release: Add security/export checks to gitian and fix current failures

- fix parsing of BIND_NOW with older readelf - add _IO_stdin_used to ignored exports For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109 - add check-symbols and check-security make targets These are not added to the default checks because some of them depend on release-build configs. - always link librt for glibc back-compat builds glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to link in anyway for back-compat. Fixes #7420 - add security/symbol checks to gitian Github-Pull: #7424 Rebased-From: cd27bf51e0 475813ba5b f3d3eaf78e a8ce872118 a81c87fafc
2026-06-06 11:13:02 +02:00 · 2016-01-26 14:50:50 -05:00
parent 568c32411d
commit aa26ee0101
7 changed files with 34 additions and 7 deletions
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -94,7 +94,7 @@ def check_ELF_RELRO(executable):
        raise IOError('Error opening file')
    for line in stdout.split('\n'):
        tokens = line.split()
-        if len(tokens)>1 and tokens[1] == '(BIND_NOW)':
+        if len(tokens)>1 and tokens[1] == '(BIND_NOW)' or (len(tokens)>2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]):
            have_bindnow = True
    return have_gnu_relro and have_bindnow

--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -42,9 +42,12 @@ MAX_VERSIONS = {
 'GLIBCXX': (3,4,13),
 'GLIBC':   (2,11)
 }
+# See here for a description of _IO_stdin_used:
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
+
 # Ignore symbols that are exported as part of every executable
 IGNORE_EXPORTS = {
-'_edata', '_end', '_init', '__bss_start', '_fini'
+'_edata', '_end', '_init', '__bss_start', '_fini', '_IO_stdin_used'
 }
 READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
 CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -96,6 +96,8 @@ script: |

    ./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
    make ${MAKEOPTS}
+    make ${MAKEOPTS} -C src check-security
+    make ${MAKEOPTS} -C src check-symbols
    make install-strip
    cd installed
    find . -name "lib*.la" -delete
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -126,6 +126,7 @@ script: |

    ./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
    make ${MAKEOPTS}
+    make ${MAKEOPTS} -C src check-security
    make deploy
    make install-strip
    cp -f bitcoin-*setup*.exe $OUTDIR/