PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
}
+/*
+ Hardening
+*/
+
static int __pakfire_build_post_check_stack_smashing_protection(
struct pakfire* pakfire, struct pakfire_file* file, void* data) {
struct pakfire_filelist* broken = (struct pakfire_filelist*)data;
PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
}
+static int __pakfire_build_post_check_shared_object_type(
+ struct pakfire* pakfire, struct pakfire_file* file, void* data) {
+ struct pakfire_filelist* broken = (struct pakfire_filelist*)data;
+ int r;
+
+ // Skip anything that isn't an ELF file
+ if (!pakfire_file_matches_class(file, PAKFIRE_FILE_ELF))
+ return 0;
+
+ if (!pakfire_file_is_position_independent(file)) {
+ r = pakfire_filelist_add(broken, file);
+ if (r)
+ return r;
+ }
+
+ return 0;
+}
+
+static int pakfire_build_post_check_shared_object_type(
+ struct pakfire_build* build, struct pakfire_filelist* filelist) {
+ return pakfire_build_post_process_files(build, filelist,
+ "These files have not been built with -fPIC:",
+ __pakfire_build_post_check_shared_object_type,
+ PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
+}
+
static int pakfire_build_post_check_hardening(
struct pakfire_build* build, struct pakfire_filelist* filelist) {
int r;
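Review bot: In __pakfire_build_post_check_shared_object_type the condition `if (!pakfire_file_is_position_independent(file))` treats a negative return as "position independent", so a file whose ELF header cannot be parsed (the helper in this same change returns -1 in that case, and logs an error) silently passes the hardening check instead of failing the build. The error should be propagated like the pakfire_filelist_add error below it, and only a genuine 0 should put the file on the broken list. Note also that the message "These files have not been built with -fPIC:" describes something the e_type check cannot actually observe; "not linked as position-independent executables (no PIE)" would match what is tested. Only the callback's decision lines change:

```c
	/* … unchanged: cast of data, PAKFIRE_FILE_ELF class check … */

	// A negative return means the ELF header could not be read; fail the
	// build rather than letting an unreadable file pass the hardening check.
	r = pakfire_file_is_position_independent(file);
	if (r < 0)
		return r;

	if (r == 0) {
		r = pakfire_filelist_add(broken, file);
		if (r)
			return r;
	}
```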
if (r)
return r;
+ // Check shared object type
+ r = pakfire_build_post_check_shared_object_type(build, filelist);
+ if (r)
+ return r;
+
return 0;
}
int pakfire_file_has_stack_smashing_protection(struct pakfire_file* file) {
return pakfire_file_open_elf(file, __pakfire_file_has_stack_smashing_protection, NULL);
}
+
+static int __pakfire_file_is_position_independent(
+ struct pakfire_file* file, Elf* elf, void* data) {
+ GElf_Ehdr eheader;
+
+ // Fetch the ELF header
+ if (!gelf_getehdr(elf, &eheader)) {
+ ERROR(file->pakfire, "Could not parse ELF header: %s\n", elf_errmsg(-1));
+ return -1;
+ }
+
+ // Check for the correct header type
+ switch (eheader.e_type) {
+ case ET_DYN:
+ return 1;
+
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+int pakfire_file_is_position_independent(struct pakfire_file* file) {
+ return pakfire_file_open_elf(file, __pakfire_file_is_position_independent, NULL);
+}
return 1
fi
- local no_pie=()
local exec_stack=()
local not_relro=()
local partly_relro=()
continue
fi
- # Is this file built with -fPIC?
- if readelf -h "${file}" 2>/dev/null | grep -qE "Type:[[:space:]]*EXEC"; then
- no_pie+=( "${file}" )
- fi
-
# Does this file have an executable stack?
if readelf -l "${file}" 2>/dev/null | grep -A1 "GNU_STACK" | grep -q "RWE"; then
exec_stack+=( "${file}" )
local r=0
- # Log files without PIE
- if [ "${#no_pie[@]}" -gt 0 ]; then
- error "The following files have not been compiled as place-independent executables:"
- for file in ${no_pie[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- r=1
- fi
-
# Log files with an executable stack
if [ "${#exec_stack[@]}" -gt 0 ]; then
error "The following files have an executable stack:"