Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.
Resolves: #1995224
This commit is contained in:
Nick Clifton
parent
40172408af
commit
f0221bb6a7
98
annobin.spec
98
annobin.spec
@ -1,7 +1,7 @@
|
||||
|
||||
Name: annobin
|
||||
Summary: Annotate and examine compiled binary files
|
||||
Version: 9.90
|
||||
Version: 10.06
|
||||
Release: 1%{?dist}
|
||||
License: GPLv3+
|
||||
# Maintainer: nickc@redhat.com
|
||||
@ -54,9 +54,13 @@ License: GPLv3+
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz
|
||||
%global annobin_sources annobin-%{version}.tar.xz
|
||||
Source: https://nickc.fedorapeople.org/%{annobin_sources}
|
||||
# For the latest sources use: git clone git://sourceware.org/git/annobin.git
|
||||
|
||||
# This is where a copy of the sources will be installed.
|
||||
%global annobin_source_dir %{_usrsrc}/annobin
|
||||
|
||||
# Insert patches here, if needed. Eg:
|
||||
# Patch01: annobin-foo.patch
|
||||
|
||||
@ -174,14 +178,19 @@ hardening options.
|
||||
|
||||
%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin)
|
||||
|
||||
%if %{with clangplugin} || %{with llvmplugin}
|
||||
# FIXME: We currently assume that the first directory listed in clang's
|
||||
# search directory output is the one that we should use for plugins.
|
||||
# This might not be correct.
|
||||
# The gensub() below is because without it $2 would look like:
|
||||
# " =/usr/lib64/clang/8.0.0"
|
||||
# Note - we install LLVM plugins into the same directory as Clang plugins.
|
||||
%global ANNOBIN_CLANG_PLUGIN_DIR %(clang --print-search-dirs | gawk -e'BEGIN { FS = ":" } /libraries/ { print gensub(" =","",1,$2) } END { }')
|
||||
%{!?llvm_version:%global llvm_version 12.0.1}
|
||||
%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}}
|
||||
%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}}
|
||||
|
||||
%if %{with gccplugin}
|
||||
# The next line has been stolen from redhat-rpm-config.spec.
|
||||
# We install a version info file into this directory, rather than gcc's plugin
|
||||
# directory, because there is no reliable way for redhat-rpm-config to
|
||||
# determine the name of gcc's plugin directory.
|
||||
%global rrcdir /usr/lib/rpm/redhat
|
||||
|
||||
# Information about the gcc plugin is recorded in this file.
|
||||
%global aver %{rrcdir}/annobin-plugin-version-info
|
||||
%endif
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
@ -232,18 +241,20 @@ CONFIG_ARGS="$CONFIG_ARGS --with-llvm"
|
||||
CONFIG_ARGS="$CONFIG_ARGS --without-test"
|
||||
%endif
|
||||
|
||||
%configure ${CONFIG_ARGS} || cat config.log
|
||||
|
||||
%ifarch %{ix86} x86_64
|
||||
# FIXME: There should be a better way to do this.
|
||||
export CLANG_TARGET_OPTIONS="-fcf-protection"
|
||||
%endif
|
||||
%set_build_flags
|
||||
|
||||
# Fedora supports AArch64's -mbranch-protection=bti, RHEL does not.
|
||||
%if 0%{?fedora} != 0
|
||||
export CFLAGS="$CFLAGS -DAARCh64_BRANCH_PROTECTION_SUPPORTED=1"
|
||||
%endif
|
||||
|
||||
CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" CXXFLAGS="$CFLAGS" %configure ${CONFIG_ARGS} || cat config.log
|
||||
|
||||
%ifarch %{ix86} x86_64
|
||||
# FIXME: There should be a better way to do this.
|
||||
export CLANG_TARGET_OPTIONS="-fcf-protection"
|
||||
%endif
|
||||
|
||||
%make_build
|
||||
|
||||
%if %{with plugin_rebuild}
|
||||
@ -289,7 +300,29 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
|
||||
|
||||
# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles...
|
||||
%install
|
||||
%make_install PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR}
|
||||
%make_install PLUGIN_INSTALL_DIR=%{buildroot}/%{llvm_plugin_dir}
|
||||
|
||||
%if %{with clangplugin}
|
||||
# Move the clang plugin to a seperate directory.
|
||||
mkdir -p %{buildroot}/%{clang_plugin_dir}
|
||||
mv %{buildroot}/%{llvm_plugin_dir}/annobin-for-clang.so %{buildroot}/%{clang_plugin_dir}
|
||||
%endif
|
||||
|
||||
%if %{with gccplugin}
|
||||
# Record the version of gcc that built this plugin.
|
||||
mkdir -p %{buildroot}%{rrcdir}
|
||||
rm -f %{buildroot}%{aver}
|
||||
# Note - the comparison logic in redhat-rpm-config's %%triggger macros require
|
||||
# that the plugin builder information appear as the first three numbers in the file.
|
||||
echo %{gcc_vr} > %{buildroot}%{aver}
|
||||
# Provide a more complete version information string on the second line.
|
||||
echo "%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0.0.0 was built by gcc version %{gcc_vr} from the %{version} sources" >> %{buildroot}%{aver}
|
||||
|
||||
# Also install a copy of the sources into the build tree.
|
||||
mkdir -p %{buildroot}%{annobin_source_dir}
|
||||
cp %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz
|
||||
%endif
|
||||
|
||||
rm -f %{buildroot}%{_infodir}/dir
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
@ -318,12 +351,18 @@ fi
|
||||
%{_mandir}/man1/hardened.1*
|
||||
%{_mandir}/man1/run-on-binaries-in.1*
|
||||
|
||||
%if %{with clangplugin} || %{with llvmplugin}
|
||||
%{ANNOBIN_CLANG_PLUGIN_DIR}
|
||||
%if %{with clangplugin}
|
||||
%{clang_plugin_dir}/annobin-for-clang.so
|
||||
%endif
|
||||
|
||||
%if %{with llvmplugin}
|
||||
%{llvm_plugin_dir}/annobin-for-llvm.so
|
||||
%endif
|
||||
|
||||
%if %{with gccplugin}
|
||||
%{ANNOBIN_GCC_PLUGIN_DIR}
|
||||
%{aver}
|
||||
%{annobin_source_dir}/latest-annobin.tar.xz
|
||||
%endif
|
||||
|
||||
%if %{with annocheck}
|
||||
@ -335,6 +374,27 @@ fi
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
%changelog
|
||||
* Thu Sep 16 2021 Nick Clifton <nickc@redhat.com> - 10.06-1
|
||||
- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917)
|
||||
- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
|
||||
- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. (#1995224)
|
||||
- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead.
|
||||
- Annocheck: Fix exit code when tests PASS.
|
||||
- Documentation: Add node for each hardening test.
|
||||
- Documentation: Install online.
|
||||
- Annocheck: Annote FAIL and MAYB results with URL to documentation
|
||||
- Annocheck: Add --no-urls and --provide-urls options
|
||||
- Annocheck: Add --help-<tool> option.
|
||||
- Annocheck: Fix fuzzing detected failures.
|
||||
- Annocheck: Add --profile option.
|
||||
- Docs: Document --profile option and rpminspect.yaml.
|
||||
- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures.
|
||||
- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
|
||||
- spec file: Add the installation of the annobon sources into /usr/src/annobin.
|
||||
- Annocheck: Fix memory corruption. (#1996963)
|
||||
- spec file: Add the creation of a gcc-plugin version info file in /usr/lib/rpm/redhat.
|
||||
- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
|
||||
|
||||
* Wed Aug 18 2021 Nick Clifton <nickc@redhat.com> - 9.90-1
|
||||
- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410)
|
||||
- LLVM Plugin: Allow checks to be selected from the command line.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user