红帽全球峰会5.4. The Annobin project
Use the Annobin project to add markers to Executable and Linkable Format (ELF) objects. With the Annobin project, you can track build properties and perform security hardening checks on your binaries by using the annobin plugin and the annocheck programs.
The annobin plugin scans the GNU Compiler Collection (GCC) command line, the compilation state, and the compilation process, and generates the ELF notes. The ELF notes record how the binary was built and provide information for the annocheck program to perform security hardening checks.
The security hardening checker is part of the annocheck program and is enabled by default. It checks the binary files to determine whether the program was built with necessary security hardening options and compiled correctly. annocheck is able to recursively scan directories, archives, and RPM packages for ELF object files.
The files must be in ELF format. annocheck does not handle any other binary file types.
You can perform following tasks:
-
Use the
annobinplugin -
Use the
annocheckprogram -
Remove redundant
annobinnotes
5.4.1. Using the annobin plugin
You can use the annobin plugin to annotate binary files. You can enable the annobin plugin and pass options to it.
5.4.1.1. Enabling the annobin plug-in
To add build security notes to binaries, enable the annobin plug-in by using command-line options with gcc or clang utilities.
Procedure
To enable the
annobinplug-in withgcc, use:$ gcc -fplugin=annobinIf
gccdoes not find theannobinplug-in, use:$ gcc -iplugindir=/path/to/directory/containing/annobin/Replace /path/to/directory/containing/annobin/ with the absolute path to the directory that contains
annobin.To find the directory containing the
annobinplug-in, use:$ gcc --print-file-name=plugin
To enable the
annobinplug-in withclang, use:$ clang -fplugin=/path/to/directory/containing/annobin/Replace /path/to/directory/containing/annobin/ with the absolute path to the directory that contains
annobin.Optional: To remove the redundant
annobinnotes, use theobjcopyutility:$ objcopy --merge-notes file-name
5.4.1.2. Passing options to the annobin plug-in
To pass options to the annobin plug-in, use the appropriate command-line arguments with gcc or clang.
Procedure
To pass options to the
annobinplug-in withgcc, use:$ gcc -fplugin=annobin -fplugin-arg-annobin-option file-nameReplace option with the
annobincommand line arguments and replace file-name with the name of the file.For example, to display additional details about what
annobinit is doing, use:$ gcc -fplugin=annobin -fplugin-arg-annobin-verbose file-nameReplace file-name with the name of the file.
To pass options to the
annobinplug-in withclang, use:$ clang -fplugin=/path/to/directory/containing/annobin/ -Xclang -plugin-arg-annobin -Xclang option file-nameReplace option with the
annobincommand line arguments and replace /path/to/directory/containing/annobin/ with the absolute path to the directory containingannobin.For example, to display additional details about what
annobinit is doing, use:$ clang -fplugin=/usr/lib64/clang/10/lib/annobin.so -Xclang -plugin-arg-annobin -Xclang verbose file-nameReplace file-name with the name of the file.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}