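--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -31,58 +31,58 @@
 class TestSecurityChecks(unittest.TestCase):
 def test_ELF(self):
 source = 'test1.c'
 executable = 'test1'
 cc = 'gcc'
 write_testcode(source)
-self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack', '-fno-stack-protector', '-Wl,-znorelro']),
+self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']),
 (1, executable + ': failed PIE NX RELRO Canary'))
-self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fno-stack-protector', '-Wl,-znorelro']),
+self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']),
 (1, executable + ': failed PIE RELRO Canary'))
-self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro']),
+self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-no-pie', '-fno-PIE']),
 (1, executable + ': failed PIE RELRO'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-pie', '-fPIE']),
 (1, executable + ': failed RELRO'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE']),
 (0, ''))
 def test_32bit_PE(self):
 source = 'test1.c'
 executable = 'test1.exe'
 cc = 'i686-w64-mingw32-gcc'
 write_testcode(source)
-self.assertEqual(call_security_check(cc, source, executable, []),
+self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase']),
 (1, executable + ': failed DYNAMIC_BASE NX'))
-self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat']),
+self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--no-dynamicbase']),
 (1, executable + ': failed DYNAMIC_BASE'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--dynamicbase']),
 (0, ''))
 def test_64bit_PE(self):
 source = 'test1.c'
 executable = 'test1.exe'
 cc = 'x86_64-w64-mingw32-gcc'
 write_testcode(source)
 self.assertEqual(
 call_security_check(
 cc,
 source,
 executable,
-[]),
+['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']),
 (1,
-executable + ': failed DYNAMIC_BASE NX\n' + executable + ': warning HIGH_ENTROPY_VA'))
+executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX'))
 self.assertEqual(
 call_security_check(
 cc,
 source,
 executable,
-['-Wl,--nxcompat']),
+['-Wl,--nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']),
 (1,
-executable + ': failed DYNAMIC_BASE\n' + executable + ': warning HIGH_ENTROPY_VA'))
+executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA'))
 self.assertEqual(
 call_security_check(
 cc, source, executable, [
-'-Wl,--nxcompat', '-Wl,--dynamicbase']), (0, executable + ': warning HIGH_ENTROPY_VA'))
+'-Wl,--nxcompat', '-Wl,--dynamicbase', '-Wl,--no-high-entropy-va']), (1, executable + ': failed HIGH_ENTROPY_VA'))
 self.assertEqual(
 call_security_check(
 cc, source, executable, [
 '-Wl,--nxcompat', '-Wl,--dynamicbase', '-Wl,--high-entropy-va']), (0, ''))
 if __name__ == '__main__':
 unittest.main()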
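Review bot: The negative cases in test_ELF and both PE tests now rely on explicit off-switches (`'-no-pie', '-fno-PIE'`, `'-Wl,--no-nxcompat'`, `'-Wl,--no-dynamicbase'`, `'-Wl,--no-high-entropy-va'`), but nothing in the file says why. A later cleanup could drop them as redundant, and the expected `failed PIE ...` / `failed DYNAMIC_BASE ...` strings would again depend on the host toolchain's defaults. I would add a comment above the first assertion of each test, e.g. `# Set every hardening flag explicitly (on or off): compiler/linker defaults differ between toolchains, and many GCC builds default to PIE.` Separately, test_ELF goes from `-Wl,-znorelro` straight to `-Wl,-zrelro` plus `-Wl,-z,now`. A case with `-Wl,-zrelro` alone would pin how the checker treats partial RELRO; presumably that should still report `failed RELRO`, but security-check.py is not shown here, so confirm against it.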