diff --git a/.cirrus.yml b/.cirrus.yml
index b74068aaa5..55136d7d89 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -154,7 +154,7 @@ task:
 FILE_ENV: "./ci/test/00_setup_env_native_nowallet.sh"
 task:
- name: 'macOS 10.12 [gui, no tests] [jammy]'
+ name: 'macOS 11.0 [gui, no tests] [jammy]'
 << : *GLOBAL_TASK_TEMPLATE
 container:
 image: ubuntu:jammy
diff --git a/configure.ac b/configure.ac
index 08006d3c98..2adf2d7560 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1048,6 +1048,7 @@ if test x$TARGET_OS = xdarwin; then
 AX_CHECK_LINK_FLAG([[-Wl,-dead_strip]], [LDFLAGS="$LDFLAGS -Wl,-dead_strip"],, [[$LDFLAG_WERROR]])
 AX_CHECK_LINK_FLAG([[-Wl,-dead_strip_dylibs]], [LDFLAGS="$LDFLAGS -Wl,-dead_strip_dylibs"],, [[$LDFLAG_WERROR]])
 AX_CHECK_LINK_FLAG([[-Wl,-bind_at_load]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"],, [[$LDFLAG_WERROR]])
+ AX_CHECK_LINK_FLAG([[-Wl,-fixup_chains]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-fixup_chains"], [], [[$LDFLAG_WERROR]])
 fi
 AC_CHECK_HEADERS([endian.h sys/endian.h byteswap.h stdio.h stdlib.h unistd.h strings.h sys/types.h sys/stat.h sys/select.h sys/prctl.h sys/sysctl.h vm/vm_param.h sys/vmmeter.h sys/resources.h])
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index cb49dba3b1..fae1394a7f 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -158,13 +158,6 @@ def check_MACHO_NOUNDEFS(binary) -> bool:
 '''
 return binary.header.has(lief.MachO.HEADER_FLAGS.NOUNDEFS)
-def check_MACHO_LAZY_BINDINGS(binary) -> bool:
- '''
- Check for no lazy bindings.
- We don't use or check for MH_BINDATLOAD. See #18295.
- '''
- return binary.dyld_info.lazy_bind == (0,0)
-
 def check_MACHO_Canary(binary) -> bool:
 '''
 Check for use of stack canary
@@ -214,7 +207,6 @@ BASE_PE = [
 BASE_MACHO = [
 ('NOUNDEFS', check_MACHO_NOUNDEFS),
- ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
 ('Canary', check_MACHO_Canary),
 ]
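Review bot: In the configure.ac hunk the new `-Wl,-fixup_chains` probe passes an empty failure action to `AX_CHECK_LINK_FLAG`, so a linker that rejects the flag drops this hardening without any message. The same commit deletes `check_MACHO_LAZY_BINDINGS` from security-check.py and its `BASE_MACHO` entry, which leaves no release check that fails when a macOS binary is built without the flag. I would add a replacement check, for example a `check_MACHO_FIXUP_CHAINS` whose body is `return binary.has_dyld_chained_fixups`, registered as `('FIXUP_CHAINS', check_MACHO_FIXUP_CHAINS)`; this needs a LIEF release that exposes that property, which I have not confirmed for the version used here. A short `dnl` comment above the probe saying that chained fixups replace the lazy-binding check and rely on the raised minimum macOS version would also help, though that dependency is my reading of the commit rather than something the hunk states. The enclosing `if test x$TARGET_OS = xdarwin` block starts above the hunk.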
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 33f481f77b..ae64010cab 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -242,7 +242,7 @@ def check_MACHO_libraries(binary) -> bool:
 return ok
 def check_MACHO_min_os(binary) -> bool:
- if binary.build_version.minos == [10,15,0]:
+ if binary.build_version.minos == [11,0,0]:
 return True
 return False
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index 7bfe08e391..9da76f6c1c 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -120,13 +120,13 @@ class TestSecurityChecks(unittest.TestCase):
 if arch == lief.ARCHITECTURES.X86:
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
- (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary PIE NX CONTROL_FLOW'))
+ (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
- (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE NX CONTROL_FLOW'))
+ (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
- (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE CONTROL_FLOW'))
+ (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
- (1, executable+': failed LAZY_BINDINGS PIE CONTROL_FLOW'))
+ (1, executable+': failed PIE CONTROL_FLOW'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
 (1, executable+': failed PIE CONTROL_FLOW'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
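Review bot: After this change the `['-Wl,-no_pie','-fstack-protector-all']` case and the `-Wl,-bind_at_load` case that follows it both expect `failed PIE CONTROL_FLOW`, so the two assertions no longer distinguish anything and no check exercises `-Wl,-bind_at_load`. The arm64 hunk at `-136,11` has the same gap: its only passing case still passes `-Wl,-bind_at_load`, and the plain `['-fstack-protector-all']` case is removed rather than kept as a passing one. I would drop the flag from the remaining cases, or replace it with `-Wl,-fixup_chains` once security-check.py has a check for chained fixups, so the tests cover the hardening that configure.ac now requests. The test method starts above and continues below both hunks, so this rests only on the visible assertions.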
@@ -136,11 +136,9 @@ class TestSecurityChecks(unittest.TestCase):
 else:
 # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector']),
- (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary'))
+ (1, executable+': failed NOUNDEFS Canary'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all']),
- (1, executable+': failed NOUNDEFS LAZY_BINDINGS'))
- self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all']),
- (1, executable+': failed LAZY_BINDINGS'))
+ (1, executable+': failed NOUNDEFS'))
 self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all']),
 (0, ''))
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index 6d5f693090..c6e8a554fe 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -121,7 +121,7 @@ class TestSymbolChecks(unittest.TestCase):
 }
 ''')
- self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,10.15', '-Wl,11.4']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,11.0', '-Wl,11.4']),
 (1, f'{executable}: failed SDK'))
 def test_PE(self):
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index ce000ae28e..bc9d6c9afa 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -609,7 +609,7 @@ inspecting signatures in Mach-O binaries.")
 (list ;; Native GCC 11 toolchain
 gcc-toolchain-11
 binutils
- clang-toolchain-10
+ clang-toolchain-11
 python-signapple
 xorriso))
 (else '())))))
diff --git a/depends/hosts/darwin.mk b/depends/hosts/darwin.mk
index bfc4d1c4ca..52b8329f11 100644
--- a/depends/hosts/darwin.mk
+++ b/depends/hosts/darwin.mk
@@ -1,4 +1,4 @@
-OSX_MIN_VERSION=10.15
+OSX_MIN_VERSION=11.0
 OSX_SDK_VERSION=11.0
 XCODE_VERSION=12.2
 XCODE_BUILD_ID=12B45b
diff --git a/depends/packages/native_clang.mk b/depends/packages/native_clang.mk
index b11037b83e..109796c0e6 100644
--- a/depends/packages/native_clang.mk
+++ b/depends/packages/native_clang.mk
@@ -1,12 +1,12 @@
 package=native_clang
-$(package)_version=10.0.1
+$(package)_version=11.1.0
 $(package)_download_path=https://github.com/llvm/llvm-project/releases/download/llvmorg-$($(package)_version)
 ifneq (,$(findstring aarch64,$(BUILD)))
 $(package)_file_name=clang+llvm-$($(package)_version)-aarch64-linux-gnu.tar.xz
-$(package)_sha256_hash=90dc69a4758ca15cd0ffa45d07fbf5bf4309d47d2c7745a9f0735ecffde9c31f
+$(package)_sha256_hash=18df38247af3fba0e0e2991fb00d7e3cf3560b4d3509233a14af699ef0039e1c
 else
 $(package)_file_name=clang+llvm-$($(package)_version)-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-$(package)_sha256_hash=48b83ef827ac2c213d5b64f5ad7ed082c8bcb712b46644e0dc5045c6f462c231
+$(package)_sha256_hash=c691a558967fb7709fb81e0ed80d1f775f4502810236aa968b4406526b43bee1
 endif
 define $(package)_stage_cmds
diff --git a/share/qt/Info.plist.in b/share/qt/Info.plist.in
index 2ea3204cd2..81638b6798 100644
--- a/share/qt/Info.plist.in
+++ b/share/qt/Info.plist.in
@@ -3,7 +3,7 @@ LSMinimumSystemVersion
- 10.15.0
+ 11
 LSArchitecturePriority