From: Michael Tremer
Date: Thu, 9 Mar 2023 13:14:52 +0000 (+0000)
Subject: file: Check files for being RELRO
X-Git-Tag: 0.9.29~349
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d265bed6de767008c4c5381c2a95f020b6262198;p=pakfire.git

file: Check files for being RELRO

Signed-off-by: Michael Tremer
---

diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index 0d3ddb6ba..06745a428 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -1630,6 +1630,48 @@ static int pakfire_file_hardening_check_execstack(struct pakfire_file* file) {
 return pakfire_file_open_elf(file, __pakfire_file_hardening_check_execstack, NULL);
 }
 
+static __pakfire_file_hardening_check_partially_relro(
+ struct pakfire_file* file, Elf* elf, void* data) {
+ GElf_Phdr phdr;
+ int r;
+
+ size_t phnum = 0;
+
+ // Fetch the total numbers of program headers
+ r = elf_getphdrnum(elf, &phnum);
+ if (r) {
+ ERROR(file->pakfire, "Could not fetch number of program headers: %s\n",
+ elf_errmsg(-1));
+ return 1;
+ }
+
+ // Walk through all program headers
+ for (unsigned int i = 0; i < phnum; i++) {
+ if (!gelf_getphdr(elf, i, &phdr)) {
+ ERROR(file->pakfire, "Could not parse program header: %s\n", elf_errmsg(-1));
+ return 1;
+ }
+
+ switch (phdr.p_type) {
+ case PT_GNU_RELRO:
+ return 0;
+
+ default:
+ break;
+ }
+ }
+
+ // This file does not seem to have PT_GNU_RELRO set
+ file->hardening_issues |= PAKFIRE_FILE_NO_PARTIALLY_RELRO;
+
+ return 0;
+}
+
+static int pakfire_file_hardening_check_relro(struct pakfire_file* file) {
+ return pakfire_file_open_elf(file, __pakfire_file_hardening_check_partially_relro, NULL);
+}
+
+
 int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) {
 int r;
 
@@ -1650,6 +1692,11 @@ int pakfire_file_check_hardening(struct pakfire_file* file, int* issues) {
 if (r)
 return r;
 
+ // Check for RELRO
+ r = pakfire_file_hardening_check_relro(file);
+ if (r)
+ return r;
+
 // All checks done
 file->hardening_check_done = 1;
 }
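Review bot: The callback `__pakfire_file_hardening_check_partially_relro` is declared without a return type (`static __pakfire_file_hardening_check_partially_relro(`), so it relies on implicit int, which C99 removed and recent compilers reject; it should read `static int __pakfire_file_hardening_check_partially_relro(` like the execstack callback it mirrors. The walk also flags any ELF in which no PT_GNU_RELRO header is found, which presumably includes files with zero program headers such as relocatable objects, unless pakfire_file_open_elf already filters those out — an explicit `phnum == 0` or `e_type` guard, or a comment stating where that filtering happens, would make the intent clear. A comment above the function could also record that a PT_GNU_RELRO segment establishes only partial RELRO: full RELRO additionally depends on BIND_NOW being set in the dynamic section, which this check does not examine, so the NO_PARTIALLY_RELRO flag name is the accurate one. The body of `pakfire_file_check_hardening` continues outside the hunk.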
diff --git a/src/libpakfire/include/pakfire/file.h b/src/libpakfire/include/pakfire/file.h
index 9b8a29402..dd69abb86 100644
--- a/src/libpakfire/include/pakfire/file.h
+++ b/src/libpakfire/include/pakfire/file.h
@@ -155,9 +155,10 @@ int pakfire_file_verify(struct pakfire_file* file, int* status);
 Hardening Checks
 */
 enum pakfire_file_hardening_flags {
- PAKFIRE_FILE_NO_SSP = (1 << 0),
- PAKFIRE_FILE_NO_PIE = (1 << 1),
- PAKFIRE_FILE_EXECSTACK = (1 << 2),
+ PAKFIRE_FILE_NO_SSP = (1 << 0),
+ PAKFIRE_FILE_NO_PIE = (1 << 1),
+ PAKFIRE_FILE_EXECSTACK = (1 << 2),
+ PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 3),
 };
 
 int pakfire_file_check_hardening(struct pakfire_file* file, int* issues);
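Review bot: The new flag `PAKFIRE_FILE_NO_PARTIALLY_RELRO` is undocumented, like its siblings, so a caller reading `issues` has only the name to go on; a trailing comment naming the condition that sets it would help, e.g. `PAKFIRE_FILE_NO_PARTIALLY_RELRO = (1 << 3), // no PT_GNU_RELRO program header`. The other changed lines in this hunk only re-align the existing initialisers.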