aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorCory Fields <cory-nospam-@coryfields.com>2016-01-26 14:50:50 -0500
committerWladimir J. van der Laan <laanwj@gmail.com>2016-01-27 11:33:33 +0100
commitaa26ee010198a1cc4d3e7e62cd0ab80807ba66a4 (patch)
treee6bae80309a07c287fe8330f6d984d38b0cc9ae7 /contrib
parent568c32411d1dbe8d47fe87a3cf306741fb44485a (diff)
release: Add security/export checks to gitian and fix current failures
- fix parsing of BIND_NOW with older readelf - add _IO_stdin_used to ignored exports For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109 - add check-symbols and check-security make targets These are not added to the default checks because some of them depend on release-build configs. - always link librt for glibc back-compat builds glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to link in anyway for back-compat. Fixes #7420 - add security/symbol checks to gitian Github-Pull: #7424 Rebased-From: cd27bf51e06a8d79790a631696355bd05751b0aa 475813ba5b208eb9a5d027eb628a717cc123ef4f f3d3eaf78eb51238d799d8f20a585550d1567719 a8ce872118c4807465629aecb9e4f3d72d999ccb a81c87fafce43e49cc2307947e3951b84be7ca9a
Diffstat (limited to 'contrib')
-rwxr-xr-xcontrib/devtools/security-check.py2
-rwxr-xr-xcontrib/devtools/symbol-check.py5
-rw-r--r--contrib/gitian-descriptors/gitian-linux.yml2
-rw-r--r--contrib/gitian-descriptors/gitian-win.yml1
4 files changed, 8 insertions, 2 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index e96eaa9c38..01586457db 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -94,7 +94,7 @@ def check_ELF_RELRO(executable):
raise IOError('Error opening file')
for line in stdout.split('\n'):
tokens = line.split()
- if len(tokens)>1 and tokens[1] == '(BIND_NOW)':
+ if len(tokens)>1 and tokens[1] == '(BIND_NOW)' or (len(tokens)>2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]):
have_bindnow = True
return have_gnu_relro and have_bindnow
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 93acfcdda4..4ad5136f79 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -42,9 +42,12 @@ MAX_VERSIONS = {
'GLIBCXX': (3,4,13),
'GLIBC': (2,11)
}
+# See here for a description of _IO_stdin_used:
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
+
# Ignore symbols that are exported as part of every executable
IGNORE_EXPORTS = {
-'_edata', '_end', '_init', '__bss_start', '_fini'
+'_edata', '_end', '_init', '__bss_start', '_fini', '_IO_stdin_used'
}
READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml
index d13ae8b10c..d034a91303 100644
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -96,6 +96,8 @@ script: |
./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
make ${MAKEOPTS}
+ make ${MAKEOPTS} -C src check-security
+ make ${MAKEOPTS} -C src check-symbols
make install-strip
cd installed
find . -name "lib*.la" -delete
diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml
index 66077e0d5b..bcc6c4629e 100644
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -126,6 +126,7 @@ script: |
./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
make ${MAKEOPTS}
+ make ${MAKEOPTS} -C src check-security
make deploy
make install-strip
cp -f bitcoin-*setup*.exe $OUTDIR/