Feature #20621
Open
Check libruby.so hardening by annocheck
Description
As part of #18061, an annocheck test case was implemented. However, the test covers just ruby (which is just a thin shell), while it leaves out libruby.so (which contains most of the Ruby code). This PR tries to improve that:
https://github.com/ruby/ruby/pull/11123
BTW the question is if all *.so files or even all *.o files should be covered.
Updated by jaruga (Jun Aruga) 5 months ago
BTW the question is if all *.so files or even all *.o files should be covered.
I agree on covering all the .so files. I am not sure if we cover the ".o" files. However, I think that can be after the PR https://github.com/ruby/ruby/pull/11123 adding only libruby.so is merged. I would like a small step approach.
Updated by jaruga (Jun Aruga) 5 months ago
The libruby.so was added to the annocheck test by the PR https://github.com/ruby/ruby/pull/11324. I am not sure if we can close this ticket due to the PR.
By the way, if we add other *.so and *.o files to the test, it's better to fix some failures that are currently skipped by the --skip-pie --skip-gaps options below.
https://github.com/ruby/ruby/blob/53f3036bf9becda911dba1e9e1823aceb97b3d9a/.github/workflows/annocheck.yml#L57-L60
https://github.com/ruby/ruby/actions/runs/10285685378/job/28464546087?pr=11324#step:10:100
+ /usr/bin/docker run --rm -t ruby-fedora-annocheck-copy annocheck --verbose --skip-pie --skip-gaps ruby libruby.so.3.4.0
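The question raised in this thread, whether all *.so files or even all *.o files should be covered, can be tried locally with a script like the one below. It is an added example, not part of the thread or of the ruby/ruby workflow; the function names and the EXTRA_FLAGS variable are assumptions, and annocheck must be installed for run_annocheck to work.

```shell
#!/bin/sh
# Added example (not from ruby/ruby). Function names and EXTRA_FLAGS are assumptions.
# Usage after sourcing:  run_annocheck <build-dir> "dyn"       # shared objects only
#                        run_annocheck <build-dir> "dyn rel"   # shared objects and *.o

# Print "dyn" (ET_DYN: shared object, also PIE executables) or "rel" (ET_REL: *.o).
# Returns 1 for anything that is not one of those ELF types.
elf_kind() {
    # 16 bytes of e_ident followed by the 2-byte e_type field, as 36 hex digits.
    hdr=$(od -An -tx1 -N18 "$1" 2>/dev/null | tr -d ' \n')
    [ "${#hdr}" -eq 36 ] || return 1
    case "$hdr" in 7f454c46*) ;; *) return 1 ;; esac
    data=$(printf %s "$hdr" | cut -c11-12)    # EI_DATA: 01 little, 02 big endian
    etype=$(printf %s "$hdr" | cut -c33-36)   # e_type in file byte order
    case "$data:$etype" in
        01:0300|02:0003) echo dyn ;;
        01:0100|02:0001) echo rel ;;
        *) return 1 ;;
    esac
}

# List regular files under DIR whose ELF kind is in the space-separated KINDS.
# Symlinks are skipped by -type f, so a library is not checked twice via an alias.
list_targets() {
    find "$1" -type f | while IFS= read -r f; do
        kind=$(elf_kind "$f") || continue
        case " $2 " in *" $kind "*) printf '%s\n' "$f" ;; esac
    done
}

# Run annocheck once per target so every failing file is reported; exit 1 if any fails.
run_annocheck() {
    list_targets "$1" "$2" | (
        rc=0
        while IFS= read -r f; do
            # EXTRA_FLAGS is empty by default, so no annocheck test is skipped.
            annocheck --verbose ${EXTRA_FLAGS:-} "$f" || rc=1
        done
        exit "$rc"
    )
}
```

Setting EXTRA_FLAGS="--skip-pie --skip-gaps" reproduces the skips used in the workflow command quoted above; leaving it empty shows which files still fail those tests.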