Skip to content

ci: Catch tests corrupting the source directory #32874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

ci: Catch tests corrupting the source directory #32874

wants to merge 2 commits into from

Conversation

maflcko
Copy link
Member

@maflcko maflcko commented Jul 4, 2025

At best it is annoying when tests delete random files in my source dir, or when they leave around temp files. At worst, it is an attempt to inject a backdoor.

So try to catch them in CI.

For example, this should hopefully catch:

$ ( echo 'my file content' > streams_tmp ) && ls streams_tmp && ./bld-cmake/bin/bench_bitcoin --filter=FindByte && ls streams_tmp
streams_tmp
...
ls: cannot access 'streams_tmp': No such file or directory

@DrahtBot DrahtBot added the Tests label Jul 4, 2025
@DrahtBot
Copy link
Contributor

DrahtBot commented Jul 4, 2025
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32874.

Reviews

See the guideline for information on the review process.
A summary of reviews will appear here.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #32880 (ci: Avoid cd into build dir by maflcko)
  • #31349 (ci: detect outbound internet traffic generated while running tests by vasild)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@maflcko maflcko force-pushed the 2507-ci-less-corrupt branch from 83a51f8 to 8986656 Compare July 4, 2025 10:20
@maflcko
Copy link
Member Author

maflcko commented Jul 4, 2025

I am a bit confused about the ci failures. I guess it makes sense that chattr doesn't work on zfs, but is it also known to not work on overlayfs? If it doesn't work at all, I wonder how commit 5c2185b makes sense to enable the use of chattr in ci. Is there a single setup where it is known to work?

@maflcko maflcko force-pushed the 2507-ci-less-corrupt branch 3 times, most recently from 4759c48 to d910b8c Compare July 4, 2025 11:29
MarcoFalke added 2 commits July 4, 2025 14:15
ci: Avoid cd into build dir
5735d81 
Changing into the build dir is confusing, and brittle. Avoiding this is
required for the next commit.
ci: Catch tests corrupting the source directory
2890d3a
@maflcko maflcko force-pushed the 2507-ci-less-corrupt branch from d910b8c to 2890d3a Compare July 4, 2025 12:15
@maflcko
Copy link
Member Author

maflcko commented Jul 4, 2025

so on linux the check doesn't work and on macos it passed: https://github.com/bitcoin/bitcoin/actions/runs/16073560546/job/45363434537?pr=32874#step:7:2812 :(

@DrahtBot DrahtBot mentioned this pull request Jul 4, 2025
Open
@maflcko maflcko mentioned this pull request Jul 5, 2025
Merged
@maflcko
Copy link
Member Author

maflcko commented Jul 7, 2025

Closing for now. Probably best to move this to a dedicated nightly ci, than to try to force it into the existing ci infra.

@maflcko maflcko closed this Jul 7, 2025
@maflcko maflcko deleted the 2507-ci-less-corrupt branch July 7, 2025 10:44
@luke-jr
Copy link
Member

luke-jr commented Jul 7, 2025

Better not to trust CI to do a security audit for you...

One benefit of CMake is that you can build as another user without write access to the source dir (or indeed, in an isolated container).

@maflcko
Copy link
Member Author

maflcko commented Jul 8, 2025

Better not to trust CI to do a security audit for you...

Yeah, anything in the CI is more a belt-and-suspenders and a way to catch "sunny-day" violations.

Generally, the approach of removing write access can only catch unintentional and accidental violations anyway, because an intentional violation could just guard itself when a write error happens due to missing access. So any violation would have to directly lead to the process being killed, or otherwise logged to mark the tests as failed later on. I am not aware of a tool that allows this without host/root access, so for testing (with or without CI), you'll probably want a full vm with logging/debugging set up (via auditd, AppArmor, SELinux, firejail, strace, ...). Obviously as a user you can still use whatever sandbox you prefer, but for auditing the setup seems more involved.

fanquake added a commit that referenced this pull request Jul 14, 2025
@fanquake
Merge #32880: ci: Avoid cd into build dir
97fb46d 
fad191f ci: Avoid cd into build dir (MarcoFalke)

Pull request description:

  Changing into the build dir is confusing and brittle, because the following commands implicitly assume it. So they could break on unrelated changes.

  The changes are required for stuff like:

  * cmake presets (see #30871 (comment))
  * meta ci tests (like #32874)

  So remove the `cd` and just make the build dir explicit.

ACKs for top commit:
  hebasto:
    ACK fad191f, I have reviewed the code and it looks OK.

Tree-SHA512: a88a9341445ffe28a0dac3815f235ec8eb0459d10a91a80829fd3184762d3c807d0f68c56243b20c04a6efa5becd8a7fad568f43c2b1e6af1ff8ba07b140ef87
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CI failed Tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maflcko @DrahtBot @luke-jr