--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# Pakfire - The IPFire package management system #
+# Copyright (C) 2021 Pakfire development team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+error() {
+ echo "${0#/}: $@" >&2
+}
+
+main() {
+ local buildroot="${1}"
+ shift
+
+ # Check if BUILDROOT exists
+ if [ ! -d "${buildroot}" ]; then
+ error "BUILDROOT does not exist"
+ return 1
+ fi
+
+ local missing_ssp=()
+ local no_pie=()
+ local exec_stack=()
+ local not_relro=()
+ local partly_relro=()
+
+ local file
+ for file in $(find "${buildroot}" -type f | sort); do
+ case "${file}" in
+ # Filter out startfiles
+ */crt[1in].o)
+ continue
+ ;;
+
+ # Filter out kernel modules
+ *.ko)
+ continue
+ ;;
+ esac
+
+ # Skip anything that isn't an ELF file
+ if ! file "${file}" | grep -q "ELF"; then
+ continue
+ fi
+
+ # Does this file have stack smashing protection enabled?
+ if ! readelf -s "${file}" 2>/dev/null | grep -q "__stack_chk_fail"; then
+ missing_ssp+=( "${file}" )
+ fi
+
+ # Is this file built with -fPIC?
+ if ! readelf -h "${file}" 2>/dev/null | grep -qE "Type:[[:space:]]*EXEC"; then
+ no_pie+=( "${file}" )
+ fi
+
+ # Does this file have an executable stack?
+ if ! readelf -l "${file}" 2>/dev/null | grep -A1 "GNU_STACK" | grep -q "RWE"; then
+ exec_stack+=( "${file}" )
+ fi
+
+ # Perform more checks for shared objects (i.e. libraries)
+ if file "${file}" | grep -q "shared object"; then
+ # Is this file partly RELRO?
+ if ! readelf -l "${file}" 2>/dev/null | grep -q "GNU_RELRO"; then
+ not_relro+=( "${file}" )
+ continue
+ fi
+
+ # Is this file fully RELRO?
+ if ! readelf -d "${file}" 2>/dev/null | grep -q "BIND_NOW"; then
+ partly_relro+=( "${file}" )
+ fi
+ fi
+ done
+
+ local r=0
+
+ # Log files without SSP
+ if [ "${#missing_ssp[@]}" -gt 0 ]; then
+ error "The following files do not have stack-smashing protection enabled:"
+ for file in ${missing_ssp[@]}; do
+ error " ${file/${buildroot}/}"
+ done
+
+ r=1
+ fi
+
+ # Log files without PIE
+ if [ "${#no_pie[@]}" -gt 0 ]; then
+ error "The following files have not been compiled as place-independent executables:"
+ for file in ${no_pie[@]}; do
+ error " ${file/${buildroot}/}"
+ done
+
+ r=1
+ fi
+
+ # Log files with an executable stack
+ if [ "${#exec_stack[@]}" -gt 0 ]; then
+ error "The following files have an executable stack:"
+ for file in ${exec_stack[@]}; do
+ error " ${file/${buildroot}/}"
+ done
+
+ r=1
+ fi
+
+ # Log files which are not RELRO
+ if [ "${#not_relro[@]}" -gt 0 ]; then
+ error "The following files are not fully RELRO:"
+ for file in ${not_relro[@]}; do
+ error " ${file/${buildroot}/}"
+ done
+
+ r=1
+ fi
+
+ # Log files which are only partially RELRO
+ if [ "${#partly_relro[@]}" -gt 0 ]; then
+ error "The following files are only partially RELRO:"
+ for file in ${partly_relro[@]}; do
+ error " ${file/${buildroot}/}"
+ done
+
+ r=1
+ fi
+
+ return "${r}"
+}
+
+main "$@" || exit $?