flatcar-scripts/hooks/install/qa-elf.sh

#!/bin/bash

# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

check_compiler_flags()
{
  local binary="$1"
  local flags=false
  local fortify=true
  local stack=true
  ${readelf} -p .GCC.command.line "${binary}" | \
  {
    while read flag ; do
      flags=true
      case "${flag}" in
        *"-U_FORTIFY_SOURCE"*)
          fortify=false
          ;;
        *"-fno-stack-protector"*)
          stack=false
          ;;
      esac
    done
    if ! ${flags}; then
      echo "File not built with -frecord-gcc-switches: ${binary}"
      return
    fi
    ${fortify} || echo "File not built with -D_FORTIFY_SOURCE: ${binary}"
    ${stack} || echo "File not built with -fstack-protector: ${binary}"
  }
}

check_linker_flags()
{
  local binary="$1"
  local pie=false
  local relro=false
  local now=false
  local gold=false
  ${readelf} -dlSW "${binary}" | \
  {
    while read line ; do
      case "${line}" in
        *".note.gnu.gold-version"*)
          gold=true
          ;;
        *"Shared object file"*)
          pie=true
          ;;
        *"GNU_RELRO"*)
          relro=true
          ;;
        *"BIND_NOW"*)
          now=true
          ;;
      esac
    done

    ${pie} || echo "File not PIE: ${binary}"
    ${relro} || echo "File not built with -Wl,-z,relro: ${binary}"
    ${now} || echo "File not built with -Wl,-z,now: ${binary}"
    ${gold} || echo "File not built with gold: ${binary}"
  }
}

check_binaries()
{
  local CTARGET="${CTARGET:-${CHOST}}"
  local readelf="${CTARGET}-readelf"
  local binary
  scanelf -y -B -F '%F' -R "${D}" | \
    while read binary ; do
      case "${binary}" in
        *.ko)
          ;;
        ${D}usr/lib/debug/*)
          ;;
        *)
          check_compiler_flags "${binary}"
          check_linker_flags "${binary}"
          ;;
      esac
    done
}

check_binaries