Chapter 7. Annobin
The Annobin project consists of the annobin
plugin and the annockeck
program.
The annobin
plugin scans the GNU Compiler Collection (GCC) command line, the compilation state, and the compilation process, and generates the ELF notes. The ELF notes record how the binary was built and provide information for the annocheck
program to perform security hardening checks.
The security hardening checker is part of the annocheck
program and is enabled by default. It checks the binary files to determine whether the program was built with necessary security hardening options and compiled correctly. annocheck
is able to recursively scan directories, archives, and RPM packages for ELF object files.
The files must be in ELF format. annocheck
does not handle any other binary file types.
7.1. Installing Annobin
In Red Hat Developer Toolset, the annobin
plugin and the annockeck
program are provided by the devtoolset-10-gcc package and are installed as described in Section 1.5.3, “Installing Optional Packages”.
7.2. Using Annobin Plugin
To pass options to the annobin
plugin with gcc
, use:
$ scl enable devtoolset-10 'gcc -fplugin=annobin -fplugin-arg-annobin-option file-name'
Note that you can execute any command using the scl
utility, causing it to be run with the Red Hat Developer Toolset binaries used in preference to the Red Hat Enterprise Linux system equivalent. This allows you to run a shell session with Red Hat Developer Toolset as
as default:
$ scl enable devtoolset-10 'bash'
To verify the version of annobin
you are using at any point:
$ which annobin
Red Hat Developer Toolset’s annobin
executable path will begin with /opt
.
7.3. Using Annocheck
To scan files, directories or RPM packages with the annocheck
program:
$ scl enable devtoolset-10 'annocheck file-name'
annocheck
only looks for the ELF files. Other file types are ignored.
Note that you can execute any command using the scl
utility, causing it to be run with the Red Hat Developer Toolset binaries used in preference to the Red Hat Enterprise Linux system equivalent. This allows you to run a shell session with Red Hat Developer Toolset as
as default:
$ scl enable devtoolset-10 'bash'
To verify the version of annocheck
you are using at any point:
$ which annocheck
Red Hat Developer Toolset’s annocheck
executable path will begin with /opt
. Alternatively, you can use the following command to confirm that the version number matches that for Red Hat Developer Toolset annocheck
:
$ annocheck --version
7.4. Additional Resources
For more information about annocheck, annobin and its features, see the resources listed below.
Installed Documentation
annocheck(1) — The manual page for the
annocheck
utility provides detailed information on its usage. To display the manual page for the version included in Red Hat Developer Toolset:$ scl enable devtoolset-10 'man annocheck'
annobin(1) — The manual page for the
annobin
utility provides detailed information on its usage. To display the manual page for the version included in Red Hat Developer Toolset:$ scl enable devtoolset-10 'man annobin'