Move check-security-hardening.sh into full_test_suite.py
parent
105b2b6248
commit
c6af0aa453
|
@ -1,46 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
REPOROOT="$(readlink -f "$(dirname "$0")"/../../)"
|
|
||||||
|
|
||||||
function test_rpath_runpath {
|
|
||||||
if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" | grep -q "No RPATH.*No RUNPATH"; then
|
|
||||||
echo PASS: "$1" has no RPATH or RUNPATH.
|
|
||||||
return 0
|
|
||||||
else
|
|
||||||
echo FAIL: "$1" has an RPATH or a RUNPATH.
|
|
||||||
"${REPOROOT}/qa/zcash/checksec.sh" --file "$1"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
function test_fortify_source {
|
|
||||||
if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes"; } &&
|
|
||||||
{ "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; }; then
|
|
||||||
echo PASS: "$1" has FORTIFY_SOURCE.
|
|
||||||
return 0
|
|
||||||
else
|
|
||||||
echo FAIL: "$1" is missing FORTIFY_SOURCE.
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# PIE, RELRO, Canary, and NX are tested by make check-security.
|
|
||||||
make -C "$REPOROOT/src" check-security
|
|
||||||
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/zcashd"
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/zcash-cli"
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/zcash-gtest"
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/zcash-tx"
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/test/test_bitcoin"
|
|
||||||
test_rpath_runpath "${REPOROOT}/src/zcash/GenerateParams"
|
|
||||||
|
|
||||||
# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
|
|
||||||
# enabled for the entire binary. See issue #915.
|
|
||||||
test_fortify_source "${REPOROOT}/src/zcashd"
|
|
||||||
test_fortify_source "${REPOROOT}/src/zcash-cli"
|
|
||||||
test_fortify_source "${REPOROOT}/src/zcash-gtest"
|
|
||||||
test_fortify_source "${REPOROOT}/src/zcash-tx"
|
|
||||||
test_fortify_source "${REPOROOT}/src/test/test_bitcoin"
|
|
||||||
test_fortify_source "${REPOROOT}/src/zcash/GenerateParams"
|
|
|
@ -5,6 +5,7 @@
|
||||||
|
|
||||||
import argparse
|
import argparse
|
||||||
import os
|
import os
|
||||||
|
import re
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
@ -24,6 +25,61 @@ def repofile(filename):
|
||||||
# Custom test runners
|
# Custom test runners
|
||||||
#
|
#
|
||||||
|
|
||||||
|
RE_RPATH_RUNPATH = re.compile('No RPATH.*No RUNPATH')
|
||||||
|
RE_FORTIFY_AVAILABLE = re.compile('FORTIFY_SOURCE support available.*Yes')
|
||||||
|
RE_FORTIFY_USED = re.compile('Binary compiled with FORTIFY_SOURCE support.*Yes')
|
||||||
|
|
||||||
|
def test_rpath_runpath(filename):
|
||||||
|
output = subprocess.check_output(
|
||||||
|
[repofile('qa/zcash/checksec.sh'), '--file', repofile(filename)]
|
||||||
|
)
|
||||||
|
if RE_RPATH_RUNPATH.search(output):
|
||||||
|
print('PASS: %s has no RPATH or RUNPATH.' % filename)
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
print('FAIL: %s has an RPATH or a RUNPATH.' % filename)
|
||||||
|
print(output)
|
||||||
|
return False
|
||||||
|
|
||||||
|
def test_fortify_source(filename):
|
||||||
|
proc = subprocess.Popen(
|
||||||
|
[repofile('qa/zcash/checksec.sh'), '--fortify-file', repofile(filename)],
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
)
|
||||||
|
line1 = proc.stdout.readline()
|
||||||
|
line2 = proc.stdout.readline()
|
||||||
|
proc.terminate()
|
||||||
|
if RE_FORTIFY_AVAILABLE.search(line1) and RE_FORTIFY_USED.search(line2):
|
||||||
|
print('PASS: %s has FORTIFY_SOURCE.' % filename)
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
print('FAIL: %s is missing FORTIFY_SOURCE.' % filename)
|
||||||
|
return False
|
||||||
|
|
||||||
|
def check_security_hardening():
|
||||||
|
ret = True
|
||||||
|
|
||||||
|
# PIE, RELRO, Canary, and NX are tested by make check-security.
|
||||||
|
ret &= subprocess.call(['make', '-C', repofile('src'), 'check-security']) == 0
|
||||||
|
|
||||||
|
ret &= test_rpath_runpath('src/zcashd')
|
||||||
|
ret &= test_rpath_runpath('src/zcash-cli')
|
||||||
|
ret &= test_rpath_runpath('src/zcash-gtest')
|
||||||
|
ret &= test_rpath_runpath('src/zcash-tx')
|
||||||
|
ret &= test_rpath_runpath('src/test/test_bitcoin')
|
||||||
|
ret &= test_rpath_runpath('src/zcash/GenerateParams')
|
||||||
|
|
||||||
|
# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE
|
||||||
|
# is enabled for the entire binary. See issue #915.
|
||||||
|
ret &= test_fortify_source('src/zcashd')
|
||||||
|
ret &= test_fortify_source('src/zcash-cli')
|
||||||
|
ret &= test_fortify_source('src/zcash-gtest')
|
||||||
|
ret &= test_fortify_source('src/zcash-tx')
|
||||||
|
ret &= test_fortify_source('src/test/test_bitcoin')
|
||||||
|
ret &= test_fortify_source('src/zcash/GenerateParams')
|
||||||
|
|
||||||
|
return ret
|
||||||
|
|
||||||
def ensure_no_dot_so_in_depends():
|
def ensure_no_dot_so_in_depends():
|
||||||
arch_dir = os.path.join(
|
arch_dir = os.path.join(
|
||||||
REPOROOT,
|
REPOROOT,
|
||||||
|
@ -72,7 +128,7 @@ STAGES = [
|
||||||
STAGE_COMMANDS = {
|
STAGE_COMMANDS = {
|
||||||
'btest': [repofile('src/test/test_bitcoin'), '-p'],
|
'btest': [repofile('src/test/test_bitcoin'), '-p'],
|
||||||
'gtest': [repofile('src/zcash-gtest')],
|
'gtest': [repofile('src/zcash-gtest')],
|
||||||
'sec-hard': [repofile('qa/zcash/check-security-hardening.sh')],
|
'sec-hard': check_security_hardening,
|
||||||
'no-dot-so': ensure_no_dot_so_in_depends,
|
'no-dot-so': ensure_no_dot_so_in_depends,
|
||||||
'secp256k1': ['make', '-C', repofile('src/secp256k1'), 'check'],
|
'secp256k1': ['make', '-C', repofile('src/secp256k1'), 'check'],
|
||||||
'univalue': ['make', '-C', repofile('src/univalue'), 'check'],
|
'univalue': ['make', '-C', repofile('src/univalue'), 'check'],
|
||||||
|
|
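Review bot: `test_fortify_source` assumes the two patterns arrive on exactly the first and second output lines and then calls `proc.terminate()` without `proc.wait()`, so a header line or different ordering in checksec.sh's output silently reports FAIL and the child is left unreaped; the shell script this replaces grepped the whole output for each pattern. Unless the early termination is a deliberate shortcut because `--fortify-file` keeps printing after those two lines, reading the complete output with `check_output` as `test_rpath_runpath` does and searching it for both patterns is simpler and order-independent. If `checksec.sh --fortify-file` can exit non-zero for an unfortified binary, catch `subprocess.CalledProcessError` and treat it as FAIL rather than letting the exception abort the stage. If this suite is run under Python 3, `check_output` returns bytes and the str patterns will raise TypeError, so decode the output before searching.
```python
def test_fortify_source(filename):
    output = subprocess.check_output(
        [repofile('qa/zcash/checksec.sh'), '--fortify-file', repofile(filename)]
    )
    if RE_FORTIFY_AVAILABLE.search(output) and RE_FORTIFY_USED.search(output):
    # … unchanged: PASS/FAIL printing and return …
```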