#endif
/* The version of the package.
- NB/ This number is expected to be in the form "Nnn" where
- "N" is major version number and "nn" is the minor version number. */
-#define ANNOBIN_VERSION 996
+ NB/ This number is expected to be in the form "NNnn" where
+ "NN" is major version number and "nn" is the minor version number. */
+#define ANNOBIN_VERSION 1001
/* The version of the annotation specification supported. */
#define SPEC_VERSION 3
einfo (INFO, " --tmpdir=<NAME> [Absolute pathname of a temporary directory used to pass data between iterations]");
einfo (INFO, " --level=<N> [Recursion level of the scanner]");
+ einfo (INFO, "Tools have their own options:");
+ einfo (INFO, " --enable-<tool> [Turn on <tool>][By default the hardened tool is enabled]");
+ einfo (INFO, " --disable-<tool> [Turn off <tool>]");
+ einfo (INFO, " --<tool>-help [Display help message for <tool> & exit]");
+ einfo (INFO, " --help-<tool> [Display help message for <tool> & exit]");
+ einfo (INFO, " --<tool>-<option> [Pass <option> to <tool>]");
+ einfo (INFO, "Tool names are case insensitive, so --hardened-help is the same as --Hardened-help");
+ einfo (INFO, "If an option is unique to a tool then it can be passed without the --tool prefix");
+ einfo (INFO, "For example the hardened tool's test skipping options can be passed as either");
+ einfo (INFO, "--hardened-skip-<test> or just --skip-<test>");
+
einfo (INFO, "The following scanning tools are available:");
checker * tool;
for (tool = first_checker; tool != NULL; tool = ((checker_internal *)(tool->internal))->next)
- {
- push_component (tool);
- einfo (PARTIAL, "\n");
- if (tool->usage)
- tool->usage ();
- else
- einfo (INFO, "Does not have any specific options");
- pop_component ();
- }
+ einfo (INFO, " %s\n", tool->name);
}
static void
const char * arg = argv[a];
bool used = false;
checker * tool;
+ const char * orig_arg = arg;
++ a;
for (tool = first_checker; tool != NULL; tool = ((checker_internal *)(tool->internal))->next)
- if (tool->process_arg != NULL)
- {
- push_component (tool);
- if (tool->process_arg (arg, argv, argc, & a))
- used = true;
- pop_component ();
- }
+ {
+ if (arg[0] == '-' && arg[1] == '-' && strncasecmp (arg + 2, tool->name, strlen (tool->name)) == 0)
+ {
+ arg += 2 + strlen (tool->name);
+ if (arg[0] == '-')
+ ++arg;
+
+ if (streq (arg, "help"))
+ {
+ if (tool->usage)
+ {
+ push_component (tool);
+ tool->usage ();
+ pop_component ();
+ }
+ else
+ einfo (INFO, "Tool %s does not have any specific options", tool->name);
+
+ exit (EXIT_SUCCESS);
+ }
+
+ if (tool->process_arg != NULL)
+ {
+ push_component (tool);
+ if (tool->process_arg (arg, argv, argc, & a))
+ used = true;
+ pop_component ();
+ }
+
+ if (! used)
+ goto unknown_arg;
+ }
+ else if (tool->process_arg != NULL)
+ {
+ push_component (tool);
+ if (tool->process_arg (arg, argv, argc, & a))
+ used = true;
+ pop_component ();
+ }
+ }
if (used)
{
if (arg[0] == '-')
{
const char * parameter;
- const char * orig_arg = arg;
arg += (arg[1] == '-' ? 2 : 1);
switch (*arg)
{
case 'h': /* --help */
+ /* As an assit to users treat --help-<tool> as --<tool>-help. */
+ if (const_strneq (arg, "help-"))
+ {
+ for (tool = first_checker; tool != NULL; tool = ((checker_internal *)(tool->internal))->next)
+ {
+ if (tool->usage
+ && strncasecmp (arg + strlen ("help-"), tool->name, strlen (tool->name)) == 0)
+ {
+ push_component (tool);
+ tool->usage ();
+ pop_component ();
+ exit (EXIT_SUCCESS);
+ }
+ }
+ }
usage ();
exit (EXIT_SUCCESS);
{
const char * parameter;
- if (streq (arg, "--enable-builtby") || streq (arg, "--enable-built-by"))
+ if (arg[0] == '-')
+ ++ arg;
+ if (arg[0] == '-')
+ ++ arg;
+
+ if (streq (arg, "enable-builtby") || streq (arg, "enable-built-by") || streq (arg, "enable"))
{
disabled = false;
return true;
}
- if (streq (arg, "--disable-builtby") || streq (arg, "--disable-built-by"))
+ if (streq (arg, "disable-builtby") || streq (arg, "disable-built-by") || streq (arg, "disable"))
{
disabled = true;
return true;
}
- if (streq (arg, "--all"))
+ if (streq (arg, "all"))
{
all = true;
return true;
}
- if (const_strneq (arg, "--tool="))
+ if (const_strneq (arg, "tool="))
{
if ((parameter = strchr (arg, '=')) == NULL)
{
return true;
}
- if (const_strneq (arg, "--nottool="))
+ if (const_strneq (arg, "nottool="))
{
if ((parameter = strchr (arg, '=')) == NULL)
{
static bool enable_colour = true;
static bool full_filenames_set = false;
static bool full_filenames = false;
+static bool provide_url = true;
#define FIXED_FORMAT_STRING "%s: test: %s file: %s"
enum test_state state;
const char * name; /* Also used as part of the command line option to disable the test. */
const char * description; /* Used in the --help output to describe the test. */
+ const char * doc_url; /* Online description of the test. */
} test;
enum test_index
TEST_PROPERTY_NOTE,
TEST_RUN_PATH,
TEST_RWX_SEG,
- TEST_SHORT_ENUM,
+ TEST_SHORT_ENUMS,
TEST_STACK_CLASH,
TEST_STACK_PROT,
TEST_STACK_REALIGN,
TEST_TEXTREL,
TEST_THREADS,
TEST_WARNINGS,
- TEST_WRITEABLE_GOT,
+ TEST_WRITABLE_GOT,
TEST_MAX
};
#define STR(a) #a
#define MIN_GO_REV_STR(a,b,c) a STR(b) c
-#define TEST(name,upper,description) \
- [ TEST_##upper ] = { true, false, false, STATE_UNTESTED, #name, description }
+#define TEST(name,upper,description) \
+ [ TEST_##upper ] = { true, false, false, STATE_UNTESTED, #name, description, \
+ "https://sourceware.org/annobin/annobin.html/Test-" #name ".html" }
/* Array of tests to run. Default to enabling them all.
The result field is initialised in the start() function. */
TEST (entry, ENTRY, "The first instruction is ENDBR (x86 executables only)"),
TEST (fortify, FORTIFY, "Compiled with -D_FORTIFY_SOURCE=2"),
TEST (glibcxx-assertions, GLIBCXX_ASSERTIONS, "Compiled with -D_GLIBCXX_ASSERTIONS"),
- TEST (gnu-relro, GNU_RELRO, "The relocations for the GOT are not writeable"),
+ TEST (gnu-relro, GNU_RELRO, "The relocations for the GOT are not writable"),
TEST (gnu-stack, GNU_STACK, "The stack is not executable"),
TEST (go-revision, GO_REVISION, MIN_GO_REV_STR ("GO compiler revision >= ", MIN_GO_REVISION, " (go only)")),
TEST (lto, LTO, "Compiled with -flto"),
TEST (pie, PIE, "Executables need to be compiled with -fPIE"),
TEST (production, PRODUCTION, "Built by a production compiler"),
TEST (property-note, PROPERTY_NOTE, "Correctly formatted GNU Property notes"),
- TEST (run-path, RUN_PATH, "All runpath entries are under /usr"),
- TEST (rwx-seg, RWX_SEG, "There are no segments that are both writeable and executable"),
- TEST (short-enum, SHORT_ENUM, "Compiled with consistent use of -fshort-enum"),
+ TEST (run-path, RUN_PATH, "All runpath entries are secure"),
+ TEST (rwx-seg, RWX_SEG, "There are no segments that are both writable and executable"),
+ TEST (short-enums, SHORT_ENUMS, "Compiled with consistent use of -fshort-enums"),
TEST (stack-clash, STACK_CLASH, "Compiled with -fstack-clash-protection (not ARM)"),
TEST (stack-prot, STACK_PROT, "Compiled with -fstack-protector-strong"),
TEST (stack-realign, STACK_REALIGN, "Compiled with -mstackrealign (i686 only)"),
TEST (textrel, TEXTREL, "There are no text relocations in the binary"),
TEST (threads, THREADS, "Compiled with -fexceptions"),
TEST (warnings, WARNINGS, "Compiled with -Wall"),
- TEST (writeable-got, WRITEABLE_GOT, "The .got section is not writeable"),
+ TEST (writable-got, WRITABLE_GOT, "The .got section is not writable"),
};
/* Default to not reporting future fails - it could confuse ordinary users. */
return full_filenames ? data->full_filename : data->filename;
}
+static inline void
+go_red (void)
+{
+ if (enable_colour && isatty (1))
+ einfo (PARTIAL, RED_COLOUR);
+}
+
+static inline void
+go_default_colour (void)
+{
+ if (enable_colour && isatty (1))
+ einfo (PARTIAL, DEFAULT_COLOUR);
+}
+
+static inline void
+go_gold (void)
+{
+ if (enable_colour && isatty (1))
+ einfo (PARTIAL, GOLD_COLOUR);
+}
+
static void
warn (annocheck_data * data, const char * message)
{
if (fixed_format_messages)
return;
+
einfo (PARTIAL, "%s: %s: ", HARDENED_CHECKER_NAME, get_filename (data));
- if (enable_colour && isatty (1))
- einfo (PARTIAL, RED_COLOUR);
+
+ go_red ();
+
einfo (PARTIAL, "WARN: %s", message);
- if (enable_colour && isatty (1))
- einfo (PARTIAL, DEFAULT_COLOUR);
+
+ go_default_colour ();
+
einfo (PARTIAL, "\n");
}
else if (tests[testnum].state != STATE_FAILED || BE_VERBOSE)
{
einfo (PARTIAL, "%s: %s: ", HARDENED_CHECKER_NAME, filename);
- if (enable_colour && isatty (1))
- einfo (PARTIAL, RED_COLOUR);
+ go_red ();
einfo (PARTIAL, "FAIL: %s test ", tests[testnum].name);
if (reason)
einfo (PARTIAL, "because %s ", reason);
else
einfo (PARTIAL, "(%s) ", name);
}
+
+ go_default_colour ();
+
if (BE_VERY_VERBOSE)
einfo (PARTIAL, "(source: %s)", source);
- if (enable_colour && isatty (1))
- einfo (PARTIAL, DEFAULT_COLOUR);
+
einfo (PARTIAL, "\n");
+
+ if (provide_url)
+ einfo (INFO, "%s: For more information visit: %s",
+ filename, tests[testnum].doc_url);
}
tests[testnum].state = STATE_FAILED;
else if (tests[testnum].state == STATE_UNTESTED || BE_VERBOSE)
{
einfo (PARTIAL, "%s: %s: ", HARDENED_CHECKER_NAME, filename);
- if (enable_colour && isatty (1))
- einfo (PARTIAL, GOLD_COLOUR);
+
+ go_gold ();
+
einfo (PARTIAL, "MAYB: test: %s ", tests[testnum].name);
if (reason)
einfo (PARTIAL, "because %s ", reason);
if (per_file.component_name)
einfo (PARTIAL, "(function: %s) ", per_file.component_name);
+
+ go_default_colour ();
+
if (BE_VERY_VERBOSE)
einfo (PARTIAL, " (source: %s)", source);
- if (enable_colour && isatty (1))
- einfo (PARTIAL, DEFAULT_COLOUR);
+
einfo (PARTIAL, "\n");
+
+ if (provide_url)
+ einfo (INFO, "%s: For more information visit: %s",
+ filename, tests[testnum].doc_url);
}
if (tests[testnum].state != STATE_FAILED)
if (sec->shdr.sh_flags & SHF_WRITE)
{
if (is_object_file ())
- skip (data, TEST_WRITEABLE_GOT, SOURCE_SECTION_HEADERS, "Object file");
+ skip (data, TEST_WRITABLE_GOT, SOURCE_SECTION_HEADERS, "Object file");
else
- fail (data, TEST_WRITEABLE_GOT, SOURCE_SECTION_HEADERS, "the GOT/PLT relocs are writeable");
+ fail (data, TEST_WRITABLE_GOT, SOURCE_SECTION_HEADERS, "the GOT/PLT relocs are writable");
}
else
- pass (data, TEST_WRITEABLE_GOT, SOURCE_SECTION_HEADERS, NULL);
+ pass (data, TEST_WRITABLE_GOT, SOURCE_SECTION_HEADERS, NULL);
return false;
}
break;
case GNU_BUILD_ATTRIBUTE_SHORT_ENUM:
- if (skip_test (TEST_SHORT_ENUM))
+ if (skip_test (TEST_SHORT_ENUMS))
break;
enum short_enum_state state = value ? SHORT_ENUM_STATE_SHORT : SHORT_ENUM_STATE_LONG;
if (value > 1)
{
- maybe (data, TEST_SHORT_ENUM, SOURCE_ANNOBIN_NOTES, "unexpected note value");
+ maybe (data, TEST_SHORT_ENUMS, SOURCE_ANNOBIN_NOTES, "unexpected note value");
einfo (VERBOSE2, "debug: enum note value: %x", value);
}
else if (per_file.short_enum_state == SHORT_ENUM_STATE_UNSET)
per_file.short_enum_state = state;
else if (per_file.short_enum_state != state)
- fail (data, TEST_SHORT_ENUM, SOURCE_ANNOBIN_NOTES, "both short and long enums supported");
+ fail (data, TEST_SHORT_ENUMS, SOURCE_ANNOBIN_NOTES, "both short and long enums supported");
break;
case 'b':
|| const_strneq (attr, "pac-ret"))
{
fail (data, TEST_BRANCH_PROTECTION, SOURCE_ANNOBIN_NOTES, "only partially enabled");
- fail (data, TEST_NOT_BRANCH_PROTECTION, SOURCE_ANNOBIN_NOTES, "only partially enabled");
+ fail (data, TEST_NOT_BRANCH_PROTECTION, SOURCE_ANNOBIN_NOTES, "only partially disabled");
}
else
{
if (per_file.current_tool == TOOL_GIMPLE)
skip (data, TEST_FORTIFY, SOURCE_ANNOBIN_NOTES, "LTO compilation discards preprocessor options");
else if (! skip_test_for_current_func (data, TEST_FORTIFY))
- fail (data, TEST_FORTIFY, SOURCE_ANNOBIN_NOTES, "-D_FORTIFY_SOURCE=2 was not present on command line");
+ fail (data, TEST_FORTIFY, SOURCE_ANNOBIN_NOTES, "-D_FORTIFY_SOURCE=2 was not present on the command line");
break;
case 0:
if (type != GNU_PROPERTY_AARCH64_FEATURE_1_AND)
{
einfo (VERBOSE2, "%s: debug: property note type %lx", get_filename (data), type);
- return "Unexpected property note type";
+ return "unexpected property note type";
}
if (size != 4)
{
einfo (VERBOSE2, "debug: data note at offset %lx has size %lu, expected 4",
(long)(notedata - (const unsigned char *) sec->data->d_buf), size);
- return "Property note data has invalid size";
+ return "the property note data has an invalid size";
}
ulong property = get_4byte_value (notedata);
if ((property & GNU_PROPERTY_AARCH64_FEATURE_1_BTI) == 0)
{
if (tests[TEST_BRANCH_PROTECTION].enabled)
- return "The BTI property is not enabled";
+ return "the BTI property is not enabled";
}
if ((property & GNU_PROPERTY_AARCH64_FEATURE_1_PAC) == 0)
{
#if 0
if (tests[TEST_BRANCH_PROTECTION].enabled)
- return "The PAC property is not enabled";
+ return "the PAC property is not enabled";
#else
future_fail (data, "PAC property is not enabled");
#endif
{
einfo (VERBOSE2, "debug: data note at offset %lx has size %lu, expected 4",
(long)(notedata - (const unsigned char *) sec->data->d_buf), size);
- return "Property note data has invalid size";
+ return "the property note data has an invalid size";
}
ulong property = get_4byte_value (notedata);
if ((property & GNU_PROPERTY_X86_FEATURE_1_IBT) == 0)
{
einfo (VERBOSE2, "debug: property bits = %lx", property);
- return "The IBT property is not enabled";
+ return "the IBT property is not enabled";
}
if ((property & GNU_PROPERTY_X86_FEATURE_1_SHSTK) == 0)
{
einfo (VERBOSE2, "debug: property bits = %lx", property);
- return "The SHSTK property is not enabled";
+ return "the SHSTK property is not enabled";
}
pass (data, TEST_CF_PROTECTION, SOURCE_PROPERTY_NOTES, "correct flags found in .note.gnu.property note");
if (tests[TEST_PROPERTY_NOTE].state == STATE_PASSED)
{
/* The loader will only process the first note, so having more than one is an error. */
- reason = "More than one GNU Property note";
+ reason = "there is more than one GNU Property note";
goto fail;
}
}
if (note->n_namesz != sizeof ELF_NOTE_GNU
|| strncmp ((char *) sec->data->d_buf + name_offset, ELF_NOTE_GNU, strlen (ELF_NOTE_GNU)) != 0)
{
- reason = "Property note does not have expected name";
+ reason = "the property note does not have expected name";
einfo (VERBOSE2, "debug: Expected name '%s', got '%.*s'", ELF_NOTE_GNU,
(int) strlen (ELF_NOTE_GNU), (char *) sec->data->d_buf + name_offset);
goto fail;
uint expected_quanta = data->is_32bit ? 4 : 8;
if (note->n_descsz < 8 || (note->n_descsz % expected_quanta) != 0)
{
- reason = "Property note data has the wrong size";
+ reason = "the property note data has the wrong size";
einfo (VERBOSE2, "debug: Expected data size to be a multiple of %d but the size is 0x%x",
expected_quanta, note->n_descsz);
goto fail;
const unsigned char * notedata = sec->data->d_buf + data_offset;
if (is_x86 () && remaining == 0)
{
- reason = "note section present but empty";
+ reason = "the note section is present but empty";
goto fail;
}
notedata += 8;
if (size > remaining)
{
- reason = "Property note data has invalid size";
+ reason = "the property note data has an invalid size";
einfo (VERBOSE2, "debug: data size for note at offset %lx is %lu but remaining data is only %u",
(long)(notedata - (const unsigned char *) sec->data->d_buf), size, remaining);
goto fail;
if (is_object_file ())
skip (data, TEST_TEXTREL, SOURCE_DYNAMIC_SECTION, "Object files are allowed text relocations");
else
- fail (data, TEST_TEXTREL, SOURCE_DYNAMIC_SECTION, NULL);
+ fail (data, TEST_TEXTREL, SOURCE_DYNAMIC_SECTION, "the DT_TEXTREL tag was detected");
break;
case DT_RPATH:
break;
case 1:
future_fail (data, "PAC_PLT flag is missing from dynamic tags");
- pass (data, TEST_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, "BTI_PLT flag is present in the dynamic tags");
+ fail (data, TEST_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, "PAC_PLT flag is missing from the dynamic tags");
fail (data, TEST_NOT_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, "BTI_PLT flag is present in the dynamic tags");
break;
case 2:
break;
case 3:
pass (data, TEST_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, NULL);
- fail (data, TEST_NOT_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, "The BTI and PAC flags are present in the dynamic tags");
+ fail (data, TEST_NOT_DYNAMIC_TAGS, SOURCE_DYNAMIC_SECTION, "BTI and PAC flags are present in the dynamic tags");
break;
}
}
}
else if (note.n_type == NT_GNU_PROPERTY_TYPE_0)
{
- fail (data, TEST_PROPERTY_NOTE, SOURCE_SEGMENT_CONTENTS, "GNU Property note segment not 8 byte aligned");
+ fail (data, TEST_PROPERTY_NOTE, SOURCE_SEGMENT_CONTENTS, "the GNU Property note segment not 8 byte aligned");
}
}
if (note.n_type == NT_GNU_PROPERTY_TYPE_0)
{
if (offset != 0)
- fail (data, TEST_PROPERTY_NOTE, SOURCE_SEGMENT_CONTENTS, "More than one GNU Property note in note segment");
+ fail (data, TEST_PROPERTY_NOTE, SOURCE_SEGMENT_CONTENTS, "there is more than one GNU Property note in the note segment");
else
/* FIXME: We should check the contents of the note. */
pass (data, TEST_PROPERTY_NOTE, SOURCE_SEGMENT_CONTENTS, NULL);
}
if (! per_file.build_notes_seen && is_C_compiler (per_file.seen_tools))
- fail (data, TEST_NOTES, SOURCE_ANNOBIN_NOTES, "Annobin notes were not found");
+ fail (data, TEST_NOTES, SOURCE_ANNOBIN_NOTES, "annobin notes were not found");
if (! ignore_gaps)
{
case TEST_PRODUCTION:
case TEST_NOTES:
case TEST_ENTRY:
- case TEST_SHORT_ENUM:
+ case TEST_SHORT_ENUMS:
case TEST_DYNAMIC_SEGMENT:
case TEST_RUN_PATH:
case TEST_RWX_SEG:
case TEST_TEXTREL:
case TEST_THREADS:
- case TEST_WRITEABLE_GOT:
+ case TEST_WRITABLE_GOT:
/* The absence of a result for these tests actually means that they have passed. */
pass (data, i, SOURCE_FINAL_SCAN, NULL);
break;
skip (data, i, SOURCE_FINAL_SCAN, "needs gcc 9+");
else
{
- fail (data, i, SOURCE_FINAL_SCAN, "The -mbranch-protection option was not used");
- pass (data, i, SOURCE_FINAL_SCAN, "The -mbranch-protection option was not used");
+ if (i == TEST_BRANCH_PROTECTION)
+ fail (data, i, SOURCE_FINAL_SCAN, "the -mbranch-protection option was not used");
+ else
+ pass (data, i, SOURCE_FINAL_SCAN, "the -mbranch-protection option was not used");
}
break;
einfo (INFO, " --test-future Enable the future fail tests");
einfo (INFO, " To enable/disable tests for a specific environment use:");
+ einfo (INFO, " --profile-el7 Ensure that only tests suitable for RHEL-7 are run");
einfo (INFO, " --profile-el9 Ensure that only tests suitable for RHEL-9 are run");
einfo (INFO, " --profile-rawhide Ensure that only tests suitable for Fedora Rawhide are run");
#if 0 /* Not implemented yet. */
#endif
einfo (INFO, " The tool will also report missing annobin data unless:");
einfo (INFO, " --ignore-gaps Ignore missing annobin data");
+ einfo (INFO, " --report-gaps Report missing annobin data");
einfo (INFO, " The tool is enabled by default. This can be changed by:");
einfo (INFO, " --disable-hardened Disables the hardening checker");
einfo (INFO, " --enable-hardened Reenables the hardening checker");
- einfo (INFO, " The tool will generate messages based upon the verbosity level but the format is not fixed");
- einfo (INFO, " In order to have a consistent output enable this option:");
- einfo (INFO, " --fixed-format-messages Display messages in a fixed format");
- einfo (INFO, " By default when not opeating in verbose more only the filename of input files will be displayed in messages");
- einfo (INFO, " This can be changed with:");
- einfo (INFO, " --full-filenames Display the full path of input files");
- einfo (INFO, " --base-filenames Display only the filename of input files");
+ einfo (INFO, " The tool will generate messages based upon the verbosity level but the format is not fixed");
+ einfo (INFO, " In order to have a consistent output enable this option:");
+ einfo (INFO, " --fixed-format-messages Display messages in a fixed format");
+ einfo (INFO, " By default when not opeating in verbose more only the filename of input files will be displayed in messages");
+ einfo (INFO, " This can be changed with:");
+ einfo (INFO, " --full-filenames Display the full path of input files");
+ einfo (INFO, " --base-filenames Display only the filename of input files");
- einfo (INFO, " When the output is directed to a terminal colouring will be used to highlight significant messages");
- einfo (INFO, " This can be controlled by:");
- einfo (INFO, " --disable-colour Disables coloured messages");
- einfo (INFO, " --disable-color Disables colored messages");
- einfo (INFO, " --enable-colour Enables coloured messages");
- einfo (INFO, " --enable-color Enables colored messages");
+ einfo (INFO, " When the output is directed to a terminal colouring will be used to highlight significant messages");
+ einfo (INFO, " This can be controlled by:");
+ einfo (INFO, " --disable-colour Disables coloured messages");
+ einfo (INFO, " --disable-color Disables colored messages");
+ einfo (INFO, " --enable-colour Enables coloured messages");
+ einfo (INFO, " --enable-color Enables colored messages");
+
+ einfo (INFO, " Annobin's online documentation includes an extended description of the tests");
+ einfo (INFO, " run here. By default when a FAIL or MAYB result is displayed a URL to the");
+ einfo (INFO, " relevant online description is also included (unless fixed-format mode is enabled)");
+ einfo (INFO, " This behaiour can be disabled by:");
+ einfo (INFO, " --no-urls Do not include URLs in error messages");
+ einfo (INFO, " And re-enabled with:");
+ einfo (INFO, " --provide-urls Include URLs in error messages");
}
#define MAX_DISABLED 10
{ "fc35", {}, {} },
{ "automotive", {}, {} },
#endif
+ { "el7", { TEST_BRANCH_PROTECTION, TEST_DYNAMIC_TAGS, TEST_PIE, TEST_BIND_NOW, TEST_FORTIFY, TEST_STACK_CLASH },
+ { TEST_NOT_BRANCH_PROTECTION, TEST_NOT_DYNAMIC_TAGS } },
{ "el9", { TEST_BRANCH_PROTECTION, TEST_DYNAMIC_TAGS },
{ TEST_NOT_BRANCH_PROTECTION, TEST_NOT_DYNAMIC_TAGS } },
{ "rawhide", { TEST_NOT_BRANCH_PROTECTION, TEST_NOT_DYNAMIC_TAGS },
static bool
process_arg (const char * arg, const char ** argv, const uint argc, uint * next)
{
- if (const_strneq (arg, "--skip-"))
+ if (arg[0] == '-')
+ ++ arg;
+ if (arg[0] == '-')
+ ++ arg;
+
+ if (const_strneq (arg, "skip-"))
{
- arg += strlen ("--skip-");
+ arg += strlen ("skip-");
int i;
return false;
}
- if (const_strneq (arg, "--test-"))
+ if (const_strneq (arg, "test-"))
{
- arg += strlen ("--test-");
+ arg += strlen ("test-");
int i;
return false;
}
- if (streq (arg, "--enable-hardened"))
+ if (streq (arg, "enable-hardened") || streq (arg, "enable"))
{
disabled = false;
return true;
}
- if (streq (arg, "--disable-hardened"))
+ if (streq (arg, "disable-hardened") || streq (arg, "disable"))
{
disabled = true;
return true;
}
- if (streq (arg, "--ignore-gaps"))
+ if (streq (arg, "ignore-gaps"))
{
ignore_gaps = true;
return true;
}
- if (streq (arg, "--fixed-format-messages"))
+ if (streq (arg, "report-gaps"))
+ {
+ ignore_gaps = false;
+ return true;
+ }
+
+ if (streq (arg, "fixed-format-messages"))
{
fixed_format_messages = true;
return true;
}
- if (streq (arg, "--disable-colour") || streq (arg, "--disable-color"))
+ if (streq (arg, "disable-colour") || streq (arg, "disable-color"))
{
enable_colour = false;
return true;
}
- if (streq (arg, "--enable-colour") || streq (arg, "--enable-color"))
+ if (streq (arg, "enable-colour") || streq (arg, "enable-color"))
{
enable_colour = true;
return true;
}
- if (streq (arg, "--full-filenames"))
+ if (streq (arg, "provide-urls"))
+ {
+ provide_url = true;
+ return true;
+ }
+
+ if (streq (arg, "no-urls"))
+ {
+ provide_url = false;
+ return true;
+ }
+
+ if (streq (arg, "full-filenames"))
{
full_filenames = true;
full_filenames_set = true;
return true;
}
- if (streq (arg, "--base-filenames"))
+ if (streq (arg, "base-filenames"))
{
full_filenames = false;
full_filenames_set = true;
return true;
}
- if (const_strneq (arg, "--profile-"))
+ if (const_strneq (arg, "profile-"))
{
- arg += strlen ("--profile-");
+ arg += strlen ("profile-");
uint i;
static bool
notes_process_arg (const char * arg, const char ** argv, const uint argc, uint * next)
{
- if (streq (arg, "--enable-notes"))
+ if (arg[0] == '-')
+ ++ arg;
+ if (arg[0] == '-')
+ ++ arg;
+
+ if (streq (arg, "enable-notes") || streq (arg, "enable"))
disabled = false;
- else if (streq (arg, "--disable-notes"))
+ else if (streq (arg, "disable-notes") || streq (arg, "disable"))
disabled = true;
else
/* Computes the cumulative size of section(s) in binary files.
- Copyright (c) 2018 - 2019 Red Hat.
+ Copyright (c) 2018 - 2021 Red Hat.
This is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published
static bool
size_process_arg (const char * arg, const char ** argv, const uint argc, uint * next)
{
- if (const_strneq (arg, "--size-sec-flags="))
+ if (arg[0] == '-')
+ ++ arg;
+ if (arg[0] == '-')
+ ++ arg;
+
+ if (const_strneq (arg, "size-sec-flags="))
{
- const char * flag = arg + strlen ("--size-sec-flags=");
+ const char * flag = arg + strlen ("size-sec-flags=");
Elf64_Word * addto = & sec_need_flags;
disabled = false;
return true;
}
- if (const_strneq (arg, "--section-size") /* Deprecated. */
- || const_strneq (arg, "--size-sec"))
+ if (const_strneq (arg, "section-size") /* Deprecated. */
+ || const_strneq (arg, "size-sec"))
{
const char * parameter;
const char * sought;
return true;
}
- if (streq (arg, "--human") /* Deprecated. */
- || streq (arg, "--size-human"))
+ if (streq (arg, "human") /* Deprecated. */
+ || streq (arg, "size-human"))
{
human = true;
return true;
}
- if (const_strneq (arg, "--size-seg-flags="))
+ if (const_strneq (arg, "size-seg-flags="))
{
- const char * flag = arg + strlen ("--size-seg-flags=");
+ const char * flag = arg + strlen ("size-seg-flags=");
Elf64_Word * addto = & seg_need_flags;
-
+
disabled = false;
while (*flag)
struct checker size_checker =
{
- "Section Size",
+ "Size",
NULL, /* file_start */
size_interesting_sec,
NULL, /* check_sec */
/* Monitors the time annocheck takes running its tools.
- Copyright (c) 2018 - 2019 Red Hat.
+ Copyright (c) 2018 - 2021 Red Hat.
This is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published
static bool
timing_process_arg (const char * arg, const char ** argv, const uint argc, uint * next)
{
- if (streq (arg, "--enable-timing"))
+ if (arg[0] == '-')
+ ++ arg;
+ if (arg[0] == '-')
+ ++ arg;
+
+ if (streq (arg, "enable-timing") || streq (arg, "enable"))
disabled = false;
- else if (streq (arg, "--disable-timing"))
+ else if (streq (arg, "disable-timing") || streq (arg, "disable"))
disabled = true;
- else if (streq (arg, "--nsec"))
+ else if (streq (arg, "nsec"))
resolution = NSEC;
- else if (streq (arg, "--usec"))
+ else if (streq (arg, "usec"))
resolution = USEC;
- else if (streq (arg, "--sec"))
+ else if (streq (arg, "sec"))
resolution = SEC;
else
dir=`$CXX -print-file-name=plugin 2>/dev/null`
if test x"$dir" = xplugin; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "$CXX does not support plugins; reconfigure GCC with --enable-plugin" "$LINENO" 5
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ dir=`$CXX -print-file-name=.`/plugin
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
CPPFLAGS="$CPPFLAGS -I$dir/include"
dir=`$CXX -print-file-name=plugin 2>/dev/null`
if test x"$dir" = xplugin; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "$CXX does not support plugins; reconfigure GCC with --enable-plugin" "$LINENO" 5
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ dir=`$CXX -print-file-name=.`/plugin
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
CPPFLAGS="$CPPFLAGS -I$dir/include"
'configure.ac'
],
{
- 'm4_sinclude' => 1,
- 'AC_CONFIG_FILES' => 1,
- 'AH_OUTPUT' => 1,
- 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
- 'AC_CONFIG_HEADERS' => 1,
- 'AM_SILENT_RULES' => 1,
'AC_FC_PP_SRCEXT' => 1,
- 'AM_AUTOMAKE_VERSION' => 1,
- 'AM_PROG_FC_C_O' => 1,
- 'AM_MAKEFILE_INCLUDE' => 1,
- 'm4_pattern_forbid' => 1,
- 'include' => 1,
- 'LT_INIT' => 1,
- 'AC_CANONICAL_TARGET' => 1,
- 'AC_CONFIG_SUBDIRS' => 1,
- 'AM_INIT_AUTOMAKE' => 1,
- 'AC_CANONICAL_SYSTEM' => 1,
- 'AM_MAINTAINER_MODE' => 1,
- 'LT_CONFIG_LTDL_DIR' => 1,
- 'AC_CONFIG_AUX_DIR' => 1,
- 'AM_PROG_CC_C_O' => 1,
- 'AM_GNU_GETTEXT' => 1,
- 'AM_CONDITIONAL' => 1,
- 'AC_CANONICAL_BUILD' => 1,
+ '_AM_COND_ENDIF' => 1,
'AC_INIT' => 1,
+ 'AM_CONDITIONAL' => 1,
'AM_POT_TOOLS' => 1,
- '_AM_COND_ENDIF' => 1,
- 'AM_PATH_GUILE' => 1,
+ '_AM_COND_IF' => 1,
+ 'AC_CANONICAL_BUILD' => 1,
+ 'LT_CONFIG_LTDL_DIR' => 1,
+ '_AM_COND_ELSE' => 1,
+ '_AM_SUBST_NOTMAKE' => 1,
+ 'AM_PROG_AR' => 1,
+ 'AC_REQUIRE_AUX_FILE' => 1,
'AM_PROG_MOC' => 1,
- 'AC_CONFIG_LINKS' => 1,
'_LT_AC_TAGCONFIG' => 1,
- 'AC_LIBSOURCE' => 1,
- 'AM_ENABLE_MULTILIB' => 1,
- 'AC_DEFINE_TRACE_LITERAL' => 1,
- '_AM_COND_ELSE' => 1,
- 'AC_CANONICAL_HOST' => 1,
+ 'AM_AUTOMAKE_VERSION' => 1,
+ 'AC_CANONICAL_TARGET' => 1,
'LT_SUPPORTED_TAG' => 1,
- 'AC_PROG_LIBTOOL' => 1,
'AM_NLS' => 1,
+ 'AC_CONFIG_HEADERS' => 1,
+ 'AM_PROG_FC_C_O' => 1,
'AC_FC_SRCEXT' => 1,
- 'AC_CONFIG_LIBOBJ_DIR' => 1,
- 'AC_FC_PP_DEFINE' => 1,
- 'AM_PROG_CXX_C_O' => 1,
- '_AM_SUBST_NOTMAKE' => 1,
- 'AM_PROG_F77_C_O' => 1,
- '_m4_warn' => 1,
- '_AM_MAKEFILE_INCLUDE' => 1,
- 'AC_SUBST_TRACE' => 1,
- 'AM_XGETTEXT_OPTION' => 1,
- 'AM_PROG_AR' => 1,
'AC_FC_FREEFORM' => 1,
+ 'LT_INIT' => 1,
+ 'm4_sinclude' => 1,
+ 'AM_PATH_GUILE' => 1,
+ 'include' => 1,
+ 'AM_PROG_F77_C_O' => 1,
+ 'AC_DEFINE_TRACE_LITERAL' => 1,
+ 'AC_LIBSOURCE' => 1,
+ 'AC_CONFIG_AUX_DIR' => 1,
'm4_pattern_allow' => 1,
- '_AM_COND_IF' => 1,
+ 'AM_PROG_CC_C_O' => 1,
+ 'AM_GNU_GETTEXT' => 1,
+ 'AM_XGETTEXT_OPTION' => 1,
+ 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
+ 'AC_CONFIG_FILES' => 1,
+ 'AM_MAKEFILE_INCLUDE' => 1,
+ 'AM_PROG_CXX_C_O' => 1,
+ 'AH_OUTPUT' => 1,
'm4_include' => 1,
'AC_SUBST' => 1,
- 'AC_REQUIRE_AUX_FILE' => 1,
- 'sinclude' => 1
+ 'AM_ENABLE_MULTILIB' => 1,
+ 'AC_CANONICAL_SYSTEM' => 1,
+ 'AC_CANONICAL_HOST' => 1,
+ 'AM_SILENT_RULES' => 1,
+ 'm4_pattern_forbid' => 1,
+ 'AC_FC_PP_DEFINE' => 1,
+ 'AM_INIT_AUTOMAKE' => 1,
+ 'AM_MAINTAINER_MODE' => 1,
+ 'AC_CONFIG_LIBOBJ_DIR' => 1,
+ '_m4_warn' => 1,
+ 'AC_SUBST_TRACE' => 1,
+ '_AM_MAKEFILE_INCLUDE' => 1,
+ 'AC_CONFIG_SUBDIRS' => 1,
+ 'sinclude' => 1,
+ 'AC_CONFIG_LINKS' => 1,
+ 'AC_PROG_LIBTOOL' => 1
}
], 'Autom4te::Request' ),
bless( [
'configure.ac'
],
{
- 'ACX_LT_HOST_FLAGS' => 1,
- 'ACX_PROG_CMP_IGNORE_INITIAL' => 1,
- 'AC_LIBTOOL_COMPILER_OPTION' => 1,
- 'AC_LIBTOOL_SYS_OLD_ARCHIVE' => 1,
- '_AM_DEPENDENCIES' => 1,
- 'AC_PROG_LD_RELOAD_FLAG' => 1,
- 'AC_ENABLE_FAST_INSTALL' => 1,
- 'AC_LIBTOOL_SYS_LIB_STRIP' => 1,
- 'AC_DISABLE_FAST_INSTALL' => 1,
- 'ACX_CHECK_CYGWIN_CAT_WORKS' => 1,
- 'LT_AC_PROG_RC' => 1,
- 'AC_PROG_LIBTOOL' => 1,
- '_LT_AC_PROG_ECHO_BACKSLASH' => 1,
- 'AC_CHECK_LIBM' => 1,
- 'LT_SYS_DLOPEN_SELF' => 1,
- 'DISABLE_RPATH' => 1,
- 'AM_RUN_LOG' => 1,
- 'AM_SET_CURRENT_AUTOMAKE_VERSION' => 1,
- 'AC_LIBTOOL_LINKER_OPTION' => 1,
- 'ANNOCHECK' => 1,
- 'AC_DISABLE_STATIC' => 1,
- 'AC_LIBTOOL_WIN32_DLL' => 1,
- 'BUILD_CLANG_PLUGIN' => 1,
'ACX_BUGURL' => 1,
- 'm4_pattern_allow' => 1,
- 'ACX_PATH_SEP' => 1,
+ 'AM_MISSING_PROG' => 1,
+ 'LIBELF' => 1,
+ 'AM_PROG_INSTALL_STRIP' => 1,
+ 'LT_LIB_M' => 1,
+ 'LT_PROG_GCJ' => 1,
+ 'GCC_TARGET_TOOL' => 1,
+ '_LT_DLL_DEF_P' => 1,
+ 'AC_PATH_MAGIC' => 1,
+ 'AC_LTDL_OBJDIR' => 1,
+ 'AM_SANITY_CHECK' => 1,
+ '_m4_warn' => 1,
+ 'AC_LIBTOOL_FC' => 1,
+ '_LT_AC_SYS_LIBPATH_AIX' => 1,
+ 'GMP' => 1,
'm4_include' => 1,
+ 'AC_DISABLE_FAST_INSTALL' => 1,
+ '_AM_CONFIG_MACRO_DIRS' => 1,
+ 'AC_DEPLIBS_CHECK_METHOD' => 1,
+ '_LT_PROG_FC' => 1,
+ '_LT_AC_LANG_C_CONFIG' => 1,
+ '_AC_AM_CONFIG_HEADER_HOOK' => 1,
'AU_DEFUN' => 1,
- 'ACX_HAVE_GCC_FOR_TARGET' => 1,
- '_LT_AC_LANG_CXX' => 1,
+ 'AC_DISABLE_SHARED' => 1,
+ '_LT_PROG_ECHO_BACKSLASH' => 1,
+ 'AC_LIBTOOL_DLOPEN' => 1,
+ 'AC_LIBTOOL_CXX' => 1,
+ '_LT_COMPILER_BOILERPLATE' => 1,
+ 'AC_ENABLE_SHARED' => 1,
'AC_PROG_CPP_WERROR' => 1,
- '_LT_AC_SHELL_INIT' => 1,
- 'AM_SILENT_RULES' => 1,
- '_AM_PROG_CC_C_O' => 1,
- 'AC_CONFIG_MACRO_DIR' => 1,
- '_AC_PROG_LIBTOOL' => 1,
- '_NCN_TOOL_PREFIXES' => 1,
- 'AM_MISSING_HAS_RUN' => 1,
+ 'AC_PROG_EGREP' => 1,
+ 'BUILD_GCC_PLUGIN' => 1,
+ 'LT_INIT' => 1,
+ 'AC_LIBTOOL_RC' => 1,
+ 'm4_pattern_allow' => 1,
+ 'LLVM_PLUGIN' => 1,
'_LT_AC_TRY_DLOPEN_SELF' => 1,
- 'AC_PROG_LEX' => 1,
- 'AC_DEFUN_ONCE' => 1,
- 'ACX_PROG_LN' => 1,
- 'LT_AC_PROG_GCJ' => 1,
- 'AC_LIBTOOL_OBJDIR' => 1,
- 'AC_PATH_MAGIC' => 1,
+ 'AC_LIBTOOL_SYS_LIB_STRIP' => 1,
+ '_LT_AC_LANG_RC_CONFIG' => 1,
+ 'LT_AC_PROG_EGREP' => 1,
+ 'AC_LIBTOOL_PROG_LD_SHLIBS' => 1,
+ 'GCC_PLUGIN' => 1,
+ 'LT_OUTPUT' => 1,
+ 'ACX_PATH_SEP' => 1,
+ 'AC_CHECK_LIBM' => 1,
+ 'ACX_PKGVERSION' => 1,
+ 'AC_LIBTOOL_LANG_C_CONFIG' => 1,
+ '_AC_PROG_LIBTOOL' => 1,
+ 'AC_PROG_LD_RELOAD_FLAG' => 1,
+ '_LT_CC_BASENAME' => 1,
+ 'AM_MAKE_INCLUDE' => 1,
+ 'AM_AUTOMAKE_VERSION' => 1,
+ 'LT_PATH_LD' => 1,
+ 'AM_ENABLE_SHARED' => 1,
+ 'AC_LIBTOOL_WIN32_DLL' => 1,
+ 'ACX_PROG_GNAT' => 1,
+ 'AM_DISABLE_SHARED' => 1,
+ '_AM_PROG_TAR' => 1,
+ 'AC_LIBTOOL_SYS_HARD_LINK_LOCKS' => 1,
+ 'AM_SET_LEADING_DOT' => 1,
+ 'ACX_HAVE_GCC_FOR_TARGET' => 1,
+ 'AC_LIBTOOL_SYS_OLD_ARCHIVE' => 1,
+ 'ACX_NONCANONICAL_BUILD' => 1,
+ '_AM_DEPENDENCIES' => 1,
+ 'BUILD_ANNOCHECK' => 1,
+ 'LT_AC_PROG_RC' => 1,
+ '_AM_MANGLE_OPTION' => 1,
+ 'AM_SET_DEPDIR' => 1,
+ 'AC_LIBTOOL_PROG_COMPILER_NO_RTTI' => 1,
+ 'AM_INIT_AUTOMAKE' => 1,
+ 'AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH' => 1,
+ '_LT_LINKER_BOILERPLATE' => 1,
+ 'AC_LIBTOOL_PROG_COMPILER_PIC' => 1,
+ '_AM_SET_OPTIONS' => 1,
+ '_LT_PROG_LTMAIN' => 1,
+ '_LT_AC_LANG_CXX' => 1,
'_LT_WITH_SYSROOT' => 1,
+ '_LT_AC_LANG_F77' => 1,
+ '_LT_PATH_TOOL_PREFIX' => 1,
'LTSUGAR_VERSION' => 1,
+ 'ZW_PROG_COMPILER_DEPENDENCIES' => 1,
+ 'AC_LIBTOOL_F77' => 1,
+ '_AM_PROG_CC_C_O' => 1,
+ '_LT_AC_LANG_F77_CONFIG' => 1,
+ 'AC_LIBTOOL_PICMODE' => 1,
+ 'AM_DEP_TRACK' => 1,
+ 'DEBUGINFOD' => 1,
+ '_LT_AC_LANG_CXX_CONFIG' => 1,
+ 'AC_LIBTOOL_DLOPEN_SELF' => 1,
+ 'LT_PATH_NM' => 1,
+ 'LT_PROG_GO' => 1,
+ 'LTVERSION_VERSION' => 1,
+ 'NCN_STRICT_CHECK_TARGET_TOOLS' => 1,
+ 'AC_LTDL_ENABLE_INSTALL' => 1,
+ 'LT_AC_PROG_SED' => 1,
+ 'ACX_CHECK_INSTALLED_TARGET_TOOL' => 1,
+ 'DISABLE_RPATH' => 1,
'AC_LTDL_PREOPEN' => 1,
+ 'LT_PROG_RC' => 1,
+ '_LT_LINKER_OPTION' => 1,
+ 'LTOPTIONS_VERSION' => 1,
+ 'AM_AUX_DIR_EXPAND' => 1,
+ '_LT_AC_SHELL_INIT' => 1,
+ 'ACX_PROG_LN' => 1,
+ 'ACX_TOOL_DIRS' => 1,
+ '_LT_AC_CHECK_DLFCN' => 1,
+ 'AM_SUBST_NOTMAKE' => 1,
'AC_LIBTOOL_POSTDEP_PREDEP' => 1,
- 'AC_DEPLIBS_CHECK_METHOD' => 1,
- 'LTOBSOLETE_VERSION' => 1,
- 'AM_PROG_LD' => 1,
- '_LT_PROG_F77' => 1,
- 'LT_PROG_GO' => 1,
+ '_GCC_AUTOCONF_VERSION_CHECK' => 1,
+ 'AC_PROG_LIBTOOL' => 1,
+ '_GCC_TOPLEV_NONCANONICAL_BUILD' => 1,
+ 'AM_SILENT_RULES' => 1,
+ 'AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE' => 1,
+ 'GCC_TOPLEV_SUBDIRS' => 1,
'AC_LIBTOOL_LANG_RC_CONFIG' => 1,
- 'ACX_PROG_GNAT' => 1,
- '_LT_AC_SYS_COMPILER' => 1,
- 'AM_PROG_INSTALL_STRIP' => 1,
- 'AM_PROG_LIBTOOL' => 1,
- '_LT_AC_LANG_F77_CONFIG' => 1,
- '_LT_AC_LOCK' => 1,
+ '_LT_AC_TAGVAR' => 1,
+ 'AM_PROG_NM' => 1,
'AC_PROG_LD_GNU' => 1,
- '_LT_PATH_TOOL_PREFIX' => 1,
- 'AC_CONFIG_MACRO_DIR_TRACE' => 1,
- 'AC_PROG_EGREP' => 1,
- 'AM_OUTPUT_DEPENDENCY_COMMANDS' => 1,
- 'AC_DEFUN' => 1,
- 'AC_LIBTOOL_LANG_F77_CONFIG' => 1,
- 'ACX_CHECK_PROG_VER' => 1,
- 'AC_LIBTOOL_CXX' => 1,
+ 'LT_AC_PROG_GCJ' => 1,
+ 'BUILD_LLVM_PLUGIN' => 1,
+ 'AC_LIBTOOL_LANG_GCJ_CONFIG' => 1,
'AM_DISABLE_STATIC' => 1,
- 'ZW_PROG_COMPILER_DEPENDENCIES' => 1,
- '_LT_AC_LANG_RC_CONFIG' => 1,
- '_AM_SUBST_NOTMAKE' => 1,
- 'AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE' => 1,
- 'AC_LIBTOOL_SYS_HARD_LINK_LOCKS' => 1,
- '_GCC_TOPLEV_NONCANONICAL_HOST' => 1,
- 'AM_MAKE_INCLUDE' => 1,
- 'LT_AC_PROG_EGREP' => 1,
- 'AM_AUTOMAKE_VERSION' => 1,
- '_AM_IF_OPTION' => 1,
- 'AC_LIBTOOL_LANG_C_CONFIG' => 1,
- 'AC_LIBTOOL_F77' => 1,
- '_LT_LINKER_BOILERPLATE' => 1,
- '_LT_AC_LANG_GCJ_CONFIG' => 1,
+ '_LT_AC_LOCK' => 1,
+ 'GCC_BASE_VER' => 1,
'include' => 1,
- 'BUILD_GCC_PLUGIN' => 1,
- 'GCC_TOPLEV_SUBDIRS' => 1,
- 'm4_pattern_forbid' => 1,
- 'AM_PROG_INSTALL_SH' => 1,
- 'AC_PREREQ' => 1,
- 'AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH' => 1,
- '_LT_AC_TAGVAR' => 1,
- 'ACX_HEADER_STRING' => 1,
- 'BUILD_LLVM_PLUGIN' => 1,
- 'AM_SET_DEPDIR' => 1,
- '_AM_MANGLE_OPTION' => 1,
- '_AM_CONFIG_MACRO_DIRS' => 1,
+ '_LT_AC_SYS_COMPILER' => 1,
+ '_LT_PROG_F77' => 1,
+ 'AM_OUTPUT_DEPENDENCY_COMMANDS' => 1,
+ 'AC_LIBTOOL_LANG_F77_CONFIG' => 1,
+ 'BUILD_CLANG_PLUGIN' => 1,
+ 'ACX_HEADER_STDBOOL' => 1,
+ 'AC_DEFUN_ONCE' => 1,
+ 'BUILD_DOCS' => 1,
+ 'LT_LANG' => 1,
+ 'LT_SUPPORTED_TAG' => 1,
+ 'AC_PATH_TOOL_PREFIX' => 1,
+ 'AM_RUN_LOG' => 1,
+ '_GCC_TOPLEV_NONCANONICAL_TARGET' => 1,
+ 'AC_ENABLE_FAST_INSTALL' => 1,
+ 'AC_CONFIG_MACRO_DIR_TRACE' => 1,
+ 'AM_PROG_LIBTOOL' => 1,
+ 'AC_LIBTOOL_CONFIG' => 1,
+ 'AC_PROG_NM' => 1,
+ 'ZW_CREATE_DEPDIR' => 1,
'AC_LIBTOOL_SYS_MAX_CMD_LEN' => 1,
- 'NCN_STRICT_CHECK_TOOLS' => 1,
+ 'ACX_HEADER_STRING' => 1,
+ '_LT_AC_PROG_ECHO_BACKSLASH' => 1,
+ 'AC_DISABLE_STATIC' => 1,
+ 'ACX_PROG_CMP_IGNORE_INITIAL' => 1,
+ 'AM_CONDITIONAL' => 1,
+ 'AC_LIBTOOL_COMPILER_OPTION' => 1,
+ 'ACX_NONCANONICAL_TARGET' => 1,
+ '_AM_SUBST_NOTMAKE' => 1,
+ 'AC_LIBTOOL_LANG_CXX_CONFIG' => 1,
'_AM_OUTPUT_DEPENDENCY_COMMANDS' => 1,
- '_LT_AC_PROG_CXXCPP' => 1,
- 'CXX_LIBTOOL_LINK_IFELSE' => 1,
- 'GCC_BASE_VER' => 1,
- 'LT_PATH_NM' => 1,
'_AM_AUTOCONF_VERSION' => 1,
- 'AC_PROG_LD' => 1,
- 'ACX_HEADER_STDBOOL' => 1,
- 'AC_LIBTOOL_PROG_LD_SHLIBS' => 1,
- 'ACX_NONCANONICAL_HOST' => 1,
- 'AC_LIBTOOL_LANG_CXX_CONFIG' => 1,
- 'ACX_CHECK_INSTALLED_TARGET_TOOL' => 1,
- 'AC_LIBTOOL_CONFIG' => 1,
- 'LT_CMD_MAX_LEN' => 1,
- '_LT_AC_SYS_LIBPATH_AIX' => 1,
- 'AM_AUX_DIR_EXPAND' => 1,
- 'AC_DISABLE_SHARED' => 1,
- 'LT_SUPPORTED_TAG' => 1,
- 'AM_ENABLE_SHARED' => 1,
- 'AM_PROG_NM' => 1,
- 'AC_LIBTOOL_PROG_CC_C_O' => 1,
- '_AM_SET_OPTION' => 1,
+ 'AC_PROG_LEX' => 1,
+ 'ANNOCHECK' => 1,
+ '_LT_PROG_CXX' => 1,
+ '_LT_AC_LANG_GCJ_CONFIG' => 1,
+ 'AC_CONFIG_MACRO_DIR' => 1,
+ 'AC_ENABLE_STATIC' => 1,
+ 'LT_SYS_DLOPEN_SELF' => 1,
+ 'AC_PREREQ' => 1,
+ 'AM_MISSING_HAS_RUN' => 1,
+ 'ACX_CHECK_CYGWIN_CAT_WORKS' => 1,
'_LT_PREPARE_SED_QUOTE_VARS' => 1,
- 'AC_LIBTOOL_PROG_COMPILER_PIC' => 1,
- 'AC_LIBTOOL_FC' => 1,
- 'GMP' => 1,
- '_m4_warn' => 1,
- 'GCC_TARGET_TOOL' => 1,
- 'ZW_CREATE_DEPDIR' => 1,
- 'ACX_NONCANONICAL_BUILD' => 1,
- '_LT_AC_LANG_CXX_CONFIG' => 1,
- '_GCC_TOPLEV_NONCANONICAL_TARGET' => 1,
- 'CLANG_PLUGIN' => 1,
- 'AC_LIBTOOL_DLOPEN' => 1,
- 'LTOPTIONS_VERSION' => 1,
+ 'm4_pattern_forbid' => 1,
+ 'ACX_LT_HOST_FLAGS' => 1,
+ 'AC_LIBTOOL_SYS_DYNAMIC_LINKER' => 1,
+ '_NCN_TOOL_PREFIXES' => 1,
+ 'AM_PROG_CC_C_O' => 1,
+ 'AM_PROG_LD' => 1,
+ 'AM_SET_CURRENT_AUTOMAKE_VERSION' => 1,
+ '_GCC_TOPLEV_NONCANONICAL_HOST' => 1,
'_LT_REQUIRED_DARWIN_CHECKS' => 1,
- 'AC_LTDL_ENABLE_INSTALL' => 1,
- '_LT_PROG_LTMAIN' => 1,
- 'AC_LIBTOOL_LANG_GCJ_CONFIG' => 1,
- 'LT_INIT' => 1,
- '_LT_CC_BASENAME' => 1,
- 'AM_INIT_AUTOMAKE' => 1,
- 'AC_LIBTOOL_PROG_COMPILER_NO_RTTI' => 1,
- 'ACX_TOOL_DIRS' => 1,
- 'DEBUGINFOD' => 1,
+ '_AM_SET_OPTION' => 1,
+ 'NCN_STRICT_CHECK_TOOLS' => 1,
+ 'CLANG_PLUGIN' => 1,
+ 'CXX_LIBTOOL_LINK_IFELSE' => 1,
+ 'AC_LIBTOOL_SETUP' => 1,
'AM_ENABLE_STATIC' => 1,
- 'LT_PROG_GCJ' => 1,
- 'AM_SUBST_NOTMAKE' => 1,
- 'ACX_NONCANONICAL_TARGET' => 1,
- 'AM_PROG_CC_C_O' => 1,
- 'AM_DEP_TRACK' => 1,
- '_LT_AC_CHECK_DLFCN' => 1,
- '_AM_SET_OPTIONS' => 1,
- 'AM_SANITY_CHECK' => 1,
- 'BUILD_DOCS' => 1,
- 'GCC_PLUGIN' => 1,
+ 'AM_PROG_INSTALL_SH' => 1,
+ 'AC_LIBTOOL_LINKER_OPTION' => 1,
+ '_LT_AC_FILE_LTDLL_C' => 1,
+ 'AC_LIBTOOL_PROG_CC_C_O' => 1,
+ 'ACX_CHECK_PROG_VER' => 1,
+ 'ACX_NONCANONICAL_HOST' => 1,
+ '_LT_AC_PROG_CXXCPP' => 1,
+ 'LTOBSOLETE_VERSION' => 1,
+ 'AC_PROG_LD' => 1,
'_LT_AC_TAGCONFIG' => 1,
- 'AM_DISABLE_SHARED' => 1,
- 'AC_ENABLE_SHARED' => 1,
- '_LT_AC_LANG_F77' => 1,
- 'LT_PATH_LD' => 1,
- 'AC_PROG_NM' => 1,
- '_GCC_TOPLEV_NONCANONICAL_BUILD' => 1,
- '_LT_PROG_CXX' => 1,
- 'AC_LIBTOOL_SETUP' => 1,
- 'AC_LIBTOOL_DLOPEN_SELF' => 1,
- 'LTVERSION_VERSION' => 1,
- '_AC_AM_CONFIG_HEADER_HOOK' => 1,
- 'AC_LTDL_OBJDIR' => 1,
- 'AM_MISSING_PROG' => 1,
- 'AC_LIBTOOL_PICMODE' => 1,
- '_LT_PROG_FC' => 1,
- 'AM_SET_LEADING_DOT' => 1,
- 'ACX_PKGVERSION' => 1,
- 'LT_LIB_M' => 1,
- 'AC_LIBTOOL_GCJ' => 1,
- '_GCC_AUTOCONF_VERSION_CHECK' => 1,
- 'AC_PATH_TOOL_PREFIX' => 1,
- '_AM_PROG_TAR' => 1,
+ '_AM_IF_OPTION' => 1,
+ 'LT_CMD_MAX_LEN' => 1,
'_LT_AC_LANG_GCJ' => 1,
- 'BUILD_ANNOCHECK' => 1,
- 'LT_PROG_RC' => 1,
- '_LT_AC_FILE_LTDLL_C' => 1,
- 'AC_LIBTOOL_RC' => 1,
- '_LT_COMPILER_BOILERPLATE' => 1,
- '_LT_DLL_DEF_P' => 1,
- 'LIBELF' => 1,
- 'LT_AC_PROG_SED' => 1,
- 'LT_OUTPUT' => 1,
- 'NCN_STRICT_CHECK_TARGET_TOOLS' => 1,
- 'LLVM_PLUGIN' => 1,
- '_LT_PROG_ECHO_BACKSLASH' => 1,
- 'AC_ENABLE_STATIC' => 1,
- 'AC_LIBTOOL_SYS_DYNAMIC_LINKER' => 1,
- '_LT_AC_LANG_C_CONFIG' => 1,
+ 'AC_DEFUN' => 1,
+ 'AC_LIBTOOL_GCJ' => 1,
'_LT_COMPILER_OPTION' => 1,
- '_LT_LINKER_OPTION' => 1,
- 'LT_LANG' => 1,
- 'AM_CONDITIONAL' => 1
+ 'AC_LIBTOOL_OBJDIR' => 1
}
], 'Autom4te::Request' ),
bless( [
'configure.ac'
],
{
- 'LT_CONFIG_LTDL_DIR' => 1,
+ 'AM_INIT_AUTOMAKE' => 1,
'AM_MAINTAINER_MODE' => 1,
- 'AM_CONDITIONAL' => 1,
- 'AC_CANONICAL_BUILD' => 1,
- 'AC_INIT' => 1,
- 'AM_POT_TOOLS' => 1,
- '_AM_COND_ENDIF' => 1,
'AM_PROG_MKDIR_P' => 1,
- 'AC_CONFIG_AUX_DIR' => 1,
+ 'AC_CONFIG_LIBOBJ_DIR' => 1,
+ '_m4_warn' => 1,
+ '_AM_MAKEFILE_INCLUDE' => 1,
+ 'AC_SUBST_TRACE' => 1,
+ 'AC_CONFIG_LINKS' => 1,
+ 'AC_CONFIG_SUBDIRS' => 1,
+ 'sinclude' => 1,
+ 'AC_PROG_LIBTOOL' => 1,
'AM_PROG_CC_C_O' => 1,
+ 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
+ 'AM_XGETTEXT_OPTION' => 1,
'AM_GNU_GETTEXT' => 1,
'AM_MAKEFILE_INCLUDE' => 1,
- 'm4_pattern_forbid' => 1,
- 'include' => 1,
+ 'AM_PROG_CXX_C_O' => 1,
'AC_CONFIG_FILES' => 1,
+ 'm4_include' => 1,
+ 'AC_SUBST' => 1,
'AH_OUTPUT' => 1,
- 'm4_sinclude' => 1,
- 'AC_FC_PP_SRCEXT' => 1,
+ 'AC_CANONICAL_SYSTEM' => 1,
'AM_SILENT_RULES' => 1,
- 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
- 'AC_CONFIG_HEADERS' => 1,
- 'AM_AUTOMAKE_VERSION' => 1,
+ 'AC_CANONICAL_HOST' => 1,
+ 'AM_ENABLE_MULTILIB' => 1,
+ 'm4_pattern_forbid' => 1,
+ 'AC_FC_PP_DEFINE' => 1,
+ 'AC_CANONICAL_TARGET' => 1,
+ 'AM_NLS' => 1,
+ 'AM_EXTRA_RECURSIVE_TARGETS' => 1,
+ 'LT_SUPPORTED_TAG' => 1,
'AM_PROG_FC_C_O' => 1,
- 'AC_CONFIG_SUBDIRS' => 1,
- 'AM_INIT_AUTOMAKE' => 1,
- 'AC_CANONICAL_SYSTEM' => 1,
+ 'AC_CONFIG_HEADERS' => 1,
+ 'AC_FC_FREEFORM' => 1,
+ 'AC_FC_SRCEXT' => 1,
+ 'm4_sinclude' => 1,
+ 'AM_PATH_GUILE' => 1,
'LT_INIT' => 1,
- 'AC_CANONICAL_TARGET' => 1,
'AM_PROG_F77_C_O' => 1,
- '_AM_SUBST_NOTMAKE' => 1,
- '_m4_warn' => 1,
- '_AM_MAKEFILE_INCLUDE' => 1,
- 'AM_XGETTEXT_OPTION' => 1,
- 'AC_SUBST_TRACE' => 1,
- 'AC_FC_PP_DEFINE' => 1,
- 'AM_PROG_CXX_C_O' => 1,
- 'AC_REQUIRE_AUX_FILE' => 1,
- 'AC_SUBST' => 1,
- 'sinclude' => 1,
- 'AM_PROG_AR' => 1,
- 'm4_include' => 1,
- 'AC_FC_FREEFORM' => 1,
+ 'AC_DEFINE_TRACE_LITERAL' => 1,
+ 'include' => 1,
'm4_pattern_allow' => 1,
+ 'AC_LIBSOURCE' => 1,
+ 'AC_CONFIG_AUX_DIR' => 1,
+ '_AM_COND_ENDIF' => 1,
+ 'AC_INIT' => 1,
+ 'AM_CONDITIONAL' => 1,
+ 'AM_POT_TOOLS' => 1,
+ 'AC_FC_PP_SRCEXT' => 1,
+ 'AC_CANONICAL_BUILD' => 1,
'_AM_COND_IF' => 1,
+ '_AM_COND_ELSE' => 1,
+ 'LT_CONFIG_LTDL_DIR' => 1,
+ 'AC_REQUIRE_AUX_FILE' => 1,
+ '_AM_SUBST_NOTMAKE' => 1,
+ 'AM_PROG_AR' => 1,
'_LT_AC_TAGCONFIG' => 1,
- 'AM_ENABLE_MULTILIB' => 1,
- 'AC_LIBSOURCE' => 1,
- 'AM_PATH_GUILE' => 1,
'AM_PROG_MOC' => 1,
- 'AC_CONFIG_LINKS' => 1,
- 'AM_NLS' => 1,
- 'AC_FC_SRCEXT' => 1,
- 'AC_CONFIG_LIBOBJ_DIR' => 1,
- 'AC_CANONICAL_HOST' => 1,
- '_AM_COND_ELSE' => 1,
- 'AC_DEFINE_TRACE_LITERAL' => 1,
- 'AC_PROG_LIBTOOL' => 1,
- 'LT_SUPPORTED_TAG' => 1,
- 'AM_EXTRA_RECURSIVE_TARGETS' => 1
+ 'AM_AUTOMAKE_VERSION' => 1
}
], 'Autom4te::Request' )
);
dir=`$CXX -print-file-name=plugin 2>/dev/null`
if test x"$dir" = xplugin; then
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([$CXX does not support plugins; reconfigure GCC with --enable-plugin])
- else
- AC_MSG_RESULT([yes])
+ dir=`$CXX -print-file-name=.`/plugin
fi
+ AC_MSG_RESULT([yes])
CPPFLAGS="$CPPFLAGS -I$dir/include"
dir=`$CXX -print-file-name=plugin 2>/dev/null`
if test x"$dir" = xplugin; then
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([$CXX does not support plugins; reconfigure GCC with --enable-plugin])
- else
- AC_MSG_RESULT([yes])
+ dir=`$CXX -print-file-name=.`/plugin
fi
+ AC_MSG_RESULT([yes])
CPPFLAGS="$CPPFLAGS -I$dir/include"
dir=`$CXX -print-file-name=plugin 2>/dev/null`
if test x"$dir" = xplugin; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "$CXX does not support plugins; reconfigure GCC with --enable-plugin" "$LINENO" 5
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ dir=`$CXX -print-file-name=.`/plugin
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
CPPFLAGS="$CPPFLAGS -I$dir/include"
and how you can use them to determine what security features were used
when a program was built.
- This manual is for 'annobin' (Annobin) version 9.0.
+ This manual is for 'annobin' (Annobin) version 10.0.
This document is distributed under the terms of the GNU Free
Documentation License version 1.3. A copy of the license is included in
Note - the plugin method is just one way of generating the
information. Any interested party can create and add information to the
-objhect file, providing that they follow the Watermark specification.
+object file, providing that they follow the Watermark specification.
The information can be extracted from files via the use of tools like
'readelf' and 'objdump'. The 'annobin' package itself includes a
If the build system being used does not automatically enable the
'annobin' plugin then it can be specifically added to the compiler
command line by adding the '-fplugin=annobin' (for gcc) or
-'-fplugin=annobin-for-clang' (for clang) or '-fpluin=annobin-for-llvm'
+'-fplugin=annobin-for-clang' (for clang) or '-fplugin=annobin-for-llvm'
(for LLVM) option. It may also be necessary to tell the compiler where
to find the plugin by adding the '-iplugindir=' option, although this
should only be necessary if the plugin is installed in an unusual place.
annocheck
[-help]
+ [-help-TOOL]
[-version]
[-verbose]
[-quiet]
[-debug-rpm=FILE]
[-dwarf-dir=DIR]
[-prefix=TEXT]
+ [-enable-TOOL]
+ [-disable-TOOL]
+ [-TOOL-OPTION]
FILE...
The 'annocheck' program can analyse binary files and report
* Menu:
-* Built-By:: Which tool(s) were used to build the file(s) ?
+* Built By:: Which tool(s) were used to build the file(s) ?
* Hardened:: Were the file(s) built with the correct security options ?
* Notes:: What annobin notes are inside the file(s) ?
-* Section-Size:: What is the cumulative size of specific sections in the file(s) ?
+* Size:: What is the cumulative size of specific sections in the file(s) ?
* Timing:: How long did the checks take ?
The 'annocheck' program is able to scan inside rpm files and
Look in DIR for separate dwarf debug information files.
'--help'
- Display this message & exit.
+ Displays the generic annobin usage information and then exits.
+
+'--help-TOOL'
+ Display the usage information for TOOL and then exits.
'--report-unknown'
'--ignore-unknown'
separated into different options). If enabled, unknown file types
are reported when they are encountered. This includes non-ELF
format files, block devices and so on. Directories are not
- considered to be unknown and are automatically decended.
+ considered to be unknown and are automatically descended.
The second effect is how symbolic links are handled. If reporting
is enabled then they are treated as unknown and reported. If
'--version'
Report the version of the tool and then exit.
+'--enable-TOOL'
+ Enable TOOL. Most tools are disabled by default and so need to be
+ enabled via this option before they will act.
+
+'--disable-TOOL'
+ Disable TOOL. Normally used to disable the hardening checker,
+ which is enabled by default.
+
+'--TOOL-OPTION'
+ Pass OPTION on to TOOL.
+
+ Any other command line options will be passed to the tools in turn in
+order to give them a chance to claim and process them.
+
\1f
-File: annobin.info, Node: Built-By, Next: Hardened, Up: Annocheck
+File: annobin.info, Node: Built By, Next: Hardened, Up: Annocheck
4.1 The builder checker.
========================
annocheck
- [-disable-hardened]
-enable-builtby
[-all]
[-tool=NAME]
not built by a particular compiler.
\1f
-File: annobin.info, Node: Hardened, Next: Notes, Prev: Built-By, Up: Annocheck
+File: annobin.info, Node: Hardened, Next: Notes, Prev: Built By, Up: Annocheck
4.2 The Hardened security checker.
==================================
annocheck
[-skip-all]
- [-skip-bind-now]
- [-skip-branch-protection]
- [-skip-cf-protection]
- [-skip-dynamic-segment]
- [-skip-dynamic-tags]
- [-skip-entry]
- [-skip-fortify]
- [-skip-future]
- [-skip-glibcxx-assertions]
- [-skip-gnu-relro]
- [-skip-gnu-stack]
- [-skip-lto]
- [-skip-optimization]
- [-skip-pic]
- [-skip-pie]
- [-skip-production]
- [-skip-property-note]
- [-skip-run-path]
- [-skip-rwx-seg]
- [-skip-short-enum]
- [-skip-stack-clash]
- [-skip-stack-prot]
- [-skip-stack-realign]
- [-skip-textrel]
- [-skip-threads]
- [-skip-warnings]
- [-skip-writeable-got]
- [-test-NAME]
+ [-skip-NAME]
[-test-all]
+ [-test-NAME]
[-test-future]
+ [-profile-el7]
[-profile-el9]
[-profile-rawhide]
[-ignore-gaps]
+ [-report-gaps]
[-fixed-format-messages]
[-disable-colour]
[-enable-colour]
[-enable-hardened]
[-full-filenames]
[-base-filenames]
+ [-no-urls]
+ [-provide-urls]
FILE...
- The HARDENED tool checks that the specified files were compiled with
+ The HARDENED tool checks that the specified files were built with
specific security hardening features enabled. The features that are
-tested can be specified via command line options, but the default is to
+tested can be controlled via command line options, but the default is to
test for all of them.
New tests can be added to the HARDENED checker by adding an entry in
the TESTS array defined in 'hardened.c' and then creating the necessary
-code to support the test.
+code to support the test. There is more information on this process in
+this blog:
+<https://developers.redhat.com/articles/2021/07/15/build-your-own-tool-search-code-sequences-binary-files>
- Currently HARDENED can run the following tests:
+ Currently the HARDENED tool can run the following tests. Each test
+listed here starts with a short section describing the reason for the
+test, a probable solution to fix the test, criteria for when the test
+can be ignored and some examples of the error messages that are produced
+by annocheck when the test goes wrong.
* Menu:
-* Test bind-now:: The bind-now test
-* Test gnu-stack:: The gnu-stack test
-* Test writeable-got:: The writeable-got test
-* Undocumented Tests:: FIXME: Docs needed
-* Waiving Annocheck Results:: How to ignore specific annocheck tests.
+* Test bind now:: The bind-now test
+* Test gnu stack:: The gnu-stack test
+* Test writable got:: The writable-got test
+* Test rwx seg:: The rwx-seg test
+* Test textrel:: The textrel test
+* Test run path:: The run-path test
+* Test cf protection:: The cf-protection test
+* Test optimization:: The optimization test
+* Test stack prot:: The stack-prot test
+* Test stack clash:: The stack-clash test
+* Test fortify:: The fortify test
+* Test notes:: The notes test
+* Test gnu relro:: The gnu relro test
+* Test pie:: The pie test
+* Test pic:: The pic test
+* Test dynamic segment:: The dynamic-segment test
+* Test dynamic tags:: The dynamic-tags test
+* Test not dynamic tags:: The not-dynamic-tags test
+* Test branch protection:: The branch-protection test
+* Test not branch protection:: The not-branch-protection test
+* Test short enums:: The short-enums test
+* Test stack realign:: The stack-realign test
+* Test production:: The production test
+* Test lto:: The lto test
+* Test property note:: The property note test
+* Test threads:: The threads test
+* Test glibcxx assertions:: The glibcxx-assertions test
+* Test entry:: The entry test
+* Test go revision:: The go revision test
+* Test only go:: The only go test
+* Test warnings:: The warnings test
+* Test instrumentation:: The instrumentation test
+
+ The HARDENED tool does support some command line options of its own
+as well.
+
+* Menu:
+
+* Hardened Command Line Options:: Command line options specific to the hardened tool
+* Waiving Hardened Results:: How to ignore specific hardening tests.
\1f
-File: annobin.info, Node: Test bind-now, Next: Test gnu-stack, Up: Hardened
+File: annobin.info, Node: Test bind now, Next: Test gnu stack, Up: Hardened
4.2.1 The bind-now test
-----------------------
- Summary: An attacker could intercept calls to shared library functions
- FAIL: "not linked with -Wl,-z,now"
- Fix By: Add -Wl,-z,now to final link
+ Problem: An attacker could intercept calls to shared library functions
+ Fix By: Add -Wl,-z,now to final link command line
Waive If: No shared libraries used
+ Example: FAIL: bind-now test because not linked with -Wl,-z,now
+
This test checks that lazy binding is not enabled in the binary.
Lazy binding can be used to delay resolving the links between an
application and any shared libraries that it uses:
The type of binding is selected via a linker command line option, and
on a compiler command line the secure version usually looks like
-'-Wl,-z,now'. The lazy binding option is '-Wl,-z,lazy' although somne
+'-Wl,-z,now'. The lazy binding option is '-Wl,-z,lazy' although some
linkers are configured to use lazy binding by default, in which case
just the absence of the '-Wl,-z,now' option is enough to trigger this
test.
'--skip-bind-now' option and re-enabled by the '--test-bind-now' option.
\1f
-File: annobin.info, Node: Test gnu-stack, Next: Test writeable-got, Prev: Test bind-now, Up: Hardened
+File: annobin.info, Node: Test gnu stack, Next: Test writable got, Prev: Test bind now, Up: Hardened
4.2.2 The gnu-stack test
------------------------
- Summary: An attacker could place code on the stack and then run it
- FAIL: "the .stack section has incorrect permissions"
- FAIL: ".note.GNU-stack section has execute permission"
- FAIL: "the GNU stack segment has execute permission"
- FAIL: "the GNU stack segment does not have both read & write permissions"
- FAIL: "no .note.GNU-stack section found"
- MAYBE: "multiple stack sections detected"
- Fix By: Updating assembler sources and/or linker script
- Waive If: The application really really needs to be able to dynamically create and execute code
+ Problem: An attacker could place code on the stack and then run it
+ Fix By: Updating compiler, assembler sources and/or linker scripts
+ Waive If: The application *really* needs to be able to dynamically create and execute code
+
+ Example: FAIL: gnu-stack test because the .stack section has incorrect permissions
+ Example: FAIL: gnu-stack test because the .note.GNU-stack section has execute permission
+ Example: FAIL: gnu-stack test because the GNU stack segment has execute permission
+ Example: FAIL: gnu-stack test because the GNU stack segment does not have both read & write permissions
+ Example: FAIL: gnu-stack test because no .note.GNU-stack section found
+ Example: MAYB: gnu-stack test because multiple stack sections detected
This test checks that it is not possible to place code onto the stack
and then execute it. Normally the stack just holds data and addresses,
Most applications will have a section inserted into them by the
compiler called .NOTE.GNU-STACK. The section has no contents, but the
-read, write, and execute attribues of the section reflect the needs of
+read, write, and execute attributes of the section reflect the needs of
the application's stack.
- Ordinary compiled code sholuld never see this problem, but the test
-failure can be triggered by programs built from assembler sources or
-linked with a custom made linker map. To fix the problem either the
-linker map needs to be updated to ensure that the stack section is not
-executable or the assembler sources need to be extended to a note that
-the stack is not executable:
+ Ordinary compiled code should never see this problem, but the test
+failure can be triggered by programs built with an old compiler which
+does not support the .NOTE-GNU-STACK section, or if the program contains
+some assembler source files or linked with a custom made linker map.
+
+ To fix the problem either the compiler needs to be upgraded or the
+linker map needs to be updated or the assembler sources need to be
+extended to add the .NOTE-GNU-STACK section by adding code like this:
.section .note.GNU-stack,"",%progbits
option and re-enabled via the '--test-gnu-stack' option.
\1f
-File: annobin.info, Node: Test writeable-got, Next: Undocumented Tests, Prev: Test gnu-stack, Up: Hardened
+File: annobin.info, Node: Test writable got, Next: Test rwx seg, Prev: Test gnu stack, Up: Hardened
-4.2.3 The writeable-got test
-----------------------------
+4.2.3 The writable-got test
+---------------------------
- Summary: An attacker could intercept and redirect shared library function calls
- FAIL: "the GOT/PLT relocs are writeable"
+ Problem: An attacker could intercept and redirect shared library function calls
Fix By: Link with -Wl,--secure-plt
Waive If: No shared libraries are used
+ Example: FAIL: writable-got test because the GOT/PLT relocs are writable
+
This test checks that the instructions to set up the GOT and PLT
tables in a dynamic executable cannot be altered by an outside source.
Dynamic executables use two tables to help them connect to shared
libraries. These tables - the GOT and the PLT - are set up when the
program runs, based upon instructions held in special sections in the
-file. If these sections are writeable then an attacker could change
+file. If these sections are writable then an attacker could change
their contents and thus cause the program to call the wrong functions in
the shared libraries.
Under normal circumstances this test should never fail. If it does
-then something unusal is going on. One possible cure is to add the
+then something unusual is going on. One possible cure is to add the
'-Wl,--secure-plt' option to the final link command line.
- If necessary the test can be disabled via the '--skip-writeable-got'
-option and re-enabled via the '--test-writeable-got' option.
+ If necessary the test can be disabled via the '--skip-writable-got'
+option and re-enabled via the '--test-writable-got' option.
+
+\1f
+File: annobin.info, Node: Test rwx seg, Next: Test textrel, Prev: Test writable got, Up: Hardened
+
+4.2.4 The rwx-seg test
+----------------------
+
+ Problem: An attacker could add their own code to an executable
+ Fix By: Changing the linker script used to create the binary
+ Waive If: Don't.
+
+ Example: FAIL: rwx-seg test because segment has Read, Write and eXecute flags set
+
+ This test checks that the file does not have any segments that have
+all three of the READ, WRITE and EXECUTE permissions. Code segments
+should have read and execute permissions, but they should not be
+writable as otherwise an attacker can overwrite the code. Data segments
+should have read permission, and possibly write permission as well, but
+never execute permission as otherwise an attacker might be able to
+create their own code in a data area.
+
+ The linker will normally never create a binary file with a segment
+with all three permissions, but it is possible to force it to do so by
+using a custom linker script. If this flaw is detected then whatever
+linker script is being used should be corrected to remove the problem.
+
+ If necessary the test can be disabled via the '--skip-rwx-seg' option
+and re-enabled via the '--test-rwx-seg' option.
+
+\1f
+File: annobin.info, Node: Test textrel, Next: Test run path, Prev: Test rwx seg, Up: Hardened
+
+4.2.5 The textrel test
+----------------------
+
+ Problem: An attacker could change the code in an executable
+ Fix By: Compiling with -fPIC enabled
+ Waive If: The code _must_ be static
+
+ Example: FAIL: textrel test because the DT_TEXTREL tag was detected
+
+ This test checks to make sure that a binary file does not contain any
+relocations that alter the contents of a code section. Relocations are
+special instructions that the program loader uses to alter pieces of a
+application when it starts up. Normally these relocations are
+restricted to altering the application's data, but if any of them alter
+its code then an attacker might be able to exploit this to change the
+program.
+
+ This problem usually only arises when a binary is built to execute at
+a fixed address. Such binaries need text relocations to help them run
+at the address chosen. The safest solution therefore is to compile the
+binary to be position independent by using the '-fPIC' or '-fPIE'
+compiler command line options.
+
+ If necessary the test can be disabled via the '--skip-textrel' option
+and re-enabled via the '--test-textrel' option.
+
+\1f
+File: annobin.info, Node: Test run path, Next: Test cf protection, Prev: Test textrel, Up: Hardened
+
+4.2.6 The run-path test
+-----------------------
+
+ Problem: An attacker could cause an application to use a corrupted shared library
+ Fix By: Compiling with -Wl,--enable-new-dtags or moving the shared libraries needed to a proper location
+ Waive If: The application uses shared libraries held in non-standard locations
+ Waive If: The linker does not support --enable-new-dtags
+
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag is corrupt
+ Example: MAYB: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag exists but is empty
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag contains a path that does not start with /usr
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag has a path that contains '..'
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag has $ORIGIN after a non-$ORIGIN path
+ Example: MAYB: run-path test because the RPATH dynamic tag is deprecated. Link with --enable-new-dtags to use RUNPATH instead
+
+ An application that uses shared libraries contains information on how
+to locate those libraries. This information is a list of directories
+which should be searched for the libraries. The test checks that the
+list is secure.
+
+ The test actually covers several different aspects, such as all
+directory paths must be absolute, start with /USR and must not contain
+... If any of these rules are broken then an attacker might be able to
+exploit the search paths to force the application to load their own,
+corrupted version of a shared library.
+
+ Normally this test will only be triggered if an application is linked
+by an old linker which does not support the generation of the new format
+DT_RUNPATH search paths. Or if it is linked against shared libraries
+which do not reside in standard locations. Fixing the test depends upon
+whether these issues can be solved.
+
+ If necessary the test can be disabled via the '--skip-run-path'
+option and re-enabled via the '--test-run-path' option.
+
+\1f
+File: annobin.info, Node: Test cf protection, Next: Test optimization, Prev: Test run path, Up: Hardened
+
+4.2.7 The cf-protection test
+----------------------------
+
+ Problem: An attacker could compromise an unprotected binary
+ Fix By: Compiling with -fcf-protection=full
+ Waive If: The application will not run on the latest Intel hardware
+ Waive If: The application is built by a compiler that does not support CET
+
+ Example: FAIL: cf-protection test because only branch protection enabled
+ Example: FAIL: cf-protection test because only return protection enabled
+ Example: FAIL: cf-protection test because no protection enabled
+ Example: FAIL: cf-protection test because insufficient Control Flow sanitization
+ Example: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
+ Example: FAIL: cf-protection test because CET enabling note missing
+ Example: FAIL: cf-protection test because control flow protection is not enabled
+
+ Intel have introduced a new security feature called CET to their
+Tiger Lake and newer cores:
+
+ <https://newsroom.intel.com/editorials/intel-cet-answers-call-protect-common-malware-threats/#gs.avhl8k>
+
+ This test checks to see that this feature is enabled. Normally this
+is done by compiling the code with the '-fcf-protection=full' command
+line option enabled. But if an application contains assembler code, or
+it is linked against a library that has not been built with the
+protection enabled, or it is built by a compiler that does not support
+CET then this test can fail.
+
+ The feature has to be enabled in the compiler as it involves
+inserting new instructions into the compiled code. The feature is also
+an all-or-nothing type proposition for any process. Either all of the
+code in the process must have been built to support CET - in which case
+the feature can be enabled - or if even a single component does not
+support CET then it must be disabled for the entire process.
+
+ In order to enforce this the compiler inserts a special note into
+compiled object files (the .note.gnu.property section referred to
+above). This note actually contains more information about the binary
+than just the presence (or absence) of CET support. It also includes
+details of the minimum x86 architecture revision needed and so on.
+
+ Then when the object files are linked together to create the
+executable the linker checks all of these notes, and if any object file
+or library is missing a note then it does not create a note in the
+output executable. Or if all of the object files (and libraries of
+course) do have notes, but one or more of them do not have the
+CET-is-enabled flag, then it copies the notes into the executable, but
+always clears the CET-is-enabled flag.
+
+ Finally when a program is executed the run-time loader checks this
+note and if the CET-is-enabled flag is present then it enables the CET
+feature in the hardware.
+
+ Fixing this check either means enabling the '-fcf-protection=full'
+(for gcc) or the '-fcf-protection-branch' and '-fcf-protection-return'
+options (for Clang).
+
+ If an assembler source file is used as part of an application then it
+too needs to be updated. Any location in the assembler where a branch
+or function call can land must now have an ENDBR64 instruction as the
+first instruction executed. In addition the assembler needs a note to
+indicate that it supports CET. This note can be added via including this
+code snippet in the sources:
+
+ .section .note.gnu.property,"a"
+ .align 8
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+ 0:
+ .string "GNU"
+ 1:
+ .align 8
+ .long 0xc0000002
+ .long 3f - 2f
+ 2:
+ .long 0x3
+ 3:
+ .align 8
+ 4:
+
+ If necessary the test can be disabled via the '--skip-cf-protection'
+option and re-enabled via the '--test-cf-protection' option.
+
+\1f
+File: annobin.info, Node: Test optimization, Next: Test stack prot, Prev: Test cf protection, Up: Hardened
+
+4.2.8 The optimization test
+---------------------------
+
+ Problem: Insufficient optimization prevents security features from working
+ Fix By: Compiling with -O2
+ Waive If: The application does not use string/memory functions
+
+ Example: FAIL: optimization test because optimization level too low
+ Example: FAIL: optimization test because level too low
+ Example: MAYB: optimization test because no valid notes found regarding this test
+
+ This test checks that the application was compiled with sufficient
+optimization enabled.
+
+ The C library security hardening features enabled via the
+'-D_FORTIFY_SOURCE=2' or '-D_FORTIFY_SOURCE=3' preprocessor command line
+options will only work properly if the compiler is run at an
+optimization level of at least '-O2'. Hence this test checks to make
+sure that this level (or higher) has been used.
+
+ Normally the only reason for not using '-O2' or higher is because the
+application is space sensitive and needs to be compiled with '-Os' or
+the compilation process is so time intensive that using '-O0' is the
+only way to obtain reasonable build times.
+
+ If necessary the test can be disabled via the '--skip-optimization'
+option and re-enabled via the '--test-optimization' option.
+
+\1f
+File: annobin.info, Node: Test stack prot, Next: Test stack clash, Prev: Test optimization, Up: Hardened
+
+4.2.9 The stack-prot test
+-------------------------
+
+ Problem: Attackers exploiting stack overrun bugs can gain control of an application
+ Fix By: Compiling with -fstack-protector-strong
+ Waive If: Don't
+
+ Example: FAIL: stack-prot test because insufficient protection enabled
+ Example: FAIL: stack-prot test because stack protection deliberately disabled
+ Example: FAIL: stack-prot test because only some functions protected
+ Example: FAIL: stack-prot test because insufficient Stack Safe sanitization
+
+ This test checks that the application has been compiled with stack
+protection enabled. For gcc this means using the
+'-fstack-protector-strong' option and for Clang the
+'-fsanitize=safe-stack' option. The gcc option does have some levels of
+protection other than STRONG, but STRONG is the only one that provides
+full protection.
+
+ The stack protection feature adds checks to compiled code that
+attempt to detect buffer overflows for local buffers. These are often a
+source of vulnerability that can be exploited by an attacker.
+
+ If necessary the test can be disabled via the '--skip-stack-prot'
+option and re-enabled via the '--test-stack-prot' option.
+
+\1f
+File: annobin.info, Node: Test stack clash, Next: Test fortify, Prev: Test stack prot, Up: Hardened
+
+4.2.10 The stack-clash test
+---------------------------
+
+ Problem: Attackers exploiting stack overrun bugs can gain control of an application
+ Fix By: Compiling with -fstack-clash-protection
+ Waive If: Don't
+
+ Example: FAIL: stack-clash test because -fstack-clash-protection not enabled
+
+ This test checks that the application has been compiled with stack
+clash protection enabled. If this feature is not enabled then an
+attacker could trick the application into overlapping its heap and
+stack, allowing them to alter both.
+
+ For a full explanation of this topic see these blogs:
+
+ <https://developers.redhat.com/blog/2017/09/25/stack-clash-mitigation-gcc-background>
+
+ <https://developers.redhat.com/blog/2019/04/30/stack-clash-mitigation-in-gcc-why-fstack-check-is-not-the-answer>
+
+ <https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3>
+
+ If necessary the test can be disabled via the '--skip-stack-clash'
+option and re-enabled via the '--test-stack-clash' option.
+
+\1f
+File: annobin.info, Node: Test fortify, Next: Test notes, Prev: Test stack clash, Up: Hardened
+
+4.2.11 The fortify test
+-----------------------
+
+ Problem: Buffer overruns in string/memory library functions can be exploited by an attacker
+ Fix By: Compiling with -D_FORTIFY_SOURCE=2
+ Waive If: The application does not use C library string/memory functions
+
+ Example: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line
+ Example: FAIL: fortify test because -O level is too low
+
+ This test checks that the application was compiled with either
+'-D_FORTIFY_SOURCE=2' or '-D_FORTIFY_SOURCE=3' specified on the compiler
+command line. Since these options need good optimization in order to
+work properly the test also checks that '-O2' or higher was used.
+
+ The '_FORTIFY_SOURCE' define enables the use of secure version of
+certain string and memory C library functions. For full details of what
+it does, see this blog:
+<https://access.redhat.com/blogs/766093/posts/1976213>
+
+ Any program that uses the string or memory functions in the GLIBC
+library should have this define present on the compiler command line.
+Programs that do not use these functions do not need the define, but it
+will not hurt to have it present anyway.
+
+ If necessary the test can be disabled via the '--skip-fortify' option
+and re-enabled via the '--test-fortify' option.
+
+\1f
+File: annobin.info, Node: Test notes, Next: Test gnu relro, Prev: Test fortify, Up: Hardened
+
+4.2.12 The notes test
+---------------------
+
+ Problem: Lack of annobin notes in a binary means that other tests will not work properly
+ Fix By: Compiling with -fplugin=annobin
+ Waive If: The annobin plugin is not available
+
+ Example: FAIL: notes test because gaps were detected in the annobin coverage
+ Example: MAYB: notes test because not all of the .text section is covered by notes
+ Example: FAIL: notes test because annobin notes were not found
+
+ Example: MAYB: lto test because no indication that LTO was used
+ Example: MAYB: stack-clash test because no notes found regarding this test
+ Example: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected)
+ Example: FAIL: warnings test because no indication that the necessary option was used (and a C compiler was detected)
+ Example: FAIL: stack-realign test because stack realign support is mandatory
+ Example: FAIL: branch-protection test because the -mbranch-protection option was not used
+
+ This test checks that there are annobin notes covering all of the
+file. Annobin notes are generated by the compiler and describe the
+security features that have been enabled. The notes contain range
+information, so that it is possible to determine if all of an
+application has been covered by the notes, or if there are parts that
+are missing notes.
+
+ If annobin notes are missing from a file then some of the other
+checks run by the HARDENED checker will not work, which can trigger FAIL
+or MAYB results for those tests.
+
+ Annobin notes are normally produced by a compiler plugin which can be
+enabled via the '-fplugin=annobin' option for gcc or Clang, and the
+'-fpass-plugin=annobin' option for LLVM. (Note for pre version-13 of
+LLVM the '-Xclang -load -Xclang annobin' option should be used instead).
+
+ Annobin notes can be generated for assembler sources by using the
+'-Wa,--generate-missing-build-notes=yes' option.
+
+ If necessary the test can be disabled via the '--skip-notes' and
+'--ignore-gaps' options and re-enabled via the '--test-notes' and
+'--report-gaps' options.
+
+\1f
+File: annobin.info, Node: Test gnu relro, Next: Test pie, Prev: Test notes, Up: Hardened
+
+4.2.13 The gnu-relro test
+-------------------------
+
+ Problem: An attacker could alter how an applications interacts with shared libraries
+ Fix By: Link with -Wl,-z,relro,-z,now
+ Waive If: The application runs in an space/time constrained environment
+
+ Example: FAIL: gnu relro test because not linked with -Wl,-z,relro
+
+ Some parts of an executable need to be modified when it starts, so
+that it can access any shared libraries that it uses. This process is
+called relocation, and once it is finished the altered code/data should
+not be modified again. The GNU RELRO test checks that write permission
+can be removed once the relocations have finished.
+
+ Enabling GNU RELRO increases the executable size on disk and in
+memory, and depending upon the application it can also cause a slow
+start time. It does not cause any significant execution time penalty,
+and using pre-linking can eliminate the startup penalty.
+
+ For programs that do not need to be reloaded often, such as daemons
+and servers, and on systems where disk and memory are relatively
+abundant such as desktops and servers, the overhead of GNU RELRO is very
+insignificant and highly recommended. For programs that need to be
+reloaded often, the execution penalty of GNU RELRO can be eliminated by
+using prelinking. For embedded systems where space is scarce, GNU RELRO
+is not recommended due to its space overhead.
+
+ To turn on GNU RELRO compile with the gcc '-Wl,-z,relro,-z,now'
+option.
+
+ If necessary the test can be disabled via the '--skip-gnu-relro'
+option and re-enabled via the '--test-gnu-relro' option.
+
+\1f
+File: annobin.info, Node: Test pie, Next: Test pic, Prev: Test gnu relro, Up: Hardened
+
+4.2.14 The pie test
+-------------------
+
+ Problem: Static binaries are more vulnerable to attacks
+ Fix By: Link with -Wl,-pie
+ Waive If: Don't
+
+ Example: FAIL: pie test because not built with '-Wl,-pie' (gcc/clang) or '-buildmode pie' (go)
+
+ Programs can be compiled to either load at a fixed address in memory
+(STATIC programs) or at a random address assigned at startup time
+(DYNAMIC programs). Static programs are more vulnerable to exploits
+because an attacker will know exactly where every part of the program is
+located. Thus building dynamic executables is recommended.
+
+ This test checks that the appropriate linker option ('-pie') has been
+used to generate dynamic executables. The option is only needed for
+linking executables, not shared libraries.
+
+ Note - this check is related to the *note Test pic:: test. This test
+checks that the correct linker option has been used. That test checks
+that the correct compile time option has been used.
+
+ If necessary the test can be disabled via the '--skip-pie' option and
+re-enabled via the '--test-pie' option.
+
+\1f
+File: annobin.info, Node: Test pic, Next: Test dynamic segment, Prev: Test pie, Up: Hardened
+
+4.2.15 The pic test
+-------------------
+
+ Problem: Static binaries are more vulnerable to attacks
+ Fix By: Compile with -fPIC or -fPIE
+ Waive If: Don't.
+
+ Example: FAIL: pic test because -fpic/-fpie not enabled
+
+ Programs can be compiled to either load at a fixed address in memory
+(STATIC programs) or at a random address assigned at startup time
+(DYNAMIC programs). Static programs are more vulnerable to exploits
+because an attacker will know exactly where every part of the program is
+located. Thus building dynamic executables is recommended.
+
+ This test checks that the appropriate compiler option has been used
+to generate dynamic code. For shared libraries this is the '-fPIE'
+option should be used. For dynamic executables the '-fPIC' option
+should be used. Note - there are lower case alternatives of these
+options (ie '-fpie' and '-fpic') which can also be used. The difference
+between the lower case and upper case versions is architecture
+dependent, but usually the lower case version will only work with
+smaller programs, wheres the upper case version works for all program
+sizes.
+
+ Note - this check is related to the *note Test pie:: test. This test
+checks that the correct compile time option has been used. That test
+checks that the correct link time option has been used.
+
+ If necessary the test can be disabled via the '--skip-pic' option and
+re-enabled via the '--test-pic' option.
+
+\1f
+File: annobin.info, Node: Test dynamic segment, Next: Test dynamic tags, Prev: Test pic, Up: Hardened
+
+4.2.16 The dynamic-segment test
+-------------------------------
+
+ Problem: Programs with more than one dynamic section will not be loaded properly
+ Fix By: Fix assembler source code and/or linker script
+ Waive If: Don't.
+
+ Example: FAIL: dynamic segment test because multiple dynamic sections detected
+
+ Dynamic executables must have a dynamic section which contains
+information that is used by the loader at program startup. The loader
+however only expects there to be one dynamic section in a program, and
+it does not cope it there are more than one. Normally this is not an
+issue however as the linker will ensure that there is only one dynamic
+section. It is possible however to use a custom linker script to create
+more than one dynamic section, or to write some assembler code
+specifically designed to create multiple dynamic sections.
+
+ If necessary the test can be disabled via the
+'--skip-dynamic-segment' option and re-enabled via the
+'--test-dynamic-segment' option.
+
+\1f
+File: annobin.info, Node: Test dynamic tags, Next: Test not dynamic tags, Prev: Test dynamic segment, Up: Hardened
+
+4.2.17 The dynamic-tags test
+----------------------------
+
+ Problem: Unprotected AArch64 binaries are vulnerable to ROP/JOP style attacks
+ Fix By: Compile with -mbranch-protection=standard
+ Waive If: Not running on AArch64
+ Waive If: The application will not run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: dynamic tags test because BTI_PLT and PAC_PLT flags missing from the dynamic tags
+ Example: FAIL: dynamic tags test because BTI_PLT flag is missing from the dynamic tags
+ Example: FAIL: dynamic tags test because PAC_PLT flag is missing from the dynamic tags
+ Example: FAIL: dynamic tags test because no dynamic tags found
+
+ AArch64 processors are vulnerable to a class of attack known as ROP
+and JOP style attacks. Preventing this kind of exploit requires
+assistance from the hardware itself, in the form of new instructions
+that need to be inserted by the compiler, and new bits in the core's
+status that need to be set.
+
+ This test checks to see if executable binaries have been marked as
+supporting the necessary security features to prevent this kind of
+attack. If they are marked then the runtime loader can enable the
+features in the processor core. This marking is done by setting flags
+in the tags found in the dynamic section of the executable. If the
+flags are missing then the executable is considered to be unprotected.
+
+ The security features are enabled by compiling with the
+'-mbranch-protection=standard' gcc command line option.
+
+ Note - these security features are only found on newer versions of
+the AArch64 architecture, and they need a compiler and a loader that
+will support them. Currently this means Fedora 35 or later, but not
+RHEL.
+
+ Note - this test is the inverse of the *note Test not dynamic tags::
+test and directly related to the *note Test branch protection:: test.
+
+ Note - this test is automatically enabled if the '--profile-rawhide'
+options are used.
+
+ If necessary the test can be disabled via the '--skip-dynamic-tags'
+option and re-enabled via the '--test-dynamic-tags' option.
+
+\1f
+File: annobin.info, Node: Test not dynamic tags, Next: Test branch protection, Prev: Test dynamic tags, Up: Hardened
+
+4.2.18 The not-dynamic-tags test
+--------------------------------
+
+ Problem: Protecting AArch64 binaries needs newer versions of AArch64 cores
+ Fix By: Compile with -mbranch-protection=off
+ Waive If: Not running on AArch64
+ Waive If: The application will run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: not dynamic tags test because BTI_PLT and PAC_PLT flags are present in the dynamic tags
+ Example: FAIL: not dynamic tags test because BTI_PLT flag is present in the dynamic tags
+ Example: FAIL: not dynamic tags test because PAC_PLT flag is present in the dynamic tags
+
+ Note - this test is the inverse of the *note Test dynamic tags:: test
+and directly related to the *note Test not branch protection:: test.
+
+ This test checks to see if executable AArch64 binaries have been
+marked as supporting the BTI and PAC security features. Such features
+require the support of the run-time loader in order to work, and this
+test is intended for environments where this support is missing. (Such
+as RHEL or pre version-35 Fedora).
+
+ The security features can be disabled by compiling with the
+'-mbranch-protection=none' gcc command line option.
+
+ Note - this test is automatically enabled if the '--profile-el7' or
+'--profile-el9' options are used.
+
+ If necessary the test can be disabled via the
+'--skip-not-dynamic-tags' option and re-enabled via the
+'--test-not-dynamic-tags' option.
+
+\1f
+File: annobin.info, Node: Test branch protection, Next: Test not branch protection, Prev: Test not dynamic tags, Up: Hardened
+
+4.2.19 The branch-protection test
+---------------------------------
+
+ Problem: Unprotected AArch64 binaries are vulnerable to ROP/JOP style attacks
+ Fix By: Compile with -mbranch-protection=standard
+ Waive If: Not running on AArch64
+ Waive If: The application will not run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: branch protection test because not enabled
+ Example: FAIL: branch protection test because only partially enabled
+ Example: FAIL: branch protection test because .note.gnu.property section not found (it is needed for branch protection support)
+ Example: FAIL: branch protection test because the -mbranch-protection option was not used
+
+ AArch64 processors are vulnerable to a class of attack known as ROP
+and JOP style attacks. Preventing this kind of exploit requires
+assistance from the hardware itself, in the form of new instructions
+that need to be inserted by the compiler, and new bits in the core's
+status that need to be set.
+
+ This test checks to see if the compile time option to enable the
+security feature was used. There are four levels of security available,
+ranging from none through partial (some functions are protected others
+are not) to full. The test checks that full security has been enabled.
+
+ The security feature is enabled by compiling with the
+'-mbranch-protection=standard' gcc command line option.
+
+ Note - these security features are only found on newer versions of
+the AArch64 architecture, and they need a compiler and a loader that
+will support them. Currently this means Fedora 35 or later, but not
+RHEL.
+
+ Note - this test is the inverse of the *note Test not branch
+protection:: test and directly related to the *note Test dynamic tags::
+test.
+
+ Note - this test is automatically enabled if the '--profile-rawhide'
+options are used.
+
+ If necessary the test can be disabled via the
+'--skip-branch-protection' option and re-enabled via the
+'--test-branch-protection' option.
+
+\1f
+File: annobin.info, Node: Test not branch protection, Next: Test short enums, Prev: Test branch protection, Up: Hardened
+
+4.2.20 The not-branch-protection test
+-------------------------------------
+
+ Problem: Protecting AArch64 binaries needs newer versions of AArch64 cores
+ Fix By: Compile with -mbranch-protection=none
+ Waive If: Not running on AArch64
+ Waive If: The application will run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: not branch protection test because protection enabled
+ Example: FAIL: not branch protection test because only partially disabled
+
+ Note - this test is the inverse of the *note Test branch protection::
+test and directly related to the *note Test not dynamic tags:: test.
+
+ This test checks to see if the compile time option to enable the
+AArch64 branch protection security feature was used. This feature is
+only supported on newer versions of AArch64 core, and will not work on
+older cores. Hence this test checks to make sure that the option was
+not used, or was used but was set to disable the feature.
+
+ The security features can be disabled by compiling with the
+'-mbranch-protection=none' gcc command line option.
+
+ Note - this test is automatically enabled if the '--profile-el7' or
+'--profile-el9' options are used.
+
+ If necessary the test can be disabled via the
+'--skip-not-branch-protection' option and re-enabled via the
+'--test-not-branch-protection' option.
+
+\1f
+File: annobin.info, Node: Test short enums, Next: Test stack realign, Prev: Test not branch protection, Up: Hardened
+
+4.2.21 The short-enums test
+---------------------------
+
+ Problem: Compiler options can change the size of enums
+ Fix By: Compile with consistent use of the -fshort-enum option
+ Waive If: Enums are not passed between different compilation units
+
+ Example: FAIL: short-enum test because both short and long enums supported
+
+ The '-fshort-enums' gcc compiler option can be used to reduce code
+size by storing enums in a SHORT instead of an INT. But if the code
+passes enums between functions compiled in different files then the
+'-fshort-enums' option must be used consistently or there could be
+problems.
+
+ This test checks that either all files in an application were
+compiled with the '-fshort-enums' option, or that the option was never
+used.
+
+ If necessary the test can be disabled via the '--skip-short-enums'
+option and re-enabled via the '--test-short-enums' option.
+
+\1f
+File: annobin.info, Node: Test stack realign, Next: Test production, Prev: Test short enums, Up: Hardened
+
+4.2.22 The stack-realign test
+-----------------------------
+
+ Problem: Legacy x86 code is incompatible with SSE instructions
+ Fix By: Compile with -mstackrealign
+ Waive If: The application is not going run in a 32-bit x86 environment
+ Waive If: The application will not use SSE (or later) instructions
+
+ Example: FAIL: stack-realign test because -mstack-realign not enabled
+ Example: FAIL: stack-realign test because stack realign support is mandatory
+
+ On the Intel 32-bit x86 architecture most instructions work with
+4-byte aligned addresses. The SSE extension (and later) however need
+16-byte aligned addresses. This causes problems for data that is held
+on the stack, if the stack pointer is not aligned to a 16-byte address.
+The '-mstackrealign' gcc command line option tells the compiler to
+generate extra code at function entry which ensures that 16-byte
+alignment is maintained.
+
+ This test checks to make sure that this option has been used when
+compiling x86 binaries.
+
+ If necessary the test can be disabled via the '--skip-stack-realign'
+option and re-enabled via the '--test-stack-realign' option.
+
+\1f
+File: annobin.info, Node: Test production, Next: Test lto, Prev: Test stack realign, Up: Hardened
+
+4.2.23 The production test
+--------------------------
+
+ Problem: Shipping code generated by an experimental compiler is bad
+ Fix By: Compile with a production ready compiler
+ Waive If: The code is never going to be shipped
+
+ Example: FAIL: production test because a production-ready compiler was not used to build the binary
+
+ This test checks to make sure that the binary was not produced by an
+experimental compiler. Experimental compilers can be detected by
+examining their version information, which will include the string
+NOT_FOR_PRODUCTION.
+
+ If necessary the test can be disabled via the '--skip-production'
+option and re-enabled via the '--test-production' option.
+
+\1f
+File: annobin.info, Node: Test lto, Next: Test property note, Prev: Test production, Up: Hardened
+
+4.2.24 The lto test
+-------------------
+
+ Problem: Mixed use of LTO and non-LTO binaries indicates a problem with the build system
+ Fix By: Using -flto consistently
+ Waive If: LTO building is not wanted
+
+ Example: FAIL: lto test because compiled with both -flto and -fno-lto
+
+ This test checks to see if the '-flto' compiler command line option
+was used. Whilst this option can produce better code, its use is not
+essential, hence this test currently only checks to see if both the
+'-flto' and the '-fno-lto' options were used together.
+
+ If necessary the test can be disabled via the '--skip-lto' option and
+re-enabled via the '--test-lto' option.
+
+\1f
+File: annobin.info, Node: Test property note, Next: Test threads, Prev: Test lto, Up: Hardened
+
+4.2.25 The property-note test
+-----------------------------
+
+ Problem: Badly formed or missing GNU property notes can compromise an application at runtime
+ Fix By: Investigate and fix the creation of the notes
+ Waive If: Using old tools that do not generate the notes
+
+ Example: FAIL: property-note test because there is more than one GNU Property note
+ Example: FAIL: property-note test because the property note does not have expected name
+ Example: FAIL: property-note test because the property note data has the wrong size
+ Example: FAIL: property-note test because the note section is present but empty
+ Example: FAIL: property-note test because the property note data has an invalid size
+ Example: FAIL: property-note test because the IBT property is not enabled
+ Example: FAIL: property-note test because the SHSTK property is not enabled
+ Example: FAIL: property-note test because unexpected property note type
+ Example: FAIL: property-note test because the BTI property is not enabled
+ Example: FAIL: property-note test because the GNU Property note segment not 8 byte aligned
+ Example: FAIL: property-note test because there is more than one GNU Property note in the note segment
+ Example: FAIL: property-note test because .note.gnu.property section not found (it is needed for branch protection support
+ Example: FAIL: property-note test because no .note.gnu.property section = no control flow information
+ Example: FAIL: property-note test because control flow protection is not enabled
+
+ GNU property notes are special markers in binary files that provide
+information about the program to the runtime loader. This information
+is architecture specific and it often includes details about any
+security features that were enabled when the program was compiled.
+
+ This test checks that the property note is present - if needed for
+the particular architcture - and that it is properly formatted.
+
+ Problems with property notes are usually related to other security
+options being missing, or the use of assembler source files which do not
+contain their own instructions for creating property notes.
+
+ If necessary the test can be disabled via the '--skip-property-note'
+option and re-enabled via the '--test-property-note' option.
+
+\1f
+File: annobin.info, Node: Test threads, Next: Test glibcxx assertions, Prev: Test property note, Up: Hardened
+
+4.2.26 The threads test
+-----------------------
+
+ Problem: Programs that do not support exceptions are more vulnerable to attacks
+ Fix By: Compile with -fexceptions
+ Waive If: Program size is an important issue
+
+ Example: FAIL: threads test because not compiled with -fexceptions
+
+ This test checks to make sure that the '-fexceptions' g++ command
+line option was used when building the binary. The test is only
+triggered if the binary uses the PTHREADS library as single threaded
+applications can cleanly tidy up after themselves if an exception is
+generated.
+
+ If necessary the test can be disabled via the '--skip-threads' option
+and re-enabled via the '--test-threads' option.
+
+\1f
+File: annobin.info, Node: Test glibcxx assertions, Next: Test entry, Prev: Test threads, Up: Hardened
+
+4.2.27 The glibcxx-assertions test
+----------------------------------
+
+ Problem: Compiled C++ code might contain bugs that could have been detected and fixed
+ Fix By: Compile with -D_GLIBCXX_ASSERTIONS
+ Waive If: Not compiling C++
+ Waive If: Not using functions from libstdc++
+
+ Example: FAIL: glibcxx-assertions test because compiled without -D_GLIBCXX_ASSERTIONS
+
+ This test checks to make sure that the '-D_GLIBCXX_ASSERTIONS' g+=
+compiler command line option was used when building binaries. This
+option is one of several supported by the LIBSTDC++ library and it is
+used to enable various NULL pointer and bounds checking security
+features. For more information see:
+
+ <https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_macros.html>
+
+ If necessary the test can be disabled via the
+'--skip-glibcxx-assertions' option and re-enabled via the
+'--test-glibcxx-assertions' option.
+
+\1f
+File: annobin.info, Node: Test entry, Next: Test go revision, Prev: Test glibcxx assertions, Up: Hardened
+
+4.2.28 The entry test
+---------------------
+
+ Problem: Intel's CET security feature requires that the first instruction in a program be ENDBR
+ Fix By: Compile statup code with -fcf-protection
+ Waive If: The application will not run on the latest Intel hardware
+
+ Example: FAIL: entry test because instruction at entry is not ENDBR32
+ Example: FAIL: entry test because instruction at entry is not ENDBR64
+
+ This test checks to make sure that the first instruction in a program
+for the x86 or x86_64 architectures is ENDBR. This is needed as part of
+Intel's CET security feature. (See *note Test cf protection:: for more
+details on CET).
+
+ If necessary the test can be disabled via the '--skip-entry' option
+and re-enabled via the '--test-entry' option.
+
+\1f
+File: annobin.info, Node: Test go revision, Next: Test only go, Prev: Test entry, Up: Hardened
+
+4.2.29 The go-revision test
+---------------------------
+
+ Problem: Using old versions of the GO compiler looses out on security enhacements
+ Fix By: Using a newer GO compiler
+ Waive If: No new GO compiler is available
+
+ Example: FAIL: go-revision test because GO revision must be >= 14
+ Example: FAIL: go-revision test because multiple, different GO version strings found
+ Example: FAIL: go-revision test because no Go compiler revision information found
+
+ This test checks to see that GO code has been compiled by at least a
+revision 14 compiler. Earlier versions of the compiler do not have all
+the bug fixes and security enhancements of later versions.
+
+ Note - it is likely that the minimum revision of the GO compiler will
+be increased in the future.
+
+ If necessary the test can be disabled via the '--skip-go-revision'
+option and re-enabled via the '--test-go-revision' option.
+
+\1f
+File: annobin.info, Node: Test only go, Next: Test warnings, Prev: Test go revision, Up: Hardened
+
+4.2.30 The only-go test
+-----------------------
+
+ Problem: Mixing GO and C is unsafe on x86 platforms
+ Fix By: Using a new GO compiler
+ Waive If: Always
+
+ Example: FAIL: only-go test because combining GO and non-GO object files on x86 systems is not safe - it disables CET
+
+ Note - this test is currently disabled. The GO compiler's lack of
+support for CET is a known issue that cannot be addressed by package
+maintainers. Hence there is no point in issuing an error message.
+
+ This test checks to see if GO and C are being used together in the
+same program. This is a problem for code that is going to run on x86
+architectures as the GO compiler does not support Intel's CET
+technology. (See *note Test cf protection:: for more details on CET).
+The GO language is inheritantly safer than C, but if the two are mixed,
+then the C parts will be missing out on the protection offered by CET.
+
+ If necessary the test can be disabled via the '--skip-only-go' option
+and re-enabled via the '--test-only-go' option.
\1f
-File: annobin.info, Node: Undocumented Tests, Next: Waiving Annocheck Results, Prev: Test writeable-got, Up: Hardened
-
-4.2.4 These tests need extended documentation
----------------------------------------------
-
-'No RWX segments.'
- No program segment should have all three of the read, write and
- execute permission bits set. Disabled by '--skip-rwx-seg'.
-
-'No text relocations'
- There should be no relocations against executable code. Disabled
- by '--skip-textrel'.
-
-'Correct runpaths'
- The runpath information used to locate shared libraries at runtime
- must only include directories rooted at /USR. Disabled by
- '--skip-run-path'.
-
-'Missing annobin data'
- The program must have been compiled with annobin notes enabled.
- Disabled by '--ignore-gaps'.
-
-'Strong stack protection'
- The program must have been compiled with the
- '-fstack-protector-strong' option enabled, and with
- '-D_FORTIFY_SOURCE=[2|3]' specified. It must also have been
- compiled at at least optimization level 2. Disabled by
- '--skip-stack-prot'.
-
-'Dynamic data present'
- Dynamic executables must have a dynamic segment. Disabled by
- '--skip-dynamic-segment'.
-
-'Position Independent compilation'
- Shared libraries must have been compiled with '-fPIC' or '-fPIE'
- but not '-static'. This check can be disabled by '--skip-pic'.
-
- Dynamic executables must have been compiled with '-fPIE' and linked
- with '-pie'. This check can be disabled by '--skip-pie'.
-
-'Safe exceptions'
- Program which use exception handling must have been compiled with
- '-fexceptions' enabled and with '-D_GLIBCXX_ASSERTIONS' specified.
- Disabled by '--skip-threads' and/or '--skip-glibcxx-assertions'.
-
-'Stack Clash protection'
- If available the '-fstack-clash-protection' must have been used.
- Disabled by '--skip-stack-clash'.
-
-'Control Flow protection'
- If available the '-fcf-protection=full' option must have been used.
- Disabled by '--skip-cf-protection'. If this option is disabled
- then the check for GNU Property notes will also be disabled.
-
-'Branch protection'
- For AARCH64 binaries the '-mbranch-protection' option, if
- available, must have either not. Disabled by
- '--skip-branch-protection'.
-
-'Stack realignment'
- For I686 binaries, the '-mstackrealign' option must have been
- specified. Disabled by '--skip-stack-realign'.
-
-'Source fortification'
- The program must have been compiled with the
- '-D_FORTIFY_SOURCE=[2|3]' command line option specified. Disabled
- by '--skip-fortify'.
-
-'Optimization'
- The program must have been compiled with at least '-O2'
- optimization enabled. Disabled by '--skip-optimization'.
-
-'Link Time Optimization'
- The program must have been compiled with link time optimization
- ('-flto') enabled. Currently this is a soft check, so failing this
- test is not considered a reason to fail the overall run. Disabled
- by '--skip-lto'.
-
-'Read only relocations'
- The program must not have any relocations that are held in a
- writeable section. Disabled by '--skip-gnu-relro'.
-
-'GNU Property Note'
- For X86_64, AARCH64 and POWERPC binaries, check that a correctly
- formatted GNU Property note is present. The contents of the notes
- are architecture specific. Disabled by '--skip-property-note'.
-
-'Enum Size'
- Check that the program makes consistent use of the '-fshort-enum'
- option.
-
-'Production Ready Compiler'
- Check that the program was built by a production-ready compiler.
- Disabled by '--skip-production'.
-
- The tool does support a couple of other command line options as well:
+File: annobin.info, Node: Test warnings, Next: Test instrumentation, Prev: Test only go, Up: Hardened
+
+4.2.31 The warnings test
+------------------------
+
+ Problem: Compiling without warnings enabled can result in poor code
+ Fix By: Add -Wall to the compiler command line
+ Waive If: There are known problems with using -Wall
+
+ Example: FAIL: warnings test because compiled without either -Wall or -Wformat-security
+
+ This test checks to see that a file has been compiled with either or
+both of the '-Wall' and '-Wformat-security' options specified. Enabling
+warnings - and then fixing the problems reported - results in better
+quality code that is less likely to contain bugs.
+
+ If necessary the test can be disabled via the '--skip-warnings'
+option and re-enabled via the '--test-warnings' option.
+
+\1f
+File: annobin.info, Node: Test instrumentation, Next: Hardened Command Line Options, Prev: Test warnings, Up: Hardened
+
+4.2.32 The instrumentation test
+-------------------------------
+
+ Problem: Instrumented binaries are bigger and slower than regular binaries
+ Fix By: Removing instrumentation options from compiler command line
+ Waive If: Instrumentation is needed.
+
+ Example: WARN: Instrumentation enabled - this is probably a mistake for production binaries
+
+ This test checks to see if any of gcc's instrumentation command line
+options have been used when the binary built. These options are:
+'_fsanitize', '-finstrument-functions', '-p', '-pg', and
+'-fprofile-arcs'.
+
+ There is no way to disable this test.
+
+\1f
+File: annobin.info, Node: Hardened Command Line Options, Next: Waiving Hardened Results, Prev: Test instrumentation, Up: Hardened
+
+4.2.33 Command line options specific to the hardened tool
+---------------------------------------------------------
'--skip-all'
Disable all tests. Not really useful unless followed by...
'--test-NAME'
Enable test NAME.
+'--test-all'
+ Enable all the tests.
+
'--test-future'
Report _future fail_ tests. These are tests for security features
which are not yet implemented, but are planned for the future. The
'--profile-el9'
'--profile-rawhide'
+'--profile-el7'
Rather than enabling and disabling specific tests a selection can
be chosen via a profile option. The '--profile-el9' option will
select the tests suitable for _RHEL-9_ binaries. The
'--profile-rawhide' option will select tests suitable for _Fedora
- rawhide_ binaries. Other profiles may be added in the future.
+ rawhide_ binaries and the '--profile-el7' option will select tests
+ suitable for _RHEL-7_ binaries.
+
+ Other profiles may be added in the future.
'--disable-hardened'
Disable the tool.
'--ignore-gaps'
Do not complain about gaps in the note data.
+'--report-gaps'
+ Do complain about gaps in the note data.
+
'--fixed-format-messages'
Display messages in a fixed, machine parseable format. The format
is:
and enabled in 'verbose' mode. This option and its inverse
'--base-filenames' can be used to set a fixed choice.
+'--no-urls'
+'--provide-urls'
+ By default when a FAIL or MAYB result is displayed by the HARDENED
+ checker a URL to the online version of the relevant section in this
+ document is also provided. (Unless the '--fixed-format-messages'
+ option has been enabled). The '--no-urls' option disables the
+ display of the URLs and the '--provide-urls' re-enables the
+ display.
+
\1f
-File: annobin.info, Node: Waiving Annocheck Results, Prev: Undocumented Tests, Up: Hardened
+File: annobin.info, Node: Waiving Hardened Results, Prev: Hardened Command Line Options, Up: Hardened
+
+4.2.34 How to waive the results of the hardening tests
+------------------------------------------------------
-4.2.5 How to waive the results of annocheck tests
--------------------------------------------------
+[This section is Red Hat specific.]
-Now that 'annocheck' is being used by the builders for Fedora and RHEL
-packages it is possible that certain tests may need to be waived for
-certain packages. This can be done on a per-package basis by editting
-the contents of the 'rpminspect.yaml' file and adding an entry like
-this:
+ Now that 'annocheck' is being used by the builders for Fedora and
+RHEL packages it is possible that certain tests may need to be waived
+for certain packages. This can be done on a per-package basis by
+editing the contents of the 'rpminspect.yaml' file and adding an entry
+like this:
annocheck:
- hardened: --skip-property-note --ignore-unknown --verbose
- This example shows how the _property note_ test can be ignored. Note
-that doing this overrides the default options that are passed to
-annocheck by the rpminspect framework, which is why the
+ This example shows how the _property note_ test can be ignored.
+Beware however that doing this overrides the default options that are
+passed to annocheck by the rpminspect framework, which is why the
'--ignore-unknown' and '--verbose' options are also included in the
example.
+ For more information on rpmdiff see:
+
+ <https://docs.engineering.redhat.com/display/HTD/rpmdiff-elf-binarylibrary>
+
+ For more information on the use of annobin in RHEL see:
+
+ <https://one.redhat.com/rhel-developer-guide/#_annocheck_ensuring_comprehensive_elf_distro_flags>
+
+ To get more help on deciding whether or not a test should be waived
+please ask on either of the OS-DEVEL-LIST@REDHAT.COM OS Devel or the
+RHEL-DEVEL@REDHAT.COM RHEL Devel mailing lists.
+
\1f
-File: annobin.info, Node: Notes, Next: Section-Size, Prev: Hardened, Up: Annocheck
+File: annobin.info, Node: Notes, Next: Size, Prev: Hardened, Up: Annocheck
4.3 The annobin note displayer
==============================
option to the command line.
\1f
-File: annobin.info, Node: Section-Size, Next: Timing, Prev: Notes, Up: Annocheck
+File: annobin.info, Node: Size, Next: Timing, Prev: Notes, Up: Annocheck
4.4 The section size recorder
=============================
the section must have the WRITE, ALLOC or EXECUTE flags set
respectively. If the ! exclamation mark character is present then it
negates the meaning of the following flags. Thus
-'--section-sec-flags=W' option will search for any writeable section
+'--section-sec-flags=W' option will search for any writable section
whereas the '--size-sec-flags=W!A' option will search only for sections
-that are writeable but not allocated.
+that are writable but not allocated.
Instead of searching for sections by flags it is also possible to
search for segments by flags using the '--size-seg-flags=<flags>'
-option. The flags recognised for segments are W for writeable, R for
+option. The flags recognised for segments are W for writable, R for
readable and X for executable. Again the ! character can be used to
invert the meaning of the flags that follow it.
nearest byte, kibibyte, mebibyte or gibibyte, as appropriate.
\1f
-File: annobin.info, Node: Timing, Prev: Section-Size, Up: Annocheck
+File: annobin.info, Node: Timing, Prev: Size, Up: Annocheck
4.5 How long did the check take ?
=================================
default the configure system will detect if the library is
installed and if not, then it will disable the building of
'annocheck' and the running of the tests. (Since they use
- 'annocheck'). This behaviour can be overrridden by the
+ 'annocheck'). This behaviour can be overridden by the
'--without-libelf' option which forces the build to assume that
libelf is absent even if it would normally be detected.
example 6.2.1.
'--maxver=VERSION'
- Only report binaries built by a tool whoes version is VERSION or
+ Only report binaries built by a tool whose version is VERSION or
lower. Can be combined with the '--minver' option to restrict
output to those binaries created by tools within a specific version
range.
'-s'
Produce no output. Just return an exit status.
-'--inconsitencies'
+'--inconsistencies'
'-i'
Only report files with potential ABI problems.
Do not report file types that are not supported or recognised.
'--ignore-ABI|ENUM|FORTIFY|STACK-PROT'
- Disables individual ABI checks. Multiple occurences of this option
- accumulate. Possible option values are:
+ Disables individual ABI checks. Multiple occurrences of this
+ option accumulate. Possible option values are:
'ABI'
Disable checks of the general ABI information.
Enables verbose mode, causing the script to detail each action it
takes.
- If this option is repeated it has the special effect of cancelling
+ If this option is repeated it has the special effect of canceling
out the automatic addition of the '-i' to recursive invocations of
the script.
'--'
Stops processing of command line options. This allows the script
- to be run with a program whoes name starts with a dash.
+ to be run with a program whose name starts with a dash.
\1f
File: annobin.info, Node: GNU FDL, Prev: Legacy Scripts, Up: Top
\1f
Tag Table:
Node: Top\7f705
-Node: Introduction\7f1767
+Node: Introduction\7f1768
Node: Plugins\7f3816
-Node: Examining\7f11941
-Node: The Version Encoding\7f14670
-Node: The STACK Encoding\7f15910
-Node: The PIC Encoding\7f16508
-Node: The GOW Encoding\7f17136
-Node: The CF Encoding\7f18939
-Node: The ENUM Encoding\7f20011
-Node: The INSTRUMENT Encoding\7f20400
-Node: Annocheck\7f21774
-Node: Built-By\7f25036
-Node: Hardened\7f26566
-Node: Test bind-now\7f28536
-Node: Test gnu-stack\7f30040
-Node: Test writeable-got\7f32152
-Node: Undocumented Tests\7f33401
-Node: Waiving Annocheck Results\7f39376
-Node: Notes\7f40220
-Node: Section-Size\7f40864
-Node: Timing\7f43018
-Node: Configure Options\7f43665
-Node: Legacy Scripts\7f46005
-Node: Who Built Me\7f46780
-Node: ABI Checking\7f49540
-Node: Hardening Checks\7f51654
-Node: Checking Archives\7f55740
-Node: GNU FDL\7f58162
+Node: Examining\7f11942
+Node: The Version Encoding\7f14671
+Node: The STACK Encoding\7f15911
+Node: The PIC Encoding\7f16509
+Node: The GOW Encoding\7f17137
+Node: The CF Encoding\7f18940
+Node: The ENUM Encoding\7f20012
+Node: The INSTRUMENT Encoding\7f20401
+Node: Annocheck\7f21775
+Node: Built By\7f25665
+Node: Hardened\7f27168
+Node: Test bind now\7f30682
+Node: Test gnu stack\7f32225
+Node: Test writable got\7f34620
+Node: Test rwx seg\7f35888
+Node: Test textrel\7f37158
+Node: Test run path\7f38408
+Node: Test cf protection\7f40603
+Node: Test optimization\7f44551
+Node: Test stack prot\7f45937
+Node: Test stack clash\7f47266
+Node: Test fortify\7f48413
+Node: Test notes\7f49835
+Node: Test gnu relro\7f52111
+Node: Test pie\7f53828
+Node: Test pic\7f55029
+Node: Test dynamic segment\7f56577
+Node: Test dynamic tags\7f57700
+Node: Test not dynamic tags\7f59988
+Node: Test branch protection\7f61620
+Node: Test not branch protection\7f63818
+Node: Test short enums\7f65350
+Node: Test stack realign\7f66383
+Node: Test production\7f67657
+Node: Test lto\7f68470
+Node: Test property note\7f69258
+Node: Test threads\7f71727
+Node: Test glibcxx assertions\7f72559
+Node: Test entry\7f73595
+Node: Test go revision\7f74502
+Node: Test only go\7f75538
+Node: Test warnings\7f76691
+Node: Test instrumentation\7f77529
+Node: Hardened Command Line Options\7f78282
+Node: Waiving Hardened Results\7f81421
+Node: Notes\7f82805
+Node: Size\7f83441
+Node: Timing\7f85584
+Node: Configure Options\7f86223
+Node: Legacy Scripts\7f88562
+Node: Who Built Me\7f89337
+Node: ABI Checking\7f92097
+Node: Hardening Checks\7f94213
+Node: Checking Archives\7f98299
+Node: GNU FDL\7f100720
\1f
End Tag Table
@setchapternewpage odd
@c man begin INCLUDE
-@set VERSION 9.0
+@set VERSION 10.0
@set VERSION_PACKAGE (Annobin)
@set UPDATED September 2021
@c man end
Note - the plugin method is just one way of generating the
information. Any interested party can create and add information to
-the objhect file, providing that they follow the Watermark
+the object file, providing that they follow the Watermark
specification.
The information can be extracted from files via the use of tools like
@samp{annobin} plugin then it can be specifically added to the compiler
command line by adding the @option{-fplugin=annobin} (for gcc) or
@option{-fplugin=annobin-for-clang} (for clang) or
-@option{-fpluin=annobin-for-llvm} (for LLVM) option. It may
+@option{-fplugin=annobin-for-llvm} (for LLVM) option. It may
also be necessary to tell the compiler where to find the plugin by
adding the @option{-iplugindir=} option, although this should only be
necessary if the plugin is installed in an unusual place.
@c man begin SYNOPSIS annocheck
annocheck
[@b{--help}]
+ [@b{--help-@var{tool}}]
[@b{--version}]
[@b{--verbose}]
[@b{--quiet}]
[@b{--debug-rpm=}@var{file}]
[@b{--dwarf-dir=}@var{dir}]
[@b{--prefix=}@var{text}]
+ [@b{--enable-@var{tool}}]
+ [@b{--disable-@var{tool}}]
+ [@b{--@var{tool}-@var{option}}]
@var{file}@dots{}
@c man end
@end smallexample
Currently the following tools are implemented:
@menu
-* Built-By:: Which tool(s) were used to build the file(s) ?
+* Built By:: Which tool(s) were used to build the file(s) ?
* Hardened:: Were the file(s) built with the correct security options ?
* Notes:: What annobin notes are inside the file(s) ?
-* Section-Size:: What is the cumulative size of specific sections in the file(s) ?
+* Size:: What is the cumulative size of specific sections in the file(s) ?
* Timing:: How long did the checks take ?
@end menu
Look in @var{dir} for separate dwarf debug information files.
@item --help
-Display this message & exit.
+Displays the generic annobin usage information and then exits.
+
+@item --help-@var{tool}
+Display the usage information for @var{tool} and then exits.
@item --report-unknown
@itemx --ignore-unknown
separated into different options). If enabled, unknown file types are
reported when they are encountered. This includes non-ELF format
files, block devices and so on. Directories are not considered to be
-unknown and are automatically decended.
+unknown and are automatically descended.
The second effect is how symbolic links are handled. If reporting is
enabled then they are treated as unknown and reported. If reporting
@item --version
Report the version of the tool and then exit.
+@item --enable-@var{tool}
+Enable @var{tool}. Most tools are disabled by default and so need to
+be enabled via this option before they will act.
+
+@item --disable-@var{tool}
+Disable @var{tool}. Normally used to disable the hardening checker,
+which is enabled by default.
+
+@item --@var{tool}-@var{option}
+Pass @var{option} on to @var{tool}.
+
@end table
+Any other command line options will be passed to the tools in turn in
+order to give them a chance to claim and process them.
+
@c man end
@c -----------------------------------------------------------------
-@node Built-By
+@node Built By
@section The builder checker.
@smallexample
@c man begin SYNOPSIS annocheck: builtby
annocheck
- [@b{--disable-hardened}]
@b{--enable-builtby}
[@b{--all}]
[@b{--tool=}@var{name}]
@section The Hardened security checker.
@smallexample
-@c man begin SYNOPSIS annocheck: hardened
+@c man begin SYNOPSIS annocheck-hardened
annocheck
[@b{--skip-all}]
- [@b{--skip-bind-now}]
- [@b{--skip-branch-protection}]
- [@b{--skip-cf-protection}]
- [@b{--skip-dynamic-segment}]
- [@b{--skip-dynamic-tags}]
- [@b{--skip-entry}]
- [@b{--skip-fortify}]
- [@b{--skip-future}]
- [@b{--skip-glibcxx-assertions}]
- [@b{--skip-gnu-relro}]
- [@b{--skip-gnu-stack}]
- [@b{--skip-lto}]
- [@b{--skip-optimization}]
- [@b{--skip-pic}]
- [@b{--skip-pie}]
- [@b{--skip-production}]
- [@b{--skip-property-note}]
- [@b{--skip-run-path}]
- [@b{--skip-rwx-seg}]
- [@b{--skip-short-enum}]
- [@b{--skip-stack-clash}]
- [@b{--skip-stack-prot}]
- [@b{--skip-stack-realign}]
- [@b{--skip-textrel}]
- [@b{--skip-threads}]
- [@b{--skip-warnings}]
- [@b{--skip-writeable-got}]
- [@b{--test-@var{name}}]
+ [@b{--skip-@var{name}}]
[@b{--test-all}]
+ [@b{--test-@var{name}}]
[@b{--test-future}]
+ [@b{--profile-el7}]
[@b{--profile-el9}]
[@b{--profile-rawhide}]
[@b{--ignore-gaps}]
+ [@b{--report-gaps}]
[@b{--fixed-format-messages}]
[@b{--disable-colour}]
[@b{--enable-colour}]
[@b{--enable-hardened}]
[@b{--full-filenames}]
[@b{--base-filenames}]
+ [@b{--no-urls}]
+ [@b{--provide-urls}]
@var{file}@dots{}
@c man end
@end smallexample
-@c man begin DESCRIPTION annocheck: hardened
-The @var{hardened} tool checks that the specified files were compiled
+@c man begin DESCRIPTION annocheck-hardened
+The @var{hardened} tool checks that the specified files were built
with specific security hardening features enabled. The features that
-are tested can be specified via command line options, but the default
+are tested can be controlled via command line options, but the default
is to test for all of them.
New tests can be added to the @var{hardened} checker by adding an
entry in the @var{tests} array defined in @file{hardened.c} and then
-creating the necessary code to support the test.
+creating the necessary code to support the test. There is more
+information on this process in this blog:
+@url {https://developers.redhat.com/articles/2021/07/15/build-your-own-tool-search-code-sequences-binary-files}
+
+Currently the @var{hardened} tool can run the following tests. Each
+test listed here starts with a short section describing the reason for
+the test, a probable solution to fix the test, criteria for when the
+test can be ignored and some examples of the error messages that are
+produced by annocheck when the test goes wrong.
+
+@menu
+* Test bind now:: The bind-now test
+* Test gnu stack:: The gnu-stack test
+* Test writable got:: The writable-got test
+* Test rwx seg:: The rwx-seg test
+* Test textrel:: The textrel test
+* Test run path:: The run-path test
+* Test cf protection:: The cf-protection test
+* Test optimization:: The optimization test
+* Test stack prot:: The stack-prot test
+* Test stack clash:: The stack-clash test
+* Test fortify:: The fortify test
+* Test notes:: The notes test
+* Test gnu relro:: The gnu relro test
+* Test pie:: The pie test
+* Test pic:: The pic test
+* Test dynamic segment:: The dynamic-segment test
+* Test dynamic tags:: The dynamic-tags test
+* Test not dynamic tags:: The not-dynamic-tags test
+* Test branch protection:: The branch-protection test
+* Test not branch protection:: The not-branch-protection test
+* Test short enums:: The short-enums test
+* Test stack realign:: The stack-realign test
+* Test production:: The production test
+* Test lto:: The lto test
+* Test property note:: The property note test
+* Test threads:: The threads test
+* Test glibcxx assertions:: The glibcxx-assertions test
+* Test entry:: The entry test
+* Test go revision:: The go revision test
+* Test only go:: The only go test
+* Test warnings:: The warnings test
+* Test instrumentation:: The instrumentation test
+@end menu
-Currently @var{hardened} can run the following tests:
+The @var{hardened} tool does support some command line options of its
+own as well.
@menu
-* Test bind-now:: The bind-now test
-* Test gnu-stack:: The gnu-stack test
-* Test writeable-got:: The writeable-got test
-* Undocumented Tests:: FIXME: Docs needed
-* Waiving Annocheck Results:: How to ignore specific annocheck tests.
+* Hardened Command Line Options:: Command line options specific to the hardened tool
+* Waiving Hardened Results:: How to ignore specific hardening tests.
@end menu
+@c NOTE; the names of the nodes that follow use a fixed format that
+@c allows annocheck to automatically generated references to this
+@c documentation in its error messages.
+
@c -----------------------------------------------------------------
-@node Test bind-now
+@node Test bind now
@subsection The bind-now test
@smallexample
- Summary: An attacker could intercept calls to shared library functions
- FAIL: "not linked with -Wl,-z,now"
- Fix By: Add -Wl,-z,now to final link
+ Problem: An attacker could intercept calls to shared library functions
+ Fix By: Add -Wl,-z,now to final link command line
Waive If: No shared libraries used
+
+ Example: FAIL: bind-now test because not linked with -Wl,-z,now
@end smallexample
This test checks that lazy binding is not enabled in the binary. Lazy
The type of binding is selected via a linker command line option, and
on a compiler command line the secure version usually looks like
@option{-Wl,-z,now}. The lazy binding option is @option{-Wl,-z,lazy}
-although somne linkers are configured to use lazy binding by default,
+although some linkers are configured to use lazy binding by default,
in which case just the absence of the @option{-Wl,-z,now} option is
enough to trigger this test.
@option{--test-bind-now} option.
@c -----------------------------------------------------------------
-@node Test gnu-stack
+@node Test gnu stack
@subsection The gnu-stack test
@smallexample
- Summary: An attacker could place code on the stack and then run it
- FAIL: "the .stack section has incorrect permissions"
- FAIL: ".note.GNU-stack section has execute permission"
- FAIL: "the GNU stack segment has execute permission"
- FAIL: "the GNU stack segment does not have both read & write permissions"
- FAIL: "no .note.GNU-stack section found"
- MAYBE: "multiple stack sections detected"
- Fix By: Updating assembler sources and/or linker script
- Waive If: The application really really needs to be able to dynamically create and execute code
+ Problem: An attacker could place code on the stack and then run it
+ Fix By: Updating compiler, assembler sources and/or linker scripts
+ Waive If: The application *really* needs to be able to dynamically create and execute code
+
+ Example: FAIL: gnu-stack test because the .stack section has incorrect permissions
+ Example: FAIL: gnu-stack test because the .note.GNU-stack section has execute permission
+ Example: FAIL: gnu-stack test because the GNU stack segment has execute permission
+ Example: FAIL: gnu-stack test because the GNU stack segment does not have both read & write permissions
+ Example: FAIL: gnu-stack test because no .note.GNU-stack section found
+ Example: MAYB: gnu-stack test because multiple stack sections detected
@end smallexample
This test checks that it is not possible to place code onto the stack
Most applications will have a section inserted into them by the
compiler called @var{.note.GNU-stack}. The section has no contents,
-but the read, write, and execute attribues of the section reflect the
+but the read, write, and execute attributes of the section reflect the
needs of the application's stack.
-Ordinary compiled code sholuld never see this problem, but the test
-failure can be triggered by programs built from assembler sources or
-linked with a custom made linker map. To fix the problem either the
-linker map needs to be updated to ensure that the stack section is not
-executable or the assembler sources need to be extended to a note that
-the stack is not executable:
+Ordinary compiled code should never see this problem, but the test
+failure can be triggered by programs built with an old compiler which
+does not support the @var{.note-GNU-stack} section, or if the program
+contains some assembler source files or linked with a custom made
+linker map.
+
+To fix the problem either the compiler needs to be upgraded or the
+linker map needs to be updated or the assembler sources need to be
+extended to add the @var{.note-GNU-stack} section by adding code like
+this:
@smallexample
.section .note.GNU-stack,"",%progbits
@option{--test-gnu-stack} option.
@c -----------------------------------------------------------------
-@node Test writeable-got
-@subsection The writeable-got test
+@node Test writable got
+@subsection The writable-got test
@smallexample
- Summary: An attacker could intercept and redirect shared library function calls
- FAIL: "the GOT/PLT relocs are writeable"
+ Problem: An attacker could intercept and redirect shared library function calls
Fix By: Link with -Wl,--secure-plt
Waive If: No shared libraries are used
+
+ Example: FAIL: writable-got test because the GOT/PLT relocs are writable
@end smallexample
This test checks that the instructions to set up the @var{GOT} and
Dynamic executables use two tables to help them connect to shared
libraries. These tables - the @var{GOT} and the @var{PLT} - are set
up when the program runs, based upon instructions held in special
-sections in the file. If these sections are writeable then an
+sections in the file. If these sections are writable then an
attacker could change their contents and thus cause the program to
call the wrong functions in the shared libraries.
Under normal circumstances this test should never fail. If it does
-then something unusal is going on. One possible cure is to add the
+then something unusual is going on. One possible cure is to add the
@option{-Wl,--secure-plt} option to the final link command line.
If necessary the test can be disabled via the
-@option{--skip-writeable-got} option and re-enabled via the
-@option{--test-writeable-got} option.
+@option{--skip-writable-got} option and re-enabled via the
+@option{--test-writable-got} option.
@c -----------------------------------------------------------------
-@node Undocumented Tests
-@subsection These tests need extended documentation
+@node Test rwx seg
+@subsection The rwx-seg test
-@table @code
+@smallexample
+ Problem: An attacker could add their own code to an executable
+ Fix By: Changing the linker script used to create the binary
+ Waive If: Don't.
+
+ Example: FAIL: rwx-seg test because segment has Read, Write and eXecute flags set
+@end smallexample
-@item No RWX segments.
-No program segment should have all three of the read, write and
-execute permission bits set.
-Disabled by @option{--skip-rwx-seg}.
-
-@item No text relocations
-There should be no relocations against executable code.
-Disabled by @option{--skip-textrel}.
-
-@item Correct runpaths
-The runpath information used to locate shared libraries at runtime
-must only include directories rooted at @var{/usr}.
-Disabled by @option{--skip-run-path}.
-
-@item Missing annobin data
-The program must have been compiled with annobin notes enabled.
-Disabled by @option{--ignore-gaps}.
-
-@item Strong stack protection
-The program must have been compiled with the
-@option{-fstack-protector-strong} option enabled, and with
-@option{-D_FORTIFY_SOURCE=[2|3]} specified. It must also have been
-compiled at at least optimization level 2.
-Disabled by @option{--skip-stack-prot}.
-
-@item Dynamic data present
-Dynamic executables must have a dynamic segment.
-Disabled by @option{--skip-dynamic-segment}.
-
-@item Position Independent compilation
-Shared libraries must have been compiled with @option{-fPIC} or
-@code{-fPIE} but not @option{-static}.
-This check can be disabled by @option{--skip-pic}.
-
-Dynamic executables must have been compiled with @option{-fPIE} and
-linked with @option{-pie}. This check can be disabled by
-@option{--skip-pie}.
-
-@item Safe exceptions
-Program which use exception handling must have been compiled with
-@option{-fexceptions} enabled and with @option{-D_GLIBCXX_ASSERTIONS}
-specified.
-Disabled by @option{--skip-threads} and/or @option{--skip-glibcxx-assertions}.
-
-@item Stack Clash protection
-If available the @option{-fstack-clash-protection} must have been
-used.
-Disabled by @option{--skip-stack-clash}.
-
-@item Control Flow protection
-If available the @option{-fcf-protection=full} option must have been used.
-Disabled by @option{--skip-cf-protection}. If this option is disabled
-then the check for GNU Property notes will also be disabled.
-
-@item Branch protection
-For @var{AArch64} binaries the @option{-mbranch-protection} option,
-if available, must have either not.
-Disabled by @option{--skip-branch-protection}.
-
-@item Stack realignment
-For @var{i686} binaries, the @option{-mstackrealign} option must have
-been specified.
-Disabled by @option{--skip-stack-realign}.
-
-@item Source fortification
-The program must have been compiled with the
-@option{-D_FORTIFY_SOURCE=[2|3]} command line option specified.
-Disabled by @option{--skip-fortify}.
-
-@item Optimization
-The program must have been compiled with at least @option{-O2}
+This test checks that the file does not have any segments that have
+all three of the @var{read}, @var{write} and @var{execute}
+permissions. Code segments should have read and execute permissions,
+but they should not be writable as otherwise an attacker can
+overwrite the code. Data segments should have read permission, and
+possibly write permission as well, but never execute permission
+as otherwise an attacker might be able to create their own code in a
+data area.
+
+The linker will normally never create a binary file with a segment
+with all three permissions, but it is possible to force it to do so by
+using a custom linker script. If this flaw is detected then whatever
+linker script is being used should be corrected to remove the problem.
+
+If necessary the test can be disabled via the @option{--skip-rwx-seg}
+option and re-enabled via the @option{--test-rwx-seg} option.
+
+@c -----------------------------------------------------------------
+@node Test textrel
+@subsection The textrel test
+
+@smallexample
+ Problem: An attacker could change the code in an executable
+ Fix By: Compiling with -fPIC enabled
+ Waive If: The code @emph{must} be static
+
+ Example: FAIL: textrel test because the DT_TEXTREL tag was detected
+@end smallexample
+
+This test checks to make sure that a binary file does not contain any
+relocations that alter the contents of a code section. Relocations
+are special instructions that the program loader uses to alter pieces
+of a application when it starts up. Normally these relocations are
+restricted to altering the application's data, but if any of them
+alter its code then an attacker might be able to exploit this to
+change the program.
+
+This problem usually only arises when a binary is built to execute at
+a fixed address. Such binaries need text relocations to help them run
+at the address chosen. The safest solution therefore is to compile
+the binary to be position independent by using the @option{-fPIC} or
+@option{-fPIE} compiler command line options.
+
+If necessary the test can be disabled via the @option{--skip-textrel}
+option and re-enabled via the @option{--test-textrel} option.
+
+@c -----------------------------------------------------------------
+@node Test run path
+@subsection The run-path test
+
+@smallexample
+ Problem: An attacker could cause an application to use a corrupted shared library
+ Fix By: Compiling with -Wl,--enable-new-dtags or moving the shared libraries needed to a proper location
+ Waive If: The application uses shared libraries held in non-standard locations
+ Waive If: The linker does not support --enable-new-dtags
+
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag is corrupt
+ Example: MAYB: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag exists but is empty
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag contains a path that does not start with /usr
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag has a path that contains '..'
+ Example: FAIL: run-path test because the DT_RPATH/DT_RUNPATH dynamic tag has $ORIGIN after a non-$ORIGIN path
+ Example: MAYB: run-path test because the RPATH dynamic tag is deprecated. Link with --enable-new-dtags to use RUNPATH instead
+@end smallexample
+
+An application that uses shared libraries contains information on how
+to locate those libraries. This information is a list of directories
+which should be searched for the libraries. The test checks that the
+list is secure.
+
+The test actually covers several different aspects, such as all
+directory paths must be absolute, start with @var{/usr} and must not
+contain @var{..}. If any of these rules are broken then an attacker
+might be able to exploit the search paths to force the application to
+load their own, corrupted version of a shared library.
+
+Normally this test will only be triggered if an application is linked
+by an old linker which does not support the generation of the new
+format @var{DT_RUNPATH} search paths. Or if it is linked against
+shared libraries which do not reside in standard locations. Fixing
+the test depends upon whether these issues can be solved.
+
+If necessary the test can be disabled via the @option{--skip-run-path}
+option and re-enabled via the @option{--test-run-path} option.
+
+@c -----------------------------------------------------------------
+@node Test cf protection
+@subsection The cf-protection test
+
+@smallexample
+ Problem: An attacker could compromise an unprotected binary
+ Fix By: Compiling with -fcf-protection=full
+ Waive If: The application will not run on the latest Intel hardware
+ Waive If: The application is built by a compiler that does not support CET
+
+ Example: FAIL: cf-protection test because only branch protection enabled
+ Example: FAIL: cf-protection test because only return protection enabled
+ Example: FAIL: cf-protection test because no protection enabled
+ Example: FAIL: cf-protection test because insufficient Control Flow sanitization
+ Example: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
+ Example: FAIL: cf-protection test because CET enabling note missing
+ Example: FAIL: cf-protection test because control flow protection is not enabled
+@end smallexample
+
+Intel have introduced a new security feature called @var{CET} to their
+Tiger Lake and newer cores:
+
+@url{https://newsroom.intel.com/editorials/intel-cet-answers-call-protect-common-malware-threats/#gs.avhl8k}
+
+This test checks to see that this feature is enabled. Normally this
+is done by compiling the code with the
+@option{-fcf-protection=full} command line option enabled. But if an
+application contains assembler code, or it is linked against a library
+that has not been built with the protection enabled, or it is built by
+a compiler that does not support @var{CET} then this test can fail.
+
+The feature has to be enabled in the compiler as it involves inserting
+new instructions into the compiled code. The feature is also an
+all-or-nothing type proposition for any process. Either all of the
+code in the process must have been built to support CET - in which
+case the feature can be enabled - or if even a single component does
+not support CET then it must be disabled for the entire process.
+
+In order to enforce this the compiler inserts a special note into
+compiled object files (the .note.gnu.property section referred to
+above). This note actually contains more information about the binary
+than just the presence (or absence) of CET support. It also includes
+details of the minimum x86 architecture revision needed and so on.
+
+Then when the object files are linked together to create the
+executable the linker checks all of these notes, and if any object
+file or library is missing a note then it does not create a note in
+the output executable. Or if all of the object files (and libraries
+of course) do have notes, but one or more of them do not have the
+CET-is-enabled flag, then it copies the notes into the executable, but
+always clears the CET-is-enabled flag.
+
+Finally when a program is executed the run-time loader checks this note
+and if the CET-is-enabled flag is present then it enables the CET
+feature in the hardware.
+
+Fixing this check either means enabling the
+@option{-fcf-protection=full} (for gcc) or the
+@option{-fcf-protection-branch} and @option{-fcf-protection-return}
+options (for Clang).
+
+If an assembler source file is used as part of an application then it
+too needs to be updated. Any location in the assembler where a branch
+or function call can land must now have an @var{ENDBR64} instruction
+as the first instruction executed. In addition the assembler needs a
+note to indicate that it supports CET. This note can be added via
+including this code snippet in the sources:
+
+@smallexample
+ .section .note.gnu.property,"a"
+ .align 8
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+0:
+ .string "GNU"
+1:
+ .align 8
+ .long 0xc0000002
+ .long 3f - 2f
+2:
+ .long 0x3
+3:
+ .align 8
+4:
+@end smallexample
+
+If necessary the test can be disabled via the @option{--skip-cf-protection}
+option and re-enabled via the @option{--test-cf-protection} option.
+
+@c -----------------------------------------------------------------
+@node Test optimization
+@subsection The optimization test
+
+@smallexample
+ Problem: Insufficient optimization prevents security features from working
+ Fix By: Compiling with -O2
+ Waive If: The application does not use string/memory functions
+
+ Example: FAIL: optimization test because optimization level too low
+ Example: FAIL: optimization test because level too low
+ Example: MAYB: optimization test because no valid notes found regarding this test
+@end smallexample
+
+This test checks that the application was compiled with sufficient
optimization enabled.
-Disabled by @option{--skip-optimization}.
-
-@item Link Time Optimization
-The program must have been compiled with link time optimization
-(@option{-flto}) enabled. Currently this is a soft check, so
-failing this test is not considered a reason to fail the overall
-run.
-Disabled by @option{--skip-lto}.
-
-@item Read only relocations
-The program must not have any relocations that are held in a writeable
-section.
-Disabled by @option{--skip-gnu-relro}.
-
-@item GNU Property Note
-For @var{x86_64}, @var{AArch64} and @var{PowerPC} binaries, check that
-a correctly formatted GNU Property note is present. The contents of
-the notes are architecture specific.
-Disabled by @option{--skip-property-note}.
-
-@item Enum Size
-Check that the program makes consistent use of the
-@option{-fshort-enum} option.
-
-@item Production Ready Compiler
-Check that the program was built by a production-ready compiler.
-Disabled by @option{--skip-production}.
-@end table
-The tool does support a couple of other command line options as well:
+The C library security hardening features enabled via the
+@option{-D_FORTIFY_SOURCE=2} or @option{-D_FORTIFY_SOURCE=3}
+preprocessor command line options will only work properly if the
+compiler is run at an optimization level of at least @option{-O2}.
+Hence this test checks to make sure that this level (or higher) has
+been used.
+
+Normally the only reason for not using @option{-O2} or higher is
+because the application is space sensitive and needs to be compiled
+with @option{-Os} or the compilation process is so time intensive that
+using @option{-O0} is the only way to obtain reasonable build times.
+
+If necessary the test can be disabled via the @option{--skip-optimization}
+option and re-enabled via the @option{--test-optimization} option.
+
+@c -----------------------------------------------------------------
+@node Test stack prot
+@subsection The stack-prot test
+
+@smallexample
+ Problem: Attackers exploiting stack overrun bugs can gain control of an application
+ Fix By: Compiling with -fstack-protector-strong
+ Waive If: Don't
+
+ Example: FAIL: stack-prot test because insufficient protection enabled
+ Example: FAIL: stack-prot test because stack protection deliberately disabled
+ Example: FAIL: stack-prot test because only some functions protected
+ Example: FAIL: stack-prot test because insufficient Stack Safe sanitization
+@end smallexample
+
+This test checks that the application has been compiled with stack
+protection enabled. For gcc this means using the
+@option{-fstack-protector-strong} option and for Clang the
+@option{-fsanitize=safe-stack} option. The gcc option does have some
+levels of protection other than @var{strong}, but @var{strong} is the
+only one that provides full protection.
+
+The stack protection feature adds checks to compiled code that attempt
+to detect buffer overflows for local buffers. These are often a
+source of vulnerability that can be exploited by an attacker.
+
+If necessary the test can be disabled via the @option{--skip-stack-prot}
+option and re-enabled via the @option{--test-stack-prot} option.
+
+@c -----------------------------------------------------------------
+@node Test stack clash
+@subsection The stack-clash test
+
+@smallexample
+ Problem: Attackers exploiting stack overrun bugs can gain control of an application
+ Fix By: Compiling with -fstack-clash-protection
+ Waive If: Don't
+
+ Example: FAIL: stack-clash test because -fstack-clash-protection not enabled
+@end smallexample
+
+This test checks that the application has been compiled with stack
+clash protection enabled. If this feature is not enabled then an
+attacker could trick the application into overlapping its heap and
+stack, allowing them to alter both.
+
+For a full explanation of this topic see these blogs:
+
+@url{https://developers.redhat.com/blog/2017/09/25/stack-clash-mitigation-gcc-background}
+
+@url{https://developers.redhat.com/blog/2019/04/30/stack-clash-mitigation-in-gcc-why-fstack-check-is-not-the-answer}
+
+@url{https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3}
+
+If necessary the test can be disabled via the @option{--skip-stack-clash}
+option and re-enabled via the @option{--test-stack-clash} option.
+
+@c -----------------------------------------------------------------
+@node Test fortify
+@subsection The fortify test
+
+@smallexample
+ Problem: Buffer overruns in string/memory library functions can be exploited by an attacker
+ Fix By: Compiling with -D_FORTIFY_SOURCE=2
+ Waive If: The application does not use C library string/memory functions
+
+ Example: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line
+ Example: FAIL: fortify test because -O level is too low
+@end smallexample
+
+This test checks that the application was compiled with either
+@option{-D_FORTIFY_SOURCE=2} or @option{-D_FORTIFY_SOURCE=3} specified
+on the compiler command line. Since these options need good
+optimization in order to work properly the test also checks that
+@option{-O2} or higher was used.
+
+The @option{_FORTIFY_SOURCE} define enables the use of secure version
+of certain string and memory C library functions. For full details of
+what it does, see this blog:
+@url{https://access.redhat.com/blogs/766093/posts/1976213}
+
+Any program that uses the string or memory functions in the
+@var{glibc} library should have this define present on the compiler
+command line. Programs that do not use these functions do not need
+the define, but it will not hurt to have it present anyway.
+
+If necessary the test can be disabled via the @option{--skip-fortify}
+option and re-enabled via the @option{--test-fortify} option.
+
+@c -----------------------------------------------------------------
+@node Test notes
+@subsection The notes test
+
+@smallexample
+ Problem: Lack of annobin notes in a binary means that other tests will not work properly
+ Fix By: Compiling with -fplugin=annobin
+ Waive If: The annobin plugin is not available
+
+ Example: FAIL: notes test because gaps were detected in the annobin coverage
+ Example: MAYB: notes test because not all of the .text section is covered by notes
+ Example: FAIL: notes test because annobin notes were not found
+
+ Example: MAYB: lto test because no indication that LTO was used
+ Example: MAYB: stack-clash test because no notes found regarding this test
+ Example: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected)
+ Example: FAIL: warnings test because no indication that the necessary option was used (and a C compiler was detected)
+ Example: FAIL: stack-realign test because stack realign support is mandatory
+ Example: FAIL: branch-protection test because the -mbranch-protection option was not used
+@end smallexample
+
+This test checks that there are annobin notes covering all of the
+file. Annobin notes are generated by the compiler and describe the
+security features that have been enabled. The notes contain range
+information, so that it is possible to determine if all of an
+application has been covered by the notes, or if there are parts that
+are missing notes.
+
+If annobin notes are missing from a file then some of the other checks
+run by the @var{hardened} checker will not work, which can trigger
+FAIL or MAYB results for those tests.
+
+Annobin notes are normally produced by a compiler plugin which can be
+enabled via the @option{-fplugin=annobin} option for gcc or Clang, and
+the @option{-fpass-plugin=annobin} option for LLVM. (Note for pre
+version-13 of LLVM the @option{-Xclang -load -Xclang annobin} option
+should be used instead).
+
+Annobin notes can be generated for assembler sources by using the
+@option{-Wa,--generate-missing-build-notes=yes} option.
+
+If necessary the test can be disabled via the @option{--skip-notes}
+and @option{--ignore-gaps} options and re-enabled via the
+@option{--test-notes} and @option{--report-gaps} options.
+
+@c -----------------------------------------------------------------
+@node Test gnu relro
+@subsection The gnu-relro test
+
+@smallexample
+ Problem: An attacker could alter how an applications interacts with shared libraries
+ Fix By: Link with -Wl,-z,relro,-z,now
+ Waive If: The application runs in an space/time constrained environment
+
+ Example: FAIL: gnu relro test because not linked with -Wl,-z,relro
+@end smallexample
+
+Some parts of an executable need to be modified when it starts, so
+that it can access any shared libraries that it uses. This process is
+called relocation, and once it is finished the altered code/data
+should not be modified again. The @var{gnu relro} test checks that
+write permission can be removed once the relocations have finished.
+
+Enabling @var{gnu relro} increases the executable size on disk and in
+memory, and depending upon the application it can also cause a slow
+start time. It does not cause any significant execution time penalty,
+and using pre-linking can eliminate the startup penalty.
+
+For programs that do not need to be reloaded often, such as daemons
+and servers, and on systems where disk and memory are relatively
+abundant such as desktops and servers, the overhead of @var{gnu relro}
+is very insignificant and highly recommended. For programs that need
+to be reloaded often, the execution penalty of @var{gnu relro} can be
+eliminated by using prelinking. For embedded systems where space is
+scarce, @var{gnu relro} is not recommended due to its space overhead.
+
+To turn on @var{gnu relro} compile with the gcc
+@option{-Wl,-z,relro,-z,now} option.
+
+If necessary the test can be disabled via the
+@option{--skip-gnu-relro} option and re-enabled via the
+@option{--test-gnu-relro} option.
+
+@c -----------------------------------------------------------------
+@node Test pie
+@subsection The pie test
+
+@smallexample
+ Problem: Static binaries are more vulnerable to attacks
+ Fix By: Link with -Wl,-pie
+ Waive If: Don't
+
+ Example: FAIL: pie test because not built with '-Wl,-pie' (gcc/clang) or '-buildmode pie' (go)
+@end smallexample
+
+Programs can be compiled to either load at a fixed address in memory
+(@var{static} programs) or at a random address assigned at startup
+time (@var{dynamic} programs). Static programs are more vulnerable to
+exploits because an attacker will know exactly where every part of the
+program is located. Thus building dynamic executables is
+recommended.
+
+This test checks that the appropriate linker option (@option{-pie})
+has been used to generate dynamic executables. The option is only
+needed for linking executables, not shared libraries.
+
+Note - this check is related to the @ref{Test pic} test. This test
+checks that the correct linker option has been used. That test
+checks that the correct compile time option has been used.
+
+If necessary the test can be disabled via the @option{--skip-pie}
+option and re-enabled via the @option{--test-pie} option.
+
+@c -----------------------------------------------------------------
+@node Test pic
+@subsection The pic test
+
+@smallexample
+ Problem: Static binaries are more vulnerable to attacks
+ Fix By: Compile with -fPIC or -fPIE
+ Waive If: Don't.
+
+ Example: FAIL: pic test because -fpic/-fpie not enabled
+@end smallexample
+
+Programs can be compiled to either load at a fixed address in memory
+(@var{static} programs) or at a random address assigned at startup
+time (@var{dynamic} programs). Static programs are more vulnerable to
+exploits because an attacker will know exactly where every part of the
+program is located. Thus building dynamic executables is
+recommended.
+
+This test checks that the appropriate compiler option has been used to
+generate dynamic code. For shared libraries this is the
+@option{-fPIE} option should be used. For dynamic executables the
+@option{-fPIC} option should be used. Note - there are lower case
+alternatives of these options (ie @option{-fpie} and @option{-fpic})
+which can also be used. The difference between the lower case and
+upper case versions is architecture dependent, but usually the lower
+case version will only work with smaller programs, wheres the upper
+case version works for all program sizes.
+
+Note - this check is related to the @ref{Test pie} test. This test
+checks that the correct compile time option has been used. That test
+checks that the correct link time option has been used.
+
+If necessary the test can be disabled via the @option{--skip-pic}
+option and re-enabled via the @option{--test-pic} option.
+
+@c -----------------------------------------------------------------
+@node Test dynamic segment
+@subsection The dynamic-segment test
+
+@smallexample
+ Problem: Programs with more than one dynamic section will not be loaded properly
+ Fix By: Fix assembler source code and/or linker script
+ Waive If: Don't.
+
+ Example: FAIL: dynamic segment test because multiple dynamic sections detected
+@end smallexample
+
+Dynamic executables must have a dynamic section which contains
+information that is used by the loader at program startup. The loader
+however only expects there to be one dynamic section in a program, and
+it does not cope it there are more than one. Normally this is not an
+issue however as the linker will ensure that there is only one dynamic
+section. It is possible however to use a custom linker script to
+create more than one dynamic section, or to write some assembler code
+specifically designed to create multiple dynamic sections.
+
+If necessary the test can be disabled via the @option{--skip-dynamic-segment}
+option and re-enabled via the @option{--test-dynamic-segment} option.
+
+@c -----------------------------------------------------------------
+@node Test dynamic tags
+@subsection The dynamic-tags test
+
+@smallexample
+ Problem: Unprotected AArch64 binaries are vulnerable to ROP/JOP style attacks
+ Fix By: Compile with -mbranch-protection=standard
+ Waive If: Not running on AArch64
+ Waive If: The application will not run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: dynamic tags test because BTI_PLT and PAC_PLT flags missing from the dynamic tags
+ Example: FAIL: dynamic tags test because BTI_PLT flag is missing from the dynamic tags
+ Example: FAIL: dynamic tags test because PAC_PLT flag is missing from the dynamic tags
+ Example: FAIL: dynamic tags test because no dynamic tags found
+@end smallexample
+
+AArch64 processors are vulnerable to a class of attack known as
+@var{ROP} and @var{JOP} style attacks. Preventing this kind of
+exploit requires assistance from the hardware itself, in the form of
+new instructions that need to be inserted by the compiler, and new
+bits in the core's status that need to be set.
+
+This test checks to see if executable binaries have been marked as
+supporting the necessary security features to prevent this kind of
+attack. If they are marked then the runtime loader can enable the
+features in the processor core. This marking is done by setting flags
+in the tags found in the dynamic section of the executable. If the
+flags are missing then the executable is considered to be unprotected.
+
+The security features are enabled by compiling with the
+@option{-mbranch-protection=standard} gcc command line option.
+
+Note - these security features are only found on newer versions of the
+AArch64 architecture, and they need a compiler and a loader that will
+support them. Currently this means Fedora 35 or later, but not RHEL.
+
+Note - this test is the inverse of the @ref{Test not dynamic tags}
+test and directly related to the @ref{Test branch protection} test.
+
+Note - this test is automatically enabled if the
+@option{--profile-rawhide} options are used.
+
+If necessary the test can be disabled via the @option{--skip-dynamic-tags}
+option and re-enabled via the @option{--test-dynamic-tags} option.
+
+@c -----------------------------------------------------------------
+@node Test not dynamic tags
+@subsection The not-dynamic-tags test
+
+@smallexample
+ Problem: Protecting AArch64 binaries needs newer versions of AArch64 cores
+ Fix By: Compile with -mbranch-protection=off
+ Waive If: Not running on AArch64
+ Waive If: The application will run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: not dynamic tags test because BTI_PLT and PAC_PLT flags are present in the dynamic tags
+ Example: FAIL: not dynamic tags test because BTI_PLT flag is present in the dynamic tags
+ Example: FAIL: not dynamic tags test because PAC_PLT flag is present in the dynamic tags
+@end smallexample
+
+Note - this test is the inverse of the @ref{Test dynamic tags} test
+and directly related to the @ref{Test not branch protection} test.
+
+This test checks to see if executable AArch64 binaries have been
+marked as supporting the @var{BTI} and @var{PAC} security features.
+Such features require the support of the run-time loader in order to
+work, and this test is intended for environments where this support is
+missing. (Such as RHEL or pre version-35 Fedora).
+
+The security features can be disabled by compiling with the
+@option{-mbranch-protection=none} gcc command line option.
+
+Note - this test is automatically enabled if the
+@option{--profile-el7} or @option{--profile-el9} options are used.
+
+If necessary the test can be disabled via the @option{--skip-not-dynamic-tags}
+option and re-enabled via the @option{--test-not-dynamic-tags} option.
+
+@c -----------------------------------------------------------------
+@node Test branch protection
+@subsection The branch-protection test
+
+@smallexample
+ Problem: Unprotected AArch64 binaries are vulnerable to ROP/JOP style attacks
+ Fix By: Compile with -mbranch-protection=standard
+ Waive If: Not running on AArch64
+ Waive If: The application will not run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: branch protection test because not enabled
+ Example: FAIL: branch protection test because only partially enabled
+ Example: FAIL: branch protection test because .note.gnu.property section not found (it is needed for branch protection support)
+ Example: FAIL: branch protection test because the -mbranch-protection option was not used
+@end smallexample
+
+AArch64 processors are vulnerable to a class of attack known as
+@var{ROP} and @var{JOP} style attacks. Preventing this kind of
+exploit requires assistance from the hardware itself, in the form of
+new instructions that need to be inserted by the compiler, and new
+bits in the core's status that need to be set.
+
+This test checks to see if the compile time option to enable the
+security feature was used. There are four levels of security
+available, ranging from none through partial (some functions are
+protected others are not) to full. The test checks that full security
+has been enabled.
+
+The security feature is enabled by compiling with the
+@option{-mbranch-protection=standard} gcc command line option.
+
+Note - these security features are only found on newer versions of the
+AArch64 architecture, and they need a compiler and a loader that will
+support them. Currently this means Fedora 35 or later, but not RHEL.
+
+Note - this test is the inverse of the @ref{Test not branch protection}
+test and directly related to the @ref{Test dynamic tags} test.
+
+Note - this test is automatically enabled if the
+@option{--profile-rawhide} options are used.
+
+If necessary the test can be disabled via the
+@option{--skip-branch-protection} option and re-enabled via the
+@option{--test-branch-protection} option.
+
+@c -----------------------------------------------------------------
+@node Test not branch protection
+@subsection The not-branch-protection test
+
+@smallexample
+ Problem: Protecting AArch64 binaries needs newer versions of AArch64 cores
+ Fix By: Compile with -mbranch-protection=none
+ Waive If: Not running on AArch64
+ Waive If: The application will run on Fedora 35 or later.
+ Waive If: The application will not run on newer AArch64 cores.
+
+ Example: FAIL: not branch protection test because protection enabled
+ Example: FAIL: not branch protection test because only partially disabled
+@end smallexample
+
+Note - this test is the inverse of the @ref{Test branch protection} test
+and directly related to the @ref{Test not dynamic tags} test.
+
+This test checks to see if the compile time option to enable the
+AArch64 branch protection security feature was used. This feature
+is only supported on newer versions of AArch64 core, and will not work
+on older cores. Hence this test checks to make sure that the option
+was not used, or was used but was set to disable the feature.
+
+The security features can be disabled by compiling with the
+@option{-mbranch-protection=none} gcc command line option.
+
+Note - this test is automatically enabled if the
+@option{--profile-el7} or @option{--profile-el9} options are used.
+
+If necessary the test can be disabled via the
+@option{--skip-not-branch-protection} option and re-enabled via the
+@option{--test-not-branch-protection} option.
+
+@c -----------------------------------------------------------------
+@node Test short enums
+@subsection The short-enums test
+
+@smallexample
+ Problem: Compiler options can change the size of enums
+ Fix By: Compile with consistent use of the -fshort-enum option
+ Waive If: Enums are not passed between different compilation units
+
+ Example: FAIL: short-enum test because both short and long enums supported
+@end smallexample
+
+The @option{-fshort-enums} gcc compiler option can be used to reduce
+code size by storing enums in a @var{short} instead of an @var{int}.
+But if the code passes enums between functions compiled in different
+files then the @option{-fshort-enums} option must be used consistently
+or there could be problems.
+
+This test checks that either all files in an application were compiled
+with the @option{-fshort-enums} option, or that the option was never
+used.
+
+If necessary the test can be disabled via the
+@option{--skip-short-enums} option and re-enabled via the
+@option{--test-short-enums} option.
+
+@c -----------------------------------------------------------------
+@node Test stack realign
+@subsection The stack-realign test
+
+@smallexample
+ Problem: Legacy x86 code is incompatible with SSE instructions
+ Fix By: Compile with -mstackrealign
+ Waive If: The application is not going run in a 32-bit x86 environment
+ Waive If: The application will not use SSE (or later) instructions
+
+ Example: FAIL: stack-realign test because -mstack-realign not enabled
+ Example: FAIL: stack-realign test because stack realign support is mandatory
+@end smallexample
+
+On the Intel 32-bit x86 architecture most instructions work with
+4-byte aligned addresses. The @var{SSE} extension (and later) however
+need 16-byte aligned addresses. This causes problems for data that is
+held on the stack, if the stack pointer is not aligned to a 16-byte
+address. The @option{-mstackrealign} gcc command line option tells
+the compiler to generate extra code at function entry which ensures
+that 16-byte alignment is maintained.
+
+This test checks to make sure that this option has been used when
+compiling x86 binaries.
+
+If necessary the test can be disabled via the
+@option{--skip-stack-realign} option and re-enabled via the
+@option{--test-stack-realign} option.
+
+@c -----------------------------------------------------------------
+@node Test production
+@subsection The production test
+
+@smallexample
+ Problem: Shipping code generated by an experimental compiler is bad
+ Fix By: Compile with a production ready compiler
+ Waive If: The code is never going to be shipped
+
+ Example: FAIL: production test because a production-ready compiler was not used to build the binary
+@end smallexample
+
+This test checks to make sure that the binary was not produced by an
+experimental compiler. Experimental compilers can be detected by
+examining their version information, which will include the string
+@var{NOT_FOR_PRODUCTION}.
+
+If necessary the test can be disabled via the
+@option{--skip-production} option and re-enabled via the
+@option{--test-production} option.
+
+@c -----------------------------------------------------------------
+@node Test lto
+@subsection The lto test
+
+@smallexample
+ Problem: Mixed use of LTO and non-LTO binaries indicates a problem with the build system
+ Fix By: Using -flto consistently
+ Waive If: LTO building is not wanted
+
+ Example: FAIL: lto test because compiled with both -flto and -fno-lto
+@end smallexample
+
+This test checks to see if the @option{-flto} compiler command line
+option was used. Whilst this option can produce better code, its use
+is not essential, hence this test currently only checks to see if both
+the @option{-flto} and the @option{-fno-lto} options were used together.
+
+If necessary the test can be disabled via the
+@option{--skip-lto} option and re-enabled via the
+@option{--test-lto} option.
+
+@c -----------------------------------------------------------------
+@node Test property note
+@subsection The property-note test
+
+@smallexample
+ Problem: Badly formed or missing GNU property notes can compromise an application at runtime
+ Fix By: Investigate and fix the creation of the notes
+ Waive If: Using old tools that do not generate the notes
+
+ Example: FAIL: property-note test because there is more than one GNU Property note
+ Example: FAIL: property-note test because the property note does not have expected name
+ Example: FAIL: property-note test because the property note data has the wrong size
+ Example: FAIL: property-note test because the note section is present but empty
+ Example: FAIL: property-note test because the property note data has an invalid size
+ Example: FAIL: property-note test because the IBT property is not enabled
+ Example: FAIL: property-note test because the SHSTK property is not enabled
+ Example: FAIL: property-note test because unexpected property note type
+ Example: FAIL: property-note test because the BTI property is not enabled
+ Example: FAIL: property-note test because the GNU Property note segment not 8 byte aligned
+ Example: FAIL: property-note test because there is more than one GNU Property note in the note segment
+ Example: FAIL: property-note test because .note.gnu.property section not found (it is needed for branch protection support
+ Example: FAIL: property-note test because no .note.gnu.property section = no control flow information
+ Example: FAIL: property-note test because control flow protection is not enabled
+@end smallexample
+
+GNU property notes are special markers in binary files that provide
+information about the program to the runtime loader. This information
+is architecture specific and it often includes details about any
+security features that were enabled when the program was compiled.
+
+This test checks that the property note is present - if needed for the
+particular architcture - and that it is properly formatted.
+
+Problems with property notes are usually related to other security
+options being missing, or the use of assembler source files which do
+not contain their own instructions for creating property notes.
+
+If necessary the test can be disabled via the
+@option{--skip-property-note} option and re-enabled via the
+@option{--test-property-note} option.
+
+@c -----------------------------------------------------------------
+@node Test threads
+@subsection The threads test
+
+@smallexample
+ Problem: Programs that do not support exceptions are more vulnerable to attacks
+ Fix By: Compile with -fexceptions
+ Waive If: Program size is an important issue
+
+ Example: FAIL: threads test because not compiled with -fexceptions
+@end smallexample
+
+This test checks to make sure that the @option{-fexceptions} g++
+command line option was used when building the binary. The test is
+only triggered if the binary uses the @var{pthreads} library as single
+threaded applications can cleanly tidy up after themselves if an
+exception is generated.
+
+If necessary the test can be disabled via the
+@option{--skip-threads} option and re-enabled via the
+@option{--test-threads} option.
+
+@c -----------------------------------------------------------------
+@node Test glibcxx assertions
+@subsection The glibcxx-assertions test
+
+@smallexample
+ Problem: Compiled C++ code might contain bugs that could have been detected and fixed
+ Fix By: Compile with -D_GLIBCXX_ASSERTIONS
+ Waive If: Not compiling C++
+ Waive If: Not using functions from libstdc++
+
+ Example: FAIL: glibcxx-assertions test because compiled without -D_GLIBCXX_ASSERTIONS
+@end smallexample
+
+This test checks to make sure that the @option{-D_GLIBCXX_ASSERTIONS}
+g+= compiler command line option was used when building binaries.
+This option is one of several supported by the @var{libstdc++} library
+and it is used to enable various NULL pointer and bounds checking
+security features. For more information see:
+
+@url{https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_macros.html}
+
+If necessary the test can be disabled via the
+@option{--skip-glibcxx-assertions} option and re-enabled via the
+@option{--test-glibcxx-assertions} option.
+
+@c -----------------------------------------------------------------
+@node Test entry
+@subsection The entry test
+
+@smallexample
+ Problem: Intel's CET security feature requires that the first instruction in a program be ENDBR
+ Fix By: Compile statup code with -fcf-protection
+ Waive If: The application will not run on the latest Intel hardware
+
+ Example: FAIL: entry test because instruction at entry is not ENDBR32
+ Example: FAIL: entry test because instruction at entry is not ENDBR64
+@end smallexample
+
+This test checks to make sure that the first instruction in a program
+for the x86 or x86_64 architectures is @var{ENDBR}. This is needed as
+part of Intel's @var{CET} security feature. (See @ref{Test cf
+protection} for more details on @var{CET}).
+
+If necessary the test can be disabled via the
+@option{--skip-entry} option and re-enabled via the
+@option{--test-entry} option.
+
+@c -----------------------------------------------------------------
+@node Test go revision
+@subsection The go-revision test
+
+@smallexample
+ Problem: Using old versions of the GO compiler looses out on security enhacements
+ Fix By: Using a newer GO compiler
+ Waive If: No new GO compiler is available
+
+ Example: FAIL: go-revision test because GO revision must be >= 14
+ Example: FAIL: go-revision test because multiple, different GO version strings found
+ Example: FAIL: go-revision test because no Go compiler revision information found
+@end smallexample
+
+This test checks to see that GO code has been compiled by at least a
+revision 14 compiler. Earlier versions of the compiler do not have
+all the bug fixes and security enhancements of later versions.
+
+Note - it is likely that the minimum revision of the GO compiler will
+be increased in the future.
+
+If necessary the test can be disabled via the
+@option{--skip-go-revision} option and re-enabled via the
+@option{--test-go-revision} option.
+
+@c -----------------------------------------------------------------
+@node Test only go
+@subsection The only-go test
+
+@smallexample
+ Problem: Mixing GO and C is unsafe on x86 platforms
+ Fix By: Using a new GO compiler
+ Waive If: Always
+
+ Example: FAIL: only-go test because combining GO and non-GO object files on x86 systems is not safe - it disables CET
+@end smallexample
+
+Note - this test is currently disabled. The GO compiler's lack of
+support for @var{CET} is a known issue that cannot be addressed by
+package maintainers. Hence there is no point in issuing an error
+message.
+
+This test checks to see if GO and C are being used together in the
+same program. This is a problem for code that is going to run on x86
+architectures as the GO compiler does not support Intel's @var{CET}
+technology. (See @ref{Test cf protection} for more details on
+@var{CET}). The GO language is inheritantly safer than C, but if the
+two are mixed, then the C parts will be missing out on the protection
+offered by @var{CET}.
+
+If necessary the test can be disabled via the
+@option{--skip-only-go} option and re-enabled via the
+@option{--test-only-go} option.
+
+@c -----------------------------------------------------------------
+@node Test warnings
+@subsection The warnings test
+
+@smallexample
+ Problem: Compiling without warnings enabled can result in poor code
+ Fix By: Add -Wall to the compiler command line
+ Waive If: There are known problems with using -Wall
+
+ Example: FAIL: warnings test because compiled without either -Wall or -Wformat-security
+@end smallexample
+
+This test checks to see that a file has been compiled with either or
+both of the @option{-Wall} and @option{-Wformat-security} options
+specified. Enabling warnings - and then fixing the problems reported
+- results in better quality code that is less likely to contain bugs.
+
+If necessary the test can be disabled via the
+@option{--skip-warnings} option and re-enabled via the
+@option{--test-warnings} option.
+
+@c -----------------------------------------------------------------
+@node Test instrumentation
+@subsection The instrumentation test
+
+@smallexample
+ Problem: Instrumented binaries are bigger and slower than regular binaries
+ Fix By: Removing instrumentation options from compiler command line
+ Waive If: Instrumentation is needed.
+
+ Example: WARN: Instrumentation enabled - this is probably a mistake for production binaries
+@end smallexample
+
+This test checks to see if any of gcc's instrumentation command line
+options have been used when the binary built. These options are:
+@option{_fsanitize}, @option{-finstrument-functions}, @option{-p},
+@option{-pg}, and @option{-fprofile-arcs}.
+
+There is no way to disable this test.
+
+@c -----------------------------------------------------------------
+@node Hardened Command Line Options
+@subsection Command line options specific to the hardened tool
@table @code
@item --test-@var{name}
Enable test @var{name}.
+@item --test-all
+Enable all the tests.
+
@item --test-future
Report @emph{future fail} tests. These are tests for security
features which are not yet implemented, but are planned for the
@item --profile-el9
@itemx --profile-rawhide
+@itemx --profile-el7
Rather than enabling and disabling specific tests a selection can be
chosen via a profile option. The @option{--profile-el9} option will
select the tests suitable for @emph{RHEL-9} binaries. The
@option{--profile-rawhide} option will select tests suitable for
-@emph{Fedora rawhide} binaries. Other profiles may be added in the
-future.
+@emph{Fedora rawhide} binaries and the @option{--profile-el7} option
+will select tests suitable for @emph{RHEL-7} binaries.
+
+Other profiles may be added in the future.
@item --disable-hardened
Disable the tool.
@item --ignore-gaps
Do not complain about gaps in the note data.
+@item --report-gaps
+Do complain about gaps in the note data.
+
@item --fixed-format-messages
Display messages in a fixed, machine parseable format. The format is:
enabled in @option{verbose} mode. This option and its inverse
@option{--base-filenames} can be used to set a fixed choice.
+@item --no-urls
+@itemx --provide-urls
+By default when a FAIL or MAYB result is displayed by the
+@var{hardened} checker a URL to the online version of the relevant
+section in this document is also provided. (Unless the
+@option{--fixed-format-messages} option has been enabled). The
+@option{--no-urls} option disables the display of the URLs and the
+@option{--provide-urls} re-enables the display.
+
@end table
@c man end
@c -----------------------------------------------------------------
-@node Waiving Annocheck Results
-@subsection How to waive the results of annocheck tests
+@node Waiving Hardened Results
+@subsection How to waive the results of the hardening tests
+
+[This section is Red Hat specific.]
Now that @command{annocheck} is being used by the builders for Fedora
and RHEL packages it is possible that certain tests may need to be
waived for certain packages. This can be done on a per-package
-basis by editting the contents of the @file{rpminspect.yaml} file and
+basis by editing the contents of the @file{rpminspect.yaml} file and
adding an entry like this:
@smallexample
@end smallexample
This example shows how the @emph{property note} test can be ignored.
-Note that doing this overrides the default options that are passed to
-annocheck by the rpminspect framework, which is why the
+Beware however that doing this overrides the default options that are
+passed to annocheck by the rpminspect framework, which is why the
@option{--ignore-unknown} and @option{--verbose} options are also
included in the example.
+For more information on rpmdiff see:
+
+@url{https://docs.engineering.redhat.com/display/HTD/rpmdiff-elf-binarylibrary}
+
+For more information on the use of annobin in RHEL see:
+
+@url{https://one.redhat.com/rhel-developer-guide/#_annocheck_ensuring_comprehensive_elf_distro_flags}
+
+To get more help on deciding whether or not a test should be waived
+please ask on either of the
+@var{os-devel-list@@redhat.com} OS Devel
+or the
+@var{rhel-devel@@redhat.com} RHEL Devel mailing lists.
+
@c -----------------------------------------------------------------
@node Notes
@section The annobin note displayer
@smallexample
-@c man begin SYNOPSIS annocheck
+@c man begin SYNOPSIS annocheck-notes
annocheck
[@b{--disable-hardened}]
@c man end
@end smallexample
-@c man begin DESCRIPTION annocheck
+@c man begin DESCRIPTION annocheck-notes
The @var{notes} tool displays the contents of any annobin notes inside
the specified files. It groups the notes by address range, which
@c man end
@c -----------------------------------------------------------------
-@node Section-Size
+@node Size
@section The section size recorder
@smallexample
-@c man begin SYNOPSIS annocheck
+@c man begin SYNOPSIS annocheck-size
annocheck
[@b{--disable-hardened}]
@c man end
@end smallexample
-@c man begin DESCRIPTION annocheck
+@c man begin DESCRIPTION annocheck-size
The @var{section-size} tool records the size of named sections within
a list of files and then reports the accumulated size at the end.
Since it is part of the @command{annocheck} framework, it is able to
@var{Write}, @var{Alloc} or @var{Execute} flags set respectively. If
the @var{!} exclamation mark character is present then it negates the
meaning of the following flags. Thus @option{--section-sec-flags=W}
-option will search for any writeable section whereas the
+option will search for any writable section whereas the
@option{--size-sec-flags=W!A} option will search only for sections
-that are writeable but not allocated.
+that are writable but not allocated.
Instead of searching for sections by flags it is also possible to
search for segments by flags using the
@option{--size-seg-flags=<flags>} option. The flags recognised for
-segments are @var{W} for writeable, @var{R} for readable and @var{X}
+segments are @var{W} for writable, @var{R} for readable and @var{X}
for executable. Again the @var{!} character can be used to invert the
meaning of the flags that follow it.
@section How long did the check take ?
@smallexample
-@c man begin SYNOPSIS annocheck
+@c man begin SYNOPSIS annocheck-timing
annocheck
@b{--enable-timing}
@c man end
@end smallexample
-@c man begin DESCRIPTION annocheck
+@c man begin DESCRIPTION annocheck-timing
The @var{timing} tool reports on the time taken by other tools to
scan the list of files. The tool is disabled by default, but it can
be enabled by the command line option @option{--enable-timing}.
default the configure system will detect if the library is installed
and if not, then it will disable the building of @command{annocheck}
and the running of the tests. (Since they use @command{annocheck}).
-This behaviour can be overrridden by the @option{--without-libelf}
+This behaviour can be overridden by the @option{--without-libelf}
option which forces the build to assume that libelf is absent even if
it would normally be detected.
for example @var{6.2.1}.
@item --maxver=@var{version}
-Only report binaries built by a tool whoes version is @var{version} or
+Only report binaries built by a tool whose version is @var{version} or
lower. Can be combined with the @option{--minver} option to restrict
output to those binaries created by tools within a specific version
range.
@itemx -s
Produce no output. Just return an exit status.
-@item --inconsitencies
+@item --inconsistencies
@itemx -i
Only report files with potential ABI problems.
Do not report file types that are not supported or recognised.
@item --ignore-@var{ABI|enum|FORTIFY|stack-prot}
-Disables individual ABI checks. Multiple occurences of this option
+Disables individual ABI checks. Multiple occurrences of this option
accumulate. Possible option values are:
@table @samp
@node Checking Archives
@section The run-on-binaries-in script
-@c man title run-on-binries Checking Archives
+@c man title run-on-binaries Checking Archives
@smallexample
@c man begin SYNOPSIS run-on-binaries-in
Enables verbose mode, causing the script to detail each action it
takes.
-If this option is repeated it has the special effect of cancelling out
+If this option is repeated it has the special effect of canceling out
the automatic addition of the @option{-i} to recursive invocations of
the script.
@item --
Stops processing of command line options. This allows the script to
-be run with a program whoes name starts with a dash.
+be run with a program whose name starts with a dash.
@end table
@include fdl.texi
@bye
-
cp -r current annobin-$release
cd annobin-$release
rm -fr .git autom4te.cache
+
+sleep 1
+touch aclocal.m4 gcc-plugin/config.h.in
+touch configure */configure Makefile.in */Makefile.in
+touch doc/annobin.info
+
cd ..
tar cf - annobin-$release | xz -9 -c > annobin-$release.tar.xz
rm -fr annobin-$release
echo "Created: annobin-$release.tar.xz"
exit 0
-
-cp -r current annobin-gcc-plugin-$release
-cd annobin-gcc-plugin-$release
-rm -fr .git autom4te.cache scripts annocheck tests clang-plugin llvm-plugin doc tests
-sed --in-place -e 's/"$with_docs" != no/"$with_docs" == yes/' configure.ac
-sed --in-place -e 's/"$with_tests" != no/"$with_tests" == yes/' configure.ac
-sed --in-place -e 's/"$with_annocheck" != no/"$with_annocheck" == yes/' configure.ac
-sed --in-place -e 's/if test "$with_docs" != no; then/if test "$with_docs" == yes; then/' configure
-sed --in-place -e 's/if test "$with_tests" != no; then/if test "$with_tests" == yes; then/' configure
-sed --in-place -e 's/if test "$with_annocheck" != no; then/if test "$with_annocheck" == yes; then/' configure
-cd ..
-
-tar cf - annobin-gcc-plugin-$release | xz -9 -c > annobin-gcc-plugin-$release.tar.xz
-rm -fr annobin-gcc-plugin-$release
-
-echo "Created: annobin-gcc-plugin-$release.tar.xz"
git://sourceware.org / annobin.git / commitdiff