|
|
aafa26 |
diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
|
|
|
aafa26 |
--- annobin.orig/annocheck/hardened.c 2021-10-26 16:27:58.353141848 +0100
|
|
|
aafa26 |
+++ annobin-10.21/annocheck/hardened.c 2021-10-26 16:28:24.527040025 +0100
|
|
|
aafa26 |
@@ -1479,7 +1479,7 @@ skip_fortify_checks_for_function (annoch
|
|
|
aafa26 |
{
|
|
|
aafa26 |
/* NB. KEEP THIS ARRAY ALPHA-SORTED */
|
|
|
aafa26 |
"_GLOBAL__sub_I_main",
|
|
|
aafa26 |
- "_Unwind_Resume", /* In /sbin/ldconfig. */
|
|
|
aafa26 |
+ "_Unwind_Resume",
|
|
|
aafa26 |
"__b64_ntop", /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2. */
|
|
|
aafa26 |
"__b64_pton", /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2. */
|
|
|
aafa26 |
"__ctype_get_mb_cur_max",
|
|
|
aafa26 |
@@ -1490,17 +1490,13 @@ skip_fortify_checks_for_function (annoch
|
|
|
aafa26 |
"__td_ta_rtld_global", /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1. */
|
|
|
aafa26 |
"_dl_start_user", /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2. */
|
|
|
aafa26 |
"_dl_tunable_set_arena_max", /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0. */
|
|
|
aafa26 |
- "_nl_archive_subfreeres", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
|
|
|
aafa26 |
"_start",
|
|
|
aafa26 |
"blacklist_store_name",
|
|
|
aafa26 |
"dlmopen_doit", /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2. */
|
|
|
aafa26 |
- "free_category", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
|
|
|
aafa26 |
"free_derivation",
|
|
|
aafa26 |
"free_mem",
|
|
|
aafa26 |
- "insert_to_aux_cache.cold.6", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
|
|
|
aafa26 |
"install_handler",
|
|
|
aafa26 |
"internal_setgrent",
|
|
|
aafa26 |
- "print_entry", /* In /sbin/ldconfig. */
|
|
|
aafa26 |
"td_init", /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1. */
|
|
|
aafa26 |
"unlink_blk" /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0. */
|
|
|
aafa26 |
};
|
|
|
aafa26 |
@@ -1524,11 +1520,9 @@ skip_pic_checks_for_function (annocheck_
|
|
|
aafa26 |
{
|
|
|
aafa26 |
/* NB. KEEP THIS ARRAY ALPHA-SORTED */
|
|
|
aafa26 |
"_GLOBAL__sub_I_main",
|
|
|
aafa26 |
- "_Unwind_Resume", /* In /sbin/ldconfig. */
|
|
|
aafa26 |
- "_nl_archive_subfreeres", /* In /sbin/ldconfig. */
|
|
|
aafa26 |
+ "_Unwind_Resume",
|
|
|
aafa26 |
"_start",
|
|
|
aafa26 |
- "atexit", /* The atexit function in libiberty is only compiled with -fPIC not -fPIE. */
|
|
|
aafa26 |
- "print_entry" /* In /sbin/ldconfig. */
|
|
|
aafa26 |
+ "atexit" /* The atexit function in libiberty is only compiled with -fPIC not -fPIE. */
|
|
|
aafa26 |
};
|
|
|
aafa26 |
|
|
|
aafa26 |
if (skip_this_func (non_pie_funcs, ARRAY_SIZE (non_pie_funcs), component_name))
|
|
|
aafa26 |
@@ -1566,15 +1560,12 @@ skip_stack_checks_for_function (annochec
|
|
|
aafa26 |
"_dl_start",
|
|
|
aafa26 |
"_dl_start_user", /* Found in ppc64le, RHEL-9 /lib64/ld64.so.2. */
|
|
|
aafa26 |
"_dl_sysinfo_int80", /* In /lib/ld-linux.so.2. */
|
|
|
aafa26 |
- "_dl_tls_static_surplus_init", /* In /sbin/ldconfig. */
|
|
|
aafa26 |
"_fini",
|
|
|
aafa26 |
"_init",
|
|
|
aafa26 |
"_start",
|
|
|
aafa26 |
- "allocate_dtv", /* Found in AArch64, RHEL-8, /sbin/ldconfig. */
|
|
|
aafa26 |
"check_match", /* Found in AArch64, RHEL-8, /lib64/ld-2.28.so. */
|
|
|
aafa26 |
"check_one_fd",
|
|
|
aafa26 |
"dlmopen_doit",
|
|
|
aafa26 |
- "generic_start_main", /* Found in PPC64LE, RHEL-8, /sbin/ldconfig. */
|
|
|
aafa26 |
"get_common_indices.constprop.0",
|
|
|
aafa26 |
"is_dst",
|
|
|
aafa26 |
"notify_audit_modules_of_loaded_object",
|
|
|
aafa26 |
@@ -1665,6 +1656,10 @@ function %s is part of the C library's s
|
|
|
aafa26 |
return true;
|
|
|
aafa26 |
}
|
|
|
aafa26 |
|
|
|
aafa26 |
+ /* The ldconfig binary is known to be compiled with most security features. */
|
|
|
aafa26 |
+ if (streq (data->full_filename, "/sbin/ldconfig"))
|
|
|
aafa26 |
+ return true;
|
|
|
aafa26 |
+
|
|
|
aafa26 |
switch (check)
|
|
|
aafa26 |
{
|
|
|
aafa26 |
case TEST_STACK_PROT:
|
|
|
aafa26 |
@@ -4790,7 +4785,11 @@ process_arg (const char * arg, const cha
|
|
|
aafa26 |
}
|
|
|
aafa26 |
}
|
|
|
aafa26 |
|
|
|
aafa26 |
- return false;
|
|
|
aafa26 |
+ /* Do not fail if we do not recognise the test name. It may be from a
|
|
|
aafa26 |
+ future version of annocheck, and it just so happens that a test is
|
|
|
aafa26 |
+ running this version by mistake. */
|
|
|
aafa26 |
+ einfo (INFO, "ignoring unrecognized test name in --skip option: %s", arg);
|
|
|
aafa26 |
+ return true;
|
|
|
aafa26 |
}
|
|
|
aafa26 |
|
|
|
aafa26 |
if (const_strneq (arg, "test-"))
|
|
|
aafa26 |
diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
|
|
|
aafa26 |
--- annobin.orig/annocheck/hardened.c 2021-10-27 11:23:27.161942804 +0100
|
|
|
aafa26 |
+++ annobin-10.21/annocheck/hardened.c 2021-10-27 11:23:59.692741676 +0100
|
|
|
aafa26 |
@@ -1658,7 +1658,13 @@ function %s is part of the C library's s
|
|
|
aafa26 |
|
|
|
aafa26 |
/* The ldconfig binary is known to be compiled with most security features. */
|
|
|
aafa26 |
if (streq (data->full_filename, "/sbin/ldconfig"))
|
|
|
aafa26 |
- return true;
|
|
|
aafa26 |
+ {
|
|
|
aafa26 |
+ sprintf (reason, "\
|
|
|
aafa26 |
+function %s is part of the C library's startup code, which executes before stack protection is established",
|
|
|
aafa26 |
+ component_name);
|
|
|
aafa26 |
+ skip (data, check, SOURCE_SKIP_CHECKS, reason);
|
|
|
aafa26 |
+ return true;
|
|
|
aafa26 |
+ }
|
|
|
aafa26 |
|
|
|
aafa26 |
switch (check)
|
|
|
aafa26 |
{
|