Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change health check to fail on absolute link paths on osx #1

Merged
merged 3 commits into from
Jun 9, 2020
Merged

Change health check to fail on absolute link paths on osx #1

merged 3 commits into from
Jun 9, 2020

Conversation

adfoster-r7
Copy link

@adfoster-r7 adfoster-r7 commented Jun 5, 2020
edited
Loading

Description

This pull request changes the health check mechanism for omnibus, as part of the effort of running msfconsole at arbitrary locations - rapid7/metasploit-omnibus#127

The current implementation could not be landed in its current form upstream, the current implementation is too specific to our use case.

Before

Omibus verifies that all osx build libs are either whitelisted files, or that their links match the project's root dir.

For instance, an example of a happy path lib. There is a reference directly to /opt/metasploit-framework - the project install dir.

/opt/metasploit-framework/embedded/bin/ruby:
	/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.9)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1259.32.0)
--->	/opt/metasploit-framework/embedded/lib/libruby.2.6.dylib (compatibility version 2.6.0, current version 2.6.6)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0

Unfortunately the current check does not correctly handle the scenario of @executable_path being present in linked files:

/opt/metasploit-framework/embedded/bin/ruby:
	/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.9)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1259.32.0)
--->	@executable_path/../lib/libruby.2.6.dylib (compatibility version 2.6.0, current version 2.6.6)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
--->	@executable_path/../lib/libjemalloc.2.dylib (compatibility version 0.0.0, current version 0.0.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

Example Healthcheck failure:

    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libruby.2.6.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libruby.2.6.dylib
      FAILED BECAUSE: Unsafe dependency
    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libjemalloc.2.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libjemalloc.2.dylib
      FAILED BECAUSE: Unsafe dependency

After

Two changes have been made for osx omnibus builds:

  • The healthcheck has now been updated to add a whitelist of @executable_path to linked files
  • Any absolute paths to the project's install dir is now considered a failing health check.

Maintainers

Please ensure that you check for:

  • [] If this change impacts git cache validity, it bumps the git cache
    serial number
  • [] If this change impacts compatibility with omnibus-software, the
    corresponding change is reviewed and there is a release plan
  • [] If this change impacts compatibility with the omnibus cookbook, the
    corresponding change is reviewed and there is a release plan

@jmartin-tech
Copy link

Please rebase and retarget to r7_working master here is meant to track upstream.

@adfoster-r7 adfoster-r7 changed the base branch from master to r7_working June 5, 2020 14:34
@adfoster-r7 adfoster-r7 force-pushed the change-health-check-to-fail-absolutely-linked-paths branch 2 times, most recently from e2f924d to 181d6d1 Compare June 5, 2020 14:42
@adfoster-r7 adfoster-r7 mentioned this pull request Jun 5, 2020
Open
adfoster-r7
adfoster-r7 commented Jun 5, 2020
View reviewed changes
lib/omnibus/health_check.rb
log.debug(log_key) { " --> Dependency: #{name}" }
log.debug(log_key) { " --> Provided by: #{linked}" }

if !safe && linked !~ Regexp.new(project.install_dir)
if !safe
Copy link
Author

@adfoster-r7 adfoster-r7 Jun 5, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just an initial approach, and the implementation wouldn't be generic enough to land upstream. I've created a ticket over there to discuss further chef#947

@jmartin-tech
Copy link

Can we convert this to be a build option similar to how we introduced skip_packager?

See chef#843

@adfoster-r7 adfoster-r7 force-pushed the change-health-check-to-fail-absolutely-linked-paths branch from f1b206b to 2d6f944 Compare June 5, 2020 22:22
@adfoster-r7
Copy link
Author

adfoster-r7 commented Jun 5, 2020
edited
Loading

@jmartin-r7 I've added a second commit to make this configurable, the calling project will now have to use:

if mac_os_x?
  require_relative_links true
end

@adfoster-r7 adfoster-r7 force-pushed the change-health-check-to-fail-absolutely-linked-paths branch from 2d6f944 to bfbe18e Compare June 5, 2020 22:42
@adfoster-r7 adfoster-r7 changed the base branch from r7_working to r7_7.0.12_custom June 5, 2020 22:42
jmartin-tech
jmartin-tech approved these changes Jun 5, 2020
View reviewed changes
Copy link

@jmartin-tech jmartin-tech left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@adfoster-r7
Copy link
Author

Just double checked the unit tests locally, they seem to be failing on master on my osx machine. I'll look further into that on Monday:

image

@jmartin-tech
Copy link

Test on linux using ruby 2.6.5 also show failures for bundle exec rake unit:

Failures:

  1) Omnibus::HealthCheck on linux raises an exception when there are external dependencies
     Failure/Error: expect { subject.run! }.to raise_error(HealthCheckFailed)

       expected Omnibus::HealthCheckFailed, got #<RSpec::Mocks::MockExpectationError: #<Double Omnibus::Project> received unexpected message :require_relative_links with (no args)> with backtrace:
         # ./lib/omnibus/health_check.rb:451:in `check_for_bad_library'
         # ./lib/omnibus/health_check.rb:348:in `block in health_check_ldd'
         # ./lib/omnibus/health_check.rb:405:in `block in read_shared_libs'
         # ./lib/omnibus/health_check.rb:404:in `each_line'
         # ./lib/omnibus/health_check.rb:404:in `read_shared_libs'
         # ./lib/omnibus/health_check.rb:340:in `health_check_ldd'
         # ./lib/omnibus/health_check.rb:81:in `block in run!'
         # ./lib/omnibus/instrumentation.rb:23:in `measure'
         # ./lib/omnibus/health_check.rb:67:in `run!'
         # ./spec/unit/health_check_spec.rb:145:in `block (4 levels) in <module:Omnibus>'
         # ./spec/unit/health_check_spec.rb:145:in `block (3 levels) in <module:Omnibus>'
     # ./spec/unit/health_check_spec.rb:145:in `block (3 levels) in <module:Omnibus>'

  2) Omnibus::HealthCheck on linux does not raise an exception when the healthcheck passes
     Failure/Error: expect { subject.run! }.to_not raise_error

       expected no Exception, got #<RSpec::Mocks::MockExpectationError: #<Double Omnibus::Project> received unexpected message :require_relative_links with (no args)> with backtrace:
         # ./lib/omnibus/health_check.rb:451:in `check_for_bad_library'
         # ./lib/omnibus/health_check.rb:348:in `block in health_check_ldd'
         # ./lib/omnibus/health_check.rb:405:in `block in read_shared_libs'
         # ./lib/omnibus/health_check.rb:404:in `each_line'
         # ./lib/omnibus/health_check.rb:404:in `read_shared_libs'
         # ./lib/omnibus/health_check.rb:340:in `health_check_ldd'
         # ./lib/omnibus/health_check.rb:81:in `block in run!'
         # ./lib/omnibus/instrumentation.rb:23:in `measure'
         # ./lib/omnibus/health_check.rb:67:in `run!'
         # ./spec/unit/health_check_spec.rb:153:in `block (4 levels) in <module:Omnibus>'
         # ./spec/unit/health_check_spec.rb:153:in `block (3 levels) in <module:Omnibus>'
     # ./spec/unit/health_check_spec.rb:153:in `block (3 levels) in <module:Omnibus>'

Finished in 10.59 seconds (files took 1.16 seconds to load)
1194 examples, 2 failures, 1 pending

@adfoster-r7
Copy link
Author

@jmartin-r7 Thanks for taking a look 👍

I've got some fixes to push up for the tests - just wasn't able get the free cycles today, hope to have that sorted tomorrow 🤞

@adfoster-r7 adfoster-r7 force-pushed the change-health-check-to-fail-absolutely-linked-paths branch from 9c57f92 to 68dde31 Compare June 9, 2020 15:27
@adfoster-r7 adfoster-r7 force-pushed the change-health-check-to-fail-absolutely-linked-paths branch from 68dde31 to 0a2c71d Compare June 9, 2020 15:39
@jmartin-tech jmartin-tech merged commit 5996840 into rapid7:r7_7.0.12_custom Jun 9, 2020
@adfoster-r7 adfoster-r7 mentioned this pull request Jun 9, 2020
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmartin-tech jmartin-tech jmartin-tech approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adfoster-r7 @jmartin-tech