rpms/annobin
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.

Browse Source 
Resolves: #1995224
This commit is contained in:
Nick Clifton 2021-09-16 15:45:40 +01:00
parent 40172408af
commit f0221bb6a7
1 changed files with 79 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
annobin.spec
View File

@ -1,7 +1,7 @@
Name: annobin Name: annobin
Summary: Annotate and examine compiled binary files Summary: Annotate and examine compiled binary files
Version: 9.90 Version: 10.06
Release: 1%{?dist} Release: 1%{?dist}
License: GPLv3+ License: GPLv3+
# Maintainer: nickc@redhat.com # Maintainer: nickc@redhat.com
@ -54,9 +54,13 @@ License: GPLv3+
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz %global annobin_sources annobin-%{version}.tar.xz
Source: https://nickc.fedorapeople.org/%{annobin_sources}
# For the latest sources use: git clone git://sourceware.org/git/annobin.git # For the latest sources use: git clone git://sourceware.org/git/annobin.git
# This is where a copy of the sources will be installed.
%global annobin_source_dir %{_usrsrc}/annobin
# Insert patches here, if needed. Eg: # Insert patches here, if needed. Eg:
# Patch01: annobin-foo.patch # Patch01: annobin-foo.patch
@ -174,14 +178,19 @@ hardening options.
%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) %global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin)
%if %{with clangplugin} || %{with llvmplugin} %{!?llvm_version:%global llvm_version 12.0.1}
# FIXME: We currently assume that the first directory listed in clang's %{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}}
# search directory output is the one that we should use for plugins. %{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}}
# This might not be correct.
# The gensub() below is because without it $2 would look like: %if %{with gccplugin}
# " =/usr/lib64/clang/8.0.0" # The next line has been stolen from redhat-rpm-config.spec.
# Note - we install LLVM plugins into the same directory as Clang plugins. # We install a version info file into this directory, rather than gcc's plugin
%global ANNOBIN_CLANG_PLUGIN_DIR %(clang --print-search-dirs | gawk -e'BEGIN { FS = ":" } /libraries/ { print gensub(" =","",1,$2) } END { }') # directory, because there is no reliable way for redhat-rpm-config to
# determine the name of gcc's plugin directory.
%global rrcdir /usr/lib/rpm/redhat
# Information about the gcc plugin is recorded in this file.
%global aver %{rrcdir}/annobin-plugin-version-info
%endif %endif
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
@ -232,18 +241,20 @@ CONFIG_ARGS="$CONFIG_ARGS --with-llvm"
CONFIG_ARGS="$CONFIG_ARGS --without-test" CONFIG_ARGS="$CONFIG_ARGS --without-test"
%endif %endif
%configure ${CONFIG_ARGS} || cat config.log %set_build_flags
%ifarch %{ix86} x86_64
# FIXME: There should be a better way to do this.
export CLANG_TARGET_OPTIONS="-fcf-protection"
%endif
# Fedora supports AArch64's -mbranch-protection=bti, RHEL does not. # Fedora supports AArch64's -mbranch-protection=bti, RHEL does not.
%if 0%{?fedora} != 0 %if 0%{?fedora} != 0
export CFLAGS="$CFLAGS -DAARCh64_BRANCH_PROTECTION_SUPPORTED=1" export CFLAGS="$CFLAGS -DAARCh64_BRANCH_PROTECTION_SUPPORTED=1"
%endif %endif
CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" CXXFLAGS="$CFLAGS" %configure ${CONFIG_ARGS} || cat config.log
%ifarch %{ix86} x86_64
# FIXME: There should be a better way to do this.
export CLANG_TARGET_OPTIONS="-fcf-protection"
%endif
%make_build %make_build
%if %{with plugin_rebuild} %if %{with plugin_rebuild}
@ -289,7 +300,29 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles... # PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles...
%install %install
%make_install PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR} %make_install PLUGIN_INSTALL_DIR=%{buildroot}/%{llvm_plugin_dir}
%if %{with clangplugin}
# Move the clang plugin to a seperate directory.
mkdir -p %{buildroot}/%{clang_plugin_dir}
mv %{buildroot}/%{llvm_plugin_dir}/annobin-for-clang.so %{buildroot}/%{clang_plugin_dir}
%endif
%if %{with gccplugin}
# Record the version of gcc that built this plugin.
mkdir -p %{buildroot}%{rrcdir}
rm -f %{buildroot}%{aver}
# Note - the comparison logic in redhat-rpm-config's %%triggger macros require
# that the plugin builder information appear as the first three numbers in the file.
echo %{gcc_vr} > %{buildroot}%{aver}
# Provide a more complete version information string on the second line.
echo "%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0.0.0 was built by gcc version %{gcc_vr} from the %{version} sources" >> %{buildroot}%{aver}
# Also install a copy of the sources into the build tree.
mkdir -p %{buildroot}%{annobin_source_dir}
cp %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz
%endif
rm -f %{buildroot}%{_infodir}/dir rm -f %{buildroot}%{_infodir}/dir
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
@ -318,12 +351,18 @@ fi
%{_mandir}/man1/hardened.1* %{_mandir}/man1/hardened.1*
%{_mandir}/man1/run-on-binaries-in.1* %{_mandir}/man1/run-on-binaries-in.1*
%if %{with clangplugin} || %{with llvmplugin} %if %{with clangplugin}
%{ANNOBIN_CLANG_PLUGIN_DIR} %{clang_plugin_dir}/annobin-for-clang.so
%endif
%if %{with llvmplugin}
%{llvm_plugin_dir}/annobin-for-llvm.so
%endif %endif
%if %{with gccplugin} %if %{with gccplugin}
%{ANNOBIN_GCC_PLUGIN_DIR} %{ANNOBIN_GCC_PLUGIN_DIR}
%{aver}
%{annobin_source_dir}/latest-annobin.tar.xz
%endif %endif
%if %{with annocheck} %if %{with annocheck}
@ -335,6 +374,27 @@ fi
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
%changelog %changelog
* Thu Sep 16 2021 Nick Clifton <nickc@redhat.com> - 10.06-1
- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917)
- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. (#1995224)
- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead.
- Annocheck: Fix exit code when tests PASS.
- Documentation: Add node for each hardening test.
- Documentation: Install online.
- Annocheck: Annote FAIL and MAYB results with URL to documentation
- Annocheck: Add --no-urls and --provide-urls options
- Annocheck: Add --help-<tool> option.
- Annocheck: Fix fuzzing detected failures.
- Annocheck: Add --profile option.
- Docs: Document --profile option and rpminspect.yaml.
- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures.
- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
- spec file: Add the installation of the annobon sources into /usr/src/annobin.
- Annocheck: Fix memory corruption. (#1996963)
- spec file: Add the creation of a gcc-plugin version info file in /usr/lib/rpm/redhat.
- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
* Wed Aug 18 2021 Nick Clifton <nickc@redhat.com> - 9.90-1 * Wed Aug 18 2021 Nick Clifton <nickc@redhat.com> - 9.90-1
- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410) - Annocheck: Add linker generated function for ppc64le exceptions. (#1981410)
- LLVM Plugin: Allow checks to be selected from the command line. - LLVM Plugin: Allow checks to be selected from the command line.