diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
--- annobin.orig/annocheck/hardened.c 2021-10-26 16:27:58.353141848 +0100
+++ annobin-10.21/annocheck/hardened.c 2021-10-26 16:28:24.527040025 +0100
@@ -1479,7 +1479,7 @@ skip_fortify_checks_for_function (annoch
 {
 /* NB. KEEP THIS ARRAY ALPHA-SORTED */
 "_GLOBAL__sub_I_main",
- "_Unwind_Resume", /* In /sbin/ldconfig. */
+ "_Unwind_Resume",
 "__b64_ntop", /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2. */
 "__b64_pton", /* Found in ppc64le, RHEL-9, /lib64/libresolv.so.2. */
 "__ctype_get_mb_cur_max",
@@ -1490,17 +1490,13 @@ skip_fortify_checks_for_function (annoch
 "__td_ta_rtld_global", /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1. */
 "_dl_start_user", /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2. */
 "_dl_tunable_set_arena_max", /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0. */
- "_nl_archive_subfreeres", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
 "_start",
 "blacklist_store_name",
 "dlmopen_doit", /* Found in ppc64le, RHEL-9, /lib64/ld64.so.2. */
- "free_category", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
 "free_derivation",
 "free_mem",
- "insert_to_aux_cache.cold.6", /* Found in x86_64, RHEL-8.6 /sbin/ldconfig. */
 "install_handler",
 "internal_setgrent",
- "print_entry", /* In /sbin/ldconfig. */
 "td_init", /* Found in ppc64le, RHEL-9, /lib64/libthread_db.so.1. */
 "unlink_blk" /* Found in ppc64le, RHEL-9, /lib64/libc_malloc_debug.so.0. */
 };
@@ -1524,11 +1520,9 @@ skip_pic_checks_for_function (annocheck_
 {
 /* NB. KEEP THIS ARRAY ALPHA-SORTED */
 "_GLOBAL__sub_I_main",
- "_Unwind_Resume", /* In /sbin/ldconfig. */
- "_nl_archive_subfreeres", /* In /sbin/ldconfig. */
+ "_Unwind_Resume",
 "_start",
- "atexit", /* The atexit function in libiberty is only compiled with -fPIC not -fPIE. */
- "print_entry" /* In /sbin/ldconfig. */
+ "atexit" /* The atexit function in libiberty is only compiled with -fPIC not -fPIE. */
 };
 if (skip_this_func (non_pie_funcs, ARRAY_SIZE (non_pie_funcs), component_name))
@@ -1566,15 +1560,12 @@ skip_stack_checks_for_function (annochec
 "_dl_start",
 "_dl_start_user", /* Found in ppc64le, RHEL-9 /lib64/ld64.so.2. */
 "_dl_sysinfo_int80", /* In /lib/ld-linux.so.2. */
- "_dl_tls_static_surplus_init", /* In /sbin/ldconfig. */
 "_fini",
 "_init",
 "_start",
- "allocate_dtv", /* Found in AArch64, RHEL-8, /sbin/ldconfig. */
 "check_match", /* Found in AArch64, RHEL-8, /lib64/ld-2.28.so. */
 "check_one_fd",
 "dlmopen_doit",
- "generic_start_main", /* Found in PPC64LE, RHEL-8, /sbin/ldconfig. */
 "get_common_indices.constprop.0",
 "is_dst",
 "notify_audit_modules_of_loaded_object",
@@ -1665,6 +1656,10 @@ function %s is part of the C library's s
 return true;
 }
+ /* The ldconfig binary is known to be compiled with most security features. */
+ if (streq (data->full_filename, "/sbin/ldconfig"))
+ return true;
+
 switch (check)
 {
 case TEST_STACK_PROT:
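Review bot: The added `streq (data->full_filename, "/sbin/ldconfig")` test exempts every function in that file from every test dispatched by the `switch (check)` that follows, which is wider than the per-test, per-function entries this patch deletes from the three skip arrays. The exemption keys on the path string alone, so any file scanned under that exact name is exempted, while the same binary reached through a different path (for example an unpacked package root, if annocheck is run that way) gets no exemption and loses the coverage the deleted entries gave it. Consider keeping the exemption scoped to the named functions, or at least state above the `if` which tests it is meant to cover, e.g. `/* Skips the fortify, PIC and stack checks for all functions in ldconfig. */`. The enclosing function starts and ends outside this hunk.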
@@ -4790,7 +4785,11 @@ process_arg (const char * arg, const cha
 }
 }
- return false;
+ /* Do not fail if we do not recognise the test name. It may be from a
+ future version of annocheck, and it just so happens that a test is
+ running this version by mistake. */
+ einfo (INFO, "ignoring unrecognized test name in --skip option: %s", arg);
+ return true;
 }
 if (const_strneq (arg, "test-"))
diff -rup annobin.orig/annocheck/hardened.c annobin-10.21/annocheck/hardened.c
--- annobin.orig/annocheck/hardened.c 2021-10-27 11:23:27.161942804 +0100
+++ annobin-10.21/annocheck/hardened.c 2021-10-27 11:23:59.692741676 +0100
@@ -1658,7 +1658,13 @@ function %s is part of the C library's s
 /* The ldconfig binary is known to be compiled with most security features. */
 if (streq (data->full_filename, "/sbin/ldconfig"))
- return true;
+ {
+ sprintf (reason, "\
+function %s is part of the C library's startup code, which executes before stack protection is established",
+ component_name);
+ skip (data, check, SOURCE_SKIP_CHECKS, reason);
+ return true;
+ }
 switch (check)
 {
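Review bot: A mistyped test name in a `--skip-…` option is now accepted, and the only trace is an `einfo (INFO, …)` line, so a user who believes a test has been disabled can miss that it still runs. Reporting it at warning level, `einfo (WARN, "ignoring unrecognized test name in --skip option: %s", arg);`, keeps the forward compatibility the comment asks for while making the typo visible. The comment could also say whether unknown names in the `test-` branch that follows (outside this hunk) are meant to stay fatal, since the two options now appear to behave differently.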
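Review bot: The `sprintf (reason, …)` call in the new ldconfig branch writes `component_name`, which presumably comes from the file being checked, into `reason` with no length bound; the declaration of `reason` is outside the hunk, so its size cannot be confirmed here. If `reason` is a fixed-size array, `snprintf (reason, sizeof reason, …)` would bound the write. The message is also copied from the startup-code case and does not describe this branch, which skips because the file is ldconfig and applies to whichever `check` is in progress, not only stack protection. Wording such as `"function %s is in /sbin/ldconfig, which is exempt from this test"` would make the recorded skip reason accurate.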