From c8a73a98ec634df90074219c95ca51f6b99c2b4f Mon Sep 17 00:00:00 2001
From: Brian Davis
Date: Thu, 18 Apr 2024 19:51:47 -0400
Subject: [PATCH] fix: fix generation
- test containers workflow updates
- fix generation
- update build-binaries
---
 .github/workflows/pull_request.yml | 4 ++--
 .pre-commit-config.yaml | 4 ++--
 Dockerfile.photon | 11 +++++++----
 Dockerfile.ubuntu | 14 +++++++++-----
 Makefile | 5 +++++
 src/functions/filecheck.sh | 2 +-
 tests/binaries/build_binaries.sh | 20 ++++++++++++--------
 7 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 09b14fd..f4fc29b 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,12 +4,12 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 - name: render-checksec
 run: |
 pip install pre-commit
 mkdir ${HOME}/bin
- curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.4.0/shfmt_v3.4.0_linux_amd64
+ curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64
 chmod +x ${HOME}/bin/shfmt
 export PATH=${PATH}:${HOME}/bin
 pre-commit run --all-files
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a6bf519..54a1960 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,7 +12,7 @@ repos:
 language: system
 pass_filenames: false
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.2.0
+ rev: v4.5.0
 hooks:
 - id: end-of-file-fixer
 - id: trailing-whitespace
@@ -28,7 +28,7 @@ repos:
 - id: shellcheck
 files: ^checksec$
 - repo: https://github.com/Lucas-C/pre-commit-hooks
- rev: v1.2.0
+ rev: v1.5.5
 hooks:
 - id: forbid-crlf
 - id: remove-crlf
diff --git a/Dockerfile.photon b/Dockerfile.photon
index 5bbc218..b0dce12 100644
--- a/Dockerfile.photon
+++ b/Dockerfile.photon
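Review bot: The new `+ curl -Lo ${HOME}/bin/shfmt …` line fetches a binary that the following `chmod +x` and `pre-commit run` steps execute inside the job, with neither `--fail` nor any integrity check, so a 404 error page or a tampered release asset would be installed and run just the same. Use `curl -fsSLo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64` and verify it against the `sha256sums.txt` shipped with that release, e.g. `echo "<sha256 from the v3.8.0 release>  ${HOME}/bin/shfmt" | sha256sum -c -`, before the `chmod +x`. The `actions/checkout@v3` bump still pins a mutable tag; pinning third-party actions to a full commit SHA with the version in a trailing comment is the usual hardening for CI workflows.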
@@ -1,12 +1,15 @@
-FROM photon:3.0
+FROM photon:5.0
 # Install dependencies
 RUN tdnf upgrade -y && tdnf remove toybox -y && \
 tdnf install -y build-essential git rpm-build coreutils util-linux \
- make autoconf automake gcc ncurses-devel sed tar texinfo procps-ng grep \
- findutils gzip file which libxml2 python3 python3-pip jq && \
+ make autoconf automake gcc ncurses-devel sed tar texinfo wget procps-ng grep \
+ findutils gzip file which libxml2 python3 python3-pip jq clang && \
 pip3 install --upgrade pip && pip3 install setuptools && \
- pip3 install demjson3
+ pip3 install demjson3 && mkdir -p /zig && \
+ wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+ tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+ rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 COPY . /root
 WORKDIR /root
diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu
index 9a95274..ab16838 100644
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@@ -1,12 +1,16 @@
-FROM ubuntu:18.04
+FROM ubuntu:22.04
 # Install dependencies
 RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
- bc bison flex build-essential ccache git \
+ bc bison flex build-essential ccache git file \
 libncurses-dev libssl-dev u-boot-tools wget \
- xz-utils vim xfce4 libxml2-utils python-demjson jq \
- gcc-multilib clang \
- && apt-get clean
+ xz-utils vim xfce4 libxml2-utils python3 python3-pip jq \
+ gcc clang gcc-multilib && apt-get clean \
+ pip3 install --upgrade pip && pip3 install setuptools && \
+ pip3 install demjson3 && mkdir -p /zig && \
+ wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+ tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+ rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 COPY . /root
 WORKDIR /root
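Review bot: The added `+ wget`/`+ tar`/`+ rm` lines install a Zig nightly from `ziglang.org/builds` with no integrity check, so the compiler that produces every 32-bit test fixture is trusted on the strength of the TLS connection alone, and nightly artifacts under `/builds/` are not kept indefinitely, so this `RUN` will presumably start failing on a 404 at some point. Pin the archive's sha256 (published per file in https://ziglang.org/download/index.json, alongside a `.minisig` signature) and check it before extracting, e.g. `echo "<sha256 for this arch>  zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz" | sha256sum -c - && \` between the `wget` and `tar` steps; since the hash differs per `$(uname -m)`, either select the expected hash by architecture or build for a single pinned one. Lifting the version string into an `ARG ZIG_VERSION=0.12.0-dev.3667+77abd3a96` would also avoid repeating it on four lines. `tdnf clean all` is not run at the end of the chain, so the package cache stays in the layer.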
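Review bot: The `+ gcc clang gcc-multilib && apt-get clean \` line is followed by `pip3 install --upgrade pip && …` with no `&&`, so after the backslash continuation `pip3 install --upgrade pip` becomes extra arguments to `apt-get clean` instead of its own command; apt-get will either reject the unknown `--upgrade` option and fail the build or, at best, ignore the words and silently skip the pip upgrade. Change the line to `gcc clang gcc-multilib && apt-get clean && \`. The zig download on the three lines below has the same gap as the Photon image: a nightly from `ziglang.org/builds` is extracted with no checksum or signature verification, so add a `sha256sum -c` (keyed by `$(uname -m)`) between `wget` and `tar`, or pin a released version. `apt-get clean` without `rm -rf /var/lib/apt/lists/*` and an install without `--no-install-recommends` (this image already pulls in `xfce4`) also leave the apt lists and recommended packages in the layer.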
diff --git a/Makefile b/Makefile
index ae8de80..6c06659 100644
--- a/Makefile
+++ b/Makefile
@@ -9,3 +9,8 @@ build:
 .PHONY: test
 test:
 ./tests/test-checksec.sh
+
+.PHONY compose-test
+compose-test:
+ docker-compose build
+ docker-compose run
diff --git a/src/functions/filecheck.sh b/src/functions/filecheck.sh
index 45298c4..82c4f1e 100644
--- a/src/functions/filecheck.sh
+++ b/src/functions/filecheck.sh
@@ -138,7 +138,7 @@ filecheck() {
 FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
 FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
- if grep -q '_chk$' <<< "$FS_func"; then
+ if [[ $FS_cnt_unchecked -eq $FS_cnt_checked ]]; then
 echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
 else
 echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
diff --git a/tests/binaries/build_binaries.sh b/tests/binaries/build_binaries.sh
index 33c6059..6b0d9c0 100755
--- a/tests/binaries/build_binaries.sh
+++ b/tests/binaries/build_binaries.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+set -x
+
+export PATH=$PATH:/zig/
 # All hardening features on (except for CFI and SafeStack)
 gcc -o all test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
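Review bot: `+.PHONY compose-test` is missing the colon, and a line that is neither a rule, an assignment nor a directive makes GNU make stop with `missing separator` while parsing the file, so every target including `make test` breaks as soon as this lands. It should read `.PHONY: compose-test`. `docker-compose run` also requires a service name (`docker-compose run <service>`); with none given compose prints its usage and exits non-zero, so the target cannot succeed as written. The two recipe lines must be tab-indented; the collapsed rendering here does not let me confirm they are.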
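Review bot: The new condition `+ if [[ $FS_cnt_unchecked -eq $FS_cnt_checked ]]` reports `fortify_source="yes"` whenever the count of unfortified fortifiable imports happens to equal the count of `_chk` imports, which says nothing about fortification: a binary with zero of each (nothing fortifiable, or no symbol table) is reported yes, while one with five `_chk` calls and two unfortified ones is reported no. The two counts are the disjoint parts summed into `FS_cnt_total` on the line above, so the intended predicate is presumably either "at least one fortified call" — `[[ $FS_cnt_checked -gt 0 ]]`, which is what the removed `grep -q '_chk$'` expressed — or "every fortifiable call is fortified" — `[[ $FS_cnt_checked -gt 0 && $FS_cnt_unchecked -eq 0 ]]`; whichever is meant deserves a one-line comment above the `if`. How `FS_func_libc` and `FS_cnt_checked` are built is outside this hunk, and `filecheck()` begins before it.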
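Review bot: `+set -x` only traces commands; without `-e` a failing `gcc`/`zig cc` invocation — for example when `/zig` is empty because the image step did not run — leaves a fixture missing or stale while the script still exits 0, and the failure surfaces later in `test-checksec.sh` with an unrelated message. Prefer `set -ex` here and fail early when the cross compiler is absent, e.g. `command -v zig >/dev/null || { echo 'zig not found on PATH' >&2; exit 1; }` after the `export PATH` line; if some fixtures are expected to fail on some hosts, mark those commands individually rather than ignoring every failure. The `/zig/` path is hard-coded to what the two Dockerfiles create, and a comment saying so (`# /zig is populated by Dockerfile.photon and Dockerfile.ubuntu`) would help anyone running this outside the container.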
@@ -26,14 +29,15 @@ clang -o none_cl test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2
 clang -c test.c -o rel_cl.o
 clang -shared -fPIC -o dso_cl.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
-# 32-bit (you might need 'sudo apt install gcc-multilib')
-gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
-gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
-gcc -m32 -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
-gcc -m32 -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
-gcc -m32 -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
-gcc -m32 -c test.c -o rel32.o
-gcc -m32 -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
+# 32-bit use zig for cross compile
+zig cc --target=x86-linux-gnu -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+zig cc --target=x86-linux-gnu -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+zig cc --target=x86-linux-gnu -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
+zig cc --target=x86-linux-gnu -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
+zig cc --target=x86-linux-gnu -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
+zig cc --target=x86-linux-gnu -c test.c -o rel32.o
+zig cc --target=x86-linux-gnu -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
+
 clang -m32 -o cfi32 test.c -w -flto -fsanitize=cfi -fvisibility=default
 clang -m32 -o sstack32 test.c -w -fsanitize=safe-stack
 clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
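Review bot: The seven `+zig cc --target=x86-linux-gnu` lines do not pin a glibc version, and zig resolves an unversioned `-gnu` triple to its own default glibc, which moves between zig releases, so the symbol set in these fixtures — in particular whether `all32`, `partial32` and `dso32.so` built with `-D_FORTIFY_SOURCE=2` actually import `__*_chk` variants from zig's bundled headers, which is what checksec's fortify verdict is computed from — depends on the nightly that happens to be installed; pin it, e.g. `--target=x86-linux-gnu.2.35`, and confirm with `readelf -s all32 | grep -c _chk` that fortified imports are present after the switch. The three `clang -m32` context lines below still use the host clang with 32-bit system libraries; the Ubuntu image keeps `gcc-multilib` for that, but the Photon image installs no 32-bit runtime, so those fixtures presumably fail there — confirm, or move them to `zig cc` as well. zig links with lld rather than GNU ld, so any property the expected test output relies on but the command line does not set explicitly should be re-baselined against the new fixtures rather than assumed unchanged.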