fix: fix generation

.github/workflows/pull_request.yml

@@ -4,12 +4,12 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: render-checksec
         run: |
           pip install pre-commit
           mkdir ${HOME}/bin
-          curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.4.0/shfmt_v3.4.0_linux_amd64
+          curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64
           chmod +x ${HOME}/bin/shfmt
           export PATH=${PATH}:${HOME}/bin
           pre-commit run --all-files

.pre-commit-config.yaml

@@ -12,7 +12,7 @@ repos:
     language: system
     pass_filenames: false
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.2.0
+  rev: v4.5.0
   hooks:
   - id: end-of-file-fixer
   - id: trailing-whitespace
@@ -28,7 +28,7 @@ repos:
   - id: shellcheck
     files: ^checksec$
 - repo: https://github.com/Lucas-C/pre-commit-hooks
-  rev: v1.2.0
+  rev: v1.5.5
   hooks:
   - id: forbid-crlf
   - id: remove-crlf

Dockerfile.photon

@@ -1,12 +1,15 @@
-FROM photon:3.0
+FROM photon:5.0
 
 # Install dependencies
 RUN tdnf upgrade -y && tdnf remove toybox -y && \
     tdnf install -y build-essential git rpm-build coreutils util-linux \
-    make autoconf automake gcc ncurses-devel sed tar texinfo procps-ng grep \
-    findutils gzip file which libxml2 python3 python3-pip jq && \
+    make autoconf automake gcc ncurses-devel sed tar texinfo wget procps-ng grep \
+    findutils gzip file which libxml2 python3 python3-pip jq clang && \
     pip3 install --upgrade pip && pip3 install setuptools && \
-    pip3 install demjson3
+    pip3 install demjson3 && mkdir -p /zig && \
+    wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+    tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+    rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 
 COPY .  /root
 WORKDIR /root

Dockerfile.ubuntu

@@ -1,12 +1,16 @@
-FROM ubuntu:18.04
+FROM ubuntu:22.04
 
 # Install dependencies
 RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
-  bc bison flex build-essential ccache git \
+  bc bison flex build-essential ccache git file \
   libncurses-dev libssl-dev u-boot-tools wget \
-  xz-utils vim xfce4 libxml2-utils python-demjson jq \
-  gcc-multilib clang \
- && apt-get clean
+  xz-utils vim xfce4 libxml2-utils python3 python3-pip jq \
+  gcc clang gcc-multilib && apt-get clean \
+  pip3 install --upgrade pip && pip3 install setuptools && \
+  pip3 install demjson3 && mkdir -p /zig && \
+  wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
+  tar xf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz -C /zig --strip-components=1 && \
+  rm -rf zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz
 
 COPY .  /root
 WORKDIR /root

Makefile

@@ -1,4 +1,3 @@
-# ----------------------------------------------------------------------------
 SHELL = bash
 
 .PHONY: build
@@ -9,3 +8,8 @@ build:
 .PHONY: test
 test:
 	./tests/test-checksec.sh
+
+.PHONY: compose-test
+compose-test:
+	docker-compose build
+	docker-compose run

checksec

@@ -831,7 +831,7 @@ filecheck() {
   FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
   FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
 
-  if [[ $FS_cnt_unchecked -eq $FS_cnt_checked ]]; then
+  if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
     echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
   else
     echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'

src/functions/filecheck.sh

@@ -138,7 +138,7 @@ filecheck() {
   FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
   FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
 
-  if grep -q '_chk$' <<< "$FS_func"; then
+  if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
     echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
   else
     echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'

tests/binaries/build_binaries.sh

@@ -1,4 +1,7 @@
 #!/bin/bash
+set -x
+
+export PATH=$PATH:/zig/
 
 # All hardening features on (except for CFI and SafeStack)
 gcc -o all test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
@@ -26,14 +29,16 @@ clang -o none_cl test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2
 clang -c test.c -o rel_cl.o
 clang -shared -fPIC -o dso_cl.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
 
-# 32-bit (you might need 'sudo apt install gcc-multilib')
+# 32-bit use zig for cross compile
+# zig cc --target=x86-linux-gnu
 gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
 gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
 gcc -m32 -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
 gcc -m32 -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
 gcc -m32 -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
 gcc -m32 -c test.c -o rel32.o
 gcc -m32 -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
+
 clang -m32 -o cfi32 test.c -w -flto -fsanitize=cfi -fvisibility=default
 clang -m32 -o sstack32 test.c -w -fsanitize=safe-stack
 clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s