From ef8f066d5a6790a65452e345ae70b8e29af5381e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jeremy=20Lain=C3=A9?= <jeremy.laine@m4x.org>
Date: Mon, 5 Mar 2018 22:47:44 +0100
Subject: Check all .so's are noexecstack (#3994) (#4130)

The ouput of execstack -q is one line per file, either:

- starting with a '-' (dash) if the file does not require an executable stack
- start with an 'X' if the file *does* require an executable stack

We check there are no files which require an executable stack.
---
 .jenkins/Jenkinsfile-cryptography-wheel-builder | 3 +++
 1 file changed, 3 insertions(+)

(limited to '.jenkins')

diff --git a/.jenkins/Jenkinsfile-cryptography-wheel-builder b/.jenkins/Jenkinsfile-cryptography-wheel-builder
index a8f0980e..0f66bfb0 100644
--- a/.jenkins/Jenkinsfile-cryptography-wheel-builder
+++ b/.jenkins/Jenkinsfile-cryptography-wheel-builder
@@ -134,6 +134,9 @@ def build(version, label, imageName) {
                         CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
                         $linux32 /opt/python/$version/bin/pip wheel cryptography==$BUILD_VERSION -w tmpwheelhouse/ --no-binary cryptography --no-deps
                     $linux32 auditwheel repair tmpwheelhouse/cryptography*.whl -w wheelhouse/
+                    unzip wheelhouse/*.whl -d execstack.check
+                    chmod -R 777 execstack.check
+                    (execstack execstack.check/cryptography/hazmat/bindings/*.so | grep '^X') && exit 1
                     $linux32 /opt/python/$version/bin/pip install cryptography==$BUILD_VERSION --no-index -f wheelhouse/
                     $linux32 /opt/python/$version/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
                 """
-- 
cgit v1.2.3