diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py @@ -15,7 +15,7 @@ READELF_CMD = os.getenv('READELF', '/usr/bin/readelf') OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump') # checks which are non-fatal for now but only generate a warning -NONFATAL = {'HIGH_ENTROPY_VA'} +NONFATAL = {} def check_ELF_PIE(executable): diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -36,11 +36,11 @@ cc = 'gcc' write_testcode(source) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack', '-fno-stack-protector', '-Wl,-znorelro']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE NX RELRO Canary')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fno-stack-protector', '-Wl,-znorelro']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE RELRO Canary')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE RELRO')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-pie', '-fPIE']), (1, executable + ': failed RELRO')) @@ -53,9 +53,9 @@ cc = 'i686-w64-mingw32-gcc' write_testcode(source) - self.assertEqual(call_security_check(cc, source, executable, []), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase']), (1, executable + ': failed DYNAMIC_BASE NX')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--no-dynamicbase']), (1, executable + ': failed DYNAMIC_BASE')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--dynamicbase']), (0, '')) @@ -71,21 +71,21 @@ cc, source, executable, - []), + ['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']), (1, - executable + ': failed DYNAMIC_BASE NX\n' + executable + ': warning HIGH_ENTROPY_VA')) + executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX')) self.assertEqual( call_security_check( cc, source, executable, - ['-Wl,--nxcompat']), + ['-Wl,--nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']), (1, - executable + ': failed DYNAMIC_BASE\n' + executable + ': warning HIGH_ENTROPY_VA')) + executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA')) self.assertEqual( call_security_check( cc, source, executable, [ - '-Wl,--nxcompat', '-Wl,--dynamicbase']), (0, executable + ': warning HIGH_ENTROPY_VA')) + '-Wl,--nxcompat', '-Wl,--dynamicbase', '-Wl,--no-high-entropy-va']), (1, executable + ': failed HIGH_ENTROPY_VA')) self.assertEqual( call_security_check( cc, source, executable, [