From: Michael Tremer Date: Sat, 14 Mar 2009 17:04:21 +0000 (+0100) Subject: Introduced quality agent. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a37006ccde99865b9fdbda432c3ae520fe2b872a;p=ipfire-3.x.git Introduced quality agent.
---
diff --git a/make.sh b/make.sh
index 76dfbae26..5f3a7f353 100755
--- a/make.sh
+++ b/make.sh
@@ -454,6 +454,7 @@ packages_build() { build_spy stage ${STAGE} toolchain_make strip + ipfire_make quality-agent # Generate ChangeLog git_log
diff --git a/src/quality-agent/quality-agent b/src/quality-agent/quality-agent
new file mode 100755
index 000000000..6eba1db27
--- /dev/null
+++ b/src/quality-agent/quality-agent
@@ -0,0 +1,148 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+CHECK_PATHS=${@-"/bin /lib /opt /root /sbin /var /usr/bin /usr/lib /usr/sbin"}
+
+CHECK_PATHS=$(find ${CHECK_PATHS} -not -type d)
+
+echo "Searching for all world writable files..."
+f=$(find ${CHECK_PATHS} -not -path "/proc*" -type f -perm -2 2>/dev/null)
+if [ -n "$f" ]; then
+ echo
+ echo "QA Security Notice:"
+ echo " - The folloing files will be world writable."
+ echo " - This may or may not be a security problem, most of the time it is one."
+ echo " - Please double check that these files really need a world writeable bit and file bugs accordingly."
+ echo
+ echo "$f"
+ exit 1
+fi
+
+echo "Searching for unsafe files..."
+f=$(find ${CHECK_PATHS} -type f '(' -perm -2002 -o -perm -4002 ')')
+if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: Unsafe files detected (set*id and world writable)"
+ echo "${f}"
+ exit 1
+fi
+
+# this should help to ensure that all (most?) shared libraries are executable
+# and that all libtool scripts / static libraries are not executable
+echo "Searching for not executeable libs..."
+for i in $(find ${CHECK_PATHS} -name *.so*); do
+ [ ! -e ${i} ] && continue
+ if [ -L ${i} ]; then
+ linkdest=$(readlink "${i}")
+ if [[ ${linkdest} == /* ]] ; then
+ echo
+ echo "QA Notice: Found an absolute symlink in a library directory:"
+ echo " ${i} -> ${linkdest}"
+ echo " It should be a relative symlink if in the same directory"
+ echo " or a linker script if it crosses the /usr boundary."
+ exit 1
+ fi
+ continue
+ fi
+ [ -x ${i} ] && continue
+ echo "making executable: ${i}"
+ chmod +x "${i}"
+done
+for i in $(find ${CHECK_PATHS} -name *.a -o -name *.la); do
+ [ ! -e ${i} ] && continue
+ [ -L ${i} ] && continue
+ [ ! -x ${i} ] && continue
+ echo "removing executable bit: ${i}"
+ chmod -x "${i}"
+done
+
+# Make sure people don't store libtool files or static libs in /lib
+echo "Searching for bad files in /lib..."
+f=$(find /lib -name *.{a,la} 2>/dev/null)
+if [ -n "$f" ]; then
+ echo "QA Notice: Excessive files found in the / partition"
+ echo "${f}"
+ exit 1
+fi
+
+if [ -n "$(which scanelf 2>/dev/null)" ]; then
+ # Make sure we disallow insecure RUNPATH/RPATH's
+ # Don't want paths that point to the tree where the package was built
+ # (older, broken libtools would do this). Also check for null paths
+ # because the loader will search $PWD when it finds null paths.
+ echo "Searching for files that have unsecure RUNPATH/RPATH..."
+ f=$(scanelf -qyRF '%r %p' ${CHECK_PATHS} 2>/dev/null | awk '{ print $NF }' | grep -v -f whitelist-rpaths)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain insecure RUNPATH's"
+ echo "${f}"
+ echo
+ exit 1
+ fi
+
+ # TEXTREL's are baaaaaaaad
+ echo "Searching for files that have baaaaaaad TEXTRELs..."
+ f=$(scanelf -qyRF '%t %p' ${CHECK_PATHS} 2>/dev/null | awk '{ print $NF }' | grep -v -f whitelist-textrels)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain runtime text relocations"
+ echo " Text relocations force the dynamic linker to perform extra"
+ echo " work at startup, waste system resources, and may pose a security"
+ echo " risk. On some architectures, the code may not even function"
+ echo " properly, if at all."
+ echo "${f}"
+ exit 1
+ fi
+
+ # Also, executable stacks only matter on linux...
+ echo "Searching for files that have executeable stacks..."
+ f=$(scanelf -qyRF '%e %p' ${CHECK_PATHS} | awk '{ print $NF }' | grep -v -f whitelist-exec-stacks)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain executable stacks"
+ echo " Files with executable stacks will not work properly (or at all!)"
+ echo " on some architectures/operating systems."
+ echo "${f}"
+ exit 1
+ fi
+
+ # Libary checks
+ check_files=$(find ${CHECK_PATHS} -name lib*.so*)
+
+ echo "Searching bad libs that lack a SONAME..."
+ f=$(scanelf -ByF '%S %p' $check_files | awk '$2 == "" { print }' | grep -v -f whitelist-soname)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following shared libraries lack a SONAME"
+ echo "${f}"
+ exit 1
+ fi
+ f=$(scanelf -ByF '%n %p' $check_files | awk '$2 == "" { print }')
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following shared libraries lack NEEDED entries"
+ echo "${f}"
+ exit 1
+ fi
+
+else
+ echo "scanelf is not available. Can't check."
+fi
diff --git a/src/quality-agent/whitelist-exec-stacks b/src/quality-agent/whitelist-exec-stacks
new file mode 100644
index 000000000..a7474d500
--- /dev/null
+++ b/src/quality-agent/whitelist-exec-stacks
@@ -0,0 +1,2 @@
+/usr/lib/paxtest/*
+/usr/sbin/grub
diff --git a/src/quality-agent/whitelist-rpaths b/src/quality-agent/whitelist-rpaths
new file mode 100644
index 000000000..22a27345c
--- /dev/null
+++ b/src/quality-agent/whitelist-rpaths
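Review bot: Every scanelf-based check fails open when its whitelist cannot be read: `grep -v -f whitelist-rpaths` (and the textrels, exec-stacks and soname variants) resolves the file relative to the current working directory, so if the agent is invoked from anywhere but src/quality-agent — which the `ipfire_make quality-agent` call in make.sh presumably is — grep reports "No such file", the pipeline emits nothing, `f` stays empty and the RPATH, TEXTREL, exec-stack and SONAME checks all pass silently. Resolve the whitelists relative to the script and fail closed if one is missing, e.g. `WHITELIST_DIR=$(dirname "$(readlink -f "$0")")` followed by a guard such as `for w in rpaths textrels exec-stacks soname; do [ -r "${WHITELIST_DIR}/whitelist-${w}" ] || { echo "whitelist-${w} missing"; exit 1; }; done`, and then `grep -v -f "${WHITELIST_DIR}/whitelist-rpaths"`. The `2>/dev/null` on the scanelf invocations hides the same failure mode (a scanelf error also yields an empty `f` and a pass); `set -o pipefail` near the top, with the redirects dropped, would turn those into a visible non-zero exit. Note also that the word-split `${CHECK_PATHS}`, which after the second assignment holds every file under the checked trees, is passed as argv to find and scanelf, so a large tree can hit ARG_MAX and paths containing whitespace are split — a `find … -print0 | xargs -0` pipeline avoids both.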
@@ -0,0 +1,22 @@
+/lib/libhistory.so.6.0
+/lib/libreadline.so.6.0
+/sbin/splashy
+/usr/bin/cjpeg
+/usr/bin/lzmadec
+/usr/bin/djpeg
+/usr/bin/jpegtran
+/usr/bin/xzdec
+/usr/bin/openssl
+/usr/bin/slsh
+/usr/bin/xz
+/usr/bin/sensors
+/usr/lib/gconv/*
+/usr/lib/slang/*
+/usr/lib/python2.6/site-packages/*
+/usr/lib/python2.6/lib-dynload/*
+/usr/lib/perl5/site_perl/5.10.0/i686-linux/auto/XML/Parser/Expat/Expat.so
+/usr/lib/perl5/5.10.0/i686-linux/auto/DB_File/DB_File.so
+/usr/lib/perl5/5.10.0/i686-linux/auto/Time/HiRes/HiRes.so
+/usr/lib/perl5/5.10.0/i686-linux/auto/Compress/Raw/Zlib/Zlib.so
+/usr/sbin/isadump
+/usr/sbin/isaset
diff --git a/src/quality-agent/whitelist-soname b/src/quality-agent/whitelist-soname
new file mode 100644
index 000000000..38d20320e
--- /dev/null
+++ b/src/quality-agent/whitelist-soname
@@ -0,0 +1,2 @@
+/lib/libnss_ldap-*
+/lib/xtables/*
diff --git a/src/quality-agent/whitelist-textrels b/src/quality-agent/whitelist-textrels
new file mode 100644
index 000000000..db9dc583f
--- /dev/null
+++ b/src/quality-agent/whitelist-textrels
@@ -0,0 +1,3 @@
+/bin/gzip
+/usr/bin/cdda2wav
+/usr/lib/paxtest/*
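Review bot: These whitelist entries are written as shell globs but are consumed by `grep -v -f` in quality-agent, which treats each line as an unanchored basic regular expression, so they suppress more than intended: `/bin/gzip` also hides findings for `/usr/bin/gzip` or any path containing that substring, `/usr/bin/xz` already covers `/usr/bin/xzdec`, `.` matches any character in `libhistory.so.6.0`, and a trailing `/*` as in `/usr/lib/paxtest/*` means "zero or more slashes", not "anything below this directory". An attacker-controlled or accidentally placed binary whose path merely contains a whitelisted substring is therefore excluded from the RPATH, TEXTREL, exec-stack or SONAME check. Either anchor the entries as regexes, e.g. `^/bin/gzip$` and `^/usr/lib/paxtest/.*$`, and change the consumer to `grep -v -E -f`, or keep them as globs and match in a loop with `[[ $path == $pattern ]]`; a header comment in each file stating which syntax is in force would stop the two from drifting apart again.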