fix: fix generation

- test containers workflow updates - fix generation - update build-binaries
slimm609 · Apr 18, 2024 · ad6f1a5 · ad6f1a5
1 parent 08aba81
commit ad6f1a5
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 22 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -4,12 +4,12 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: render-checksec
         run: |
           pip install pre-commit
           mkdir ${HOME}/bin
-          curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.4.0/shfmt_v3.4.0_linux_amd64
+          curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64
           chmod +x ${HOME}/bin/shfmt
           export PATH=${PATH}:${HOME}/bin
           pre-commit run --all-files

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,7 +12,7 @@ repos:
     language: system
     pass_filenames: false
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.2.0
+  rev: v4.5.0
   hooks:
   - id: end-of-file-fixer
   - id: trailing-whitespace
@@ -28,7 +28,7 @@ repos:
   - id: shellcheck
     files: ^checksec$
 - repo: https://github.com/Lucas-C/pre-commit-hooks
-  rev: v1.2.0
+  rev: v1.5.5
   hooks:
   - id: forbid-crlf
   - id: remove-crlf

diff --git a/Dockerfile.photon b/Dockerfile.photon
@@ -1,12 +1,15 @@
-FROM photon:3.0
+FROM photon:5.0
 
 # Install dependencies
 RUN tdnf upgrade -y && tdnf remove toybox -y && \
     tdnf install -y build-essential git rpm-build coreutils util-linux \
-    make autoconf automake gcc ncurses-devel sed tar texinfo procps-ng grep \
-    findutils gzip file which libxml2 python3 python3-pip jq && \
+    make autoconf automake gcc ncurses-devel sed tar texinfo wget procps-ng grep \
+    findutils gzip file which libxml2 python3 python3-pip jq clang gcc-multilib && \
     pip3 install --upgrade pip && pip3 install setuptools && \
-    pip3 install demjson3
+    pip3 install demjson3 && mkdir -p /zig && \
+    wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+    tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+    rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 
 COPY .  /root
 WORKDIR /root
diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu
@@ -1,12 +1,16 @@
-FROM ubuntu:18.04
+FROM ubuntu:22.04
 
 # Install dependencies
 RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
-  bc bison flex build-essential ccache git \
+  bc bison flex build-essential ccache git file \
   libncurses-dev libssl-dev u-boot-tools wget \
-  xz-utils vim xfce4 libxml2-utils python-demjson jq \
-  gcc-multilib clang \
- && apt-get clean
+  xz-utils vim xfce4 libxml2-utils python3 python3-pip jq \
+  gcc clang && apt-get clean \
+  pip3 install --upgrade pip && pip3 install setuptools && \
+  pip3 install demjson3 && mkdir -p /zig && \
+  wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+  tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+  rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 
 COPY .  /root
 WORKDIR /root
diff --git a/Makefile b/Makefile
@@ -9,3 +9,8 @@ build:
 .PHONY: test
 test:
 	./tests/test-checksec.sh
+
+.PHONY compose-test
+compose-test:
+	docker-compose build
+	docker-compose run
diff --git a/src/functions/filecheck.sh b/src/functions/filecheck.sh
@@ -138,7 +138,7 @@ filecheck() {
   FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
   FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
 
-  if grep -q '_chk$' <<< "$FS_func"; then
+  if [[ $FS_cnt_unchecked -eq $FS_cnt_checked ]]; then
     echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
   else
     echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'

diff --git a/tests/binaries/build_binaries.sh b/tests/binaries/build_binaries.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+set -x
+
+export PATH=$PATH:/zig/
 
 # All hardening features on (except for CFI and SafeStack)
 gcc -o all test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
@@ -26,14 +29,15 @@ clang -o none_cl test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2
 clang -c test.c -o rel_cl.o
 clang -shared -fPIC -o dso_cl.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
 
-# 32-bit (you might need 'sudo apt install gcc-multilib')
-gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
-gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
-gcc -m32 -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
-gcc -m32 -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
-gcc -m32 -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
-gcc -m32 -c test.c -o rel32.o
-gcc -m32 -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
+# 32-bit use zig for cross compile
+zig cc --target=x86-linux-gnu -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+zig cc --target=x86-linux-gnu -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+zig cc --target=x86-linux-gnu -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
+zig cc --target=x86-linux-gnu -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
+zig cc --target=x86-linux-gnu -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
+zig cc --target=x86-linux-gnu -c test.c -o rel32.o
+zig cc --target=x86-linux-gnu -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
+
 clang -m32 -o cfi32 test.c -w -flto -fsanitize=cfi -fvisibility=default
 clang -m32 -o sstack32 test.c -w -fsanitize=safe-stack
 clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s