summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKyle Keen <keenerd@gmail.com>2016-12-10 23:43:30 -0500
committerKyle Keen <keenerd@gmail.com>2016-12-10 23:43:30 -0500
commit5741e2f566e6959917324bb6cad230dc793f5b5c (patch)
tree551799bf5b164392535f641faa67c66428352500
parent11ace7387f2f7e3a256deab7d50055a9a664ad1b (diff)
downloadnamcap-5741e2f566e6959917324bb6cad230dc793f5b5c.tar.gz
namcap-5741e2f566e6959917324bb6cad230dc793f5b5c.zip
Check for RELRO in ELF files (FS#26435)
Signed-off-by: Kyle Keen <keenerd@gmail.com>
-rw-r--r--Namcap/rules/elffiles.py29
-rw-r--r--namcap-tags1
2 files changed, 30 insertions, 0 deletions
diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index 947a177..1c54f24 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -130,4 +130,33 @@ class ELFExecStackRule(TarballRule):
self.warnings = [("elffile-with-execstack %s", i)
for i in exec_stacks]
+class ELFGnuRelroRule(TarballRule):
+ """
+ Check for read-only relocation in ELF files.
+
+ Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO.
+ """
+ # not smart enough for full/partial RELRO (DT_BIND_NOW?)
+
+ name = "elfgnurelro"
+ description = "Check for RELRO in ELF files."
+
+ def analyze(self, pkginfo, tar):
+ missing_relro = []
+
+ for entry in tar:
+ if not entry.isfile():
+ continue
+ fp = tar.extractfile(entry)
+ if not is_elf(fp):
+ continue
+ elffile = ELFFile(fp)
+ if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in elffile.iter_segments()):
+ continue
+ missing_relro.append(entry.name)
+
+ if missing_relro:
+ self.warnings = [("elffile-without-relro %s", i)
+ for i in missing_relro]
+
# vim: set ts=4 sw=4 noet:
diff --git a/namcap-tags b/namcap-tags
index c91a712..f686c14 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -19,6 +19,7 @@ elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path.
elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
elffile-with-textrel %s :: ELF file ('%s') has text relocations.
elffile-with-execstack %s :: ELF file ('%s') has executable stack.
+elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
empty-directory %s :: Directory (%s) is empty
error-running-rule %s :: Error running rule '%s'
external-hooks-name %s :: .INSTALL file runs a command (%s) provided by hooks.