diff options
author | Cory Fields <cory-nospam-@coryfields.com> | 2016-01-26 14:50:50 -0500 |
---|---|---|
committer | Wladimir J. van der Laan <laanwj@gmail.com> | 2016-01-27 11:33:33 +0100 |
commit | aa26ee010198a1cc4d3e7e62cd0ab80807ba66a4 (patch) | |
tree | e6bae80309a07c287fe8330f6d984d38b0cc9ae7 /contrib | |
parent | 568c32411d1dbe8d47fe87a3cf306741fb44485a (diff) |
release: Add security/export checks to gitian and fix current failures
- fix parsing of BIND_NOW with older readelf
- add _IO_stdin_used to ignored exports
For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
- add check-symbols and check-security make targets
These are not added to the default checks because some of them depend on
release-build configs.
- always link librt for glibc back-compat builds
glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to
link in anyway for back-compat.
Fixes #7420
- add security/symbol checks to gitian
Github-Pull: #7424
Rebased-From: cd27bf51e06a8d79790a631696355bd05751b0aa 475813ba5b208eb9a5d027eb628a717cc123ef4f f3d3eaf78eb51238d799d8f20a585550d1567719 a8ce872118c4807465629aecb9e4f3d72d999ccb a81c87fafce43e49cc2307947e3951b84be7ca9a
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/devtools/security-check.py | 2 | ||||
-rwxr-xr-x | contrib/devtools/symbol-check.py | 5 | ||||
-rw-r--r-- | contrib/gitian-descriptors/gitian-linux.yml | 2 | ||||
-rw-r--r-- | contrib/gitian-descriptors/gitian-win.yml | 1 |
4 files changed, 8 insertions, 2 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py index e96eaa9c38..01586457db 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py @@ -94,7 +94,7 @@ def check_ELF_RELRO(executable): raise IOError('Error opening file') for line in stdout.split('\n'): tokens = line.split() - if len(tokens)>1 and tokens[1] == '(BIND_NOW)': + if len(tokens)>1 and tokens[1] == '(BIND_NOW)' or (len(tokens)>2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]): have_bindnow = True return have_gnu_relro and have_bindnow diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index 93acfcdda4..4ad5136f79 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py @@ -42,9 +42,12 @@ MAX_VERSIONS = { 'GLIBCXX': (3,4,13), 'GLIBC': (2,11) } +# See here for a description of _IO_stdin_used: +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109 + # Ignore symbols that are exported as part of every executable IGNORE_EXPORTS = { -'_edata', '_end', '_init', '__bss_start', '_fini' +'_edata', '_end', '_init', '__bss_start', '_fini', '_IO_stdin_used' } READELF_CMD = os.getenv('READELF', '/usr/bin/readelf') CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt') diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml index d13ae8b10c..d034a91303 100644 --- a/contrib/gitian-descriptors/gitian-linux.yml +++ b/contrib/gitian-descriptors/gitian-linux.yml @@ -96,6 +96,8 @@ script: | ./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} make ${MAKEOPTS} + make ${MAKEOPTS} -C src check-security + make ${MAKEOPTS} -C src check-symbols make install-strip cd installed find . -name "lib*.la" -delete diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml index 66077e0d5b..bcc6c4629e 100644 --- a/contrib/gitian-descriptors/gitian-win.yml +++ b/contrib/gitian-descriptors/gitian-win.yml @@ -126,6 +126,7 @@ script: | ./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} make ${MAKEOPTS} + make ${MAKEOPTS} -C src check-security make deploy make install-strip cp -f bitcoin-*setup*.exe $OUTDIR/ |