From: Michael Tremer
Date: Sun, 5 Mar 2023 17:13:07 +0000 (+0000)
Subject: build: Check if binaries have been built with -fPIC
X-Git-Tag: 0.9.29~357
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a67d72c7a6585bcc20102b92bbca5491192894c;p=pakfire.git

build: Check if binaries have been built with -fPIC

Signed-off-by: Michael Tremer
---

diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c
index 5a9718171..42f30bac4 100644
--- a/src/libpakfire/build.c
+++ b/src/libpakfire/build.c
@@ -1134,6 +1134,10 @@ static int pakfire_build_post_check_broken_symlinks(
 PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
 }
 
+/*
+ Hardening
+*/
+
 static int __pakfire_build_post_check_stack_smashing_protection(
 struct pakfire* pakfire, struct pakfire_file* file, void* data) {
 struct pakfire_filelist* broken = (struct pakfire_filelist*)data;
@@ -1160,6 +1164,32 @@ static int pakfire_build_post_check_stack_smashing_protection(
 PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
 }
 
+static int __pakfire_build_post_check_shared_object_type(
+ struct pakfire* pakfire, struct pakfire_file* file, void* data) {
+ struct pakfire_filelist* broken = (struct pakfire_filelist*)data;
+ int r;
+
+ // Skip anything that isn't an ELF file
+ if (!pakfire_file_matches_class(file, PAKFIRE_FILE_ELF))
+ return 0;
+
+ if (!pakfire_file_is_position_independent(file)) {
+ r = pakfire_filelist_add(broken, file);
+ if (r)
+ return r;
+ }
+
+ return 0;
+}
+
+static int pakfire_build_post_check_shared_object_type(
+ struct pakfire_build* build, struct pakfire_filelist* filelist) {
+ return pakfire_build_post_process_files(build, filelist,
+ "These files have not been built with -fPIC:",
+ __pakfire_build_post_check_shared_object_type,
+ PAKFIRE_BUILD_ERROR_IF_NOT_EMPTY);
+}
+
 static int pakfire_build_post_check_hardening(
 struct pakfire_build* build, struct pakfire_filelist* filelist) {
 int r;
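Review bot: In `__pakfire_build_post_check_shared_object_type` the test `if (!pakfire_file_is_position_independent(file))` turns an error into a pass: the file.c callback returns -1 when the ELF header cannot be parsed, and `!(-1)` is false, so an unreadable binary is silently accepted as position-independent (assuming pakfire_file_open_elf propagates the callback's result, which is not visible here). Store the result and propagate a negative value before testing it, as in the rewrite below. The label "have not been built with -fPIC" is also slightly off, since an e_type check tells how the file was linked (-pie/-shared) rather than how its objects were compiled; `"These files have not been linked as position-independent executables (PIE):"` would name what is actually verified. The hunk ends inside pakfire_build_post_check_hardening, whose body continues outside it.

```c
	// A negative value is an error from the ELF reader, not a verdict on the file
	r = pakfire_file_is_position_independent(file);
	if (r < 0)
		return r;

	if (!r) {
		r = pakfire_filelist_add(broken, file);
		/* … unchanged: error check, closing brace and return 0 … */
```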
@@ -1169,6 +1199,11 @@ static int pakfire_build_post_check_hardening(
 if (r)
 return r;
 
+ // Check shared object type
+ r = pakfire_build_post_check_shared_object_type(build, filelist);
+ if (r)
+ return r;
+
 return 0;
 }
 
diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index a0ed895dd..8a91a3859 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -1490,3 +1490,29 @@ static int __pakfire_file_has_stack_smashing_protection(
 int pakfire_file_has_stack_smashing_protection(struct pakfire_file* file) {
 return pakfire_file_open_elf(file, __pakfire_file_has_stack_smashing_protection, NULL);
 }
+
+static int __pakfire_file_is_position_independent(
+ struct pakfire_file* file, Elf* elf, void* data) {
+ GElf_Ehdr eheader;
+
+ // Fetch the ELF header
+ if (!gelf_getehdr(elf, &eheader)) {
+ ERROR(file->pakfire, "Could not parse ELF header: %s\n", elf_errmsg(-1));
+ return -1;
+ }
+
+ // Check for the correct header type
+ switch (eheader.e_type) {
+ case ET_DYN:
+ return 1;
+
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+int pakfire_file_is_position_independent(struct pakfire_file* file) {
+ return pakfire_file_open_elf(file, __pakfire_file_is_position_independent, NULL);
+}
diff --git a/src/scripts/check-hardening b/src/scripts/check-hardening
index fe392ea8f..2db5aa7ea 100644
--- a/src/scripts/check-hardening
+++ b/src/scripts/check-hardening
@@ -33,7 +33,6 @@ main() {
 return 1
 fi
 
- local no_pie=()
 local exec_stack=()
 local not_relro=()
 local partly_relro=()
@@ -57,11 +56,6 @@ main() {
 continue
 fi
 
- # Is this file built with -fPIC?
- if readelf -h "${file}" 2>/dev/null | grep -qE "Type:[[:space:]]*EXEC"; then
- no_pie+=( "${file}" )
- fi
-
 # Does this file have an executable stack?
 if readelf -l "${file}" 2>/dev/null | grep -A1 "GNU_STACK" | grep -q "RWE"; then
 exec_stack+=( "${file}" )
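Review bot: `__pakfire_file_is_position_independent` answers 0 for every e_type other than ET_DYN, so if the PAKFIRE_FILE_ELF class also matches relocatable objects (ET_REL: crt*.o, kernel modules) or other non-executable ELF files — not visible from this hunk — they would be reported as "not built with -fPIC" although the property does not apply to them; the shell check this commit removes flagged only `Type: EXEC`, so `return eheader.e_type != ET_EXEC;` would preserve that behaviour, while `return eheader.e_type == ET_DYN;` keeps the stricter semantics without the one-case switch. Whichever is intended, the public wrapper deserves a short contract comment such as `// Returns 1 if the ELF type is ET_DYN (PIE executable or shared object), 0 for any other type, or a negative value if the header cannot be read`, so callers know a negative result must be handled separately from 0.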
@@ -84,16 +78,6 @@ main() {
 
 local r=0
 
- # Log files without PIE
- if [ "${#no_pie[@]}" -gt 0 ]; then
- error "The following files have not been compiled as place-independent executables:"
- for file in ${no_pie[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- r=1
- fi
-
 # Log files with an executable stack
 if [ "${#exec_stack[@]}" -gt 0 ]; then
 error "The following files have an executable stack:"