1#!/usr/bin/make -f 2 3include ../hardening.make 4 5BUILD_TREE:=../build-tree 6 7SYMLINKED_LD?= 8WRAPPERS?= 9SYNTAX_STAMP?= 10BUILD_EXTRA?= 11 12CFLAGS += -O2 13LDFLAGS?= 14 15HELLO=hello.c 16 17TEST_REQS=$(HELLO) $(WRAPPERS) $(SYMLINKED_LD) 18 19TESTS=\ 20 $(SYNTAX_STAMP) \ 21 $(BUILD_TREE)/$(NAME)-test-stock \ 22 $(BUILD_TREE)/$(NAME)-test-compiled \ 23 $(SYMLINKED_LD) \ 24 $(BUILD_TREE)/$(NAME)-test-linked \ 25 $(BUILD_TREE)/$(NAME)-test-fPIC-direct \ 26 $(BUILD_TREE)/$(NAME)-test-fPIC \ 27 $(BUILD_TREE)/$(NAME)-test-format-security \ 28 $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect \ 29 $(BUILD_TREE)/$(NAME)-test-ssp-buffer-type-protect \ 30 $(BUILD_TREE)/$(NAME)-test-all.o \ 31 $(BUILD_TREE)/$(NAME)-test-all.a \ 32 $(BUILD_TREE)/$(NAME)-test-none.o \ 33 $(BUILD_TREE)/$(NAME)-test-none.a \ 34 $(BUILD_EXTRA) 35 36TESTS_DISABLED=\ 37 $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip 38 39check: $(TESTS) 40 41clean: 42 rm -f $(TESTS) 43 44########## 45# Compilation and linking results tests 46 47$(BUILD_TREE)/$(NAME)-test-stock: $(HELLO) $(WRAPPERS) 48 # Compiler and linker options disabled. 49 DEB_BUILD_HARDENING=0 $(CC) -o $@ $< 50 readelf -ldrsW $@ 51 $@ 52 53$(BUILD_TREE)/$(NAME)-test-compiled: $(HELLO) $(WRAPPERS) 54 # Compiler options enabled. (linker is not wrapper) 55 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 56 readelf -ldrsW $@ 57 # Run twice to show off PIE, if available in kernel 58 $@ 59 $@ 60 61 62# Figure out how to call "hardening-check" for this architecture 63HARDENING_CHECK_ARGS:= 64ifneq (1,$(DEB_BUILD_HARDENING_PIE)) 65 HARDENING_CHECK_ARGS+=-p 66endif 67ifneq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) 68 HARDENING_CHECK_ARGS+=-s 69endif 70ifneq (1,$(DEB_BUILD_HARDENING_FORTIFY)) 71 HARDENING_CHECK_ARGS+=-f 72endif 73ifneq (1,$(DEB_BUILD_HARDENING_RELRO)) 74 HARDENING_CHECK_ARGS+=-r 75endif 76 77$(BUILD_TREE)/$(NAME)-test-linked: $(TEST_REQS) 78 # Compiler and linker options enabled. 79 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 80 readelf -ldrsW $@ 81 # Run twice to show off PIE, if available in kernel 82 $@ 83 $@ 84 # Check state of hardening features via check script 85 perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@ 86 # Manually check state of hardening features 87ifeq (1,$(DEB_BUILD_HARDENING_PIE)) 88 # Test PIE 89 readelf -lW $@ | grep '^Elf file type is DYN' 90else 91 # Skipped PIE test 92endif 93ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) 94 # Test Stack Protector 95 nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' 96else 97 # Skipped Stack Protector test 98endif 99ifeq (1,$(DEB_BUILD_HARDENING_FORTIFY)) 100 # Test Fortify 101 nm $@ | egrep '__(sn)?printf_chk($$|@@GLIBC)' 102else 103 # Skipped Fortify test 104endif 105ifeq (1,$(DEB_BUILD_HARDENING_FORMAT)) 106 # Test Format (no-op currently) 107else 108 # Skipped Format test 109endif 110ifeq (1,$(DEB_BUILD_HARDENING_RELRO)) 111 # Test for RELRO 112 readelf -lW $@ | grep GNU_RELRO 113else 114 # Skipping RELRO test 115endif 116ifeq (1,$(DEB_BUILD_HARDENING_BINDNOW)) 117 # Test for BIND_NOW 118 readelf -dW $@ | grep BIND_NOW 119else 120 # Skipping BINDNOW test 121endif 122 123 124########## 125# Compiler arg calling style tests 126 127# cmake likes to pass -fPIC to everything, which broke pre-1.10 wrappers 128$(BUILD_TREE)/$(NAME)-test-fPIC-direct: $(TEST_REQS) 129 # Build directly with -fPIC already defined 130 $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $< 131 $@ 132 133$(BUILD_TREE)/$(NAME)-test-fPIC.o: $(TEST_REQS) 134 # Build .o with -fPIC already defined 135 $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ -c $< 136 137$(BUILD_TREE)/$(NAME)-test-fPIC: $(BUILD_TREE)/$(NAME)-test-fPIC.o $(TEST_REQS) 138 # Link .o with -fPIC already defined 139 $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $< 140 $@ 141 142$(BUILD_TREE)/$(NAME)-test-format-security: format.c $(TEST_REQS) 143 # Make sure build fails due to -Werror=format-security 144 ! $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 145 # Make sure build succeeds with -Wno-format-security 146 $(CC) $(CFLAGS) -Wno-format-security $(LDFLAGS) -o $@ $< 147 148$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect: ssp-buffer-size-protect.c $(TEST_REQS) 149ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) 150 # Make sure build stack-protects a small ssp buffer 151 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 152 # Test Stack Protector 153 nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' 154else 155 # Skipped SSP buffer size test 156endif 157 158$(BUILD_TREE)/$(NAME)-test-ssp-buffer-type-protect: ssp-buffer-type-protect.c $(TEST_REQS) 159ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) 160 # Make sure build stack-protects a non-char array 161 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 162 # Test Stack Protector 163 nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' 164else 165 # Skipped SSP buffer size test 166endif 167 168$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip: ssp-buffer-size-skip.c $(TEST_REQS) 169ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) 170 # Make sure build does not stack-protects a tiny ssp buffer 171 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 172 # Test Stack Protector is correctly skipped 173 ! nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' 174else 175 # Skipped SSP buffer size test 176endif 177 178$(BUILD_TREE)/$(NAME)-test-all.o: $(TEST_REQS) 179 $(CC) $(CFLAGS) $(LDFLAGS) -c -o $@ $< 180$(BUILD_TREE)/$(NAME)-test-all.a: $(BUILD_TREE)/$(NAME)-test-all.o 181 $(AR) r $@ $< 182 readelf -ldrsW $@ 183 perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@ 184 185$(BUILD_TREE)/$(NAME)-test-none.o: $(TEST_REQS) 186 DEB_BUILD_HARDENING=0 $(CC) -c -o $@ $< 187$(BUILD_TREE)/$(NAME)-test-none.a: $(BUILD_TREE)/$(NAME)-test-none.o 188 $(AR) r $@ $< 189 readelf -ldrsW $@ 190 if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi 191