[packages/rpm-build-macros] - add macro to check ELF file for executable stack (see https://www.openwall.com/lists/oss-securit
baggins
baggins at pld-linux.org
Tue Oct 30 23:09:51 CET 2018
commit 56dfec1918e77fc905d31ee63dc804f392a27174
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Tue Oct 30 23:07:26 2018 +0100
- add macro to check ELF file for executable stack
(see https://www.openwall.com/lists/oss-security/2018/10/22/3 and followup)
- up to 1.735
rpm-build-macros.spec | 4 ++--
rpm.macros | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+), 2 deletions(-)
---
diff --git a/rpm-build-macros.spec b/rpm-build-macros.spec
index 239faa4..90b0fef 100644
--- a/rpm-build-macros.spec
+++ b/rpm-build-macros.spec
@@ -1,10 +1,10 @@
-%define rpm_macros_rev 1.734
+%define rpm_macros_rev 1.735
%define find_lang_rev 1.40
Summary: PLD Linux RPM build macros
Summary(pl.UTF-8): Makra do budowania pakietów RPM dla Linuksa PLD
Name: rpm-build-macros
Version: %{rpm_macros_rev}
-Release: 2
+Release: 1
License: GPL
Group: Development/Building
Source0: rpm.macros
diff --git a/rpm.macros b/rpm.macros
index 896c953..4baa339 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -745,6 +745,31 @@ __spec_install_post_check_so() { \
%{!?no_install_post_check_so:return $fail;} \
}; __spec_install_post_check_so }}
+#-----------------------------------------------------------------
+# Find all ELF files with executable stac. Warn and terminate if any found
+# (termination can be turned off by define).
+#%no_install_post_check_stackexec 1
+#%skip_post_check_stackexec libwithexecstackok.so.*
+#
+# NOTE: define skip_post_check_stackexec only if such program or library
+# really requires executable stack and always leave a comment why
+# it is required:
+# # Programs full of nested functions that cannot be fixed
+# %define skip_post_check_execstack /bin/foo libwithexecstack.so.*
+#
+%__spec_install_post_check_execstack { \
+__spec_install_post_check_execstack() { \
+%{!?debug:set +x;} \
+ fail=0; \
+ printf "Searching for ELF programs with executable stack..."; \
+ for f in $(find $RPM_BUILD_ROOT -type f -print) ; do \
+ LC_ALL=C readelf -lW $f 2>/dev/null | \
+ LC_ALL=C awk -v "file=$f" 'BEGIN { found=0; } /GNU_STACK/ { if ($7 ~ "E") { found=1 } } END { if (found) { print "\nExecutable stack found in: " file; %{?skip_post_check_execstack:split("%{skip_post_check_execstack}", R); for (i=1; i in R; i++) { if (file ~ "(^|/)" R[i] "$") { print "File marked with skip_post_check_execstack, ignoring errors.\n"; exit(0); } } } exit(1); } }' || fail=1 ; \
+ done ; \
+ echo " DONE"; \
+ %{!?no_install_post_check_execstack:return $fail;} \
+}; __spec_install_post_check_execstack }}
+
#-----------------------------------------------------------------
# Verify that for each directory under /var/run package contains
# tmpfiles.d configuration. Warn and terminate build if config is
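Review bot: The header comment at the top of the added block names the knobs `no_install_post_check_stackexec` and `skip_post_check_stackexec`, while the macro body tests `no_install_post_check_execstack` and `skip_post_check_execstack` (as the later example in the same comment does), so a packager who follows the first two example lines defines a knob that silently does nothing; those two lines should read `#%no_install_post_check_execstack 1` and `#%skip_post_check_execstack libwithexecstackok.so.*`, and "stac" in the first comment line should be "stack". The awk program only reports a GNU_STACK entry whose flags field contains `E`; an ELF object with no PT_GNU_STACK header at all passes silently, although on common Linux targets that absence is, as far as I know, exactly what yields an executable stack, so something like `BEGIN { found=0; seen=0 } /GNU_STACK/ { seen=1; if ($7 ~ "E") { found=1 } } END { if (found || !seen) { …` would catch it — but only behind an ELF test, because readelf prints nothing on stdout for non-ELF input and `!seen` would otherwise flag every script and data file under the buildroot. The `for f in $(find $RPM_BUILD_ROOT -type f -print)` loop and the unquoted `$f` in the readelf call word-split on paths containing whitespace; if the neighbouring check_so macro uses the same loop, matching it may be deliberate, otherwise `find "$RPM_BUILD_ROOT" -type f -print0 | while IFS= read -r -d '' f` is the robust form. The whole macro definition lies inside the hunk.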
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/rpm-build-macros.git/commitdiff/56dfec1918e77fc905d31ee63dc804f392a27174