From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 28 May 2021 14:32:54 +0000 (+0000)
Subject: scripts: Add check for hardening
X-Git-Tag: 0.9.28~1285^2~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd86416022834abcdeafaecac2353d52af5e8aaa;p=pakfire.git

scripts: Add check for hardening

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/Makefile.am b/Makefile.am
index 35acddc96..cbaa5161c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -555,6 +555,7 @@ libpakfire_preload_la_LIBADD = \
 
 dist_scripts_SCRIPTS = \
 	src/scripts/check-buildroot \
+	src/scripts/check-hardening \
 	src/scripts/check-include \
 	src/scripts/check-symlinks \
 	src/scripts/check-unsafe-files \
diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c
index f4ce32e17..b5f1b2e4b 100644
--- a/src/libpakfire/build.c
+++ b/src/libpakfire/build.c
@@ -343,6 +343,7 @@ static const char* post_build_scripts[] = {
 	"check-unsafe-files",
 	"check-buildroot",
 	"check-include",
+	"check-hardening",
 	"compress-man-pages",
 	"strip",
 	NULL,
diff --git a/src/scripts/check-hardening b/src/scripts/check-hardening
new file mode 100644
index 000000000..da1ba3f47
--- /dev/null
+++ b/src/scripts/check-hardening
@@ -0,0 +1,146 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# Pakfire - The IPFire package management system                              #
+# Copyright (C) 2021 Pakfire development team                                 #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+error() {
+	echo "${0#/}: $@" >&2
+}
+
+main() {
+	local buildroot="${1}"
+	shift
+
+	# Check if BUILDROOT exists
+	if [ ! -d "${buildroot}" ]; then
+		error "BUILDROOT does not exist"
+		return 1
+	fi
+
+	local missing_ssp=()
+	local no_pie=()
+	local exec_stack=()
+	local not_relro=()
+	local partly_relro=()
+
+	local file
+	for file in $(find "${buildroot}" -type f | sort); do
+		case "${file}" in
+			# Filter out startfiles
+			*/crt[1in].o)
+				continue
+				;;
+
+			# Filter out kernel modules
+			*.ko)
+				continue
+				;;
+		esac
+
+		# Skip anything that isn't an ELF file
+		if ! file "${file}" | grep -q "ELF"; then
+			continue
+		fi
+
+		# Does this file have stack smashing protection enabled?
+		if ! readelf -s "${file}" 2>/dev/null | grep -q "__stack_chk_fail"; then
+			missing_ssp+=( "${file}" )
+		fi
+
+		# Is this file built with -fPIC?
+		if ! readelf -h "${file}" 2>/dev/null | grep -qE "Type:[[:space:]]*EXEC"; then
+			no_pie+=( "${file}" )
+		fi
+
+		# Does this file have an executable stack?
+		if ! readelf -l "${file}" 2>/dev/null | grep -A1 "GNU_STACK" | grep -q "RWE"; then
+			exec_stack+=( "${file}" )
+		fi
+
+		# Perform more checks for shared objects (i.e. libraries)
+		if file "${file}" | grep -q "shared object"; then
+			# Is this file partly RELRO?
+			if ! readelf -l "${file}" 2>/dev/null | grep -q "GNU_RELRO"; then
+				not_relro+=( "${file}" )
+				continue
+			fi
+
+			# Is this file fully RELRO?
+			if ! readelf -d "${file}" 2>/dev/null | grep -q "BIND_NOW"; then
+				partly_relro+=( "${file}" )
+			fi
+		fi
+	done
+
+	local r=0
+
+	# Log files without SSP
+	if [ "${#missing_ssp[@]}" -gt 0 ]; then
+		error "The following files do not have stack-smashing protection enabled:"
+		for file in ${missing_ssp[@]}; do
+			error "  ${file/${buildroot}/}"
+		done
+
+		r=1
+	fi
+
+	# Log files without PIE
+	if [ "${#no_pie[@]}" -gt 0 ]; then
+		error "The following files have not been compiled as place-independent executables:"
+		for file in ${no_pie[@]}; do
+			error "  ${file/${buildroot}/}"
+		done
+
+		r=1
+	fi
+
+	# Log files with an executable stack
+	if [ "${#exec_stack[@]}" -gt 0 ]; then
+		error "The following files have an executable stack:"
+		for file in ${exec_stack[@]}; do
+			error "  ${file/${buildroot}/}"
+		done
+
+		r=1
+	fi
+
+	# Log files which are not RELRO
+	if [ "${#not_relro[@]}" -gt 0 ]; then
+		error "The following files are not fully RELRO:"
+		for file in ${not_relro[@]}; do
+			error "  ${file/${buildroot}/}"
+		done
+
+		r=1
+	fi
+
+	# Log files which are only partially RELRO
+	if [ "${#partly_relro[@]}" -gt 0 ]; then
+		error "The following files are only partially RELRO:"
+		for file in ${partly_relro[@]}; do
+			error "  ${file/${buildroot}/}"
+		done
+
+		r=1
+	fi
+
+	return "${r}"
+}
+
+main "$@" || exit $?