a25ee06cc1
7c9e821c4e6cb186208ead9c8df616d1f393a49a scripts: add MACHO NOUNDEFS check to security-check.py (fanquake)
4ca92dc6d3f3e487d63286d8871d1829b3d279ff scripts: add MACHO PIE check to security-check.py (fanquake)
Pull request description:
This uses `otool -vh` to print the mach header and look for the `PIE` flag:
```bash
otool -vh src/bitcoind
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 X86_64 ALL LIB64 EXECUTE 24 2544 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
```
From [`mach-o/loader.h`](https://opensource.apple.com/source/cctools/cctools-927.0.2/include/mach-o/loader.h.auto.html):
```c
#define MH_PIE 0x200000 /* When this bit is set, the OS will
load the main executable at a
random address. Only used in
MH_EXECUTE filetypes. */
```
ACKs for top commit:
laanwj:
code review ACK 7c9e821c4e6cb186208ead9c8df616d1f393a49a
Tree-SHA512: 5ba2f60440d0e31c70371a355c91ca4f723d80f7287d04e2098bf5b11892cc74216ff8f1454603c4db9675d4f7983614843b992b8dcfca0309aadf2aa7ab2e4b
|
||
|---|---|---|
| .. | ||
| assign_DISTNAME | ||
| gitian-linux.yml | ||
| gitian-osx-signer.yml | ||
| gitian-osx.yml | ||
| gitian-win-signer.yml | ||
| gitian-win.yml | ||
| README.md | ||
Gavin's notes on getting Gitian builds up and running using KVM
These instructions distilled from https://help.ubuntu.com/community/KVM/Installation.
You need the right hardware: you need a 64-bit-capable CPU with hardware virtualization support (Intel VT-x or AMD-V). Not all modern CPUs support hardware virtualization.
You probably need to enable hardware virtualization in your machine's BIOS.
You need to be running a recent version of 64-bit-Ubuntu, and you need to install several prerequisites:
sudo apt-get install ruby apache2 git apt-cacher-ng python-vm-builder qemu-kvm
Sanity checks:
sudo service apt-cacher-ng status # Should return apt-cacher-ng is running
ls -l /dev/kvm # Should show a /dev/kvm device
Once you've got the right hardware and software:
git clone git://github.com/dashpay/dash.git
git clone git://github.com/devrandom/gitian-builder.git
mkdir gitian-builder/inputs
cd gitian-builder/inputs
# Create base images
cd gitian-builder
bin/make-base-vm --suite bionic --arch amd64
cd ..
# Get inputs (see doc/release-process.md for exact inputs needed and where to get them)
...
# For further build instructions see doc/release-process.md
...
gitian-builder now also supports building using LXC. See
help.ubuntu.com
for how to get LXC up and running under Ubuntu.
If your main machine is a 64-bit Mac or PC with a few gigabytes of memory
and at least 10 gigabytes of free disk space, you can gitian-build using
LXC running inside a virtual machine.
Here's a description of Gavin's setup on OSX 10.6:
-
Download and install VirtualBox from https://www.virtualbox.org/
-
Download the 64-bit Ubuntu Desktop 12.04 LTS .iso CD image from http://www.ubuntu.com/
-
Run VirtualBox and create a new virtual machine, using the Ubuntu .iso (see the VirtualBox documentation for details). Create it with at least 2 gigabytes of memory and a disk that is at least 20 gigabytes big.
-
Inside the running Ubuntu desktop, install:
sudo apt-get install debootstrap lxc ruby apache2 git apt-cacher-ng python-vm-builder -
Still inside Ubuntu, tell gitian-builder to use LXC, then follow the "Once you've got the right hardware and software" instructions above:
export USE_LXC=1 git clone git://github.com/dashpay/dash.git ... etc