scripts: add MACHO NX check to security-check.py

fanquake · fanquake · commit edaca2dd123c · 2020-03-26T11:39:34.000+08:00
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
@@ -197,6 +197,15 @@ def check_MACHO_NOUNDEFS(executable) -> bool:
         return True
     return False
 
+def check_MACHO_NX(executable) -> bool:
+    '''
+    Check for no stack execution
+    '''
+    flags = get_MACHO_executable_flags(executable)
+    if 'ALLOW_STACK_EXECUTION' in flags:
+        return False
+    return True
+
 CHECKS = {
 'ELF': [
     ('PIE', check_ELF_PIE),
@@ -212,6 +221,7 @@ def check_MACHO_NOUNDEFS(executable) -> bool:
 'MACHO': [
     ('PIE', check_MACHO_PIE),
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
+    ('NX', check_MACHO_NX)
 ]
 }
 
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
@@ -60,6 +60,8 @@ def test_MACHO(self):
         cc = 'clang'
         write_testcode(source)
 
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace', '-Wl,-allow_stack_execute']),
+            (1, executable+': failed PIE NOUNDEFS NX'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace']),
             (1, executable+': failed PIE NOUNDEFS'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie']),
