Check all .so's are noexecstack (#3994) (#4130)

The ouput of execstack -q is one line per file, either:

- starting with a '-' (dash) if the file does not require an executable stack
- start with an 'X' if the file *does* require an executable stack

We check there are no files which require an executable stack.

1 files changed, 3 insertions, 0 deletions

diff --git a/.jenkins/Jenkinsfile-cryptography-wheel-builder b/.jenkins/Jenkinsfile-cryptography-wheel-builder
index a8f0980e..0f66bfb0 100644
--- a/.jenkins/Jenkinsfile-cryptography-wheel-builder
+++ b/.jenkins/Jenkinsfile-cryptography-wheel-builder
@@ -134,6 +134,9 @@ def build(version, label, imageName) {
                         CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
                         $linux32 /opt/python/$version/bin/pip wheel cryptography==$BUILD_VERSION -w tmpwheelhouse/ --no-binary cryptography --no-deps
                     $linux32 auditwheel repair tmpwheelhouse/cryptography*.whl -w wheelhouse/
+                    unzip wheelhouse/*.whl -d execstack.check
+                    chmod -R 777 execstack.check
+                    (execstack execstack.check/cryptography/hazmat/bindings/*.so | grep '^X') && exit 1
                     $linux32 /opt/python/$version/bin/pip install cryptography==$BUILD_VERSION --no-index -f wheelhouse/
                     $linux32 /opt/python/$version/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
                 """