diff options
author | Kyle Keen <keenerd@gmail.com> | 2016-12-10 23:43:30 -0500 |
---|---|---|
committer | Kyle Keen <keenerd@gmail.com> | 2016-12-10 23:43:30 -0500 |
commit | 5741e2f566e6959917324bb6cad230dc793f5b5c (patch) | |
tree | 551799bf5b164392535f641faa67c66428352500 | |
parent | 11ace7387f2f7e3a256deab7d50055a9a664ad1b (diff) | |
download | namcap-5741e2f566e6959917324bb6cad230dc793f5b5c.tar.gz namcap-5741e2f566e6959917324bb6cad230dc793f5b5c.zip |
Check for RELRO in ELF files (FS#26435)
Signed-off-by: Kyle Keen <keenerd@gmail.com>
-rw-r--r-- | Namcap/rules/elffiles.py | 29 | ||||
-rw-r--r-- | namcap-tags | 1 |
2 files changed, 30 insertions, 0 deletions
diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py index 947a177..1c54f24 100644 --- a/Namcap/rules/elffiles.py +++ b/Namcap/rules/elffiles.py @@ -130,4 +130,33 @@ class ELFExecStackRule(TarballRule): self.warnings = [("elffile-with-execstack %s", i) for i in exec_stacks] +class ELFGnuRelroRule(TarballRule): + """ + Check for read-only relocation in ELF files. + + Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO. + """ + # not smart enough for full/partial RELRO (DT_BIND_NOW?) + + name = "elfgnurelro" + description = "Check for RELRO in ELF files." + + def analyze(self, pkginfo, tar): + missing_relro = [] + + for entry in tar: + if not entry.isfile(): + continue + fp = tar.extractfile(entry) + if not is_elf(fp): + continue + elffile = ELFFile(fp) + if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in elffile.iter_segments()): + continue + missing_relro.append(entry.name) + + if missing_relro: + self.warnings = [("elffile-without-relro %s", i) + for i in missing_relro] + # vim: set ts=4 sw=4 noet: diff --git a/namcap-tags b/namcap-tags index c91a712..f686c14 100644 --- a/namcap-tags +++ b/namcap-tags @@ -19,6 +19,7 @@ elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path. elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s'). elffile-with-textrel %s :: ELF file ('%s') has text relocations. elffile-with-execstack %s :: ELF file ('%s') has executable stack. +elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS. empty-directory %s :: Directory (%s) is empty error-running-rule %s :: Error running rule '%s' external-hooks-name %s :: .INSTALL file runs a command (%s) provided by hooks. |