Comments (10)
Cargo uses `rustc --target=... --print=cfg` to get the derived cfg values.
from cargo-auditable.
I just realized that the staticlibs rustc produces will contain a copy of the standard library, which would cause conflicts. You could copy the logic rustc itself uses to produce object files containing the crate metadata. These are normally used for dylibs, but should work fine for executables too: https://github.com/rust-lang/rust/blob/e100ec5bc7cd768ec17d75448b29c9ab4a39272b/compiler/rustc_codegen_ssa/src/back/metadata.rs#L233-L287 You can then use `-Clink-arg=/path/to/audit_data.o -Clink-arg=-Wl,--require-defined=AUDITABLE_VERSION_INFO` if you call the symbol `AUDITABLE_VERSION_INFO`. I just tested it and it works fine even with LTO enabled.
from cargo-auditable.
I have pushed a new branch, `external-injection`, that contains a proof-of-concept tool for externally injecting the audit data, using the mechanism suggested by @bjorn3. I can confirm that it does indeed work and even survives LTO, at least on my Linux system!
The proof-of-concept tool is called `auditable-inject`; you can use the `rust-audit-info` tool to recover the data. Make sure they're from the same branch because I changed the section name to be `.dep-v0` on all platforms. No reason to have it vary.
Usage: `auditable-inject target-triple /path/to/data_to_inject`
Then use the following before compiling:
`export RUSTFLAGS='-Clink-arg=audit_data.o -Clink-arg=-Wl,--require-defined=AUDITABLE_VERSION_INFO'`
I have ignored endianness as well as some tricky special-casing for MIPS and RISC-V, because I don't know how to derive those from the target triple without having access to rustc internals. I hope Cargo has access to that stuff internally. In the meanwhile I'll probably have to get by with a hardcoded list of big-endian architectures or some such...
from cargo-auditable.
I think I'm going to make a `cargo auditable` subcommand, so that people could just alias `cargo` to `cargo auditable` and make everything installed or built on their system auditable. Plus a better extractor than just `rust-audit-info`; it is very minimal, and we need something like `cargo audit`. Thoughts?
from cargo-auditable.
I've been thinking along the same lines!
Is there a reason to prefer the current approach where each binary needs to be configured to include the data?
It's mildly more portable, in the sense that we don't need extra platform-specific tools for every platform (e.g. `objcopy` on Linux) and can just use the linker. But given how many issues we're having with the linker, I do believe it would be better to just use a binary manipulation tool.
I have big ambitions of getting this thing into Cargo, and I'm not 100% sure what their policy on calling external tools would be. But yes, writing a Cargo wrapper that does this would be fairly trivial and I'd be happy to have a branch with that approach.
from cargo-auditable.
An option would be to compile a staticlib containing the audit data and then tell rustc to link this staticlib when building the final executable.
from cargo-auditable.
@bjorn3 I was not aware of that approach!
I understand that would require some sort of extra crate with `crate-type = ["staticlib"]` in Cargo.toml, and then passing some extra flags in the main crate build?
from cargo-auditable.
I fear the symbol would not survive LTO with the staticlib approach unless it's used from the main binary.
from cargo-auditable.
Thanks a lot for the tip, @Nemo157! I have migrated to parsing `rustc --target=... --print=cfg`, which allowed proper handling of endianness and most of the quirks (except RISC-V). The result is available in the `external-injection` branch.
from cargo-auditable.
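The cfg-parsing step mentioned in the comment above, as an added example that is not code from cargo-auditable or from any commenter: it derives endianness and pointer width from `--print=cfg` style output instead of a hardcoded architecture list. The `TargetInfo` struct, the function names and the sample text are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Constructed sample in the `key="value"` / bare-flag line format of `--print=cfg`.
const SAMPLE_CFG: &str = r#"debug_assertions
target_arch="mips"
target_endian="big"
target_family="unix"
target_feature="fpxx"
target_feature="nooddspreg"
target_os="linux"
target_pointer_width="32"
unix"#;

/// Hypothetical struct: the facts an object-file writer needs about the target.
#[derive(Debug, PartialEq)]
pub struct TargetInfo { pub arch: String, pub big_endian: bool, pub pointer_width: u8 }

/// Collect every cfg line; keys may repeat (target_feature), so values go in a Vec.
pub fn parse_cfg(output: &str) -> HashMap<String, Vec<String>> {
    let mut cfg: HashMap<String, Vec<String>> = HashMap::new();
    for line in output.lines().map(str::trim).filter(|l| !l.is_empty()) {
        match line.split_once('=') {
            Some((k, v)) => cfg.entry(k.to_string()).or_default().push(v.trim_matches('"').to_string()),
            None => { cfg.entry(line.to_string()).or_default(); }
        }
    }
    cfg
}

/// Fail closed: a missing, repeated or unknown value is an error, never a guessed default.
pub fn target_info(cfg: &HashMap<String, Vec<String>>) -> Result<TargetInfo, String> {
    let one = |key: &str| match cfg.get(key).map(Vec::as_slice) {
        Some([v]) => Ok(v.clone()),
        _ => Err(format!("expected exactly one value for {}", key)),
    };
    let big_endian = match one("target_endian")?.as_str() {
        "big" => true,
        "little" => false,
        other => return Err(format!("unknown target_endian {}", other)),
    };
    let pointer_width = one("target_pointer_width")?.parse::<u8>().map_err(|e| e.to_string())?;
    Ok(TargetInfo { arch: one("target_arch")?, big_endian, pointer_width })
}

fn main() {
    println!("{:?}", target_info(&parse_cfg(SAMPLE_CFG)));
}
```

Returning an error when `target_endian` is absent matters here: an object file written with the wrong byte order would either fail to link or embed audit data that extractors cannot read.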
External injection via `cargo auditable` is now the default. The approach with `RUSTC_WRAPPER` that landed in #40 made it actually viable.
I've removed mentions of the original `build.rs`-based approach from the README.
from cargo-auditable.
Related Issues (20)
- Track C libraries somehow
- Empty copyright placeholder HOT 2
- Upgrade to `object` 0.30
- Add more fields to categories HOT 1
- Proper MSVC support HOT 6
- No way to pass `-C link-arg=` when using both naked LLD and LLD via a compiler wrapper HOT 1
- Include commit hashes for git dependencies HOT 9
- Can't build recent `gitoxide` versions HOT 6
- to_toml test in auditable-serde writes outside the build directory HOT 22
- `--offline`, `--locked`, `--frozen` and `--config` are not passed to `cargo metadata` HOT 1
- Cargo.lock is outdated HOT 11
- Run CI with `--frozen` HOT 1
- Incompatibility with sccache on long builds HOT 28
- Provide a documented way to use `cargo auditable` as a drop-in replacement for `cargo` HOT 9
- Support `RUSTC` environment variable HOT 1
- Auditability / Cheating HOT 8
- Use cargo-auditable with cross? HOT 6
- Out of the box support for other formats HOT 5
- Add actual git repository for source HOT 4
- Extend with additional (non-rust) dependencies HOT 3