D14007.id40659.diff
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -163,27 +163,41 @@
return binary.has_nx
+BASE_ELF = [
+ ("PIE", check_PIE),
+ ("NX", check_NX),
+ ("RELRO", check_ELF_RELRO),
+ ("Canary", check_ELF_Canary),
+ ("separate_code", check_ELF_separate_code),
+]
+
+BASE_PE = [
+ ("PIE", check_PIE),
+ ("DYNAMIC_BASE", check_PE_DYNAMIC_BASE),
+ ("HIGH_ENTROPY_VA", check_PE_HIGH_ENTROPY_VA),
+ ("NX", check_NX),
+ ("RELOC_SECTION", check_PE_RELOC_SECTION),
+]
+
+BASE_MACHO = [
+ ("PIE", check_PIE),
+ ("NOUNDEFS", check_MACHO_NOUNDEFS),
+ ("NX", check_NX),
+ ("Canary", check_MACHO_Canary),
+]
+
CHECKS = {
- "ELF": [
- ("PIE", check_PIE),
- ("NX", check_NX),
- ("RELRO", check_ELF_RELRO),
- ("Canary", check_ELF_Canary),
- ("separate_code", check_ELF_separate_code),
- ],
- "PE": [
- ("PIE", check_PIE),
- ("DYNAMIC_BASE", check_PE_DYNAMIC_BASE),
- ("HIGH_ENTROPY_VA", check_PE_HIGH_ENTROPY_VA),
- ("NX", check_NX),
- ("RELOC_SECTION", check_PE_RELOC_SECTION),
- ],
- "MACHO": [
- ("PIE", check_PIE),
- ("NOUNDEFS", check_MACHO_NOUNDEFS),
- ("NX", check_NX),
- ("Canary", check_MACHO_Canary),
- ],
+ lief.EXE_FORMATS.ELF: {
+ lief.ARCHITECTURES.X86: BASE_ELF,
+ lief.ARCHITECTURES.ARM: BASE_ELF,
+ lief.ARCHITECTURES.ARM64: BASE_ELF,
+ },
+ lief.EXE_FORMATS.PE: {
+ lief.ARCHITECTURES.X86: BASE_PE,
+ },
+ lief.EXE_FORMATS.MACHO: {
+ lief.ARCHITECTURES.X86: BASE_MACHO,
+ },
}
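Review bot: The new `CHECKS` table is now the policy deciding which hardening checks a release binary receives, keyed first by LIEF format and then by architecture, but nothing in the hunk documents the two-level key or the fact that the PE and Mach-O entries declare only `X86`, so a binary of any other architecture has no entry at all. Since all three ELF entries point at the same `BASE_ELF` list, the per-architecture level only pays off once an architecture-specific check is added; a comment above `CHECKS` such as `# format -> architecture -> checks; a (format, arch) pair missing here yields no check list and must be rejected by the caller` would make both the intent and the fail-closed expectation explicit. As far as I know LIEF's `ARCHITECTURES.X86` is shared by 32- and 64-bit x86, so `check_PE_HIGH_ENTROPY_VA` in `BASE_PE` would also run on a 32-bit PE if one were ever passed; worth confirming against that check's implementation, which is outside the hunk.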
@@ -192,14 +206,22 @@
for filename in sys.argv[1:]:
try:
binary = lief.parse(filename)
- etype = binary.format.name
+ etype = binary.format
+ arch = binary.abstract.header.architecture
+ binary.concrete
+
if etype == lief.EXE_FORMATS.UNKNOWN:
print(f"(unknown): unknown executable format")
retval = 1
continue
+ if arch == lief.ARCHITECTURES.NONE:
+ print(f"(unknown): unknown architecture")
+ retval = 1
+ continue
+
failed: List[str] = []
- for name, func in CHECKS[etype]:
+ for name, func in CHECKS[etype][arch]:
if not func(binary):
failed.append(name)
if failed:
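Review bot: `CHECKS[etype][arch]` on the new `for` line raises `KeyError` for any format/architecture pair the table does not list (the PE and Mach-O entries declare only X86), and because the enclosing `try` closes outside the hunk I cannot tell whether that surfaces as a clear per-file failure or as a generic exception. The new `unknown architecture` message also copies the `(unknown)` literal from the format check above instead of naming the file, and its f-string has no placeholders. I would look the check list up explicitly and fail closed with the filename in the message, as below. The bare `binary.concrete` expression on its own line reads as a no-op; if it is there to restore the format-specific LIEF view after `.abstract` was accessed, a comment such as `# .abstract switches the LIEF object to the generic view; .concrete switches it back` would save the next reader a trip to the LIEF docs.
```python
            if arch == lief.ARCHITECTURES.NONE:
                print(f"{filename}: unknown architecture")
                retval = 1
                continue

            checks = CHECKS[etype].get(arch)
            if checks is None:
                # Fail closed: a (format, arch) pair with no policy is not a pass.
                print(f"{filename}: no checks defined for {etype} / {arch}")
                retval = 1
                continue

            failed: List[str] = []
            for name, func in checks:
                # … unchanged: run each check and collect failures …
```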
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -3,12 +3,12 @@
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
"""
-A script to check that the executables produced by gitian only contain
-certain symbols and are only linked against allowed libraries.
+A script to check that release executables only contain certain symbols
+and are only linked against allowed libraries.
Example usage:
- find contrib/gitian-builder/build -type f -executable | xargs python3 contrib/devtools/symbol-check.py
+ find ../path/to/binaries -type f -executable | xargs python3 contrib/devtools/symbol-check.py
"""
import sys
@@ -283,18 +283,18 @@
CHECKS = {
- "ELF": [
+ lief.EXE_FORMATS.ELF: [
("IMPORTED_SYMBOLS", check_imported_symbols),
("EXPORTED_SYMBOLS", check_exported_symbols),
("LIBRARY_DEPENDENCIES", check_ELF_libraries),
("INTERPRETER_NAME", check_ELF_interpreter),
],
- "MACHO": [
+ lief.EXE_FORMATS.MACHO: [
("DYNAMIC_LIBRARIES", check_MACHO_libraries),
("MIN_OS", check_MACHO_min_os),
("SDK", check_MACHO_sdk),
],
- "PE": [
+ lief.EXE_FORMATS.PE: [
("DYNAMIC_LIBRARIES", check_PE_libraries),
("SUBSYSTEM_VERSION", check_PE_subsystem_version),
],
@@ -306,7 +306,7 @@
for filename in sys.argv[1:]:
try:
binary = lief.parse(filename)
- etype = binary.format.name
+ etype = binary.format
if etype == lief.EXE_FORMATS.UNKNOWN:
print(f"(unknown): unknown executable format")
