diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -219,11 +219,8 @@
 ]
 BASE_MACHO = [
- ("PIE", check_PIE),
 ("NOUNDEFS", check_MACHO_NOUNDEFS),
- ("NX", check_NX),
 ("Canary", check_MACHO_Canary),
- ("CONTROL_FLOW", check_MACHO_control_flow),
 ]
 CHECKS = {
@@ -236,7 +233,12 @@
 lief.ARCHITECTURES.X86: BASE_PE,
 },
 lief.EXE_FORMATS.MACHO: {
- lief.ARCHITECTURES.X86: BASE_MACHO,
+ lief.ARCHITECTURES.X86: BASE_MACHO + [
+ ("PIE", check_PIE),
+ ("NX", check_NX),
+ ("CONTROL_FLOW", check_MACHO_control_flow),
+ ],
+ lief.ARCHITECTURES.ARM64: BASE_MACHO,
 },
 }
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
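Review bot: The new X86 list in the second hunk runs the checks in the order NOUNDEFS, Canary, PIE, NX, CONTROL_FLOW, whereas the old BASE_MACHO ran PIE, NOUNDEFS, NX, Canary, CONTROL_FLOW; if the "failed ..." message is assembled by iterating the CHECKS list (the loop is outside this diff), the X86 expectations left unchanged in the test-security-check.py hunk, such as `": failed PIE NOUNDEFS NX Canary CONTROL_FLOW"`, no longer match and need updating. Separately, the ARM64 entry drops PIE, NX and CONTROL_FLOW with no comment in security-check.py itself; the only rationale on this page is a test comment, so a reader of CHECKS cannot tell whether these were removed because the platform enforces the property or because the lief-based checks misreport on arm64 Mach-O. A one-line comment above the ARM64 entry, e.g. `# arm64 darwin: PIE and NX are enforced by the platform and -fcf-protection has no equivalent, so only NOUNDEFS and Canary are checked  # TODO confirm`, would record that. If check_PIE and check_NX do pass on arm64 binaries, keeping them in the ARM64 list costs nothing and would still surface a toolchain regression, whereas omitting them lets a non-PIE or executable-stack arm64 binary pass silently.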
@@ -423,68 +423,94 @@
 executable = "test1"
 cc = determine_wellknown_cmd("CC", "clang")
 write_testcode(source)
+ arch = get_arch(cc, source, executable)
- self.assertEqual(
- call_security_check(
- cc,
- source,
- executable,
- [
- "-Wl,-no_pie",
- "-Wl,-flat_namespace",
- "-Wl,-allow_stack_execute",
- "-fno-stack-protector",
- ],
- ),
- (1, executable + ": failed PIE NOUNDEFS NX Canary CONTROL_FLOW"),
- )
- self.assertEqual(
- call_security_check(
- cc,
- source,
- executable,
- [
- "-Wl,-no_pie",
- "-Wl,-flat_namespace",
- "-Wl,-allow_stack_execute",
- "-fstack-protector-all",
- ],
- ),
- (1, executable + ": failed PIE NOUNDEFS NX CONTROL_FLOW"),
- )
- self.assertEqual(
- call_security_check(
- cc,
- source,
- executable,
- ["-Wl,-no_pie", "-Wl,-flat_namespace", "-fstack-protector-all"],
- ),
- (1, executable + ": failed PIE NOUNDEFS CONTROL_FLOW"),
- )
- self.assertEqual(
- call_security_check(
- cc, source, executable, ["-Wl,-no_pie", "-fstack-protector-all"]
- ),
- (1, executable + ": failed PIE CONTROL_FLOW"),
- )
- self.assertEqual(
- call_security_check(
- cc,
- source,
- executable,
- ["-Wl,-no_pie", "-fstack-protector-all", "-fcf-protection=full"],
- ),
- (1, executable + ": failed PIE"),
- )
- self.assertEqual(
- call_security_check(
- cc,
- source,
- executable,
- ["-Wl,-pie", "-fstack-protector-all", "-fcf-protection=full"],
- ),
- (0, ""),
- )
+ if arch == lief.ARCHITECTURES.X86:
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ [
+ "-Wl,-no_pie",
+ "-Wl,-flat_namespace",
+ "-Wl,-allow_stack_execute",
+ "-fno-stack-protector",
+ ],
+ ),
+ (1, executable + ": failed PIE NOUNDEFS NX Canary CONTROL_FLOW"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ [
+ "-Wl,-no_pie",
+ "-Wl,-flat_namespace",
+ "-Wl,-allow_stack_execute",
+ "-fstack-protector-all",
+ ],
+ ),
+ (1, executable + ": failed PIE NOUNDEFS NX CONTROL_FLOW"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ ["-Wl,-no_pie", "-Wl,-flat_namespace", "-fstack-protector-all"],
+ ),
+ (1, executable + ": failed PIE NOUNDEFS CONTROL_FLOW"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc, source, executable, ["-Wl,-no_pie", "-fstack-protector-all"]
+ ),
+ (1, executable + ": failed PIE CONTROL_FLOW"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ ["-Wl,-no_pie", "-fstack-protector-all", "-fcf-protection=full"],
+ ),
+ (1, executable + ": failed PIE"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ ["-Wl,-pie", "-fstack-protector-all", "-fcf-protection=full"],
+ ),
+ (0, ""),
+ )
+ else:
+ # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ ["-Wl,-flat_namespace", "-fno-stack-protector"],
+ ),
+ (1, executable + ": failed NOUNDEFS Canary"),
+ )
+ self.assertEqual(
+ call_security_check(
+ cc,
+ source,
+ executable,
+ ["-Wl,-flat_namespace", "-fstack-protector-all"],
+ ),
+ (1, executable + ": failed NOUNDEFS"),
+ )
+ self.assertEqual(
+ call_security_check(cc, source, executable, ["-fstack-protector-all"]),
+ (0, ""),
+ )
 clean_files(source, executable)
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@@ -38,6 +38,7 @@
 WRAP_DIR=$HOME/wrapped
 HOSTS=(
 x86_64-apple-darwin
+ arm64-apple-darwin
 )
 # CMake toolchain file name differ from host name