From: Michael Tremer Date: Fri, 17 Mar 2023 13:46:50 +0000 (+0000) Subject: build: Rename hardening check to just check X-Git-Tag: 0.9.29~272 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28886e21ce373c412960eb02fda0dbf17293b3c7;p=pakfire.git build: Rename hardening check to just check That way, we can include some checks that are not too closely related to any hardening issues. Signed-off-by: Michael Tremer --- diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c index e40c4ab2d..5ea9e7650 100644 --- a/src/libpakfire/build.c +++ b/src/libpakfire/build.c @@ -1049,7 +1049,7 @@ static int pakfire_build_post_process_files(struct pakfire_build* build, INFO(build->pakfire, "%s\n", description); // Show all files which will be removed - pakfire_filelist_dump(removees, PAKFIRE_FILE_DUMP_FULL|PAKFIRE_FILE_DUMP_HARDENING); + pakfire_filelist_dump(removees, PAKFIRE_FILE_DUMP_FULL|PAKFIRE_FILE_DUMP_ISSUES); // Remove all files on the removee list if (flags & PAKFIRE_BUILD_CLEANUP_FILES) { @@ -1217,20 +1217,19 @@ static int pakfire_build_post_check_buildroot( } /* - Hardening + File Issues */ -static int __pakfire_build_post_check_hardening( +static int __pakfire_build_post_check_files( struct pakfire* pakfire, struct pakfire_file* file, void* data) { struct pakfire_filelist* broken = (struct pakfire_filelist*)data; int issues = 0; int r; - // Check hardening - r = pakfire_file_check_hardening(file, &issues); + // Check file for issues + r = pakfire_file_check(file, &issues); if (r) { - ERROR(pakfire, "%s: Hardening Check failed: %m\n", - pakfire_file_get_path(file)); + ERROR(pakfire, "%s: File Check failed: %m\n", pakfire_file_get_path(file)); return r; } @@ -1244,13 +1243,13 @@ static int __pakfire_build_post_check_hardening( return 0; } -static int pakfire_build_post_check_hardening( +static int pakfire_build_post_check_files( struct pakfire_build* build, struct pakfire_filelist* filelist) { return pakfire_build_post_process_files( build, filelist, - "Hardening Issues:", - __pakfire_build_post_check_hardening, + "File Issues:", + __pakfire_build_post_check_files, PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY); } @@ -1302,8 +1301,8 @@ static int pakfire_build_run_post_build_checks(struct pakfire_build* build) { if (r) goto ERROR; - // Check hardening - r = pakfire_build_post_check_hardening(build, filelist); + // Check files + r = pakfire_build_post_check_files(build, filelist); if (r) goto ERROR; diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c index 126be6164..b4b599a7b 100644 --- a/src/libpakfire/file.c +++ b/src/libpakfire/file.c @@ -92,9 +92,9 @@ struct pakfire_file { // Verification Status int verify_status; - // Hardening Issues - int hardening_issues; - int hardening_check_done:1; + // File Issues + int issues; + int check_done:1; #warning TODO capabilities, data // capabilities @@ -615,9 +615,9 @@ char* pakfire_file_dump(struct pakfire_file* file, int flags) { } } - // Hardning Status - if (flags & PAKFIRE_FILE_DUMP_HARDENING) { - if (file->hardening_issues & PAKFIRE_FILE_FHS_ERROR) { + // Dump Issues + if (flags & PAKFIRE_FILE_DUMP_ISSUES) { + if (file->issues & PAKFIRE_FILE_FHS_ERROR) { r = asprintf(&buffer, "%s [FHS-ERROR]", buffer); if (r < 0) goto ERROR; @@ -625,28 +625,28 @@ char* pakfire_file_dump(struct pakfire_file* file, int flags) { if (pakfire_file_matches_class(file, PAKFIRE_FILE_ELF)) { // Stack-smashing Protection - if (file->hardening_issues & PAKFIRE_FILE_NO_SSP) { + if (file->issues & PAKFIRE_FILE_NO_SSP) { r = asprintf(&buffer, "%s [NO-SSP]", buffer); if (r < 0) goto ERROR; } // Position-independent Executable - if (file->hardening_issues & PAKFIRE_FILE_NO_PIE) { + if (file->issues & PAKFIRE_FILE_NO_PIE) { r = asprintf(&buffer, "%s [NO-PIE]", buffer); if (r < 0) goto ERROR; } // Executable Stack - if (file->hardening_issues & PAKFIRE_FILE_EXECSTACK) { + if (file->issues & PAKFIRE_FILE_EXECSTACK) { r = asprintf(&buffer, "%s [EXECSTACK]", buffer); if (r < 0) goto ERROR; } // Not Partially RELRO - if (file->hardening_issues & PAKFIRE_FILE_NO_PARTIALLY_RELRO) { + if (file->issues & PAKFIRE_FILE_NO_PARTIALLY_RELRO) { r = asprintf(&buffer, "%s [NO-PART-RELRO]", buffer); if (r < 0) goto ERROR; @@ -1742,7 +1742,7 @@ int pakfire_file_is_stripped(struct pakfire_file* file) { return pakfire_file_open_elf(file, __pakfire_file_is_stripped, NULL); } -static int __pakfire_file_hardening_check_ssp( +static int __pakfire_file_check_ssp( struct pakfire_file* file, Elf* elf, void* data) { Elf_Scn* section = NULL; GElf_Shdr section_header; @@ -1801,20 +1801,20 @@ static int __pakfire_file_hardening_check_ssp( } // The file does not seem to have SSP enabled - file->hardening_issues |= PAKFIRE_FILE_NO_SSP; + file->issues |= PAKFIRE_FILE_NO_SSP; return 0; } -static int pakfire_file_hardening_check_ssp(struct pakfire_file* file) { +static int pakfire_file_check_ssp(struct pakfire_file* file) { // Do not perform this check for runtime linkers if (pakfire_file_matches_class(file, PAKFIRE_FILE_RUNTIME_LINKER)) return 0; - return pakfire_file_open_elf(file, __pakfire_file_hardening_check_ssp, NULL); + return pakfire_file_open_elf(file, __pakfire_file_check_ssp, NULL); } -static int pakfire_file_hardening_check_pie(struct pakfire_file* file) { +static int pakfire_file_check_pie(struct pakfire_file* file) { switch (pakfire_file_get_elf_type(file)) { // Shared Object files are good case ET_DYN: @@ -1822,14 +1822,14 @@ static int pakfire_file_hardening_check_pie(struct pakfire_file* file) { // Everything else is bad default: - file->hardening_issues |= PAKFIRE_FILE_NO_PIE; + file->issues |= PAKFIRE_FILE_NO_PIE; break; } return 0; } -static int __pakfire_file_hardening_check_execstack( +static int __pakfire_file_check_execstack( struct pakfire_file* file, Elf* elf, void* data) { GElf_Phdr phdr; int r; @@ -1863,7 +1863,7 @@ static int __pakfire_file_hardening_check_execstack( // The stack cannot be writable and executable if ((phdr.p_flags & PF_W) && (phdr.p_flags & PF_X)) - file->hardening_issues |= PAKFIRE_FILE_EXECSTACK; + file->issues |= PAKFIRE_FILE_EXECSTACK; // Done return 0; @@ -1876,11 +1876,11 @@ static int __pakfire_file_hardening_check_execstack( return 0; } -static int pakfire_file_hardening_check_execstack(struct pakfire_file* file) { - return pakfire_file_open_elf(file, __pakfire_file_hardening_check_execstack, NULL); +static int pakfire_file_check_execstack(struct pakfire_file* file) { + return pakfire_file_open_elf(file, __pakfire_file_check_execstack, NULL); } -static int __pakfire_file_hardening_check_partially_relro( +static int __pakfire_file_check_partially_relro( struct pakfire_file* file, Elf* elf, void* data) { GElf_Phdr phdr; int r; @@ -1912,25 +1912,25 @@ static int __pakfire_file_hardening_check_partially_relro( } // This file does not seem to have PT_GNU_RELRO set - file->hardening_issues |= PAKFIRE_FILE_NO_PARTIALLY_RELRO; + file->issues |= PAKFIRE_FILE_NO_PARTIALLY_RELRO; return 0; } -static int pakfire_file_hardening_check_relro(struct pakfire_file* file) { - return pakfire_file_open_elf(file, __pakfire_file_hardening_check_partially_relro, NULL); +static int pakfire_file_check_relro(struct pakfire_file* file) { + return pakfire_file_open_elf(file, __pakfire_file_check_partially_relro, NULL); } -int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) { +int pakfire_file_check(struct pakfire_file* file, int* issues) { int r; // Return previous result if this has been run before - if (!file->hardening_check_done) { + if (!file->check_done) { // Perform FHS check r = pakfire_fhs_check_file(file->pakfire, file); if (r) - file->hardening_issues |= PAKFIRE_FILE_FHS_ERROR; + file->issues |= PAKFIRE_FILE_FHS_ERROR; // Do not perform the following checks on firmware if (pakfire_file_matches_class(file, PAKFIRE_FILE_FIRMWARE)) @@ -1949,34 +1949,34 @@ int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) { } // Check for SSP - r = pakfire_file_hardening_check_ssp(file); + r = pakfire_file_check_ssp(file); if (r) return r; // Check for PIE - r = pakfire_file_hardening_check_pie(file); + r = pakfire_file_check_pie(file); if (r) return r; // Check for executable stacks - r = pakfire_file_hardening_check_execstack(file); + r = pakfire_file_check_execstack(file); if (r) return r; // Check for RELRO - r = pakfire_file_hardening_check_relro(file); + r = pakfire_file_check_relro(file); if (r) return r; } DONE: // All checks done - file->hardening_check_done = 1; + file->check_done = 1; } // Return any issues if (issues) - *issues = file->hardening_issues; + *issues = file->issues; return 0; } diff --git a/src/libpakfire/include/pakfire/file.h b/src/libpakfire/include/pakfire/file.h index 6282b3945..253619101 100644 --- a/src/libpakfire/include/pakfire/file.h +++ b/src/libpakfire/include/pakfire/file.h @@ -137,7 +137,7 @@ enum pakfire_file_dump_flags { PAKFIRE_FILE_DUMP_TIME = (1 << 2), PAKFIRE_FILE_DUMP_OWNERSHIP = (1 << 3), PAKFIRE_FILE_DUMP_LINK_TARGETS = (1 << 4), - PAKFIRE_FILE_DUMP_HARDENING = (1 << 5), + PAKFIRE_FILE_DUMP_ISSUES = (1 << 5), PAKFIRE_FILE_DUMP_FULL = \ PAKFIRE_FILE_DUMP_MODE | \ @@ -173,9 +173,9 @@ int pakfire_file_matches_class(struct pakfire_file* file, const int class); int pakfire_file_verify(struct pakfire_file* file, int* status); /* - Hardening Checks + Checks */ -enum pakfire_file_hardening_flags { +enum pakfire_file_check_issues { PAKFIRE_FILE_FHS_ERROR = (1 << 0), PAKFIRE_FILE_NO_SSP = (1 << 1), PAKFIRE_FILE_NO_PIE = (1 << 2), @@ -184,7 +184,7 @@ enum pakfire_file_hardening_flags { }; int pakfire_file_is_stripped(struct pakfire_file* file); -int pakfire_file_check_hardening(struct pakfire_file* file, int* issues); +int pakfire_file_check(struct pakfire_file* file, int* issues); #endif