Attachment #127805 for bug #184443




	done

	if type -p scanelf > /dev/null ; then
		local qa_var insecure_rpath=0

		# Make sure we disallow insecure RUNPATH/RPATH's
		# Don't want paths that point to the tree where the package was built

		fi

		# TEXTREL's are baaaaaaaad
		# Allow devs to mark things as ignorable ... e.g. things that are
		# binary-only and upstream isn't cooperating (nvidia-glx) ... we
		# allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
		# the former overrides the latter ... regexes allowed ! :)
		qa_var="QA_TEXTRELS_${ARCH}"
		[[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
		f=$(scanelf -qyRF '%t %p' "${D}" | grep -v ' usr/lib/debug/' | \
			gawk '
			BEGIN { split("'"${QA_TEXTRELS}"'", ignore); }
			{	for (idx in ignore)
					if ($NF ~ "^"ignore[idx]"$")
					next;
				print;
			}')
		if [[ -n ${f} ]] ; then
			scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log
			echo -ne '\a\n'
			echo "QA Notice: the following files contain runtime text relocations"
			echo " Text relocations force the dynamic linker to perform extra"

			# http://hardened.gentoo.org/gnu-stack.xml (Arch Status)
			case ${CTARGET:-${CHOST}} in
				i?86*|ia64*|m68k*|powerpc64*|s390*|x86_64*)
					# Allow devs to mark things as ignorable ... e.g. things
					# that are binary-only and upstream isn't cooperating ...
					# we allow ebuild authors to set QA_EXECSTACK_arch and
					# QA_EXECSTACK ... the former overrides the latter ...
					# regexes allowed ! :)

					qa_var="QA_EXECSTACK_${ARCH}"
					[[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var}
					f=$(scanelf -qyRF '%e %p' "${D}" | grep -v ' usr/lib/debug/' | \
						gawk '
						BEGIN { split("'"${QA_EXECSTACK}"'", ignore); }
						{	for (idx in ignore)
								if ($NF ~ "^"ignore[idx]"$")
									next;
							print;
						}')
					;;
				*)	f="" ;;
			esac
			;;
		esac
		if [[ -n ${f} ]] ; then
			# One more pass to help devs track down the source
			scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log
			echo -ne '\a\n'
			echo "QA Notice: the following files contain executable stacks"
			echo " Files with executable stacks will not work properly (or at all!)"

			echo " at http://bugs.gentoo.org/ to make sure the file is fixed."
			echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml"
			echo " Please include this file in your report:"
			echo " ${T}/scanelf-execstack.log"
			echo "${f}"
			echo -ne '\a\n'
			die_msg="${die_msg} execstacks"

Return to bug 184443

Lines 1095-1101 Link Here

(-)ebuild.sh (-8 / +36 lines)
1095	done	1095	done
1096		1096
1097	if type -p scanelf > /dev/null ; then	1097	if type -p scanelf > /dev/null ; then
1098	local insecure_rpath=0	1098	local qa_var insecure_rpath=0
1099		1099
1100	# Make sure we disallow insecure RUNPATH/RPATH's	1100	# Make sure we disallow insecure RUNPATH/RPATH's
1101	# Don't want paths that point to the tree where the package was built	1101	# Don't want paths that point to the tree where the package was built
Lines 1132-1140 Link Here
1132	fi	1132	fi
1133		1133
1134	# TEXTREL's are baaaaaaaad	1134	# TEXTREL's are baaaaaaaad
1135	f=$(scanelf -qyRF '%t %p' "${D}")	1135	# Allow devs to mark things as ignorable ... e.g. things that are
		1136	# binary-only and upstream isn't cooperating (nvidia-glx) ... we
		1137	# allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
		1138	# the former overrides the latter ... regexes allowed ! :)
		1139	qa_var="QA_TEXTRELS_${ARCH}"
		1140	[[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
		1141	f=$(scanelf -qyRF '%t %p' "${D}" \| grep -v ' usr/lib/debug/' \| \
		1142	gawk '
		1143	BEGIN { split("'"${QA_TEXTRELS}"'", ignore); }
		1144	{ for (idx in ignore)
		1145	if ($NF ~ "^"ignore[idx]"$")
		1146	next;
		1147	print;
		1148	}')
1136	if [[ -n ${f} ]] ; then	1149	if [[ -n ${f} ]] ; then
1137	scanelf -qyRF '%T %p' "${WORKDIR}"/ &> "${T}"/scanelf-textrel.log	1150	scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log
1138	echo -ne '\a\n'	1151	echo -ne '\a\n'
1139	echo "QA Notice: the following files contain runtime text relocations"	1152	echo "QA Notice: the following files contain runtime text relocations"
1140	echo " Text relocations force the dynamic linker to perform extra"	1153	echo " Text relocations force the dynamic linker to perform extra"
Lines 1158-1172 Link Here
1158	# http://hardened.gentoo.org/gnu-stack.xml (Arch Status)	1171	# http://hardened.gentoo.org/gnu-stack.xml (Arch Status)
1159	case ${CTARGET:-${CHOST}} in	1172	case ${CTARGET:-${CHOST}} in
1160	i?86\|ia64\|m68k\|powerpc64\|s390\|x86_64)	1173	i?86\|ia64\|m68k\|powerpc64\|s390\|x86_64)
1161	f=$(scanelf -qyRF '%e %p' "${D}") ;;	1174	# Allow devs to mark things as ignorable ... e.g. things
1162	*)	1175	# that are binary-only and upstream isn't cooperating ...
1163	f="" ;;	1176	# we allow ebuild authors to set QA_EXECSTACK_arch and
		1177	# QA_EXECSTACK ... the former overrides the latter ...
		1178	# regexes allowed ! :)
		1179
		1180	qa_var="QA_EXECSTACK_${ARCH}"
		1181	[[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var}
		1182	f=$(scanelf -qyRF '%e %p' "${D}" \| grep -v ' usr/lib/debug/' \| \
		1183	gawk '
		1184	BEGIN { split("'"${QA_EXECSTACK}"'", ignore); }
		1185	{ for (idx in ignore)
		1186	if ($NF ~ "^"ignore[idx]"$")
		1187	next;
		1188	print;
		1189	}')
		1190	;;
		1191	*) f="" ;;
1164	esac	1192	esac
1165	;;	1193	;;
1166	esac	1194	esac
1167	if [[ -n ${f} ]] ; then	1195	if [[ -n ${f} ]] ; then
1168	# One more pass to help devs track down the source	1196	# One more pass to help devs track down the source
1169	scanelf -qyRF '%e %p' "${WORKDIR}"/ &> "${T}"/scanelf-exec.log	1197	scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log
1170	echo -ne '\a\n'	1198	echo -ne '\a\n'
1171	echo "QA Notice: the following files contain executable stacks"	1199	echo "QA Notice: the following files contain executable stacks"
1172	echo " Files with executable stacks will not work properly (or at all!)"	1200	echo " Files with executable stacks will not work properly (or at all!)"
Lines 1174-1180 Link Here
1174	echo " at http://bugs.gentoo.org/ to make sure the file is fixed."	1202	echo " at http://bugs.gentoo.org/ to make sure the file is fixed."
1175	echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml"	1203	echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml"
1176	echo " Please include this file in your report:"	1204	echo " Please include this file in your report:"
1177	echo " ${T}/scanelf-exec.log"	1205	echo " ${T}/scanelf-execstack.log"
1178	echo "${f}"	1206	echo "${f}"
1179	echo -ne '\a\n'	1207	echo -ne '\a\n'
1180	die_msg="${die_msg} execstacks"	1208	die_msg="${die_msg} execstacks"