Lines 1095-1101
1095 |
done |
1095 |
done |
1096 |
|
1096 |
|
1097 |
if type -p scanelf > /dev/null ; then |
1097 |
if type -p scanelf > /dev/null ; then |
1098 |
local insecure_rpath=0 |
1098 |
local qa_var insecure_rpath=0 |
1099 |
|
1099 |
|
1100 |
# Make sure we disallow insecure RUNPATH/RPATH's |
1100 |
# Make sure we disallow insecure RUNPATH/RPATH's |
1101 |
# Don't want paths that point to the tree where the package was built |
1101 |
# Don't want paths that point to the tree where the package was built |
Lines 1132-1140
1132 |
fi |
1132 |
fi |
1133 |
|
1133 |
|
1134 |
# TEXTREL's are baaaaaaaad |
1134 |
# TEXTREL's are baaaaaaaad |
1135 |
f=$(scanelf -qyRF '%t %p' "${D}") |
1135 |
# Allow devs to mark things as ignorable ... e.g. things that are |
|
|
1136 |
# binary-only and upstream isn't cooperating (nvidia-glx) ... we |
1137 |
# allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ... |
1138 |
# the former overrides the latter ... regexes allowed ! :) |
1139 |
qa_var="QA_TEXTRELS_${ARCH}" |
1140 |
[[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var} |
1141 |
f=$(scanelf -qyRF '%t %p' "${D}" | grep -v ' usr/lib/debug/' | \ |
1142 |
gawk ' |
1143 |
BEGIN { split("'"${QA_TEXTRELS}"'", ignore); } |
1144 |
{ for (idx in ignore) |
1145 |
if ($NF ~ "^"ignore[idx]"$") |
1146 |
next; |
1147 |
print; |
1148 |
}') |
1136 |
if [[ -n ${f} ]] ; then |
1149 |
if [[ -n ${f} ]] ; then |
1137 |
scanelf -qyRF '%T %p' "${WORKDIR}"/ &> "${T}"/scanelf-textrel.log |
1150 |
scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log |
1138 |
echo -ne '\a\n' |
1151 |
echo -ne '\a\n' |
1139 |
echo "QA Notice: the following files contain runtime text relocations" |
1152 |
echo "QA Notice: the following files contain runtime text relocations" |
1140 |
echo " Text relocations force the dynamic linker to perform extra" |
1153 |
echo " Text relocations force the dynamic linker to perform extra" |
Lines 1158-1172
1158 |
# http://hardened.gentoo.org/gnu-stack.xml (Arch Status) |
1171 |
# http://hardened.gentoo.org/gnu-stack.xml (Arch Status) |
1159 |
case ${CTARGET:-${CHOST}} in |
1172 |
case ${CTARGET:-${CHOST}} in |
1160 |
i?86*|ia64*|m68k*|powerpc64*|s390*|x86_64*) |
1173 |
i?86*|ia64*|m68k*|powerpc64*|s390*|x86_64*) |
1161 |
f=$(scanelf -qyRF '%e %p' "${D}") ;; |
1174 |
# Allow devs to mark things as ignorable ... e.g. things |
1162 |
*) |
1175 |
# that are binary-only and upstream isn't cooperating ... |
1163 |
f="" ;; |
1176 |
# we allow ebuild authors to set QA_EXECSTACK_arch and |
|
|
1177 |
# QA_EXECSTACK ... the former overrides the latter ... |
1178 |
# regexes allowed ! :) |
1179 |
|
1180 |
qa_var="QA_EXECSTACK_${ARCH}" |
1181 |
[[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var} |
1182 |
f=$(scanelf -qyRF '%e %p' "${D}" | grep -v ' usr/lib/debug/' | \ |
1183 |
gawk ' |
1184 |
BEGIN { split("'"${QA_EXECSTACK}"'", ignore); } |
1185 |
{ for (idx in ignore) |
1186 |
if ($NF ~ "^"ignore[idx]"$") |
1187 |
next; |
1188 |
print; |
1189 |
}') |
1190 |
;; |
1191 |
*) f="" ;; |
1164 |
esac |
1192 |
esac |
1165 |
;; |
1193 |
;; |
1166 |
esac |
1194 |
esac |
1167 |
if [[ -n ${f} ]] ; then |
1195 |
if [[ -n ${f} ]] ; then |
1168 |
# One more pass to help devs track down the source |
1196 |
# One more pass to help devs track down the source |
1169 |
scanelf -qyRF '%e %p' "${WORKDIR}"/ &> "${T}"/scanelf-exec.log |
1197 |
scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log |
1170 |
echo -ne '\a\n' |
1198 |
echo -ne '\a\n' |
1171 |
echo "QA Notice: the following files contain executable stacks" |
1199 |
echo "QA Notice: the following files contain executable stacks" |
1172 |
echo " Files with executable stacks will not work properly (or at all!)" |
1200 |
echo " Files with executable stacks will not work properly (or at all!)" |
Lines 1174-1180
1174 |
echo " at http://bugs.gentoo.org/ to make sure the file is fixed." |
1202 |
echo " at http://bugs.gentoo.org/ to make sure the file is fixed." |
1175 |
echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml" |
1203 |
echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml" |
1176 |
echo " Please include this file in your report:" |
1204 |
echo " Please include this file in your report:" |
1177 |
echo " ${T}/scanelf-exec.log" |
1205 |
echo " ${T}/scanelf-execstack.log" |
1178 |
echo "${f}" |
1206 |
echo "${f}" |
1179 |
echo -ne '\a\n' |
1207 |
echo -ne '\a\n' |
1180 |
die_msg="${die_msg} execstacks" |
1208 |
die_msg="${die_msg} execstacks" |
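Review bot: The ignore list is spliced into the gawk program text at `BEGIN { split("'"${QA_TEXTRELS}"'", ignore); }` (new line 1143, and again for `QA_EXECSTACK` at new line 1184), so a double quote or backslash in an ebuild's regex alters the awk source instead of the pattern. Passing the value through the environment keeps it as data, e.g. `QA_IGNORE="${QA_TEXTRELS}" gawk 'BEGIN { split(ENVIRON["QA_IGNORE"], ignore) } ...'` (the variable name is illustrative). The match is made against `$NF` only, so a path containing whitespace is compared by its last word and may be skipped or reported incorrectly. Because these variables switch off a hardening check for every matching file, it would also help to record the skipped paths in the build log, so a suppressed TEXTREL or executable stack stays visible to whoever reviews the package. The enclosing function begins and ends outside the visible hunks.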