From patchwork Sun Jan 14 16:59:19 2018
X-Patchwork-Submitter: Jelle van der Waa
X-Patchwork-Id: 330
From: Jelle van der Waa
To: arch-projects@archlinux.org
Date: Sun, 14 Jan 2018 17:59:19 +0100
Message-Id: <20180114165919.15474-1-jelle@vdwaa.nl>
X-Mailer: git-send-email 2.15.1
Subject: [arch-projects] [namcap] elffiles: Add rule for no PIE binaries
List-Id: Arch Linux projects development discussion

Verify if packages were built with PIE enabled by checking if it's an ET_DYN file with a DT_DEBUG entry.
---
 Namcap/rules/elffiles.py              | 33 ++++++++++++++++++++++++++++++
 Namcap/tests/package/test_elffiles.py | 38 ++++++++++++++++++++++++++++++++++-
 namcap-tags                           |  1 +
 3 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a87c0db 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -194,4 +194,37 @@ class ELFUnstrippedRule(TarballRule): self.warnings = [("elffile-unstripped %s", i) for i in unstripped_binaries] +class NoPIERule(TarballRule): + """ + Checks for no PIE ELF files. + """ + + name = "elfnopie" + description = "Check for no PIE ELF files." + + def has_dt_debug(self, elffile): + for section in elffile.iter_sections(): + if not isinstance(section, DynamicSection): + continue + if any(tag.entry.d_tag == 'DT_DEBUG' for tag in section.iter_tags()): + return True + return False + + def analyze(self, pkginfo, tar): + nopie_binaries = [] + + for entry in tar: + if not entry.isfile(): + continue + fp = tar.extractfile(entry) + if not is_elf(fp): + continue + elffile = ELFFile(fp) + if elffile.header['e_type'] != 'ET_DYN' or not self.has_dt_debug(elffile): + nopie_binaries.append(entry.name) + + if nopie_binaries: + self.warnings = [("elffile-nopie %s", i) for i in nopie_binaries] + + # vim: set ts=4 sw=4 noet: diff --git a/Namcap/tests/package/test_elffiles.py b/Namcap/tests/package/test_elffiles.py index 6362a58..b11fa13 100644 --- a/Namcap/tests/package/test_elffiles.py +++ b/Namcap/tests/package/test_elffiles.py 
@@ -95,5 +95,41 @@ package() { ]) self.assertEqual(r.infos, []) -# vim: set ts=4 sw=4 noet: +class TestNoPieStack(MakepkgTest): + pkgbuild = """ +pkgname=__namcap_test_nopie +pkgver=1.0 +pkgrel=1 +pkgdesc="A package" +arch=('i686' 'x86_64') +url="http://www.example.com/" +license=('GPL') +depends=('glibc') +source=() +options=(!purge !zipman) +build() { + cd "${srcdir}" + echo "int main() { return 0; }" > main.c + /usr/bin/gcc -o main main.c -no-pie +} +package() { + install -D -m 644 "${srcdir}/main" "${pkgdir}/usr/bin/nopie" +} +""" + def test_nopie(self): + pkgfile = "__namcap_test_nopie-1.0-1-%(arch)s.pkg.tar" % { "arch": self.arch } + with open(os.path.join(self.tmpdir, "PKGBUILD"), "w") as f: + f.write(self.pkgbuild) + self.run_makepkg() + pkg, r = self.run_rule_on_tarball( + os.path.join(self.tmpdir, pkgfile), + Namcap.rules.elffiles.NoPIERule + ) + self.assertEqual(r.errors, []) + self.assertEqual(r.warnings, [ + ("elffile-nopie %s", + "usr/bin/nopie") + ]) + self.assertEqual(r.infos, []) +# vim: set ts=4 sw=4 noet: diff --git a/namcap-tags b/namcap-tags index f967724..420ad5c 100644 --- a/namcap-tags +++ b/namcap-tags @@ -17,6 +17,7 @@ directory-not-world-executable %s :: Directory (%s) does not have the world exec elffile-in-any-package %s :: ELF file ('%s') found in an 'any' package. elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path. elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s'). +elffile-nopie %s :: ELF file ('%s') lacks PIE. elffile-with-textrel %s :: ELF file ('%s') has text relocations. elffile-with-execstack %s :: ELF file ('%s') has executable stack. elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
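Review bot: The condition in `NoPIERule.analyze`, `elffile.header['e_type'] != 'ET_DYN' or not self.has_dt_debug(elffile)`, reports every shared library as lacking PIE: a `.so` is ET_DYN, but the linker only emits a DT_DEBUG entry for executables, so `has_dt_debug` returns False for libraries and they all end up in `nopie_binaries`. ET_REL objects (`.o` files, kernel modules) are flagged the same way although PIE does not apply to them. Restrict the warning to executables: warn on `e_type == 'ET_EXEC'` (non-PIE dynamic and `-static` executables both have this type), and treat an ET_DYN file without DT_DEBUG as a shared object rather than a non-PIE binary, so the DT_DEBUG check only serves to tell PIE executables apart from libraries.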
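Review bot: The test class in the `test_elffiles.py` hunk is named `TestNoPieStack`, which reads like a leftover from the execstack test; rename it to `TestNoPie` to match `test_nopie` and the rule name. The test also only covers the positive case. Add a second PKGBUILD that links the same `main.c` with `-pie` (and ideally one that builds a `-shared` object) and assert `r.warnings == []`, since the no-warning path is where the rule's `ET_DYN` / `DT_DEBUG` heuristic is most likely to misfire. Minor: `install -D -m 644` installs the binary without the execute bit; it does not affect the rule, but `-m 755` is what a real package would use.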
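Review bot: The new `namcap-tags` line `elffile-nopie %s :: ELF file ('%s') lacks PIE.` gives the packager no hint about the cause, unlike the neighbouring `elffile-without-relro` entry, which ends with `check LDFLAGS`. Suggest something like `ELF file ('%s') lacks PIE, check that the build honours CFLAGS/LDFLAGS (-fPIE -pie).` so the message points at the usual fix. The alphabetical placement between `elffile-in-questionable-dirs` and `elffile-with-textrel` is fine.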