[namcap] elffiles: Check for FULL RELRO
diff mbox

Message ID 20180114171802.15901-1-jelle@vdwaa.nl
State Accepted
Headers show

Commit Message

Jelle van der Waa Jan. 14, 2018, 5:18 p.m. UTC
Instead of checking for RELRO, check for FULL RELRO which is the default
now.
---
 Namcap/rules/elffiles.py | 15 ++++++++++++---
 namcap-tags              |  2 +-
 2 files changed, 13 insertions(+), 4 deletions(-)

Patch
diff mbox

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a336d18 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -137,10 +137,17 @@  class ELFGnuRelroRule(TarballRule):
 
 	Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO.
 	"""
-	# not smart enough for full/partial RELRO (DT_BIND_NOW?)
 
 	name = "elfgnurelro"
-	description = "Check for RELRO in ELF files."
+	description = "Check for FULL RELRO in ELF files."
+
+	def has_bind_now(self, elffile):
+		for section in elffile.iter_sections():
+			if not isinstance(section, DynamicSection):
+				continue
+			if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in section.iter_tags()):
+				return True
+		return False
 
 	def analyze(self, pkginfo, tar):
 		missing_relro = []
@@ -153,7 +160,9 @@  class ELFGnuRelroRule(TarballRule):
 				continue
 			elffile = ELFFile(fp)
 			if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in elffile.iter_segments()):
-				continue
+				if self.has_bind_now(elffile):
+					continue
+
 			missing_relro.append(entry.name)
 
 		if missing_relro:
diff --git a/namcap-tags b/namcap-tags
index f967724..f464b9c 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -19,7 +19,7 @@  elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path.
 elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
 elffile-with-textrel %s :: ELF file ('%s') has text relocations.
 elffile-with-execstack %s :: ELF file ('%s') has executable stack.
-elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
+elffile-without-relro %s :: ELF file ('%s') lacks FULL RELRO, check LDFLAGS.
 elffile-unstripped %s :: ELF file ('%s') is unstripped.
 empty-directory %s :: Directory (%s) is empty
 error-running-rule %s :: Error running rule '%s'