writeable objects _without_ hard links: if
+untrusted users have no path to those objects, they can't actually write
+them.
+
 On Windows, we accept all file permissions and owners.
 
 We don't check for mount-points and the privacy of filesystem devices
diff --git a/crates/tor-persist/README.md b/crates/tor-persist/README.md
index 903e7e514..c03cd9e20 100644
--- a/crates/tor-persist/README.md
+++ b/crates/tor-persist/README.md
@@ -7,7 +7,7 @@ This crate is part of
 implement [Tor](https://www.torproject.org/) in Rust.
 
 For now, users should construct storage objects directly with (for
-example) [`FsStateMgr::from_path()`], but use them primarily via the
+example) [`FsStateMgr::from_path_and_mistrust()`], but use them primarily via the
 interfaces of the [`StateMgr`] trait.
 
 License: MIT OR Apache-2.0
From 0f14847023b19e124c242837dd72dd95906287b2 Mon Sep 17 00:00:00 2001
From: trinity-1686a
Date: Wed, 25 May 2022 22:29:04 +0200
Subject: [PATCH 3/4] update comments in coverage_fuzz_corpora

---
 maint/coverage_fuzz_corpora | 38 ++++++++++++++-----------------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/maint/coverage_fuzz_corpora b/maint/coverage_fuzz_corpora
index 59ed8a7f4..3b3948124 100755
--- a/maint/coverage_fuzz_corpora
+++ b/maint/coverage_fuzz_corpora
@@ -12,32 +12,22 @@ coverage_dir=$(dirname "$LLVM_PROFILE_FILE")
 TOPDIR=$(realpath "$(dirname "$0")/..")
 cd "$TOPDIR"
 
-# for some reason, compiling with coverage is very slow, especially for curve25519-dalek,
-# and mixing normal runs and coverage runs trash the cache. Here we set an alternative
-# target directory so it's possible to reuse cached artifacts between coverage runs.
+# set an alternative target directory so it's possible to reuse cached artifacts between coverage
+# runs of coverage and fuzzing.
 export CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-target-coverage}
 
-# remove comments starting with #@ to run in parallel. This makes output very messy, uses a lot more
-# ram and make the load average go crazy, but it's also way faster both to compile (due to
-# curve25519-dalek compilation being so slow, and it using a single core), and to run because it's
-# essentially monothreaded too.
 for d in ./crates/*/fuzz; do
-    #@{
-        pushd "$(dirname "$d")"
-        crate=$(basename "$(dirname "$d")")
-        mkdir -p "$TOPDIR/target/debug/$crate"
-        mkdir -p "$coverage_dir/$crate"
-        for fuzzer in $(cargo fuzz list); do
-            cargo fuzz coverage "$fuzzer" --sanitizer=none
+    pushd "$(dirname "$d")"
+    crate=$(basename "$(dirname "$d")")
+    mkdir -p "$TOPDIR/target/debug/$crate"
+    mkdir -p "$coverage_dir/$crate"
+    for fuzzer in $(cargo fuzz list); do
+        # disable sanitizer to work in stable. Also make curve25519-dalek compilation much faster
+        cargo fuzz coverage "$fuzzer" --sanitizer=none
 
-            # we copy binary and coverage data where with_coverage expect it to be
-            cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer"
-            mv "fuzz/coverage/$fuzzer/raw" "$coverage_dir/$crate/$fuzzer"
-        done
-        popd
-    #@}&
+        # we copy binary and coverage data where with_coverage expect it to be
+        cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer"
+        mv "fuzz/coverage/$fuzzer/raw" "$coverage_dir/$crate/$fuzzer"
+    done
+    popd
 done
-
-#@for d in ./crates/*/fuzz; do
-#@    wait
-#@done
From 545313a899c40c795321f9239a695c728a339c6e Mon Sep 17 00:00:00 2001
From: trinity-1686a
Date: Thu, 26 May 2022 09:44:06 +0200
Subject: [PATCH 4/4] fix docker_reproducible_build not passing its parameters properly

---
 maint/docker_reproducible_build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/maint/docker_reproducible_build b/maint/docker_reproducible_build
index 1604229a4..e33763130 100755
--- a/maint/docker_reproducible_build
+++ b/maint/docker_reproducible_build
@@ -13,4 +13,4 @@ set -euo pipefail
 ## the build-repro job in .gitlab-ci.yml
 exec docker run --rm -i -v "$(git rev-parse --show-toplevel)":/builds/arti \
   -w /builds/arti --shm-size=512m rust:1.59.0-alpine3.15 \
-  sh -c "apk add bash && ./maint/reproducible_build" "$@"
+  sh -c "apk add bash && ./maint/reproducible_build $*"
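Review bot: The re-added `cp "target-coverage/x86_64-unknown-linux-gnu/release/$fuzzer" …` hard-codes the target directory even though the script honours an externally supplied value via the context line `export CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-target-coverage}`, so a caller who overrides it — in particular with an absolute path — gets a copy attempt from a directory cargo never wrote to, which under `set -e` aborts the whole corpus run. `cp "$CARGO_TARGET_DIR/x86_64-unknown-linux-gnu/release/$fuzzer" "$TOPDIR/target/debug/$crate/$fuzzer"` keeps the two in sync; note that the default relative value is resolved against the `pushd`'d crate directory, which is what the literal silently relies on today and deserves a comment. The host triple is hard-coded the same way, so a comment stating that the script is x86_64 Linux only would be honest.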
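Review bot: `sh -c "apk add bash && ./maint/reproducible_build $*"` interpolates the arguments into the command string in the outer shell and then has the inner `sh -c` parse them again, so each argument is word-split, glob-expanded and has shell metacharacters interpreted a second time: an argument containing a space, `$`, `;` or backticks (for example one sourced from a CI variable) becomes a command executed inside the build container rather than a parameter to reproducible_build. Passing them as genuine positional parameters fixes the bug this patch targets without the re-parse: `sh -c 'apk add bash && exec ./maint/reproducible_build "$@"' sh "$@"` — the extra `sh` fills `$0`, `"$@"` inside the single-quoted string is expanded by the inner shell, and `exec` makes the script's exit status the container's.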