Fix Windows hardening check

The hardening check runs on all binaries and quite a few third party binaries are not hardened, thus leading to a warning on the buildslave. The change reduces the noise by not counting the binaries that are known to be "soft". They are still printed in the output though, for reference. Also fixed the search directory passed to the script. Change-Id: I1619066c687c9ba934ab38fccbbf2011108328e4 Reviewed-on: https://code.wireshark.org/review/12016 Reviewed-by: Graham Bloice <graham.bloice@trihedral.com> Tested-by: Graham Bloice <graham.bloice@trihedral.com>
2015-11-21 18:09:33 +00:00 · 2015-11-21 18:09:33 +00:00 · f1efeb1eba
parent 65528108c3
commit f1efeb1eba
2 changed files with 57 additions and 3 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2644,7 +2644,7 @@ set_target_properties(test-programs PROPERTIES FOLDER "Tests")
 if (WIN32)
 	file (TO_NATIVE_PATH ${CMAKE_SOURCE_DIR}/tools/Get-HardenFlags.ps1 _win_harden_flags)
 	add_custom_target(hardening-check
-		COMMAND ${POWERSHELL_COMMAND} "${_win_harden_flags}" "${CMAKE_BINARY_DIR}"
+		COMMAND ${POWERSHELL_COMMAND} "${_win_harden_flags}" "${_dll_output_dir_win}"
 		DEPENDS ${PROGLIST}
 		COMMENT "Checking binaries for security features"
 	)
--- a/tools/Get-HardenFlags.ps1
+++ b/tools/Get-HardenFlags.ps1
@ -70,8 +70,59 @@ Param(
    $BinaryDir
 )

+# Create a list of 3rd party binaries that are not hardened
+$SoftBins = (
+    "libpixmap.dll",
+    "libwimp.dll",
+    "libgail.dll",
+    "airpcap.dll",
+    "comerr32.dll",
+    "gspawn-win32-helper-console.exe",
+    "gspawn-win32-helper.exe",
+    "k5sprt32.dll",
+    "krb5_32.dll",
+    "libatk-1.0-0.dll",
+    "libcairo-2.dll",
+    "libffi-6.dll",
+    "libfontconfig-1.dll",
+    "libfreetype-6.dll",
+    "libgcc_s_sjlj-1.dll",
+    "libgcrypt-20.dll",
+    "libgdk-win32-2.0-0.dll",
+    "libgdk_pixbuf-2.0-0.dll",
+    "libGeoIP-1.dll",
+    "libgio-2.0-0.dll",
+    "libglib-2.0-0.dll",
+    "libgmodule-2.0-0.dll",
+    "libgmp-10.dll",
+    "libgnutls-28.dll",
+    "libgobject-2.0-0.dll",
+    "libgpg-error-0.dll",
+    "libgtk-win32-2.0-0.dll",
+    "libharfbuzz-0.dll",
+    "libhogweed-2-4.dll",
+    "libintl-8.dll",
+    "libjasper-1.dll",
+    "libjpeg-8.dll",
+    "liblzma-5.dll",
+    "libnettle-4-6.dll",
+    "libp11-kit-0.dll",
+    "libpango-1.0-0.dll",
+    "libpangocairo-1.0-0.dll",
+    "libpangoft2-1.0-0.dll",
+    "libpangowin32-1.0-0.dll",
+    "libpixman-1-0.dll",
+    "libpng15-15.dll",
+    "libtasn1-6.dll",
+    "libtiff-5.dll",
+    "libxml2-2.dll",
+# Unfortunately the nsis uninstaller is not hardened.
+    "uninstall.exe"
+)
+
 # CD into the bindir, allows Resolve-Path to work in relative mode.
-Push-Location $BinDir
+Push-Location $BinaryDir
+[Console]::Error.WriteLine("Checking in $BinaryDir for unhardened binaries:")

 # Retrieve the list of binaries.  -Filter is quicker than -Include, but can only handle one item
 $Binaries = Get-ChildItem -Path $BinaryDir -Recurse -Include *.exe,*.dll
@ -92,7 +143,10 @@ $Binaries | ForEach-Object {
        # Write-Error outputs error records, we simply want the filename
        [Console]::Error.WriteLine((Resolve-Path $_ -Relative))

-        $Count++
+        # Don't count files that won't ever be OK
+        if ($SoftBins -notcontains (Split-Path $_ -Leaf)) {
+            $Count++
+        }
    }
 }