During my GraalVM native image build GsonFeature is auto detected and enabled:
1 user-specific feature(s)
- com.oracle.svm.thirdparty.gson.GsonFeature
This Feature registeres reflective access to sun.misc.Unsafe that I don't use. I want to disable it but don't know how.
The --features compiler flag allows to enable specific Features but it seems there is no way do disable auto-detected ones.
Related
I got some strange glibc-related linker errors for builds with distributed build cache configured on build nodes running different Linux distributions.
Now I somehow suspect build artifacts from those machines with different glibc versions getting mixed up, but I don't know how to investigate this.
How do I find out what Bazel takes into account when building the hash for a certain build artifact?
I know I can explicitly set environment variables which then will affect the hash. But how can I be sure a given compiler, a certain version of glibc, etc. will lead to different hashes for built artifacts?
And how do I check/compare what's been taken into account?
This is a complex topic and a multi-facet question. I am going to answer in the following order:
How do I check/compare what's been taken into account?
How to investigate against which glibc a build linked?
How can I be sure a given compiler, a certain version of glibc, etc. will lead to different hashes for built artifacts?
How do I check/compare what's been taken into account?
To answer this, you should look into the the execution look, specifically you can read up on https://bazel.build/remote/cache-remote#compare-logs. The *.json execution log should contain everything you need to know (granted, it might be a bit verbose) and is a little easier to process with shell-magic/your editor.
How to investigate against which glibc a build linked?
From the execution log, you can get all the required hashes to retrieve cached artifacts/binaries from your remote cache. Given these files, you should be able to use standard tools to get to the glibc version (ldd -r -v binary | grep GLIBC).
How can I be sure a given compiler, a certain version of glibc, etc. will lead to different hashes for built artifacts?
This depends on the way you have setup for compilation toolchain. The best case would be a fully hermetic compilation toolchain, where all necessary files are declared using attributes like https://bazel.build/reference/be/c-cpp#cc_toolchain.compiler_files.
But this would also mean to lock-down the compiler sysroot. This should include all libraries you are linking against if you want full hermeticity. If you want to use some system libraries, you need to tell bazel where to find them and to factor in their hash: https://stackoverflow.com/a/43419786/20546409 or https://www.stevenengelhardt.com/2021/09/22/practical-bazel-depending-on-a-system-provided-c-cpp-library/
If you use the auto-detected compiler toolchain, some tricks are used to lock-down the sysroot paths, but expect some non-hermiticity. https://github.com/limdor/bazel-examples/tree/master/linux_toolchain is a nice write-up how to move from the auto-detected toolchain to something more hermetic.
The hack
Of course, you can hack around this. Note, this is inherently a bad idea:
create a script that inspects the system, determines everything important like the glibc version, maybe the linux distribution (flavor)
creates a string describing this variation and hash-summing it
use that as the instance key/name for your remote cache
Description:
The application leaks internal file paths.
Severity Description:
Understanding internal system structure may lead to further attacks on the system including directory traversing and forceful browsing. Furthermore, the file structure reveals the type of server implemented.
Exploitability:
An information leak is the intentional or unintentional disclosure of information that either (1) is regarded as sensitive within the product's own functionality, such as a private message, or (2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.
Many information leaks are resultant (e.g. path disclosure in PHP script error), but they can also be primary (e.g. timing discrepancies in crypto). There are many different types of problems that involve information leaks. Their severity can range widely depending on the type of information that is leaked.
Location:
Mach-O 64-bit arm64 binary
Attack Vectors
Strings saved in file
Exhibits
The following screenshot demonstrates the presence of the Full Path Disclosure vulnerability.
Reproduction Steps:
Download the mobile application on your iOS device.
Connect to your device using SSH.
Navigate to the path where the application is installed.
The path for installed applications on iOS devices is: "/var/containers/Bundle/Application/{uuid}" 5. Locate the "ApplicationName" binary within the "App.app" directory.
Use the "strings" application to extract strings from the binary.
The syntax is as follows: "strings ApplicationName | grep -i '/Users/"
The binary exposes multiple paths of the development environment.
How to fix the issue.
I'm writing a new C/C++ library with tasks. It's low level so it'll need the ability to tune the build for CPU, O/S, whether libraries (or tasks) are build opt, dbg, or which network library is used (e.g. generic TCP, Solarflare, Mellanox, Infiniband). This seems like an ideal Bazel use-case.
I have basic Bazel working e.g. I can build sample tasks, libraries, with dependencies. And so far that works nicely.
Now, to the point: as the code is just C with some C++, it seems impractical to build a whole new toolchain. What Bazel ships with and/or can do on GCC/Clang is good enough; most defaults are fine. Can't I just customize it? Still, I need a simple way to accomplish the following:
allow developers to choose their compiler typically clang, or gcc, with version
allow developers to decide how to build their code e.g. x86-32 dbg libraries but x86-32 opt binaries. Or 64 bit versions of same ...
allow developers to select which network library to link in, and therefore build it but not the others
for dbg builds developers may want to toss in an extra compilation flag and be assured it's used everywhere when build libraries and tasks
to limit developers to valid configurations. For example, if I know the code works on Intel chips x86-32bit or 64 bit but PPC processors aren't supported ... then ... developers may have lots of dials to turn for x86, it's desirable to stop with an error when cpu=ppc
Which basic approach is best?
allow Bazel to auto-discover the platform, toolchain and instruct developers to modify it to task? How?
provide a copy-and-pasted-and-edited custom c/c++ tool chain .bzl file?
Focus on on CROSSTOOL only?
Ship the library with customized platform and tool chain files?
TIA
I have enabled minted+pygmentize to highlight my program listings, and since pygmentize is an external program, the shell-escape flag must be enabled on pdflatex in Lyx. Now, every time I compile a document without removing this option in the global settings, I get this warning.
The following LaTeX backend has been configured to allow execution of external programs for any document:
pdflatex $$i -shell-escape
This is a dangerous configuration. Please, consider using the support offered by LyX for allowing this privilege only to documents that actually need it, instead.
The dialog indicates that there is some document-specific setting that can enable the shell-escape flag, however I see no such option in the document settings, or anything on Google about this error, save one mail archive that only explains why the dialog appears.
Is there some way to set the shell-escape flag from the latex preamble? Or is there some document setting that allows the shell-escape flag that I have been unable to find?
I seemed to have found the answer in that mail archive, which was an alternate proposed dialog text.
Go to Document->Settings->Formats and check "Allow running of external programs."
This enables the shell-escape flag for the current document only.
I am a bit worried that Safari's remote web inspector might be used for accessing my app's source code during runtime. A quick test with an IPA seems to suggests that this feature is disabled in non debug mode.
I thought I would double check with you. Any advice ? do I need to add any extra measures to ensure it is disabled ?
Jamil