author | jperkin <jperkin@pkgsrc.org> | 2017-10-03 09:43:06 +0000 |
---|---|---|
committer | jperkin <jperkin@pkgsrc.org> | 2017-10-03 09:43:06 +0000 |
commit | 9129323f956e700017e46ce2c97ff807aac6c5ff (patch) | |
tree | d539fcc8fc3ab0fcd9591206f68439e163a909bb /mk | |
parent | 20247c0b3b86398647f2f2580224c7603d765c56 (diff) | |
mk: Add support for SSP checks.
Diffstat (limited to 'mk')
-rw-r--r-- | mk/check/bsd.check-vars.mk | 10 | ||||
-rw-r--r-- | mk/check/bsd.check.mk | 3 | ||||
-rw-r--r-- | mk/check/check-ssp-elf.awk | 93 | ||||
-rw-r--r-- | mk/check/check-ssp.mk | 89 |
4 files changed, 193 insertions, 2 deletions
diff --git a/mk/check/bsd.check-vars.mk b/mk/check/bsd.check-vars.mk
index 053c51adcfd..52c9a6e5b3d 100644
--- a/mk/check/bsd.check-vars.mk
+++ b/mk/check/bsd.check-vars.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check-vars.mk,v 1.9 2017/07/04 18:29:24 khorben Exp $
+# $NetBSD: bsd.check-vars.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
 #
 # This Makefile fragment is included separately by bsd.pkg.mk and
 # defines some variables which must be defined earlier than where
@@ -8,8 +8,10 @@
 CHECK_FILES_SUPPORTED?= yes
 CHECK_RELRO_SUPPORTED?= yes
 CHECK_SHLIBS_SUPPORTED?= yes
+CHECK_SSP_SUPPORTED?= yes
 
 _OPSYS_CAN_CHECK_RELRO?= ${_OPSYS_CAN_CHECK_SHLIBS}
+_OPSYS_CAN_CHECK_SSP?= ${_OPSYS_CAN_CHECK_SHLIBS}
 
 .if ${_OPSYS_CAN_CHECK_RELRO:tl} == "yes"
 _USE_CHECK_RELRO_NATIVE= yes
@@ -23,4 +25,10 @@ _USE_CHECK_SHLIBS_NATIVE= yes
 _USE_CHECK_SHLIBS_NATIVE= no
 .endif
 
+.if ${_OPSYS_CAN_CHECK_SSP:tl} == "yes"
+_USE_CHECK_SSP_NATIVE= yes
+.else
+_USE_CHECK_SSP_NATIVE= no
+.endif
+
 USE_TOOLS+= awk cat cmp diff echo find grep rm sed test touch true
diff --git a/mk/check/bsd.check.mk b/mk/check/bsd.check.mk
index 78eab8d9a22..0a698c47ac9 100644
--- a/mk/check/bsd.check.mk
+++ b/mk/check/bsd.check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check.mk,v 1.9 2017/07/04 18:29:24 khorben Exp $
+# $NetBSD: bsd.check.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to build and install checks.
@@ -32,6 +32,7 @@
 .include "check-portability.mk"
 .include "check-relro.mk"
 .include "check-shlibs.mk"
+.include "check-ssp.mk"
 .include "check-stripped.mk"
 .include "check-vulnerable.mk"
 .include "check-wrkref.mk"
diff --git a/mk/check/check-ssp-elf.awk b/mk/check/check-ssp-elf.awk
new file mode 100644
index 00000000000..c2cf41c66b3
--- /dev/null
+++ b/mk/check/check-ssp-elf.awk
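Review bot: The new default `_OPSYS_CAN_CHECK_SSP?= ${_OPSYS_CAN_CHECK_SHLIBS}` in the second hunk ties "this platform can check SSP" to "this platform can check shared libraries", but those are different questions: the shlibs capability only says readelf can inspect binaries here, while the SSP check added in this commit needs the toolchain to actually express stack protection as a NEEDED libssp entry. On a platform whose libc provides the SSP runtime and whose compiler never links a separate libssp (which platforms those are is not visible in this diff), inheriting the shlibs value turns the check on and makes every binary fail it. I would either default to `no` and opt platforms in from their platform files, or at least document the coupling next to the line: `# SSP checking is assumed possible wherever shlibs checking is; set to "no" on platforms whose compiler does not link libssp.` The variable is otherwise undocumented, unlike the public CHECK_* knobs in check-ssp.mk.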
@@ -0,0 +1,93 @@
+# $NetBSD: check-ssp-elf.awk,v 1.1 2017/10/03 09:43:06 jperkin Exp $
+#
+# Copyright (c) 2007 Joerg Sonnenberger <joerg@NetBSD.org>.
+# Copyright (c) 2017 Pierre Pronchery <khorben@NetBSD.org>.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Joerg Sonnenberger.
+#
+# Originally developed as part of Google's Summer of Code 2007 program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+#
+# Read a list of potential ELF binaries from stdin.
+# For each, extract the list of program headers.
+# Check that the SSP library is present.
+#
+
+function shquote(IN, out) {
+ out = IN;
+ gsub("\\\\", "\\\\", out);
+ gsub("\\\n", "\\n", out);
+ gsub("\\\t", "\\t", out);
+ gsub(" ", "\\ ", out);
+ gsub("'", "\\'", out);
+ gsub("`", "\\`", out);
+ gsub("\"", "\\\"", out);
+ gsub(";", "\\;", out);
+ gsub("&", "\\&", out);
+ gsub("<", "\\<", out);
+ gsub(">", "\\>", out);
+ gsub("\\(", "\\(", out);
+ gsub("\\)", "\\)", out);
+ gsub("\\|", "\\|", out);
+ gsub("\\*", "\\*", out);
+ gsub("\\?", "\\?", out);
+ gsub("\\{", "\\{", out);
+ gsub("\\}", "\\}", out);
+ gsub("\\[", "\\[", out);
+ gsub("\\]", "\\]", out);
+ gsub("\\$", "\\$", out);
+ gsub("!", "\\!", out);
+ gsub("#", "\\#", out);
+ gsub("\\^", "\\^", out);
+ gsub("~", "\\~", out);
+ return out;
+}
+
+function checkssp(ELF, got_ssp, found) {
+ cmd = readelf " -Wd " shquote(ELF) " 2>/dev/null"
+ while ((cmd | getline) > 0) {
+ found = 1
+ if ($2 == "(NEEDED)" && $5 ~ /libssp/) {
+ got_ssp = 1
+ break
+ }
+ }
+ close(cmd)
+ if (found == 1 && got_ssp != 1) {
+ print ELF ": missing SSP"
+ }
+}
+
+BEGIN {
+ readelf = ENVIRON["READELF"]
+ if (readelf == "")
+ readelf = "readelf"
+}
+
+{ checkssp($0); }
diff --git a/mk/check/check-ssp.mk b/mk/check/check-ssp.mk
new file mode 100644
index 00000000000..a0bfac15c84
--- /dev/null
+++ b/mk/check/check-ssp.mk
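Review bot: `checkssp` decides "SSP applied" solely from a dynamic-section entry, `$2 == "(NEEDED)" && $5 ~ /libssp/`, which measures the link line rather than the instrumentation: a binary built with -fstack-protector only has to reference `__stack_chk_fail`/`__stack_chk_guard`, and on toolchains that provide those in libc it carries no libssp dependency at all (so every file is reported "missing SSP"), while an object linked with -lssp but compiled without -fstack-protector passes. Checking the dynamic symbol table for the runtime symbols is closer to the property the check is named for; the rewrite below does that with `readelf -Ws` and keeps the same output format, and the header comment ("extract the list of program headers") should be updated to match, since `-d` reads the dynamic section and `-Ws` the symbol tables, not program headers. A binary with no stack arrays may legitimately reference neither symbol unless built with `-fstack-protector-all`/`-strong`, so this is still a heuristic and the comment should say so. Separately, `shquote` escapes shell metacharacters one at a time; wrapping the name in single quotes with `gsub("'", "'\\''", out); return "'" out "'"` covers every byte except NUL in far fewer lines.
```awk
function checkssp(ELF, got_ssp, found) {
	# Look for the stack-protector runtime symbols instead of a NEEDED
	# libssp: toolchains that ship SSP in libc never link libssp, and a
	# -lssp link line does not prove any function was instrumented.
	# Heuristic: code with no protected frames references neither symbol.
	cmd = readelf " -Ws " shquote(ELF) " 2>/dev/null"
	while ((cmd | getline) > 0) {
		found = 1
		if ($NF ~ /^__stack_chk_(fail|guard)/) {
			got_ssp = 1
			break
		}
	}
	close(cmd)
	if (found == 1 && got_ssp != 1) {
		print ELF ": missing SSP"
	}
}
```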
@@ -0,0 +1,89 @@
+# $NetBSD: check-ssp.mk,v 1.1 2017/10/03 09:43:06 jperkin Exp $
+#
+# This file verifies that SSP was applied accordingly at build-time.
+#
+# User-settable variables:
+#
+# CHECK_SSP
+# Whether the check should be enabled or not.
+#
+# Default value: "yes" for PKG_DEVELOPERs, "no" otherwise.
+#
+# Package-settable variables:
+#
+# CHECK_SSP_SKIP
+# A list of shell patterns (like man/*) that should be excluded
+# from the check. Note that a * in a pattern also matches a slash
+# in a pathname.
+#
+# Default value: empty.
+#
+# CHECK_SSP_SUPPORTED
+# Whether the check should be enabled for this package or not.
+#
+# Default value: yes
+#
+
+_VARGROUPS+= check-ssp
+_USER_VARS.check-ssp= CHECK_SSP
+_PKG_VARS.check-ssp= CHECK_SSP_SUPPORTED
+
+.if ${_PKGSRC_USE_SSP:Uno} != "no" && \
+ ${PKG_DEVELOPER:Uno} != "no"
+CHECK_SSP?= yes
+.else
+CHECK_SSP?= no
+.endif
+CHECK_SSP_SUPPORTED?= yes
+CHECK_SSP_SKIP?= # none
+
+# All binaries and shared libraries.
+_CHECK_SSP_ERE= (bin/|sbin/|libexec/|\.so$$|lib/lib.*\.so)
+
+_CHECK_SSP_FILELIST_CMD?= ${SED} -e '/^@/d' ${PLIST} | \
+ (while read file; do \
+ ${TEST} -h "$$file" || ${ECHO} "$$file"; \
+ done)
+
+.if !empty(CHECK_SSP:M[Yy][Ee][Ss]) && \
+ !empty(CHECK_SSP_SUPPORTED:M[Yy][Ee][Ss])
+privileged-install-hook: _check-ssp
+.endif
+
+.if ${_USE_CHECK_SSP_NATIVE} == "yes"
+CHECK_SSP_NATIVE_ENV=
+. if ${OBJECT_FMT} == "ELF"
+USE_TOOLS+= readelf
+CHECK_SSP_NATIVE= ${PKGSRCDIR}/mk/check/check-ssp-elf.awk
+CHECK_SSP_NATIVE_ENV+= PLATFORM_RPATH=${_OPSYS_SYSTEM_RPATH:Q}
+CHECK_SSP_NATIVE_ENV+= READELF=${TOOLS_PATH.readelf:Q}
+. endif
+CHECK_SSP_NATIVE_ENV+= CROSS_DESTDIR=${_CROSS_DESTDIR:Q}
+CHECK_SSP_NATIVE_ENV+= PKG_INFO_CMD=${PKG_INFO:Q}
+CHECK_SSP_NATIVE_ENV+= DEPENDS_FILE=${_RRDEPENDS_FILE:Q}
+CHECK_SSP_NATIVE_ENV+= DESTDIR=${DESTDIR:Q}
+CHECK_SSP_NATIVE_ENV+= WRKDIR=${WRKDIR:Q}
+. if defined(CHECK_WRKREF) && !empty(CHECK_WRKREF:Mextra)
+CHECK_SSP_NATIVE_ENV+= CHECK_WRKREF_EXTRA_DIRS=${CHECK_WRKREF_EXTRA_DIRS:Q}
+. endif
+
+_check-ssp: error-check .PHONY
+ @${STEP_MSG} "Checking for SSP in ${PKGNAME}"
+ ${RUN} rm -f ${ERROR_DIR}/${.TARGET}
+ ${RUN} \
+ cd ${DESTDIR:Q}${PREFIX:Q}; \
+ ${_CHECK_SSP_FILELIST_CMD} | \
+ ${EGREP} -h ${_CHECK_SSP_ERE:Q} | \
+ while read file; do \
+ case "$$file" in \
+ ${CHECK_SSP_SKIP:@p@${p}) continue ;;@} \
+ *) ;; \
+ esac; \
+ ${ECHO} $$file; \
+ done | \
+ ${PKGSRC_SETENV} ${CHECK_SSP_NATIVE_ENV} ${AWK} -f ${CHECK_SSP_NATIVE} > ${ERROR_DIR}/${.TARGET}
+
+.else
+_check-ssp: error-check .PHONY
+ @${WARNING_MSG} "Skipping check for SSP in DESTDIR mode."
+.endif
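Review bot: The fallback message at the end of the hunk, `"Skipping check for SSP in DESTDIR mode."`, describes the wrong condition: the `.else` branch is reached when `${_USE_CHECK_SSP_NATIVE} == "yes"` is false, which in this commit's bsd.check-vars.mk follows `_OPSYS_CAN_CHECK_SSP`, not DESTDIR, so a developer on an unsupported platform is told something unrelated; I would change it to `@${WARNING_MSG} "Skipping SSP check: not supported on this platform."`. The `CHECK_SSP_NATIVE_ENV` block also exports PLATFORM_RPATH, CROSS_DESTDIR, PKG_INFO_CMD, DEPENDS_FILE, DESTDIR, WRKDIR and CHECK_WRKREF_EXTRA_DIRS, none of which check-ssp-elf.awk reads (it only consults `ENVIRON["READELF"]`), so those lines and the `CHECK_WRKREF` conditional look like carry-over from check-shlibs.mk and can be dropped, leaving only `READELF`. One thing I cannot verify from the diff: `CHECK_SSP_NATIVE` is set only under `${OBJECT_FMT} == "ELF"`, so if `_USE_CHECK_SSP_NATIVE` can be "yes" on a non-ELF platform the recipe runs `${AWK} -f` with an empty path; if that combination exists, guarding the hook on `defined(CHECK_SSP_NATIVE)` or adding a comment stating the ELF-only assumption would close it.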