Open Bug 1795718 Opened 3 years ago Updated 11 months ago

Disable ASLR in spidermonkey builds in automation again

Categories

(Core :: JavaScript Engine, task, P3)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

People

(Reporter: ahal, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

In bug 1795063, upon migrating the spidermonkey builds from AWS to GCP, I noticed they all started failing due to not having permission to run setaddr -R. I believe this is because we starting using a newer version of Docker in the GCP image (though haven't been able to confirm this yet).

After consulting with :sfink, we decided to remove the setaddr -R calls in automation to unblock the migration for now, and this bug will track adding it back.

Steve pointed out that in order to run setaddr from a docker container, we can create a seccomp profile:

If we did want to do the work to support it, I would not recommend the big hammer of running the whole container in privileged mode (--privileged). It looks like you can alter the seccomp profile to allow only personality(ADDR_NO_RANDOMIZE).
Let me know which way you want to go. I can write the patch to remove the setarch call (or I'm happy to review instead!) I wouldn't know where to put the docker run --security-opt seccomp=FILE.json alteration.

On that latter point, we'd need relops to generate a new image that sets up the profile and possibly create a new task pool that uses it (depending whether we're ok with this permission being granted to all tasks or not).

Severity: -- → N/A
Priority: -- → P3

Is setarch still needed for root-analysis? See also:
Bug 1131380
https://bugzilla.mozilla.org/attachment.cgi?id=8561765&action=diff

Flags: needinfo?(sphink)

Good question. As far as I can tell, it's mostly the same as for other variants. I suspect the rootanalysis job was much more sensitive to ASLR, but I would guess that now that it's just using --gc-zeal=GenerationalGC, it's probably not as important.

Flags: needinfo?(sphink)

Also docker-worker itself will need to support seccomp. AIUI the Taskcluster team is working on this, so the order of operations here is:

  1. Taskcluster releases seccomp support in docker-worker
  2. Relops updates the images with newer docker-worker
  3. We re-add support for disabling ASLR here

Steve, given that we've been working with ASLR enabled for ~2 years now, is it worth going back and fixing this or should we just resolve incomplete?

Blocks: sm-testing
Flags: needinfo?(sphink)
You need to log in before you can comment on or make changes to this bug.