scripts: add PE dylib checking to symbol-check.py

2025-01-19 05:45:05 +01:00 · 2020-03-21 14:23:02 +08:00 · 2020-03-21 14:23:02 +08:00 · 1a0993ae35
commit 1a0993ae35
parent 5504703a9f
4 changed files with 53 additions and 4 deletions
--- a/contrib/devtools/README.md
+++ b/contrib/devtools/README.md
@ -109,7 +109,7 @@ certain symbols and are only linked against allowed libraries.
 For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols.
 This makes sure they are still compatible with the minimum supported distribution versions.

-For macOS we check that the executables are only linked against libraries we allow.
+For macOS and Windows we check that the executables are only linked against libraries we allow.

 Example usage after a gitian build:

--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@ -3,9 +3,8 @@
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
-A script to check that the (Linux) executables produced by gitian only contain
-allowed gcc and glibc version symbols. This makes sure they are still compatible
-with the minimum supported Linux distribution versions.
+A script to check that the executables produced by gitian only contain
+certain symbols and are only linked against allowed libraries.

 Example usage:

@ -53,6 +52,7 @@ IGNORE_EXPORTS = {
 }
 READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
 CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
+OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
 OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')

 # Allowed NEEDED libraries
@ -101,6 +101,26 @@ MACHO_ALLOWED_LIBRARIES = {
 'libobjc.A.dylib', # Objective-C runtime library
 }

+PE_ALLOWED_LIBRARIES = {
+'ADVAPI32.dll', # security & registry
+'IPHLPAPI.DLL', # IP helper API
+'KERNEL32.dll', # win32 base APIs
+'msvcrt.dll', # C standard library for MSVC
+'SHELL32.dll', # shell API
+'USER32.dll', # user interface
+'WS2_32.dll', # sockets
+# bitcoin-qt only
+'dwmapi.dll', # desktop window manager
+'GDI32.dll', # graphics device interface
+'IMM32.dll', # input method editor
+'ole32.dll', # component object model
+'OLEAUT32.dll', # OLE Automation API
+'SHLWAPI.dll', # light weight shell API
+'UxTheme.dll',
+'VERSION.dll', # version checking
+'WINMM.dll', # WinMM audio API
+}
+
 class CPPFilt(object):
    '''
    Demangle C++ symbol names.
@ -218,6 +238,26 @@ def check_MACHO_libraries(filename) -> bool:
            ok = False
    return ok

+def pe_read_libraries(filename) -> List[str]:
+    p = subprocess.Popen([OBJDUMP_CMD, '-x', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
+    (stdout, stderr) = p.communicate()
+    if p.returncode:
+        raise IOError('Error opening file')
+    libraries = []
+    for line in stdout.splitlines():
+        if 'DLL Name:' in line:
+            tokens = line.split(': ')
+            libraries.append(tokens[1])
+    return libraries
+
+def check_PE_libraries(filename) -> bool:
+    ok = True
+    for dylib in pe_read_libraries(filename):
+        if dylib not in PE_ALLOWED_LIBRARIES:
+            print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
+            ok = False
+    return ok
+
 CHECKS = {
 'ELF': [
    ('IMPORTED_SYMBOLS', check_imported_symbols),
@ -226,6 +266,9 @@ CHECKS = {
 ],
 'MACHO': [
    ('DYNAMIC_LIBRARIES', check_MACHO_libraries)
+],
+'PE' : [
+    ('DYNAMIC_LIBRARIES', check_PE_libraries)
 ]
 }

--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@ -145,6 +145,7 @@ script: |
    CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}"
    make ${MAKEOPTS}
    make ${MAKEOPTS} -C src check-security
+    make ${MAKEOPTS} -C src check-symbols
    make deploy
    make install DESTDIR=${INSTALLPATH}
    cp -f --target-directory="${OUTDIR}" ./bitcoin-*-setup-unsigned.exe
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -703,6 +703,11 @@ if TARGET_DARWIN
 	$(AM_V_at) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
 endif

+if TARGET_WINDOWS
+	@echo "Checking Windows dynamic libraries..."
+	$(AM_V_at) OBJDUMP=$(OBJDUMP) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
+endif
+
 if GLIBC_BACK_COMPAT
 	@echo "Checking glibc back compat..."
 	$(AM_V_at) READELF=$(READELF) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)