Pull in upstream's make check-security, based on upstream PR #6854 and #7424.

qa/zcash/check-security-hardening.sh

@@ -4,12 +4,12 @@ set -e
 
 REPOROOT="$(readlink -f "$(dirname "$0")"/../../)"
 
-function test_basic_hardening {
-    if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" | grep -q "Full RELRO.*Canary found.*NX enabled.*No RPATH.*No RUNPATH"; then
-        echo PASS: "$1" has basic hardening features enabled.
+function test_rpath_runpath {
+    if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" | grep -q "No RPATH.*No RUNPATH"; then
+        echo PASS: "$1" has no RPATH or RUNPATH.
         return 0
     else
-        echo FAIL: "$1" is missing basic hardening features.
+        echo FAIL: "$1" has an RPATH or a RUNPATH.
         "${REPOROOT}/qa/zcash/checksec.sh" --file "$1"
         return 1
     fi
@@ -26,10 +26,15 @@ function test_fortify_source {
     fi
 }
 
-test_basic_hardening "${REPOROOT}/src/zcashd"
-test_basic_hardening "${REPOROOT}/src/zcash-cli"
-test_basic_hardening "${REPOROOT}/src/zcash-gtest"
-test_basic_hardening "${REPOROOT}/src/bitcoin-tx"
+# PIE, RELRO, Canary, and NX are tested by make check-security.
+make -C "$REPOROOT/src" check-security
+
+test_rpath_runpath "${REPOROOT}/src/zcashd"
+test_rpath_runpath "${REPOROOT}/src/zcash-cli"
+test_rpath_runpath "${REPOROOT}/src/zcash-gtest"
+test_rpath_runpath "${REPOROOT}/src/bitcoin-tx"
+test_rpath_runpath "${REPOROOT}/src/test/test_bitcoin"
+test_rpath_runpath "${REPOROOT}/src/zcash/GenerateParams"
 
 # NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
 # enabled for the entire binary. See issue #915.
@@ -37,3 +42,5 @@ test_fortify_source "${REPOROOT}/src/zcashd"
 test_fortify_source "${REPOROOT}/src/zcash-cli"
 test_fortify_source "${REPOROOT}/src/zcash-gtest"
 test_fortify_source "${REPOROOT}/src/bitcoin-tx"
+test_fortify_source "${REPOROOT}/src/test/test_bitcoin"
+test_fortify_source "${REPOROOT}/src/zcash/GenerateParams"