⋊> ~ annocheck -v /usr/bin/rg    08:42:41
Hardened: /usr/bin/rg: Could not find separate debug file: rg-0.8.1-5.fc29.x86_64.debug.
Hardened: /usr/bin/rg: GAP: (352fc..22858b) in annobin notes.
Hardened: /usr/bin/rg: GAP: (22858c..228813) in annobin notes.
Hardened: /usr/bin/rg: GAP: (228814..22890e) in annobin notes.
Hardened: /usr/bin/rg: GAP: (22890f..2289b1) in annobin notes.
Hardened: /usr/bin/rg: GAP: (2289b2..229915) in annobin notes.
Hardened: /usr/bin/rg: GAP: (229916..229a2c) in annobin notes.
Hardened: /usr/bin/rg: GAP: (229a2d..22d886) in annobin notes.
Hardened: /usr/bin/rg: GAP: (22d887..231a1f) in annobin notes.
Hardened: /usr/bin/rg: GAP: (231a20..23d030) in annobin notes.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d030..0x23d091): No stack protection enabled.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d030..0x23d091): Compiled without -fcf-protection.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d030..0x23d091): Insufficient value for -D_FORTIFY_SOURCE: 0.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d030..0x23d091): Compiled without -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0a0..0x23d0b0): Compiled without -fcf-protection.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0a0..0x23d0b0): Insufficient value for -D_FORTIFY_SOURCE: 0.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0a0..0x23d0b0): Compiled without -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0b0..0x23d0bf): Compiled without -fcf-protection.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0b0..0x23d0bf): Insufficient value for -D_FORTIFY_SOURCE: 0.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0b0..0x23d0bf): Compiled without -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0c0..0x23d0d0): Compiled without -fcf-protection.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0c0..0x23d0d0): Insufficient value for -D_FORTIFY_SOURCE: 0.
Hardened: /usr/bin/rg: fail: (addr range: 0x23d0c0..0x23d0d0): Compiled without -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/rg: MAYB: Gaps were detected in the annobin coverage.
Hardened: /usr/bin/rg: FAIL: -fcf-protection not enabled.
Hardened: /usr/bin/rg: pass: Dynamic segment is present.
Hardened: /usr/bin/rg: FAIL: -D_FORTIFY_SOURCE level too small.
Hardened: /usr/bin/rg: FAIL: -D_GLIBCXX_ASSERTIONS not used.
Hardened: /usr/bin/rg: pass: Linked with -Wl,-z,relro.
Hardened: /usr/bin/rg: pass: Stack not executable.
Hardened: /usr/bin/rg: pass: Sufficient compiler optimization used.
Hardened: /usr/bin/rg: pass: Compiled with PIC/PIE.
Hardened: /usr/bin/rg: pass: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: /usr/bin/rg: pass: No RWX segments found.
Hardened: /usr/bin/rg: pass: Compiled with -fstack-clash-protection.
Hardened: /usr/bin/rg: FAIL: Stack protection is insufficient.
Hardened: /usr/bin/rg: pass: No text relocations found.
Hardened: /usr/bin/rg: pass: No thread cancellation problems.
Hardened: /usr/bin/rg: pass: GOT/PLT relocations are read only.

I wonder if I need to do any fix in packaging, or we need to fix rustc to pass some necessary stuff around, or fix annobin to support rust binaries. Any guidance is appreciated!
Hi Igor,

What package provides /usr/bin/rg ?

I may be confused, but I think that rust uses llvm as its compiler core, rather than gcc. Since annobin notes are only generated when gcc[1] is used, that would explain why there are gaps in the coverage.

I could improve annocheck so that it tests for the compiler used to create the binary file and then only checks for specific command line options if the compiler was gcc...

Cheers
Nick

[1] At least for now. One day I would like to add llvm support to annobin.
(In reply to Nick Clifton from comment #1)
> Hi Igor,
>
> What package provides /usr/bin/rg ?

dnf install /usr/bin/rg ;)

That's the ripgrep.x86_64 (rust-ripgrep.src).

> I may be confused, but I think that rust uses llvm as its compiler core.
> rather than gcc. Since annobin notes are only generated when gcc[1] is
> used that would explain why there are gaps in the coverage.

Yeah, rust uses LLVM. However, it uses gcc to link the binary ;)

> I could improve annocheck so that it tests for the compiler used to create
> the binary file and then only checks for specific command line options
> if the compiler was gcc...

That would be nice.

> Cheers
> Nick
>
> [1] At least for now. One day I would like to add llvm support to annobin.

And this would be even better ;)
I have now updated the annocheck program to skip checks for specific compile time options if the binary was not built by gcc. This means that /usr/bin/rg now gets a PASS result from annocheck.

Adding support for LLVM annotation is something to consider in the future.

Fixed in: annobin-8.22-1.fc29
[brain@igor-t480s tmp]$ annocheck /usr/bin/rg -v
Hardened: /usr/bin/rg: Could not find separate debug file: rg-0.9.0-1.fc29.x86_64.debug.
Hardened: /usr/bin/rg: gap: (37949..24b8f0) in annobin notes.
Hardened: /usr/bin/rg: MAYB: Gaps were detected in the annobin coverage.
[brain@igor-t480s tmp]$ rpm -q annobin
annobin-8.23-1.fc29.x86_64
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
Nick, seems it broke at some point:

⋊> ~/P/f/r/librsvg2 on master ⨯ annocheck /usr/bin/rg -v    19:13:41
annocheck: Version 8.70.
Hardened: /usr/bin/rg: Could not find separate debug file: rg-0.10.0-1.module_2621+7cd44648.x86_64.debug.
Hardened: /usr/bin/rg: gap: (442f9..323d60) in annobin notes.
Hardened: /usr/bin/rg: gap: (3273fa..32cba0) in annobin notes.
Hardened: /usr/bin/rg: gap: (33144b..341650) in annobin notes.
Hardened: /usr/bin/rg: FAIL: Gaps were detected in the annobin coverage.
Hardened: /usr/bin/rg: PASS: Linked with -Wl,-z,now.
Hardened: /usr/bin/rg: PASS: Compiled with -fcf-protection.
Hardened: /usr/bin/rg: PASS: One dynamic section/segment found.
Hardened: /usr/bin/rg: PASS: Entry point instruction is ENDBR.
Hardened: /usr/bin/rg: PASS: Compiled with -D_FORTIFY_SOURCE=2.
Hardened: /usr/bin/rg: PASS: Compiled with -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/rg: PASS: Linked with -Wl,-z,relro.
Hardened: /usr/bin/rg: PASS: Stack not executable.
Hardened: /usr/bin/rg: PASS: Compiled with sufficient optimization.
Hardened: /usr/bin/rg: PASS: Compiled with PIC/PIE.
Hardened: /usr/bin/rg: PASS: Compiled as a position independent binary.
Hardened: /usr/bin/rg: FAIL: GNU Property note is missing, but -fcf-protection is enabled.
Hardened: /usr/bin/rg: PASS: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: /usr/bin/rg: PASS: No RWX segments found.
Hardened: /usr/bin/rg: PASS: Consistent use of the -fshort-enum option.
Hardened: /usr/bin/rg: PASS: Compiled with -fstack-clash-protection.
Hardened: /usr/bin/rg: PASS: Compiled with sufficient stack protection.
Hardened: /usr/bin/rg: skip: Test for stack realignment support. (Only needed on i686 binaries).
Hardened: /usr/bin/rg: PASS: No text relocations found.
Hardened: /usr/bin/rg: PASS: No thread cancellation problems.
Hardened: /usr/bin/rg: PASS: GOT/PLT relocations are read only.

⋊> ~/P/f/r/librsvg2 on master ⨯ rpm -q annobin ripgrep    19:13:44
annobin-8.70-1.fc30.x86_64
ripgrep-0.10.0-1.module_2621+7cd44648.x86_64
Hi Igor,

What is the name of the package containing /usr/bin/rg in rawhide ? I tried installing "rg", "ripgrep" and "rust-ripgrep", but none of these worked.

Cheers
Nick
(In reply to Nick Clifton from comment #7)
> Hi Igor,
>
> What is the name of the package containing /usr/bin/rg in rawhide ?
> I tried installing "rg", "ripgrep" and "rust-ripgrep", but none of
> these worked.

The package "ripgrep" contains the "rg" binary. It's shipped as a module in the fedora-modular repo now. :/
Feel free to take it from here: https://koji.fedoraproject.org/koji/buildinfo?buildID=1210630.
(In reply to Igor Gnatenko from comment #9)
> Feel free to take it from here:
> https://koji.fedoraproject.org/koji/buildinfo?buildID=1210630.

Thanks. Unfortunately, the x86_64 rpms from that location appear to work!

% annocheck ripgrep-0.10.0-1.module_f30+2903+8bdbc0c9.x86_64.rpm --debug-rpm ripgrep-debuginfo-0.10.0-1.module_f30+2903+8bdbc0c9.x86_64.rpm -v
annocheck: Version 8.70.
Hardened: ./usr/bin/rg: skip: Not checking for gaps (non-gcc compiled binary).
Hardened: ./usr/bin/rg: skip: Test for -Wl,-z,now. (Binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for control flow protection. (Not built by gcc).
Hardened: ./usr/bin/rg: PASS: One dynamic section/segment found.
Hardened: ./usr/bin/rg: PASS: Entry point instruction is ENDBR.
Hardened: ./usr/bin/rg: skip: Test for -D_FORTIFY_SOURCE=2. (The binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for -D_GLIBCXX_ASSERTONS. (The binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for -Wl,z,relro. (Not built by gcc).
Hardened: ./usr/bin/rg: PASS: Stack not executable.
Hardened: ./usr/bin/rg: skip: Test of optimization level. (The binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for PIC compilation. (The binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for -pie. (Not built with gcc).
Hardened: ./usr/bin/rg: skip: -fcf-protection is enabled, but some parts of the binary have been created by a non-GCC tool, and so do not have the necessary markup. This means that CET protection will *not* be enabled for any part of the binary.
Hardened: ./usr/bin/rg: PASS: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: ./usr/bin/rg: PASS: No RWX segments found.
Hardened: ./usr/bin/rg: PASS: Consistent use of the -fshort-enum option.
Hardened: ./usr/bin/rg: skip: Test for stack clash support. (Not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for stack protection. (The binary was not built by gcc).
Hardened: ./usr/bin/rg: skip: Test for stack realignment support. (Only needed on i686 binaries).
Hardened: ./usr/bin/rg: PASS: No text relocations found.
Hardened: ./usr/bin/rg: PASS: No thread cancellation problems.
Hardened: ./usr/bin/rg: PASS: GOT/PLT relocations are read only.
Hardened: ./usr/bin/rg: PASS.

I think that the issue is this line, near the start of the output you report in comment #6:

Hardened: /usr/bin/rg: Could not find separate debug file: rg-0.10.0-1.module_2621+7cd44648.x86_64.debug.

Without the separate debug info, annocheck cannot determine that the binary was not compiled by gcc, and that therefore it should not run some of its checks. When you ran the test, was the debug information installed into the file system ?

Cheers
Nick
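When the separate debug info (and with it the annobin notes) is not available, a second place to look for which toolchains built a binary is the ELF `.comment` section: gcc records a "GCC: ..." string there and rustc a "rustc version ..." string, so a Rust program linked through gcc typically carries both (the gcc-built crt startup objects contribute the GCC string). The parser below is an added example, not annobin's or annocheck's code (annocheck itself relies on the annobin notes); it assumes those two producer-string conventions and fabricates its own minimal ELF64 image for testing.

```python
import struct
import sys

def elf_comment_strings(data: bytes) -> list:
    """Return the NUL-separated producer strings recorded in an ELF64 .comment section."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_shoff,) = struct.unpack_from(e + "Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(e + "HHH", data, 0x3a)

    def shdr(i):  # (sh_name, sh_offset, sh_size) of section header i
        name, _t, _f, _a, off, size = struct.unpack_from(e + "IIQQQQ", data, e_shoff + i * e_shentsize)
        return name, off, size

    _, str_off, str_size = shdr(e_shstrndx)
    shstrtab = data[str_off:str_off + str_size]
    for i in range(e_shnum):
        name_idx, off, size = shdr(i)
        if shstrtab[name_idx:shstrtab.index(b"\0", name_idx)] == b".comment":
            return [s.decode(errors="replace") for s in data[off:off + size].split(b"\0") if s]
    return []

def producers(data: bytes) -> dict:
    """Which toolchains left a producer string: gcc writes 'GCC: ...', rustc 'rustc version ...'."""
    comments = elf_comment_strings(data)
    return {"gcc": any(c.startswith("GCC:") for c in comments),
            "rustc": any(c.startswith("rustc version") for c in comments),
            "comments": comments}

def build_sample_elf(comment_strings: list) -> bytes:
    """Constructed test image: a bare ELF64 holding only a .comment and a .shstrtab section."""
    comment = b"".join(s + b"\0" for s in comment_strings)
    shstrtab = b"\0.comment\0.shstrtab\0"  # name offsets: .comment = 1, .shstrtab = 10
    comment_off = 64  # immediately after the 64-byte ELF header
    shstr_off = comment_off + len(comment)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7  # 8-byte aligned section header table
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, ELF v1
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    body = ehdr + comment + shstrtab + b"\0" * (shoff - shstr_off - len(shstrtab))
    def sh(name, typ, off, size):  # Elf64_Shdr with flags/addr/link/info/entsize zeroed
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return body + sh(0, 0, 0, 0) + sh(1, 1, comment_off, len(comment)) + sh(10, 3, shstr_off, len(shstrtab))

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(producers(f.read()))
```

Run it against a real binary with `python3 elfcomment.py /usr/bin/rg`; a result with both flags set is the mixed gcc/LLVM case this thread is about, where per-option gcc checks do not apply to the LLVM-built parts.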
Hmmm, it seems that I had some old version of ripgrep installed (probably compiled using old gcc/whatsoever). That exact build can be found here: https://koji.fedoraproject.org/koji/buildinfo?buildID=1173374

But after updating ripgrep to the latest version, I see that annocheck is happy.
Great - in which case I will close the issue.