author | Wladimir J. van der Laan <laanwj@protonmail.com> | 2020-11-20 09:15:44 +0100 |
---|---|---|
committer | Wladimir J. van der Laan <laanwj@protonmail.com> | 2020-11-22 11:11:32 +0100 |
commit | 634f6ec4eb9997d7bd0f8209fad49a4171d42384 (patch) | |
tree | 0c9e1de57c164790c4b6cc8397c6c8ce0117b983 /src/Makefile.am | |
parent | fdd068507d2694137d72638d87ea961e6f16a753 (diff) |
contrib: Parse ELF directly for symbol and security checks

Instead of the ever-messier text parsing of the output of the readelf
tool (which is clearly meant for human consumption not to be machine
parseable), parse the ELF binaries directly.

Add a small dependency-less ELF parser specific to the checks.

This is slightly more secure, too, because it removes potential
ambiguity due to misparsing and changes in the output format of `elfread`. It
also allows for stricter and more specific ELF format checks in the future.

This removes the build-time dependency for `readelf`.

It passes the test-security-check for me locally, though I haven't
checked on all platforms.

Diffstat (limited to 'src/Makefile.am')
-rw-r--r-- | src/Makefile.am | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 67fd402603..8da754eee6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -741,13 +741,13 @@ endif if GLIBC_BACK_COMPAT @echo "Checking glibc back compat..." - $(AM_V_at) READELF=$(READELF) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS) + $(AM_V_at) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS) endif check-security: $(bin_PROGRAMS) if HARDEN @echo "Checking binary security..." - $(AM_V_at) READELF=$(READELF) OBJDUMP=$(OBJDUMP) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py $(bin_PROGRAMS) + $(AM_V_at) OBJDUMP=$(OBJDUMP) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py $(bin_PROGRAMS) endif if EMBEDDED_LEVELDB |
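Review bot: both recipe lines drop `READELF=$(READELF)`, but nothing visible in this file removes the variable's definition, so please confirm that any configure-time lookup for `readelf` is removed in the same series; otherwise the build still probes for a tool the scripts no longer use and the stated removal of the build-time dependency is incomplete. In the check-security recipe, `OBJDUMP=$(OBJDUMP) OTOOL=$(OTOOL)` are still passed to security-check.py, so a short comment stating which binary formats still rely on external tool output would make the remaining text-parsing surface explicit. The commit message also writes `elfread` once where the other references say `readelf`.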
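What checking a binary by parsing the ELF structures directly, rather than scraping `readelf` text, can look like, as an added Python sketch that is not the parser from this commit. The function names, the three checks chosen and the constructed sample image are assumptions, and only little-endian ELF64 is handled.

```python
import struct

ET_DYN, PF_X = 3, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def parse_phdrs(data):
    """Return (e_type, [(p_type, p_flags), ...]); reject anything malformed."""
    if len(data) < EHDR.size:
        raise ValueError("truncated ELF header")
    (ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data)
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELFCLASS64 / ELFDATA2LSB handled in this sketch")
    if e_phnum and e_phentsize != PHDR.size:
        raise ValueError("unexpected e_phentsize")
    if e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("program header table runs past end of file")
    phdrs = [PHDR.unpack_from(data, e_phoff + i * PHDR.size)[:2] for i in range(e_phnum)]
    return e_type, phdrs


def check_hardening(data):
    """Simplified checks read from binary fields, with no text output to misparse."""
    e_type, phdrs = parse_phdrs(data)
    stack = [flags for p_type, flags in phdrs if p_type == PT_GNU_STACK]
    return {
        "PIE": e_type == ET_DYN,
        # A missing or duplicated PT_GNU_STACK fails the check instead of being guessed at.
        "NX": len(stack) == 1 and not stack[0] & PF_X,
        "RELRO_SEGMENT": any(p_type == PT_GNU_RELRO for p_type, _ in phdrs),
    }


def build_sample(e_type, segments):
    """Constructed test image: an ELF64 header followed directly by program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
```

Because every field is read at a fixed offset and the table bounds are validated, a truncated or inconsistent file raises an error instead of silently yielding a passing result.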