Check all .so's are noexecstack (#3994) (#4130)
The ouput of execstack -q is one line per file, either:
- starting with a '-' (dash) if the file does not require an executable stack
- start with an 'X' if the file *does* require an executable stack
We check there are no files which require an executable stack.
diff --git a/.jenkins/Jenkinsfile-cryptography-wheel-builder b/.jenkins/Jenkinsfile-cryptography-wheel-builder
index a8f0980..0f66bfb 100644
--- a/.jenkins/Jenkinsfile-cryptography-wheel-builder
+++ b/.jenkins/Jenkinsfile-cryptography-wheel-builder
@@ -134,6 +134,9 @@
CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
$linux32 /opt/python/$version/bin/pip wheel cryptography==$BUILD_VERSION -w tmpwheelhouse/ --no-binary cryptography --no-deps
$linux32 auditwheel repair tmpwheelhouse/cryptography*.whl -w wheelhouse/
+ unzip wheelhouse/*.whl -d execstack.check
+ chmod -R 777 execstack.check
+ (execstack execstack.check/cryptography/hazmat/bindings/*.so | grep '^X') && exit 1
$linux32 /opt/python/$version/bin/pip install cryptography==$BUILD_VERSION --no-index -f wheelhouse/
$linux32 /opt/python/$version/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
"""