Lint for shadow stack support is not helpful

The lint for shadow stack support added in !45 (closed) is not helpful, as the message gives no specific indication on how to circumvent this or what to do to change it.

Only mentioning lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK is not necessarily enough to figure out what this is even about.

Would the expected fix for this be to mention "check that CFLAGS and/or CXXFLAGS are being used by the build", kind of like elffile-without-relro does? Per #63 (closed) it seems like that should cover most cases.

mentioned in merge request !56 (merged)

Searching the webs I found some references on this topic, but to be honest I'm not sure whether the package I'm building needs shadow stack (even though namcap reported it), whether I should report this to upstream.. Some info or useful link with more info would be very useful.

I get this for all my packages, I think this lint should be off until packages built according to the package guidelines for Go and Rust produce binaries without this warning.

mentioned in merge request !58 (merged)

mentioned in merge request !59

This lint is not disabled by default. I kept this issue open to track getting it enabled again when the message is useful and/or we have heuristics for when to run it such that it is actually useful more of the time than not.

Do you mean "now disabled" instead of "not disabled"? !56 (merged) is now merged.

I'm here as I got warnings about GNU_PROPERTY_X86_FEATURE_1_SHSTK with lib32-pcsclite. Following tips in https://bbs.archlinux.org/viewtopic.php?id=292194, I noticed lib32-glibc also has those warnings. I wonder if it's supported with 32-bit toolchain.

Does the following change limit the warning to being produced for X86_64?

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index 69a32d6..69e6c46 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -238,7 +238,7 @@ class ELFSHSTKRule(TarballRule):
         noshstk_binaries = []
 
         for elffile, entry_name in elf_files_from_tar(tar):
-            if ".debug" in entry_name:
+            if ".debug" in entry_name or elffile.'e_machine' != 'EM_X86_64':
                 continue
             for prop in _note_props(
                 elffile,

Cool, it almost works, just needs a small typo fix :)

Here is updated patch:

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index 69a32d6..dbfd1ee 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -238,7 +238,7 @@ class ELFSHSTKRule(TarballRule):
         noshstk_binaries = []
 
         for elffile, entry_name in elf_files_from_tar(tar):
-            if ".debug" in entry_name:
+            if ".debug" in entry_name or elffile['e_machine'] != 'EM_X86_64':
                 continue
             for prop in _note_props(
                 elffile,

Now, the warning is reported only for 64-bit packages, not multilib ones

$ ./namcap-devel -r elfnoshstk /var/cache/pacman/pkg/lib32-glibc-2.39-1-x86_64.pkg.tar.zst

$ ./namcap-devel -r elfnoshstk /var/cache/pacman/pkg/qtermwidget-1.4.0-1-x86_64.pkg.tar.zst
qtermwidget W: ELF file ('usr/lib/python3.11/site-packages/QTermWidget.abi3.so') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK, check CFLAGS/CXXFLAGS.
qtermwidget W: Dependency included, but may not be needed ('qt5-base')

Please take a look at !70 (merged).

• cmd/asm,cmd/compile: add support for shadow stack for adding Shadow Stack support to go.
• Tracking Issue for control-flow enforcement technology (CET) for adding CET support to rust.

Another language(s): Add support for Intel CET and -fcf-protection for adding CET support to dotnet.