#include <pakfire/cgroup.h>
#include <pakfire/dependencies.h>
#include <pakfire/dist.h>
-#include <pakfire/fhs.h>
#include <pakfire/file.h>
#include <pakfire/i18n.h>
#include <pakfire/jail.h>
PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
}
-/*
- Filesystem Layout Check
-*/
-static int __pakfire_build_post_check_filesystem(
- struct pakfire* pakfire, struct pakfire_file* file, void* data) {
- struct pakfire_filelist* illegal = (struct pakfire_filelist*)data;
- int r;
-
- // Perform FHS check
- r = pakfire_fhs_check_file(pakfire, file);
- if (r) {
- r = pakfire_filelist_add(illegal, file);
- if (r)
- return r;
- }
-
- return 0;
-}
-
-static int pakfire_build_post_check_filesystem(
- struct pakfire_build* build, struct pakfire_filelist* filelist) {
- return pakfire_build_post_process_files(
- build,
- filelist,
- "Illegal files:",
- __pakfire_build_post_check_filesystem,
- PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
-}
-
/*
BUILDROOT Check
*/
int issues = 0;
int r;
- // Skip anything that isn't an ELF file
- if (!pakfire_file_matches_class(file, PAKFIRE_FILE_ELF))
- return 0;
-
// Check hardening
r = pakfire_file_check_hardening(file, &issues);
if (r) {
if (r)
goto ERROR;
- // Check filesystem layout
- r = pakfire_build_post_check_filesystem(build, filelist);
- if (r)
- goto ERROR;
-
// Check for BUILDROOT
r = pakfire_build_post_check_buildroot(build, filelist);
if (r)
#include <pakfire/constants.h>
#include <pakfire/digest.h>
+#include <pakfire/fhs.h>
#include <pakfire/file.h>
#include <pakfire/logging.h>
#include <pakfire/pakfire.h>
// Hardning Status
if (flags & PAKFIRE_FILE_DUMP_HARDENING) {
+ if (file->hardening_issues & PAKFIRE_FILE_FHS_ERROR) {
+ r = asprintf(&buffer, "%s [FHS-ERROR]", buffer);
+ if (r < 0)
+ goto ERROR;
+ }
+
if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
// Stack-smashing Protection
if (file->hardening_issues & PAKFIRE_FILE_NO_SSP) {
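Review bot: The new FHS-ERROR branch calls `asprintf(&buffer, "%s [FHS-ERROR]", buffer)`, which stores a fresh allocation into `buffer` while the string it was holding is still owned by this function, so the previous contents are leaked on every hit (and if `buffer` is still NULL at that point, passing it to `%s` is undefined); what `buffer` holds before this branch is outside the hunk, so this is inferred from the call shape. If the existing ELF branches below use the same pattern the leak is shared with them, but the new branch should not add to it. Formatting into a temporary and freeing the old string keeps ownership clear, assuming `buffer` was produced by an earlier `asprintf`. The enclosing dump function starts and ends outside the hunk.
```c
	if (file->hardening_issues & PAKFIRE_FILE_FHS_ERROR) {
		char* tmp = NULL;

		r = asprintf(&tmp, "%s [FHS-ERROR]", buffer);
		if (r < 0)
			goto ERROR;

		free(buffer);
		buffer = tmp;
	}
	// … unchanged: ELF hardening flags (SSP, PIE, ...) …
```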
int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) {
int r;
- // Do not perform this check on firmware
- if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
- return 0;
-
// Return previous result if this has been run before
if (!file->hardening_check_done) {
- switch (pakfire_file_get_elf_type(file)) {
- // Do not check Relocatable Objects
- case ET_REL:
- goto DONE;
+ // Perform FHS check
+ r = pakfire_fhs_check_file(file->pakfire, file);
+ if (r)
+ file->hardening_issues |= PAKFIRE_FILE_FHS_ERROR;
- // Check everything else
- default:
- break;
- }
+ // Do not perform the following checks on firmware
+ if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE))
+ goto DONE;
- // Check for SSP
- r = pakfire_file_hardening_check_ssp(file);
- if (r)
- return r;
+ // Run these checks only for ELF files
+ if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) {
+ switch (pakfire_file_get_elf_type(file)) {
+ // Do not check Relocatable Objects
+ case ET_REL:
+ goto DONE;
+
+ // Check everything else
+ default:
+ break;
+ }
- // Check for PIE
- r = pakfire_file_hardening_check_pie(file);
- if (r)
- return r;
+ // Check for SSP
+ r = pakfire_file_hardening_check_ssp(file);
+ if (r)
+ return r;
- // Check for executable stacks
- r = pakfire_file_hardening_check_execstack(file);
- if (r)
- return r;
+ // Check for PIE
+ r = pakfire_file_hardening_check_pie(file);
+ if (r)
+ return r;
- // Check for RELRO
- r = pakfire_file_hardening_check_relro(file);
- if (r)
- return r;
+ // Check for executable stacks
+ r = pakfire_file_hardening_check_execstack(file);
+ if (r)
+ return r;
+
+ // Check for RELRO
+ r = pakfire_file_hardening_check_relro(file);
+ if (r)
+ return r;
+ }
DONE:
// All checks done
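Review bot: The result of `pakfire_fhs_check_file()` is folded into `PAKFIRE_FILE_FHS_ERROR` for any non-zero `r`, so a genuine failure inside the checker (an allocation or I/O error, if it can report one) would be recorded as a layout violation instead of aborting the check; if the helper distinguishes the two cases, propagate the error and set the flag only for a real violation. That non-zero `r` is also still live when the firmware branch jumps to `DONE`, so if the epilogue after `DONE` (outside the hunk) returns `r`, an FHS finding on a firmware file would surface as a failure of `pakfire_file_check_hardening()` itself; clearing it with `r = 0;` right after the flag is set avoids that. Since the function now records filesystem-layout findings for every file and ELF hardening findings only for ELF files, its header comment should say so, e.g. `// Records FHS layout violations for every file and ELF hardening issues for ELF files (except firmware and ET_REL objects); results are cached in file->hardening_issues`. The function body continues past the end of the hunk.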
Hardening Checks
*/
enum pakfire_file_hardening_flags {
- PAKFIRE_FILE_NO_SSP = (1 << 0),
- PAKFIRE_FILE_NO_PIE = (1 << 1),
- PAKFIRE_FILE_EXECSTACK = (1 << 2),
- PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 3),
+ PAKFIRE_FILE_FHS_ERROR = (1 << 0),
+ PAKFIRE_FILE_NO_SSP = (1 << 1),
+ PAKFIRE_FILE_NO_PIE = (1 << 2),
+ PAKFIRE_FILE_EXECSTACK = (1 << 3),
+ PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 4),
};
int pakfire_file_is_stripped(struct pakfire_file* file);
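Review bot: Inserting `PAKFIRE_FILE_FHS_ERROR` at bit 0 renumbers every existing hardening flag, so any place that compares these values across a build boundary (a numeric dump, a stored package attribute, or out-of-tree code using the header) would disagree between old and new versions; whether such a consumer exists is not visible on this page. Appending the new flag instead, `PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 3),` followed by `PAKFIRE_FILE_FHS_ERROR = (1 << 4),`, keeps the existing values stable at no cost. A one-line comment above the enum noting that the values are bit flags OR-ed into `hardening_issues` would also help readers of the header.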