#!/usr/bin/make -f
# Test Makefile: build hello.c through the hardening wrappers in several
# configurations and verify which hardening features ended up in the ELF.
include ../hardening.make

BUILD_TREE:=../build-tree
# These are normally supplied by the caller or by ../hardening.make, along
# with $(NAME) and the per-feature DEB_BUILD_HARDENING_* switches.
SYMLINKED_LD?=
WRAPPERS?=
SYNTAX_STAMP?=
BUILD_EXTRA?=
# _FORTIFY_SOURCE only takes effect at -O1 or higher.
CFLAGS += -O2
LDFLAGS?=

HELLO=hello.c
TEST_REQS=$(HELLO) $(WRAPPERS) $(SYMLINKED_LD)

TESTS=\
	$(SYNTAX_STAMP) \
	$(BUILD_TREE)/$(NAME)-test-stock \
	$(BUILD_TREE)/$(NAME)-test-compiled \
	$(SYMLINKED_LD) \
	$(BUILD_TREE)/$(NAME)-test-linked \
	$(BUILD_TREE)/$(NAME)-test-fPIC-direct \
	$(BUILD_TREE)/$(NAME)-test-fPIC \
	$(BUILD_EXTRA)

check: $(TESTS)

clean:
	rm -f $(TESTS)

##########
# Compilation and linking results tests

$(BUILD_TREE)/$(NAME)-test-stock: $(HELLO) $(WRAPPERS)
	# Compiler and linker options disabled.
	DEB_BUILD_HARDENING=0 $(CC) -o $@ $<
	readelf -ldrsW $@
	$@

$(BUILD_TREE)/$(NAME)-test-compiled: $(HELLO) $(WRAPPERS)
	# Compiler options enabled. (linker is not wrapped)
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
	readelf -ldrsW $@
	# Run twice to show off PIE: with kernel ASLR the load addresses
	# change between runs of a PIE binary.
	$@
	$@

# Figure out how to call "hardening-check" for this architecture.
# hardening-check reports a missing feature as a failure, so tell it to
# skip (-p/-s/-f/-r) the features this configuration does not enable.
HARDENING_CHECK_ARGS:=
ifneq (1,$(DEB_BUILD_HARDENING_PIE))
HARDENING_CHECK_ARGS+=-p
endif
ifneq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR))
HARDENING_CHECK_ARGS+=-s
endif
ifneq (1,$(DEB_BUILD_HARDENING_FORTIFY))
HARDENING_CHECK_ARGS+=-f
endif
ifneq (1,$(DEB_BUILD_HARDENING_RELRO))
HARDENING_CHECK_ARGS+=-r
endif

$(BUILD_TREE)/$(NAME)-test-linked: $(TEST_REQS)
	# Compiler and linker options enabled.
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
	readelf -ldrsW $@
	# Run twice to show off PIE: with kernel ASLR the load addresses
	# change between runs of a PIE binary.
	$@
	$@
	# Check state of hardening features via check script
	sh ../hardening-check $(HARDENING_CHECK_ARGS) $@
	# Manually check state of hardening features.
	# (The @GLIBC version suffix nm prints varies between binutils
	# releases, so the symbol greps below match the bare name only.)
ifeq (1,$(DEB_BUILD_HARDENING_PIE))
	# Test PIE
	readelf -lW $@ | grep '^Elf file type is DYN'
else
	# Skipped PIE test
endif
ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR))
	# Test Stack Protector
	nm $@ | grep '__stack_chk_fail'
else
	# Skipped Stack Protector test
endif
ifeq (1,$(DEB_BUILD_HARDENING_FORTIFY))
	# Test Fortify
	nm $@ | grep -E '__(sn)?printf_chk'
else
	# Skipped Fortify test
endif
ifeq (1,$(DEB_BUILD_HARDENING_FORMAT))
	# Test Format (no-op currently)
else
	# Skipped Format test
endif
ifeq (1,$(DEB_BUILD_HARDENING_RELRO))
	# Test for RELRO
	readelf -lW $@ | grep GNU_RELRO
else
	# Skipping RELRO test
endif
ifeq (1,$(DEB_BUILD_HARDENING_BINDNOW))
	# Test for BIND_NOW
	readelf -dW $@ | grep BIND_NOW
else
	# Skipping BINDNOW test
endif

##########
# Compiler arg calling style tests

# cmake likes to pass -fPIC to everything, which broke pre-1.10 wrappers
$(BUILD_TREE)/$(NAME)-test-fPIC-direct: $(TEST_REQS)
	# Build directly with -fPIC already defined
	$(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $<
	$@

$(BUILD_TREE)/$(NAME)-test-fPIC.o: $(TEST_REQS)
	# Build .o with -fPIC already defined
	$(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ -c $<

$(BUILD_TREE)/$(NAME)-test-fPIC: $(BUILD_TREE)/$(NAME)-test-fPIC.o $(TEST_REQS)
	# Link .o with -fPIC already defined
	$(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $<
	$@
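The manual readelf/nm greps in the `-test-linked` rule each have a caveat a practitioner should know: `readelf -l` reports `DYN` for shared libraries as well as PIE executables, `GNU_RELRO` on its own is only partial RELRO (full RELRO additionally needs `BIND_NOW`), and the `__stack_chk_fail` / `*_chk` symbols only appear if the compiler actually emitted a canary or a fortified call in the program. The script below is an added example, not part of the hardening-wrapper test suite: it wraps those checks in functions that take the tool output as text (so they can be exercised on captured output) and an `audit_binary` helper that runs the real `readelf`/`nm` on a path. The sample readelf/nm output embedded in it is constructed for illustration, not captured from a real build.

```shell
#!/bin/sh
# Added example (not hardening-wrapper code): classify an ELF binary's
# hardening state from readelf/nm output. The *_state functions take the
# tool output as a string; audit_binary runs readelf and nm (binutils) on
# a real file.

# PIE: "readelf -l" prints DYN for both PIE executables and shared
# libraries, so also require a PT_INTERP entry before calling it a PIE.
pie_state() {
    out=$1
    if ! printf '%s\n' "$out" | grep -q '^Elf file type is DYN'; then
        echo no
    elif printf '%s\n' "$out" | grep -q '^ *INTERP '; then
        echo pie
    else
        echo shared-lib
    fi
}

# RELRO: GNU_RELRO alone is "partial" (the GOT stays writable for lazy
# binding); with BIND_NOW the loader resolves everything at startup and
# the whole region is made read-only, i.e. "full". Newer ld exposes the
# flag as "(FLAGS) BIND_NOW" and/or "(FLAGS_1) Flags: NOW".
relro_state() {
    phdrs=$1
    dyn=$2
    if ! printf '%s\n' "$phdrs" | grep -q 'GNU_RELRO'; then
        echo no
    elif printf '%s\n' "$dyn" | grep -Eq '(BIND_NOW|Flags:.* NOW)'; then
        echo full
    else
        echo partial
    fi
}

# Stack protector: __stack_chk_fail is referenced only if at least one
# function received a canary. With plain -fstack-protector a trivial
# program may get none, which is a coverage gap in the test program, not
# a missing flag. The version suffix (@GLIBC_x) is deliberately not matched.
stack_protector_state() {
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then
        echo yes
    else
        echo no
    fi
}

# FORTIFY: glibc's __*_chk variants appear only when a fortifiable call
# was compiled at -O1 or higher with _FORTIFY_SOURCE defined. The regex
# requires the name to end in _chk so __stack_chk_fail is not miscounted.
fortify_state() {
    if printf '%s\n' "$1" | grep -Eq '__[a-z0-9_]+_chk(@|$)'; then
        echo yes
    else
        echo no
    fi
}

# Run the real tools on a binary. nm -D reads the dynamic symbol table,
# which survives stripping; fall back to nm for static binaries.
audit_binary() {
    bin=$1
    phdrs=$(readelf -lW "$bin")
    dyn=$(readelf -dW "$bin")
    syms=$(nm -D "$bin" 2>/dev/null || nm "$bin")
    printf 'pie=%s relro=%s stack-protector=%s fortify=%s\n' \
        "$(pie_state "$phdrs")" "$(relro_state "$phdrs" "$dyn")" \
        "$(stack_protector_state "$syms")" "$(fortify_state "$syms")"
}

# Constructed sample output (not from a real build) for a PIE, full-RELRO
# binary built with -fstack-protector and -D_FORTIFY_SOURCE=2.
SAMPLE_PHDRS='Elf file type is DYN (Shared object file)
Entry point 0x1060
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  GNU_RELRO      0x002dd8 0x0000000000003dd8 0x0000000000003dd8 0x000228 0x000228 R   0x1'
SAMPLE_DYN=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_NM='                 U __printf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
0000000000001139 T main'

# Usage: audit_binary ../build-tree/hello-test-linked
```

The `pie_state` distinction matters when the same check is reused on a shared library: the Makefile's bare `grep DYN` would pass for any `.so`, hardened or not. Likewise a build that has `GNU_RELRO` but not `BIND_NOW` passes the RELRO test above while still leaving the GOT writable during lazy resolution.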