Bump Go version, deps, fix some linter issues... #218
Conversation
kolyshkin
force-pushed
the
ci-bumps
branch
2 times, most recently
from
fcc7c0e to
e2f9e99
Compare
kolyshkin
changed the title
kolyshkin
requested review from
mrunalp,
rhatdan,
runcom and
thaJeztah
as code owners
|
Oops, apparently most tests are skipped (because, of course, Ubuntu does not have selinux). Need to switch to a hosted Fedora or something like that. But that's a separate issue. Let this be draft for now. |
Of course we knew it for a long time, we just forgot :) And since actions/runner-images#2307 is quite old, I filed a new one: actions/runner-images#10802 |
|
LGTM, Are the SELinux tests running on Ubuntu now? |
No :( We need to switch to Fedora, I filed #220 for that. This PR still makes sense but with or without it we actually don't test much :( |
|
@kolyshkin wondering, would this be something that could be provided through those "actuated.dev" runners? (perhaps the "actuated.com" runners could provide a configuration with SELinux installed?) |
|
Current generations of arm64 servers available via cloud do not have working nested virtualisation. It may come in the future, where a standard runner could pivot into a RPM-based distro. So whilst that's not available, and GitHub may not have it on their radar to support SELinux, we could provide SELinux based runners with fedora or a fedora-like distro like Alma for x86_64 and arm64. Feel free to reach out to me to discuss options if you know of an end-user company willing to sponsor it. |
kolyshkin
force-pushed
the
ci-bumps
branch
3 times, most recently
from
0594972 to
48e0c04
Compare
|
@rhatdan @thaJeztah PTAL (the lack of selinux testing is now addressed by #221). |
|
It would be helpful if the audit.log is collected on failures, to see if there is an AVC reported. |
kolyshkin
force-pushed
the
ci-bumps
branch
3 times, most recently
from
ad0d740 to
255f274
Compare
| @@ -639,21 +639,6 @@ func (m mlsRange) String() string { | |||
| return low + "-" + high | |||
| } | |||
|
|
|||
| // TODO: remove min and max once Go < 1.21 is not supported. | |||
| func max(a, b uint) uint { | |||
There was a problem hiding this comment.
Was there a strong reason not to continue supporting older Go versions? If not, I'd prefer continuing compatibility; we can either move this to a //go:build ... file, or rename the func to not shadow the builtin
There was a problem hiding this comment.
No strong reasons; the weak ones are quite usual:
- by switching to a newer version we can use new language and stdlib features, some of those I really like;
- Go < 1.22 is not supported and might have some unpatched issues.
Sure, if there is a need, we can try maintaining backward compatibility, especially since this repo is not too bif or complex.
There was a problem hiding this comment.
we can either move this to a //go:build ... file
It's not possible. Now I remember I actually tried that before, only to get something like this:
$ make
GOOS=linux GOARCH=amd64 go build ./...
# github.com/opencontainers/selinux/go-selinux
go-selinux/selinux_linux.go:666:22: built-in max requires go1.21 or later (-lang was set to go1.19; check go.mod)
go-selinux/selinux_linux.go:669:23: built-in min requires go1.21 or later (-lang was set to go1.19; check go.mod)There was a problem hiding this comment.
Done (renamed to minInt/maxInt).
There was a problem hiding this comment.
Would like to hear your reasons for supporting Go 1.19.
go.mod
Outdated
| @@ -1,5 +1,5 @@ | |||
| module github.com/opencontainers/selinux | |||
|
|
|||
| go 1.19 | |||
| go 1.21 | |||
There was a problem hiding this comment.
Same here, unless we really cannot
go-selinux/selinux_linux.go
Outdated
| @@ -138,7 +138,7 @@ func verifySELinuxfsMount(mnt string) bool { | |||
| return false | |||
| } | |||
|
|
|||
| if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) { | |||
| if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) { //nolint:gosec | |||
There was a problem hiding this comment.
Can you use the #nosec G115 style? That way we can supported only G115 without any other gosec issue that may be found
There was a problem hiding this comment.
Alas this is not working for me. Perhaps you only used standalone gosec?
$ golangci-lint run ./...
go-selinux/selinux_linux.go:141:11: G115: integer overflow conversion int64 -> uint32 (gosec)
if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) { // #nosec G115 -- this code is right.
^There was a problem hiding this comment.
This is weird. The same annotation works just fine in a different place:
i0 := int(c.TrailingZeroBits()) //#nosec G115 -- don't expect TralingZeroBits to return values with highest bit set.bit not here. I am lost 😿
There was a problem hiding this comment.
OK, it doesn't work because it's after {. It works if I put in on a previous line:
//#nosec G115 -- there is no overflow here.
if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) {There was a problem hiding this comment.
But, in this case it might want for the whole block, rather than just this line. I'm lost again 😕
There was a problem hiding this comment.
Ah, the "whole block" is return false so I guess it's fine.
There was a problem hiding this comment.
Yeah, they are kinda horrible, the #nosec comments! I think it's good to use them though (to not accidentally mask other security-related discoveries).
Thanks!
go-selinux/selinux_linux.go
Outdated
| @@ -583,7 +583,8 @@ func bitsetToStr(c *big.Int) string { | |||
| var str string | |||
|
|
|||
| length := 0 | |||
| for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ { | |||
| i0 := int(c.TrailingZeroBits()) //nolint:gosec | |||
There was a problem hiding this comment.
Same here, and possible add a comment after the // #nosec G115 -- <short commend here >
Ubuntu 20.04 is being deprecated. Signed-off-by: Kir Kolyshkin <[email protected]>
Fix the following gosec warnings in tests by using uint32 everywhere, so
we don't have to do a single cast:
pkg/pwalk/pwalk_test.go:29:20: G115: integer overflow conversion int -> uint32 (gosec)
if count != uint32(total) {
^
pkg/pwalk/pwalk_test.go:73:15: G115: integer overflow conversion int -> uint32 (gosec)
max := uint32(total / 2)
^
pkg/pwalk/pwalk_test.go:86:21: G115: integer overflow conversion int -> uint32 (gosec)
if count != uint32(total) {
^
pkg/pwalkdir/pwalkdir_test.go:32:20: G115: integer overflow conversion int -> uint32 (gosec)
if count != uint32(total) {
^
pkg/pwalkdir/pwalkdir_test.go:76:15: G115: integer overflow conversion int -> uint32 (gosec)
max := uint32(total / 2)
^
pkg/pwalkdir/pwalkdir_test.go:89:21: G115: integer overflow conversion int -> uint32 (gosec)
if count != uint32(total) {
^
While at it,
- switch from atomic op (atomic.AddUint32) to atomic type
(atomic.Int32) with methods, which is more error-prone;
- rename max to maxFiles as the former is a built-in function
in Go >= 1.21.
Signed-off-by: Kir Kolyshkin <[email protected]>
Most of parseLevelItem users will cast its result to int. On a 32-bit platform this means we may end up with a negative number. So, let's limit bitSize to 31 in a call to ParseUint, and return int so there are less typecasts in the code. Also, change MLS level to use int, for the same reason (less typecasts). This fixes the following gosec warnings: go-selinux/selinux_linux.go:505:30: G115: integer overflow conversion uint -> int (gosec) bitset.SetBit(bitset, int(i), 1) ^ go-selinux/selinux_linux.go:512:29: G115: integer overflow conversion uint -> int (gosec) bitset.SetBit(bitset, int(cat), 1) ^ go-selinux/selinux_linux.go:626:31: G115: integer overflow conversion uint -> int (gosec) low := "s" + strconv.Itoa(int(m.low.sens)) ^ go-selinux/selinux_linux.go:635:32: G115: integer overflow conversion uint -> int (gosec) high := "s" + strconv.Itoa(int(m.high.sens)) ^ Signed-off-by: Kir Kolyshkin <[email protected]>
This fixes the following linter warnings:
go-selinux/selinux_linux.go:645:6: function max has same name as predeclared identifier (predeclared)
func max(a, b int) int {
^
go-selinux/selinux_linux.go:652:6: function min has same name as predeclared identifier (predeclared)
func min(a, b int) int {
^
Signed-off-by: Kir Kolyshkin <[email protected]>
Gosec doesn't like this code:
go-selinux/selinux_linux.go:141:11: G115: integer overflow conversion int64 -> uint32 (gosec)
if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) {
^
But it is correct because
- buf.Type is int64 or int32, depending on the platform;
- unix.SELINUX_MAGIC is untyped int which overflows int32
(i.e. it becomes negative).
So the best type to use here is uint32.
Signed-off-by: Kir Kolyshkin <[email protected]>
Gosec complains:
go-selinux/selinux_linux.go:587:14: G115: integer overflow conversion uint -> int (gosec)
for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ {
^
This is indeed a valid concern in case TrailingZeroBits returns a value
which uses a highest bit (i.e. more than MaxInt32 or MaxInt64, depending
on the platform).
But I think this is highly unlikely.
Signed-off-by: Kir Kolyshkin <[email protected]>
In both of these cases we're writing to a file in /sys/fs/selinux virtual file system, the file is pre-existing (and if it isn't, it could not be created), so the third WriteFile argument is never used and can as well be 0. Signed-off-by: Kir Kolyshkin <[email protected]>
While at it, fix naked returns. Signed-off-by: Kir Kolyshkin <[email protected]>
The new version produces the following warnings: WARN [config_reader] The configuration option `linters.govet.check-shadowing` is deprecated. Please enable `shadow` instead, if you are not using `enable-all`. WARN The linter 'exportloopref' is deprecated (since v1.60.2) due to: Since Go1.22 (loopvar) this linter is no longer relevant. Replaced by copyloopvar. WARN The linter 'tenv' is deprecated (since v1.64.0) due to: Duplicate feature another linter. Replaced by usetesting. so fix the configuration accordingly. Note we do not enable copyloopvar since it requires Go 1.22 and we're currently have it set to Go 1.21 in go.mod. Also, remove "cache: false" from actions/setup-go@v5 since golangci-lint-action@v6 now relies on setup-go caching. Also, rename "deadline" to "timeout" as the former is no longer supported. Signed-off-by: Kir Kolyshkin <[email protected]>
Also, replace Go 1.21 with Go 1.19 as this is the minimally supported version for now. Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
The sole reason is to simplify branch protection rules, requiring just this one to be passed. I tried but could not find a way to list all other jobs, so had to add all of them manually. Signed-off-by: Kir Kolyshkin <[email protected]>
Use the oldest tagged version here, because all the functionality this package needs is in there already. Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
|
@thaJeztah please take another look, I think I've addressed all your comments. Aside from changes that you've requested, I added Go 1.19 to CI matrix, and added a new commit which removes a couple of unneeded |
|
Thanks! Yeah, users of older go versions should become rare, but as long as it's not adding a ton of burden (generally, this repository won't require too many updates I expect), I think it's good to keep But we sure can update |
Yes to that!
In this particular case this was min/max functions, which I had to adopt in two regards:
I played a bit and decided the best way forward is to just bump min Go version and drop them. But it's not a big deal to keep compatibility if needed. At least for now. |
|
Might be worth adding renovate to this repo to keep the repo more up 2 date. |
For github actions used, and go version, probably. For go.mod, I think we can stick to go's MVS recommendations (specify the minimum version required) |
This started as a bump of some CI deps but quickly got out of hand 😬
See individual commits for details. High level overview:
go.mod: bump go to 1.21, drop min/max functions;all-donejob;golang.org/x/sys v0.1.0;