CMake: Add a hardening-check target.
On Windows, add a hardening-check target which checks for DYNAMICBASE and NXCOMPAT using the PowerShell script Get-HardenFlags.ps1. For a Visual Studio solution, run the check by calling: msbuild /m /p:Configuration=RelWithDebInfo hardening-check.vcxproj, substituting the configuration appropriate for your build. Otherwise, if the Debian/Fedora hardening-check script is found, add a target which runs it for each of our executables. Change-Id: I62263e81d155c66e8c8edc751ffab535bf9f3b96 Reviewed-on: https://code.wireshark.org/review/10641 Reviewed-by: Gerald Combs <gerald@wireshark.org>
parent
44d17c7844
commit
ff1dbba6ec
@ -2476,6 +2476,33 @@ add_custom_target(test-programs
)
set_target_properties(test-programs PROPERTIES FOLDER "Tests")
if (WIN32)
file (TO_NATIVE_PATH ${CMAKE_SOURCE_DIR}/tools/Get-HardenFlags.ps1 _win_harden_flags)
add_custom_target(hardening-check
COMMAND ${POWERSHELL_COMMAND} "${_win_harden_flags}" "${CMAKE_BINARY_DIR}"
DEPENDS ${PROGLIST}
COMMENT "Checking binaries for security features"
)
set_target_properties(hardening-check PROPERTIES FOLDER "Tests")
else ()
find_program(HARDENING_CHECK_EXECUTABLE hardening-check
DOC "Path to the hardening-check utility."
)
if (NOT "${HARDENING_CHECK_EXECUTABLE}" STREQUAL "HARDENING_CHECK_EXECUTABLE-NOTFOUND")
foreach(_prog ${PROGLIST})
get_target_property(_prog_dir ${_prog} RUNTIME_OUTPUT_DIRECTORY)
if (${_prog_dir} STREQUAL "_prog_dir-NOTFOUND")
set(_prog_dir "${CMAKE_BINARY_DIR}/run")
endif()
set(_prog_paths ${_prog_paths} "${_prog_dir}/${_prog}")
endforeach()
add_custom_target(hardening-check
COMMAND ${HARDENING_CHECK_EXECUTABLE} ${_prog_paths}
DEPENDS ${PROGLIST}
COMMENT "Checking binaries for security features"
)
endif()
endif()
#
# Editor modelines - http://www.wireshark.org/tools/modelines.html
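Review bot: The Unix branch rebuilds each executable's path by hand as `${_prog_dir}/${_prog}`, which only holds when the file name equals the target name and RUNTIME_OUTPUT_DIRECTORY is a plain directory; a target with OUTPUT_NAME set, or a multi-config generator that appends a per-config subdirectory, would presumably hand hardening-check a path that does not exist. Since this is an add_custom_target COMMAND, generator expressions are available, so the get_target_property/if/set trio inside the foreach can collapse to `list(APPEND _prog_paths "$<TARGET_FILE:${_prog}>")`, which also removes the unquoted `if (${_prog_dir} STREQUAL ...)` that would fail at configure time on an empty property value. Both add_custom_target calls should take `VERBATIM` so the paths survive argument quoting unchanged, and the NOTFOUND string compare can simply be `if (HARDENING_CHECK_EXECUTABLE)`. The two branches check different sets of files — the Windows branch hands the script the whole `${CMAKE_BINARY_DIR}` while the Unix branch checks only `${PROGLIST}` — so a comment on the WIN32 branch such as `# Scans every .exe/.dll under the build tree, not just PROGLIST; DEPENDS only orders the build.` would save the next reader from assuming parity. The `add_custom_target(test-programs` closed at the top of the hunk begins outside it.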
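--- /dev/null
+++ b/tools/Get-HardenFlags.ps1
@@ -0,0 +1,84 @@
+#
+# Get-HardenFlags - Checks hardening flags on the binaries.
+#
+# Copyright 2015 Graham Bloice <graham.bloice@trihedral.com>
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+#requires -version 2
+
+# Get-HardenFlags does:
+# call the dumpbin utility to get the binary header flags
+# on all the binaries in the distribution, and then filters
+# for the NXCOMPAT and DYNAMICBASE flags.
+
+<#
+.SYNOPSIS
+Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.
+
+.DESCRIPTION
+This script downloads and extracts third-party libraries required to compile
+Wireshark.
+
+.PARAMETER BinaryDir
+Specifies the directory where the binaries may be found.
+
+.INPUTS
+-BinaryDir Directory containing the binaries to be checked.
+
+.OUTPUTS
+Any binary that doesn't have the flags is written to the error stream
+
+.EXAMPLE
+C:\PS> .\tools\Get-HardenFlags.ps1 -BinaryDir run\RelWithDebInfo
+#>
+
+Param(
+[Parameter(Mandatory=$true, Position=0)]
+[String]
+$BinaryDir
+)
+
+# CD into the bindir, allows Resolve-Path to work in relative mode.
+Push-Location $BinDir
+
+# Retrieve the list of binaries. -Filter is quicker than -Include, but can only handle one item
+$Binaries = Get-ChildItem -Path $BinaryDir -Recurse -Include *.exe,*.dll
+
+# Number of "soft" binaries found
+$Count = 0;
+
+# Iterate over the list
+$Binaries | ForEach-Object {
+
+# Get the flags
+$flags = dumpbin $_ /HEADERS;
+
+# Check for the required flags
+$match = $flags | Select-String -Pattern "NX compatible", "Dynamic base"
+if ($match.Count -ne 2) {
+
+# Write-Error outputs error records, we simply want the filename
+[Console]::Error.WriteLine((Resolve-Path $_ -Relative))
+
+$Count++
+}
+}
+
+exit $Count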
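Review bot: `Push-Location $BinDir` references a variable that is never defined — the parameter is `$BinaryDir` — so the script presumably fails parameter binding or pushes the current location instead of changing into the binary directory, and the comment's stated purpose (having `Resolve-Path -Relative` produce paths relative to the bindir) is not achieved; the fix is `Push-Location $BinaryDir`, with a matching `Pop-Location` before `exit $Count`. The `.DESCRIPTION` block ("downloads and extracts third-party libraries required to compile Wireshark") is copied from a different script and should describe this one, e.g. `Runs dumpbin /HEADERS on every .exe and .dll under BinaryDir and reports those whose optional header lacks NXCOMPAT or DYNAMICBASE.` `dumpbin` is invoked unguarded: when it is not on PATH (anything other than a Visual Studio developer prompt), `$flags` is empty for every file and every binary is reported as soft, so a `Get-Command dumpbin -ErrorAction Stop` near the top would turn that into one clear failure instead of a misleading list. For 64-bit builds consider also requiring the `High Entropy Virtual Addresses` line that dumpbin prints for HIGHENTROPYVA, since DYNAMICBASE alone does not give full-range ASLR on x64.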
@ -132,12 +132,13 @@ EXTRA_DIST = \
dftestlib/util.py \
extract_asn1_from_spec.pl \
fix-encoding-args.pl \
fix_pragma_wdocumentation.sh \
fix_pragma_wdocumentation.sh \
fixhf.pl \
ftsanity.py \
fuzz-test.sh \
gen-bugnote \
generate-bacnet-vendors.py \
generate-bacnet-vendors.py \
Get-HardenFlags.ps1 \
git-compare-abis.sh \
git-export-release.sh \
html2text.py \
@ -164,7 +165,7 @@ EXTRA_DIST = \
npl/npl.c \
npl/parser.l \
npl/xmem.h \
parse_xml2skinny_dissector.py \
parse_xml2skinny_dissector.py \
pkt-from-core.py \
pre-commit \
process-x11-fields.pl \