#
# find . -type f -exec check-abi.sh {} \;
-version=3.1
+version=3.2
help ()
{
--ignore-unknown Silently skip files of unknown type.
--ignore-ABI Do not check ABI annotation.
- --ignore-no-ABI Check ABI information but do not complain if none is found.
+ --no-ignore-ABI Check ABI information but do not complain if none is found.
--ignore-enum Do not check enum size annotation.
- --ignore-no-enum Check enum size information but do not complain if none is found.
+ --no-ignore-enum Check enum size information but do not complain if none is found.
--ignore-FORTIFY Do not check FORTIFY SOURCE annotation.
- --ignore-no-FORTIFY Check FORTIFY SOURCE information but do not complain if none is found.
+ --no-ignore-FORTIFY Check FORTIFY SOURCE information but do not complain if none is found.
--ignore-stack-prot Do not check stack protection annotation.
- --ignore-no-stack-prot Check stack protection information but do not complain if none is found.
+ --no-ignore-stack-prot Check stack protection information but do not complain if none is found.
+ --ignore-gaps Do not fail if there are gaps in the coverage.
+ --no-ignore-gaps Fail if there are gaps in the coverage.
-- Stop accumulating options.
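Review bot: The renamed options `--no-ignore-ABI`, `--no-ignore-enum`, `--no-ignore-FORTIFY` and `--no-ignore-stack-prot` read as plain negations of their `--ignore-*` counterparts, but the help text here (and the value 2 assigned in the matching arms of the option-parsing hunk) shows they select a third, lenient mode: check, but accept a file with no annotation at all. `--no-ignore-gaps`, added in the same hunk, really is a negation, so one prefix now carries two meanings. A user who passes `--no-ignore-FORTIFY` expecting strict checking would instead let an unannotated binary pass. A name such as `--allow-missing-FORTIFY`, or a help line stating which mode is the default (presumably the strict one, given the 0 initialisers), would remove the ambiguity. The body of help() continues outside the hunk.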
ignore_fortify=0
ignore_stack_prot=0
ignore_unknown=0
+ ignore_gaps=0
scanner=readelf
tmpfile=/dev/shm/check.abi.delme
}
--ignore-abi | --ignore-ABI)
ignore_abi=1;
;;
- --ignore-no-abi | --ignore-no-ABI)
+ --no-ignore-abi | --no-ignore-ABI)
ignore_abi=2;
;;
--ignore-enum)
ignore_enum=1;
;;
- --ignore-no-enum)
+ --no-ignore-enum)
ignore_enum=2;
;;
--ignore-fortify | --ignore-FORTIFY)
ignore_fortify=1;
;;
- --ignore-no-fortify | --ignore-no-FORTIFY)
+ --no-ignore-fortify | --no-ignore-FORTIFY)
ignore_fortify=2;
;;
--ignore-stack-prot)
ignore_stack_prot=1;
;;
- --ignore-no-stack-prot)
+ --no-ignore-stack-prot)
ignore_stack_prot=2;
;;
+ --ignore-gaps)
+ ignore_gaps=1;
+ ;;
+ --no-ignore-gaps)
+ ignore_gaps=0;
+ ;;
--)
shift
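Review bot: The old spellings `--ignore-no-abi`, `--ignore-no-enum`, `--ignore-no-fortify` and `--ignore-no-stack-prot` are removed with no alias, so an existing caller now falls through to whatever the default arm of this `case` does, which is outside the hunk. Depending on that arm, a build script either starts failing after the upgrade or silently runs with a different check mode than it asked for. Keeping the old name as an extra pattern for at least one release avoids both, e.g. `--no-ignore-abi | --no-ignore-ABI | --ignore-no-abi | --ignore-no-ABI)`.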
fi
fi
- grep -q -e "Gap in build notes" $tmpfile
- if [ $? == 0 ];
+ if [ $ignore_gaps -eq 0 ];
then
- report "$file: there are gaps in the build notes"
- failed=1
+ grep -q -e "Gap in build notes" $tmpfile
+ if [ $? == 0 ];
+ then
+ report "$file: there are gaps in the build notes"
+ failed=1
+ fi
fi
local -a abis
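Review bot: With `--ignore-gaps` set, the gap test is skipped entirely, so the user gets no indication that parts of the file carry no build notes and that the other hardening checks could not cover those ranges. I would still run the grep and downgrade the result to a non-fatal message when gaps are ignored. Testing grep directly also removes the `[ $? == 0 ]` form, where `==` inside `[` is a bashism, and lets `$ignore_gaps` and `$tmpfile` be quoted. Separately, the file read here is the fixed `/dev/shm/check.abi.delme` from the defaults hunk, so the verdict depends on a predictable path in a shared directory; a `mktemp`-created file would remove that dependency. The enclosing function starts and ends outside the hunk.

```shell
# … unchanged: preceding checks on $tmpfile …
if grep -q -e "Gap in build notes" "$tmpfile"; then
  if [ "$ignore_gaps" -eq 0 ]; then
    report "$file: there are gaps in the build notes"
    failed=1
  else
    # Not fatal, but keep the incomplete coverage visible to the user.
    echo "$file: ignoring gaps in the build notes" >&2
  fi
fi
```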
# to fully parse the annobin notes and such a version is not in common
# release (yet).
# FIXME: Remove these options once readelf has been updated.
-$srcdir/../scripts/check-abi.sh --readelf=$READELF --inconsistencies --ignore-FORTIFY --ignore-stack-prot abi-test.exe
+#
+# The --ignore-gaps option is there because currently Scrti.o contains some
+# annobin notes, but crti.o dies not. Thus *any* program built with normal
+# startup code will contain a gap.
+# FIXME: Add assembler support for generating notes.
+$srcdir/../scripts/check-abi.sh --readelf=$READELF --inconsistencies --ignore-FORTIFY --ignore-stack-prot --ignore-gaps abi-test.exe
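Review bot: Passing `--ignore-gaps` on the only visible invocation means neither the gap-detection failure path nor the new `--no-ignore-gaps` option is exercised by this test any more. A second run that expects a non-zero exit on the same binary, e.g. `$srcdir/../scripts/check-abi.sh --readelf=$READELF --ignore-FORTIFY --ignore-stack-prot --no-ignore-gaps abi-test.exe && exit 1`, would keep that path covered until the crti.o notes exist. The added comment also has a typo: `dies not` should read `does not`.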
PLUGIN=../plugin/.libs/annobin.so
-OPTS="-O2 -D_FORTIFY_SOURCE=2 -fPIC -Wall -fstack-protector-strong"
+OPTS="-O2 -D_FORTIFY_SOURCE=2 -fpie -Wall -fstack-protector-strong"
$GCC -fplugin=$PLUGIN -c -g $OPTS $srcdir/hello.c
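Review bot: Changing `-fPIC` to `-fpie` in `OPTS` only alters code generation for the `-c` compile shown here; whether hardening-test.exe ends up position independent depends on the link line passing `-pie`, and that line is outside the hunk. If the link step does not reuse a flag set containing `-pie`, the test binary would be a non-PIE executable built from PIE objects, which is not what a hardening test should model. A one-line comment above `OPTS` saying why `-fpie` is needed (the next hunk's comment hints at Scrti.o) would also help.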
# without needing the notes produced by annobin, so that is why the test is
# allowed to proceed.
# FIXME: Remove the --skip= options once readelf and gcc have been updated.
+#
+# The --skip-pic and --skip-stack options are here because /usr/lib64/libc_nonshared.a(elf-init.oS)
+# is built with -fPIC and -fno-stack-protection. /usr/lib64/Scrti.o is built
+# with -fpie which makes the pic test impossible.
+
$srcdir/../scripts/hardened.sh --readelf=$READELF \
--skip=fort -k=operator --skip=clash --skip=cf -k=cet \
hardening-test.exe
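Review bot: The added comment documents `--skip-pic` and `--skip-stack`, but the command below it uses the `--skip=NAME` spelling and the visible arguments contain neither a pic nor a stack skip. Either the options were meant to be added in this commit and were not, or the comment names them wrongly; as written, a reader cannot tell which checks this test actually bypasses. Each skipped check narrows what the test proves about hardened.sh, so the comment should list the exact flags on the command line and the FIXME should say when each one can be removed.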