Merge pull request #543 from HecreReed/codex/hardening-codecheck

zhangstevenunity · web-flow · commit ce06021ba4dd · 2026-04-23T11:09:23.000+08:00
build: harden Linux package artifacts
diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
@@ -72,7 +72,7 @@ jobs:
 
       - name: Install system dependencies
         run: |
-          dnf install -y ninja-build cmake git ccache gcc-c++ lld zip
+          dnf install -y ninja-build cmake git ccache gcc-c++ lld zip binutils patchelf chrpath
           dnf clean all
 
       - name: Install Python dependencies
@@ -95,7 +95,7 @@ jobs:
         uses: actions/cache/restore@v4
         with:
           path: /llvm-workspace/llvm-project/build-shared
-          key: llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-v1
+          key: llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-hardening-v2
 
       - name: Prepare LLVM source
         run: |
@@ -114,14 +114,14 @@ jobs:
           echo "LLVM cache miss while running on PR/release."
           echo "PR/release runs are cache-consumers only and should reuse cache generated on the default branch."
           echo "Please run this workflow on the default branch first to populate cache key:"
-          echo "llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-v1"
+          echo "llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-hardening-v2"
 
       - name: Build LLVM/MLIR
         if: steps.cache-llvm.outputs.cache-hit != 'true'
         run: |
           export PATH="${PY_PATH}/bin:$PATH"
           cd $LLVM_SOURCE_DIR
-          cmake -G Ninja -S llvm -B $LLVM_BUILD_DIR \
+          cmake -C "$PTO_SOURCE_DIR/cmake/LinuxHardeningCache.cmake" -G Ninja -S llvm -B $LLVM_BUILD_DIR \
             -DLLVM_ENABLE_PROJECTS="mlir;clang" \
             -DBUILD_SHARED_LIBS=ON \
             -DMLIR_ENABLE_BINDINGS_PYTHON=ON \
@@ -137,13 +137,13 @@ jobs:
         uses: actions/cache/save@v4
         with:
           path: /llvm-workspace/llvm-project/build-shared
-          key: llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-v1
+          key: llvm-${{ env.LLVM_TAG }}-manylinux_2_34-${{ matrix.arch }}-${{ matrix.python }}-hardening-v2
 
       - name: Build PTOAS
         run: |
           export PATH="${PY_PATH}/bin:$PATH"
           cd $PTO_SOURCE_DIR
-          cmake -G Ninja \
+          cmake -C "$PTO_SOURCE_DIR/cmake/LinuxHardeningCache.cmake" -G Ninja \
             -S . \
             -B build \
             -DLLVM_DIR=$LLVM_BUILD_DIR/lib/cmake/llvm \
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -144,7 +144,7 @@ jobs:
         with:
           path: |
             llvm-project/llvm/build-shared
-          key: llvm-${{ runner.os }}-${{ env.LLVM_COMMIT }}-shared-mlirpy
+          key: llvm-${{ runner.os }}-${{ env.LLVM_COMMIT }}-shared-mlirpy-hardening-v2
 
       - name: Prepare LLVM source (no rebuild)
         run: |
@@ -164,7 +164,7 @@ jobs:
         if: steps.cache-llvm.outputs.cache-hit != 'true'
         run: |
           cd llvm-project
-          cmake -G Ninja -S llvm -B llvm/build-shared \
+          cmake -C "${GITHUB_WORKSPACE}/cmake/LinuxHardeningCache.cmake" -G Ninja -S llvm -B llvm/build-shared \
             -DLLVM_ENABLE_PROJECTS="mlir;clang" \
             -DBUILD_SHARED_LIBS=ON \
             -DMLIR_ENABLE_BINDINGS_PYTHON=ON \
@@ -182,12 +182,12 @@ jobs:
         with:
           path: |
             llvm-project/llvm/build-shared
-          key: llvm-${{ runner.os }}-${{ env.LLVM_COMMIT }}-shared-mlirpy
+          key: llvm-${{ runner.os }}-${{ env.LLVM_COMMIT }}-shared-mlirpy-hardening-v2
 
       - name: Build PTOAS
         run: |
           export PYBIND11_CMAKE_DIR="$(python3 -m pybind11 --cmakedir)"
-          cmake -G Ninja -S . -B build \
+          cmake -C "${GITHUB_WORKSPACE}/cmake/LinuxHardeningCache.cmake" -G Ninja -S . -B build \
             -DLLVM_DIR="${LLVM_DIR}/lib/cmake/llvm" \
             -DMLIR_DIR="${LLVM_DIR}/lib/cmake/mlir" \
             -DPython3_EXECUTABLE=python3 \
diff --git a/cmake/LinuxHardeningCache.cmake b/cmake/LinuxHardeningCache.cmake
@@ -0,0 +1,41 @@
+# Copyright (c) 2026 Huawei Technologies Co., Ltd.
+# This program is free software, you can redistribute it and/or modify it under the terms and conditions of
+# CANN Open Software License Agreement Version 2.0 (the "License").
+# Please refer to the License for details. You may not use this file except in compliance with the License.
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED,
+# INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
+# See LICENSE in the root of the software repository for the full text of the License.
+
+# Shared Linux hardening flags for LLVM/PTOAS package builds.
+# This cache file is intended to be passed via `cmake -C ...` so release and
+# delivery builds inherit the same compiler options that codecheck expects.
+
+foreach(_flag_var CMAKE_C_FLAGS CMAKE_CXX_FLAGS)
+  set(_flag_value "${${_flag_var}}")
+  foreach(_hardening_flag
+      -D_FORTIFY_SOURCE=2
+      -fstack-protector-strong
+      -ftrapv)
+    if(NOT " ${_flag_value} " MATCHES "(^| )${_hardening_flag}( |$)")
+      string(APPEND _flag_value " ${_hardening_flag}")
+    endif()
+  endforeach()
+  string(STRIP "${_flag_value}" _flag_value)
+  set(${_flag_var} "${_flag_value}" CACHE STRING "Linux hardening flags" FORCE)
+endforeach()
+
+foreach(_flag_var
+    CMAKE_EXE_LINKER_FLAGS
+    CMAKE_SHARED_LINKER_FLAGS
+    CMAKE_MODULE_LINKER_FLAGS)
+  set(_flag_value "${${_flag_var}}")
+  foreach(_hardening_flag
+      -Wl,-z,relro
+      -Wl,-z,now)
+    if(NOT " ${_flag_value} " MATCHES "(^| )${_hardening_flag}( |$)")
+      string(APPEND _flag_value " ${_hardening_flag}")
+    endif()
+  endforeach()
+  string(STRIP "${_flag_value}" _flag_value)
+  set(${_flag_var} "${_flag_value}" CACHE STRING "Linux hardening linker flags" FORCE)
+endforeach()
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -18,9 +18,11 @@ ENV PY_PATH="/opt/python/${PY_VER}"
 ENV PATH="${PY_PATH}/bin:${PATH}"
 
 # dependency
-RUN dnf install -y ninja-build cmake git ccache gcc-c++ lld zip && dnf clean all
+RUN dnf install -y ninja-build cmake git ccache gcc-c++ lld zip binutils patchelf chrpath && dnf clean all
 RUN pip install --no-cache-dir numpy pybind11 nanobind setuptools wheel auditwheel
 
+COPY cmake/LinuxHardeningCache.cmake /tmp/LinuxHardeningCache.cmake
+
 # setting build directories
 ENV WORKSPACE_DIR=/llvm-workspace
 ENV LLVM_SOURCE_DIR=$WORKSPACE_DIR/llvm-project
@@ -34,7 +36,7 @@ WORKDIR $WORKSPACE_DIR
 RUN git clone --depth 1 --branch ${LLVM_TAG} https://github.com/llvm/llvm-project.git
 
 WORKDIR $LLVM_SOURCE_DIR
-RUN cmake -G Ninja -S llvm -B $LLVM_BUILD_DIR \
+RUN cmake -C /tmp/LinuxHardeningCache.cmake -G Ninja -S llvm -B $LLVM_BUILD_DIR \
     -DLLVM_ENABLE_PROJECTS="mlir;clang" \
     -DBUILD_SHARED_LIBS=ON \
     -DMLIR_ENABLE_BINDINGS_PYTHON=ON \
@@ -50,7 +52,7 @@ RUN git clone https://github.com/zhangstevenunity/PTOAS.git
 # TODO: tag git commit of PTOAS repo
 
 WORKDIR $PTO_SOURCE_DIR
-RUN cmake -G Ninja \
+RUN cmake -C /tmp/LinuxHardeningCache.cmake -G Ninja \
     -S . \
     -B build \
     -DLLVM_DIR=$LLVM_BUILD_DIR/lib/cmake/llvm \
diff --git a/docker/collect_ptoas_dist.sh b/docker/collect_ptoas_dist.sh
@@ -22,7 +22,7 @@
 #     bin/ptoas       - The actual ptoas binary
 #     lib/*.so*       - Required shared library dependencies
 
-set -e
+set -euo pipefail
 
 if [ $# -lt 1 ]; then
   echo "Usage: $0 <output_directory>" >&2
@@ -39,7 +39,7 @@ for var in LLVM_BUILD_DIR PTO_INSTALL_DIR PTO_SOURCE_DIR; do
   fi
 done
 
-export LD_LIBRARY_PATH="${LLVM_BUILD_DIR}/lib:${PTO_INSTALL_DIR}/lib:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="${LLVM_BUILD_DIR}/lib:${PTO_INSTALL_DIR}/lib:${LD_LIBRARY_PATH:-}"
 
 PTOAS_BIN="${PTO_SOURCE_DIR}/build/tools/ptoas/ptoas"
 PTOAS_DEPS_DIR="${PTOAS_DIST_DIR}/lib"
@@ -49,12 +49,82 @@ if [ ! -f "$PTOAS_BIN" ]; then
   exit 1
 fi
 
+remove_rpath() {
+  local path="$1"
+  if ! has_rpath "$path"; then
+    return
+  fi
+  if command -v patchelf >/dev/null 2>&1; then
+    patchelf --remove-rpath "$path"
+  fi
+  if has_rpath "$path" && command -v chrpath >/dev/null 2>&1; then
+    chrpath -d "$path"
+  fi
+  if has_rpath "$path"; then
+    echo "Error: failed to scrub RPATH/RUNPATH from ${path}" >&2
+    exit 1
+  fi
+}
+
+strip_symbols() {
+  local path="$1"
+  strip --strip-unneeded "$path"
+}
+
+has_rpath() {
+  local path="$1"
+  if command -v patchelf >/dev/null 2>&1; then
+    local rpath_value
+    rpath_value="$(patchelf --print-rpath "$path" 2>/dev/null || true)"
+    [[ -n "$rpath_value" ]]
+    return
+  fi
+  readelf -d "$path" 2>/dev/null | grep -Eq '(RPATH|RUNPATH)'
+}
+
+assert_relro() {
+  local path="$1"
+  if ! readelf -l "$path" 2>/dev/null | grep -q 'GNU_RELRO'; then
+    echo "WARN: RELRO segment missing in ${path}" >&2
+    return
+  fi
+  if ! readelf -d "$path" 2>/dev/null | grep -Eq '(BIND_NOW|FLAGS.*NOW|FLAGS_1.*NOW)'; then
+    echo "WARN: NOW binding missing in ${path}" >&2
+  fi
+}
+
+assert_no_symtab() {
+  local path="$1"
+  if readelf -S "$path" 2>/dev/null | grep -Eq '[[:space:]]\\.symtab[[:space:]]'; then
+    echo "Error: symbol table still present in ${path}" >&2
+    exit 1
+  fi
+}
+
+assert_no_rpath() {
+  local path="$1"
+  if has_rpath "$path"; then
+    echo "Error: runtime search path still present in ${path}" >&2
+    exit 1
+  fi
+}
+
+harden_elf() {
+  local path="$1"
+  remove_rpath "$path"
+  strip_symbols "$path"
+  assert_relro "$path"
+  assert_no_symtab "$path"
+  assert_no_rpath "$path"
+}
+
 # Create output directories
 mkdir -p "${PTOAS_DIST_DIR}/bin" "${PTOAS_DEPS_DIR}"
 
 # Copy ptoas binary
 echo "Copying ptoas binary..."
 cp "$PTOAS_BIN" "${PTOAS_DIST_DIR}/bin/"
+harden_elf "${PTOAS_DIST_DIR}/bin/ptoas"
 
 # Collect *.so dependencies (transitive closure under /llvm-workspace)
 echo "Collecting shared library dependencies..."
@@ -64,7 +134,8 @@ copy_so() {
   local name
   name=$(basename "$f")
   [[ -f "${PTOAS_DEPS_DIR}/${name}" ]] && return 0
-  cp -n "$f" "${PTOAS_DEPS_DIR}/" 2>/dev/null || true
+  cp -L -n "$f" "${PTOAS_DEPS_DIR}/" 2>/dev/null || true
+  harden_elf "${PTOAS_DEPS_DIR}/${name}"
   while read -r res; do
     copy_so "$res"
   done < <(ldd "$f" 2>/dev/null | awk '/=> \/llvm-workspace\// {print $3}')
@@ -74,6 +145,10 @@ while read -r res; do
   copy_so "$res"
 done < <(ldd "$PTOAS_BIN" 2>/dev/null | awk '/=> \/llvm-workspace\// {print $3}')
 
+while read -r packaged; do
+  harden_elf "$packaged"
+done < <(find "${PTOAS_DIST_DIR}/bin" "${PTOAS_DEPS_DIR}" -type f | sort)
+
 # Create wrapper script
 echo "Creating wrapper script..."
 cat > "${PTOAS_DIST_DIR}/ptoas" << 'WRAPPER_EOF'
diff --git a/docker/copy_ptoas_deps.sh b/docker/copy_ptoas_deps.sh
@@ -10,18 +10,88 @@
 # Collect only *.so actually needed by ptoas (transitive closure under /llvm-workspace).
 # Expects: LLVM_BUILD_DIR, PTO_INSTALL_DIR, PTOAS_DEPS_DIR, PTO_SOURCE_DIR
 
-set -e
+set -euo pipefail
 
-export LD_LIBRARY_PATH="${LLVM_BUILD_DIR}/lib:${PTO_INSTALL_DIR}/lib:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="${LLVM_BUILD_DIR}/lib:${PTO_INSTALL_DIR}/lib:${LD_LIBRARY_PATH:-}"
 PTOAS_BIN="${PTO_SOURCE_DIR}/build/tools/ptoas/ptoas"
 
+remove_rpath() {
+  local path="$1"
+  if ! has_rpath "$path"; then
+    return
+  fi
+  if command -v patchelf >/dev/null 2>&1; then
+    patchelf --remove-rpath "$path"
+  fi
+  if has_rpath "$path" && command -v chrpath >/dev/null 2>&1; then
+    chrpath -d "$path"
+  fi
+  if has_rpath "$path"; then
+    echo "Error: failed to scrub RPATH/RUNPATH from ${path}" >&2
+    exit 1
+  fi
+}
+
+strip_symbols() {
+  local path="$1"
+  strip --strip-unneeded "$path"
+}
+
+has_rpath() {
+  local path="$1"
+  if command -v patchelf >/dev/null 2>&1; then
+    local rpath_value
+    rpath_value="$(patchelf --print-rpath "$path" 2>/dev/null || true)"
+    [[ -n "$rpath_value" ]]
+    return
+  fi
+  readelf -d "$path" 2>/dev/null | grep -Eq '(RPATH|RUNPATH)'
+}
+
+assert_relro() {
+  local path="$1"
+  if ! readelf -l "$path" 2>/dev/null | grep -q 'GNU_RELRO'; then
+    echo "WARN: RELRO segment missing in ${path}" >&2
+    return
+  fi
+  if ! readelf -d "$path" 2>/dev/null | grep -Eq '(BIND_NOW|FLAGS.*NOW|FLAGS_1.*NOW)'; then
+    echo "WARN: NOW binding missing in ${path}" >&2
+  fi
+}
+
+assert_no_symtab() {
+  local path="$1"
+  if readelf -S "$path" 2>/dev/null | grep -Eq '[[:space:]]\\.symtab[[:space:]]'; then
+    echo "Error: symbol table still present in ${path}" >&2
+    exit 1
+  fi
+}
+
+assert_no_rpath() {
+  local path="$1"
+  if has_rpath "$path"; then
+    echo "Error: runtime search path still present in ${path}" >&2
+    exit 1
+  fi
+}
+
+harden_elf() {
+  local path="$1"
+  remove_rpath "$path"
+  strip_symbols "$path"
+  assert_relro "$path"
+  assert_no_symtab "$path"
+  assert_no_rpath "$path"
+}
+
 copy_so() {
   local f="$1"
   [[ -f "$f" ]] || return 0
   local name
   name=$(basename "$f")
   [[ -f "${PTOAS_DEPS_DIR}/${name}" ]] && return 0
-  cp -n "$f" "${PTOAS_DEPS_DIR}/" 2>/dev/null || true
+  cp -L -n "$f" "${PTOAS_DEPS_DIR}/" 2>/dev/null || true
+  harden_elf "${PTOAS_DEPS_DIR}/${name}"
   while read -r res; do
     copy_so "$res"
   done < <(ldd "$f" 2>/dev/null | awk '/=> \/llvm-workspace\// {print $3}')
@@ -31,3 +101,7 @@ mkdir -p "$PTOAS_DEPS_DIR"
 while read -r res; do
   copy_so "$res"
 done < <(ldd "$PTOAS_BIN" 2>/dev/null | awk '/=> \/llvm-workspace\// {print $3}')
+
+while read -r packaged; do
+  harden_elf "$packaged"
+done < <(find "$PTOAS_DEPS_DIR" -type f | sort)
