
suggestions for hardened checks #4

Open
Alessandro-Barbieri opened this issue Aug 29, 2021 · 3 comments

Comments

@Alessandro-Barbieri

Would be nice to integrate app-admin/checksec into this tool. It can report un-hardened libraries and executables, in multiple formats like json and csv.
Just be sure to ignore /usr/lib/debug in the report.
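
A checksec-style check of the kind suggested above, as an added example (not code from this tool or from checksec): it reads PIE, NX and RELRO from the ELF program and dynamic headers, skips everything under /usr/lib/debug, and returns a plain dict that can be dumped as JSON. The names `check_elf`, `make_elf` and `scan_tree` are chosen here; `make_elf` builds a constructed, header-only ELF64 image so the checker can be exercised offline, and the checker assumes ELF64 little-endian input (canary and fortify checks would need the symbol table and are left out).

```python
import os
import struct
# ELF constants as defined in elf.h
ET_DYN, PF_X = 3, 1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
SKIP_PREFIXES = ("/usr/lib/debug/",)  # separate debug files, excluded as the issue suggests

def check_elf(data: bytes) -> dict:
    """checksec-style PIE / NX / RELRO verdict for one ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    _, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<16sHHIQQQIHHH", data)
    nx, relro, bind_now, dyn = False, False, False, None  # no PT_GNU_STACK means an executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    for off in range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ():  # full RELRO also needs BIND_NOW
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        bind_now |= d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and bool(d_val & DF_BIND_NOW))
    return {"pie": e_type == ET_DYN, "nx": nx,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def make_elf(pie=True, exec_stack=False, relro=True, bind_now=True) -> bytes:  # constructed test image
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0), (PT_DYNAMIC, 6, 0x100, len(dyn))] + ([(PT_GNU_RELRO, 4, 0, 0)] if relro else [])
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return (ehdr + ph).ljust(0x100, b"\0") + dyn  # dynamic section lives at file offset 0x100

def scan_tree(root: str) -> dict:
    """Verdict for every ELF64-LE file under root, skipping SKIP_PREFIXES; serialisable as JSON."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if (os.path.abspath(dirpath) + "/").startswith(SKIP_PREFIXES):
            continue  # debug files would only add false "un-hardened" noise
        for path in (os.path.join(dirpath, n) for n in files):
            try:
                with open(path, "rb") as f: report[path] = check_elf(f.read())
            except (OSError, ValueError):
                pass  # unreadable, not ELF, or not ELF64-LE
    return report
```

`json.dumps(scan_tree("/usr/lib"), indent=1)` gives the per-file report; a csv writer over the same dict covers the other format mentioned.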

@gyakovlev

gyakovlev commented Jan 22, 2022

Several years ago I had a project where I built a full system with annobin enabled:
https://sourceware.org/annobin/annobin.html/index.html

It's a gcc (and llvm/clang now too) plugin that you can add to cflags. It works in a similar way to gcc's own -frecord-gcc-switches and annotates ELF objects in special sections, and includes tools to query binaries.

I abandoned the project due to lack of interest from other people (I was not a developer yet) and due to annobin's hard dependency on RPM. I heard the rpm dep and integration was relaxed, so maybe worth exploring again.

It had tools for checking hardened, optimization, fortify and other flags.
Those were the scripts: https://sourceware.org/annobin/annobin.html/Legacy-Scripts.html#Legacy-Scripts
Looks like they are replaced now.

If there's interest I can look at packaging annobin again and maybe work on adding QA checks based on the information it gathers and provides.

@ionenwks
Owner

Thanks for the ideas.

For now this has just been on my TODO along with other potential features; unsure if or when I'll get to this one -- will check my options then.

@gyakovlev

I re-checked annobin - the autoconf files are in a very bad state and it still requires a lot of patching.
I'll drop the half-baked ebuild here just for historical purposes; it's not ready, missing deps and eclass calls, and full of hacks, but I'll definitely lose it otherwise =)

# Copyright 2018-2022 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit autotools llvm toolchain-funcs

DESCRIPTION="Binary annotation compiler plugin and tools"
HOMEPAGE="https://nickc.fedorapeople.org"

if [[ ${PV} == 9999 ]]; then
	inherit git-r3
	EGIT_REPO_URI="https://sourceware.org/git/${PN}.git"
else
	SRC_URI="https://nickc.fedorapeople.org/${P}.tar.xz"
	KEYWORDS="~ppc64"
fi

LICENSE="GPL-3"
SLOT="0"
IUSE="clang doc llvm test"

REQUIRED_USE="clang? ( llvm )"

# TODO: dependencies not filled in yet (missing deps and eclass calls, as noted above)
DEPEND=""

RDEPEND="${DEPEND}"

pkg_pretend() {
	# annobin is built as a gcc plugin, so refuse to build with any other compiler
	if [[ ${MERGE_TYPE} != binary ]]; then
		if ! tc-is-gcc ; then
			eerror "${PN} is a gcc plugin. Please emerge using gcc as CC"
			die "use gcc"
		fi
	fi
}

src_prepare() {
	default
	# the bundled override.m4 pins autoconf 2.69; bump it so eautoreconf accepts 2.71
	sed -i 's|2.69|2.71|g' config/override.m4 || die

	if use llvm; then
		local llvmdir="$(get_llvm_prefix -d)"
		# first entry of clang's "libraries: =..." search path, where clang loads plugins from
		local llvm_plugindir
		llvm_plugindir="$(
			clang --print-search-dirs | gawk -e \
			'BEGIN { FS = ":" } /libraries/ { print gensub(" =", "", 1, $2) }'
		)"
		einfo "${llvm_plugindir}"

		sed -i "/^INCDIR.*/ s|$| -I${llvmdir}/include|" {llvm,clang}-plugin/Makefile.in || die
		sed -i "/^CLANG_LIBS.*/ s|$| -L${llvmdir}/$(get_libdir)|" clang-plugin/Makefile.in || die
		# fix the "print-seach-dirs" typo in the shipped Makefiles
		sed -i 's/print-seach-dirs/print-search-dirs/g' {llvm,clang}-plugin/Makefile.in || die
		# HACK: point the plugin install path into the image; ${D} is only guaranteed
		# to be set in src_install, so this is one of the hacks mentioned above
		sed -i "s|^PLUGIN_INSTALL_DIR =.*|PLUGIN_INSTALL_DIR = ${D%/}/$(realpath "${llvm_plugindir}")|" \
			{llvm,clang}-plugin/Makefile.in || die
	fi

	eautoreconf
}

src_configure() {
	local myconf=(
		--without-annocheck
		--with-libelf
		"--with-gcc-plugin-dir=$($(tc-getCC) -print-file-name=plugin)"
		--without-debuginfod # we don't have it enabled, comes with elfutils
		$(use_with clang)
		$(use_with llvm)
		$(use_with test tests)
		$(use_with doc docs)
	)
	econf "${myconf[@]}"
}
