Blame SOURCES/annobin.ldconfig.patch

aafa26
diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
aafa26
--- annobin.orig/annocheck/hardened.c	2021-10-26 16:27:58.353141848 +0100
aafa26
+++ annobin-10.21/annocheck/hardened.c	2021-10-26 16:28:24.527040025 +0100
aafa26
@@ -1479,7 +1479,7 @@ skip_fortify_checks_for_function (annoch
aafa26
     {
aafa26
       /* NB. KEEP THIS ARRAY ALPHA-SORTED  */
aafa26
       "_GLOBAL__sub_I_main",
aafa26
-      "_Unwind_Resume",              /* In /sbin/ldconfig.  */
aafa26
+      "_Unwind_Resume",
aafa26
       "__b64_ntop",  	             /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2.  */
aafa26
       "__b64_pton",	             /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2.  */
aafa26
       "__ctype_get_mb_cur_max",
aafa26
@@ -1490,17 +1490,13 @@ skip_fortify_checks_for_function (annoch
aafa26
       "__td_ta_rtld_global",         /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1.  */
aafa26
       "_dl_start_user", 	     /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2.  */
aafa26
       "_dl_tunable_set_arena_max",   /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0.  */
aafa26
-      "_nl_archive_subfreeres",      /* Found in x86_64, RHEL-8.6 /sbin/ldconfig.  */
aafa26
       "_start",
aafa26
       "blacklist_store_name",
aafa26
       "dlmopen_doit",                /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2.  */
aafa26
-      "free_category",               /* Found in x86_64, RHEL-8.6 /sbin/ldconfig.  */
aafa26
       "free_derivation",
aafa26
       "free_mem",
aafa26
-      "insert_to_aux_cache.cold.6",  /* Found in x86_64, RHEL-8.6 /sbin/ldconfig.  */
aafa26
       "install_handler",
aafa26
       "internal_setgrent",
aafa26
-      "print_entry",                 /* In /sbin/ldconfig.  */
aafa26
       "td_init",	             /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1.  */
aafa26
       "unlink_blk" 	             /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0.  */
aafa26
     };
aafa26
@@ -1524,11 +1520,9 @@ skip_pic_checks_for_function (annocheck_
aafa26
     {
aafa26
       /* NB. KEEP THIS ARRAY ALPHA-SORTED  */
aafa26
       "_GLOBAL__sub_I_main",
aafa26
-      "_Unwind_Resume",         /* In /sbin/ldconfig.  */
aafa26
-      "_nl_archive_subfreeres", /* In /sbin/ldconfig.  */
aafa26
+      "_Unwind_Resume",
aafa26
       "_start",
aafa26
-      "atexit",        /* The atexit function in libiberty is only compiled with -fPIC not -fPIE.  */
aafa26
-      "print_entry"    /* In /sbin/ldconfig.  */
aafa26
+      "atexit"                  /* The atexit function in libiberty is only compiled with -fPIC not -fPIE.  */
aafa26
     };
aafa26
 
aafa26
   if (skip_this_func (non_pie_funcs, ARRAY_SIZE (non_pie_funcs), component_name))
aafa26
@@ -1566,15 +1560,12 @@ skip_stack_checks_for_function (annochec
aafa26
       "_dl_start",
aafa26
       "_dl_start_user", /* Found in ppc64le, RHEL-9 /lib64/ld64.so.2.  */
aafa26
       "_dl_sysinfo_int80", /* In /lib/ld-linux.so.2.  */
aafa26
-      "_dl_tls_static_surplus_init", /* In /sbin/ldconfig.  */
aafa26
       "_fini",
aafa26
       "_init",
aafa26
       "_start",
aafa26
-      "allocate_dtv",   /* Found in AArch64, RHEL-8, /sbin/ldconfig.  */
aafa26
       "check_match", 	/* Found in AArch64, RHEL-8, /lib64/ld-2.28.so.  */
aafa26
       "check_one_fd",
aafa26
       "dlmopen_doit", 
aafa26
-      "generic_start_main", /* Found in PPC64LE, RHEL-8, /sbin/ldconfig.  */
aafa26
       "get_common_indices.constprop.0",
aafa26
       "is_dst",
aafa26
       "notify_audit_modules_of_loaded_object",
aafa26
@@ -1665,6 +1656,10 @@ function %s is part of the C library's s
aafa26
       return true;
aafa26
     }
aafa26
 
aafa26
+  /* The ldconfig binary is known to be compiled with most security features.  */
aafa26
+  if (streq (data->full_filename, "/sbin/ldconfig"))
aafa26
+    return true;
aafa26
+  
aafa26
   switch (check)
aafa26
     {
aafa26
     case TEST_STACK_PROT:
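Review bot: The new `streq (data->full_filename, "/sbin/ldconfig")` test sits before `switch (check)`, so it exempts every function in that file from every test this function handles. That is broader than the per-function, per-test entries the earlier hunks remove. The exemption also depends on the path string alone, so the same binary reached under another name (for example `/usr/sbin/ldconfig` or an unpacked package tree, if `full_filename` is taken from the command line) would lose it. The comment "known to be compiled with most security features" reads as a reason to run the checks rather than skip them. It should say which features are missing and why that is acceptable, and record that the match is by path only. The enclosing function starts and ends outside this hunk.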
aafa26
@@ -4790,7 +4785,11 @@ process_arg (const char * arg, const cha
aafa26
 	    }
aafa26
 	}
aafa26
 
aafa26
-      return false;
aafa26
+      /* Do not fail if we do not recognise the test name.  It may be from a
aafa26
+	 future version of annocheck, and it just so happens that a test is
aafa26
+	 running this version by mistake.  */
aafa26
+      einfo (INFO, "ignoring unrecognized test name in --skip option: %s", arg);
aafa26
+      return true;
aafa26
     }
aafa26
 
aafa26
   if (const_strneq (arg, "test-"))
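Review bot: The comment above the new `return true` explains why an unknown name is tolerated but not what happens to it. Assuming the loop closed just above only acts on names it matches, the comment should state that nothing is disabled in this case, e.g. `/* An unrecognised name disables no test; every check still runs. */`. If `INFO` output can be suppressed, a misspelt `--skip-` name would go unnoticed, so a warning-level message may suit this better. process_arg starts and ends outside the hunk.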
aafa26
diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
aafa26
--- annobin.orig/annocheck/hardened.c	2021-10-27 11:23:27.161942804 +0100
aafa26
+++ annobin-10.21/annocheck/hardened.c	2021-10-27 11:23:59.692741676 +0100
aafa26
@@ -1658,7 +1658,13 @@ function %s is part of the C library's s
aafa26
 
aafa26
   /* The ldconfig binary is known to be compiled with most security features.  */
aafa26
   if (streq (data->full_filename, "/sbin/ldconfig"))
aafa26
-    return true;
aafa26
+    {
aafa26
+      sprintf (reason, "\
aafa26
+function %s is part of the C library's startup code, which executes before stack protection is established",
aafa26
+	       component_name);
aafa26
+      skip (data, check, SOURCE_SKIP_CHECKS, reason);
aafa26
+      return true;
aafa26
+    }
aafa26
   
aafa26
   switch (check)
aafa26
     {
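Review bot: The reason text in the added block is copied from the startup-code case, so every function skipped because the file is `/sbin/ldconfig` is reported as "part of the C library's startup code, which executes before stack protection is established", whatever `check` is. The report should name the real cause, e.g. `"function %s is in /sbin/ldconfig, which is exempt from this test"`. The `sprintf` into `reason` is also unbounded, and `component_name` presumably comes from the file being analysed. If `reason` is an array (its declaration is outside the hunk), `snprintf (reason, sizeof reason, ...)` would cap the write. The same pattern appears in the existing code quoted in the hunk header, so the bound is worth applying there too.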