Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04
1e60713a68
contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee)
Pull request description:
- Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes.
- Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA
Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
This commit is contained in:
commit
f8685f461b
2 changed files with 9 additions and 9 deletions
|
@ -14,7 +14,7 @@ import os
|
||||||
|
|
||||||
READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
|
READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
|
||||||
OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
|
OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
|
||||||
NONFATAL = {'HIGH_ENTROPY_VA'} # checks which are non-fatal for now but only generate a warning
|
NONFATAL = {} # checks which are non-fatal for now but only generate a warning
|
||||||
|
|
||||||
def check_ELF_PIE(executable):
|
def check_ELF_PIE(executable):
|
||||||
'''
|
'''
|
||||||
|
|
|
@ -32,11 +32,11 @@ class TestSecurityChecks(unittest.TestCase):
|
||||||
cc = 'gcc'
|
cc = 'gcc'
|
||||||
write_testcode(source)
|
write_testcode(source)
|
||||||
|
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE']),
|
||||||
(1, executable+': failed PIE NX RELRO Canary'))
|
(1, executable+': failed PIE NX RELRO Canary'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE']),
|
||||||
(1, executable+': failed PIE RELRO Canary'))
|
(1, executable+': failed PIE RELRO Canary'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE']),
|
||||||
(1, executable+': failed PIE RELRO'))
|
(1, executable+': failed PIE RELRO'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE']),
|
||||||
(1, executable+': failed RELRO'))
|
(1, executable+': failed RELRO'))
|
||||||
|
@ -49,9 +49,9 @@ class TestSecurityChecks(unittest.TestCase):
|
||||||
cc = 'i686-w64-mingw32-gcc'
|
cc = 'i686-w64-mingw32-gcc'
|
||||||
write_testcode(source)
|
write_testcode(source)
|
||||||
|
|
||||||
self.assertEqual(call_security_check(cc, source, executable, []),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase']),
|
||||||
(1, executable+': failed DYNAMIC_BASE NX'))
|
(1, executable+': failed DYNAMIC_BASE NX'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase']),
|
||||||
(1, executable+': failed DYNAMIC_BASE'))
|
(1, executable+': failed DYNAMIC_BASE'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase']),
|
||||||
(0, ''))
|
(0, ''))
|
||||||
|
@ -61,9 +61,9 @@ class TestSecurityChecks(unittest.TestCase):
|
||||||
cc = 'x86_64-w64-mingw32-gcc'
|
cc = 'x86_64-w64-mingw32-gcc'
|
||||||
write_testcode(source)
|
write_testcode(source)
|
||||||
|
|
||||||
self.assertEqual(call_security_check(cc, source, executable, []), (1, executable+': failed DYNAMIC_BASE NX\n'+executable+': warning HIGH_ENTROPY_VA'))
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va']), (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat']), (1, executable+': failed DYNAMIC_BASE\n'+executable+': warning HIGH_ENTROPY_VA'))
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va']), (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase']), (0, executable+': warning HIGH_ENTROPY_VA'))
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va']), (1, executable+': failed HIGH_ENTROPY_VA'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va']), (0, ''))
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va']), (0, ''))
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
Loading…
Reference in a new issue