foster/bitcoin-bitcoin-core
0
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-09 10:43:19 -05:00
Code Issues Activity

scripts: add PE dylib checking to symbol-check.py

Browse source
This commit is contained in:
fanquake 2020-03-21 14:23:02 +08:00
parent 5504703a9f
commit 1a0993ae35
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
4 changed files with 53 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
contrib/devtools/README.md
View file

@ -109,7 +109,7 @@ certain symbols and are only linked against allowed libraries.
For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols. For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols.
This makes sure they are still compatible with the minimum supported distribution versions. This makes sure they are still compatible with the minimum supported distribution versions.
For macOS we check that the executables are only linked against libraries we allow. For macOS and Windows we check that the executables are only linked against libraries we allow.
Example usage after a gitian build: Example usage after a gitian build:

49
contrib/devtools/symbol-check.py
View file

@ -3,9 +3,8 @@
# Distributed under the MIT software license, see the accompanying # Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php. # file COPYING or http://www.opensource.org/licenses/mit-license.php.
''' '''
A script to check that the (Linux) executables produced by gitian only contain A script to check that the executables produced by gitian only contain
allowed gcc and glibc version symbols. This makes sure they are still compatible certain symbols and are only linked against allowed libraries.
with the minimum supported Linux distribution versions.
Example usage: Example usage:
@ -53,6 +52,7 @@ IGNORE_EXPORTS = {
} }
READELF_CMD = os.getenv('READELF', '/usr/bin/readelf') READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt') CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool') OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
# Allowed NEEDED libraries # Allowed NEEDED libraries
@ -101,6 +101,26 @@ MACHO_ALLOWED_LIBRARIES = {
'libobjc.A.dylib', # Objective-C runtime library 'libobjc.A.dylib', # Objective-C runtime library
} }
PE_ALLOWED_LIBRARIES = {
'ADVAPI32.dll', # security & registry
'IPHLPAPI.DLL', # IP helper API
'KERNEL32.dll', # win32 base APIs
'msvcrt.dll', # C standard library for MSVC
'SHELL32.dll', # shell API
'USER32.dll', # user interface
'WS2_32.dll', # sockets
# bitcoin-qt only
'dwmapi.dll', # desktop window manager
'GDI32.dll', # graphics device interface
'IMM32.dll', # input method editor
'ole32.dll', # component object model
'OLEAUT32.dll', # OLE Automation API
'SHLWAPI.dll', # light weight shell API
'UxTheme.dll',
'VERSION.dll', # version checking
'WINMM.dll', # WinMM audio API
}
class CPPFilt(object): class CPPFilt(object):
''' '''
Demangle C++ symbol names. Demangle C++ symbol names.
@ -218,6 +238,26 @@ def check_MACHO_libraries(filename) -> bool:
ok = False ok = False
return ok return ok
def pe_read_libraries(filename) -> List[str]:
p = subprocess.Popen([OBJDUMP_CMD, '-x', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
(stdout, stderr) = p.communicate()
if p.returncode:
raise IOError('Error opening file')
libraries = []
for line in stdout.splitlines():
if 'DLL Name:' in line:
tokens = line.split(': ')
libraries.append(tokens[1])
return libraries
def check_PE_libraries(filename) -> bool:
ok = True
for dylib in pe_read_libraries(filename):
if dylib not in PE_ALLOWED_LIBRARIES:
print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
ok = False
return ok
CHECKS = { CHECKS = {
'ELF': [ 'ELF': [
('IMPORTED_SYMBOLS', check_imported_symbols), ('IMPORTED_SYMBOLS', check_imported_symbols),
@ -226,6 +266,9 @@ CHECKS = {
], ],
'MACHO': [ 'MACHO': [
('DYNAMIC_LIBRARIES', check_MACHO_libraries) ('DYNAMIC_LIBRARIES', check_MACHO_libraries)
],
'PE' : [
('DYNAMIC_LIBRARIES', check_PE_libraries)
] ]
} }

1
contrib/gitian-descriptors/gitian-win.yml
View file

@ -145,6 +145,7 @@ script: |
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}" CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}"
make ${MAKEOPTS} make ${MAKEOPTS}
make ${MAKEOPTS} -C src check-security make ${MAKEOPTS} -C src check-security
make ${MAKEOPTS} -C src check-symbols
make deploy make deploy
make install DESTDIR=${INSTALLPATH} make install DESTDIR=${INSTALLPATH}
cp -f --target-directory="${OUTDIR}" ./bitcoin-*-setup-unsigned.exe cp -f --target-directory="${OUTDIR}" ./bitcoin-*-setup-unsigned.exe

5
src/Makefile.am
View file

@ -703,6 +703,11 @@ if TARGET_DARWIN
$(AM_V_at) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS) $(AM_V_at) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
endif endif
if TARGET_WINDOWS
@echo "Checking Windows dynamic libraries..."
$(AM_V_at) OBJDUMP=$(OBJDUMP) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
endif
if GLIBC_BACK_COMPAT if GLIBC_BACK_COMPAT
@echo "Checking glibc back compat..." @echo "Checking glibc back compat..."
$(AM_V_at) READELF=$(READELF) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS) $(AM_V_at) READELF=$(READELF) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)