ayrtonm
commented
1 year ago I added the assumption that undefined functions are in the same compartment as the caller to easily handle a few places where the nginx rtmp module calls the system openssl library. Using prebuilt libraries will probably be a common use-case but it's not super relevant to demoing this with nginx.
Currently the source rewriter assumes that functions not defined in any of the source files passed in are in the same compartment as the caller. This means it does not create call gates for calls to functions in prebuilt libraries and instead uses the same pkey/compartment/stack as the source file where the undefined functions is called (and logs this to stdout).
The libusb and ffmpeg tests use prebuilt libraries, but call them from different compartments. Specically both have the main executable with pkey 1 and treat libusb/libavformat as untrusted libraries with pkey 0. To re-enable these tests we need to add a way to specify what pkeys undefined functions should have.