From patchwork Sun Jan 14 17:18:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jelle van der Waa <jelle@vdwaa.nl>
X-Patchwork-Id: 331
Return-Path: <arch-projects-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id E559E1E3FB4A
	for <patchwork@archlinux.org>; Sun, 14 Jan 2018 17:14:38 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIM_SIGNED=0.1,
	RCVD_IN_DNSWL_MED=-2.3,T_DKIM_INVALID=1 autolearn=ham autolearn_force=no
	version=3.4.1
X-Spam-BL-Results: <dns:70.91.198.88.list.dnswl.org> [127.0.9.2]
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Sun, 14 Jan 2018 17:14:38 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 4F19282C976DA;
	Sun, 14 Jan 2018 17:14:33 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by orion.archlinux.org (Postfix) with ESMTPS;
	Sun, 14 Jan 2018 17:14:33 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 380252B16F;
	Sun, 14 Jan 2018 17:14:33 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=fail reason="signature verification failed" (2048-bit key)
 header.d=vdwaa-nl.20150623.gappssmtp.com
 header.i=@vdwaa-nl.20150623.gappssmtp.com header.b=gNlWx79i
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id C74922090D
 for <arch-projects@lists.archlinux.org>;
 Sun, 14 Jan 2018 17:14:30 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <arch-projects@lists.archlinux.org>;
 Sun, 14 Jan 2018 17:14:30 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id 6930982C976D3
 for <arch-projects@archlinux.org>; Sun, 14 Jan 2018 17:14:25 +0000 (UTC)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com
 [IPv6:2a00:1450:400c:c09::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <arch-projects@archlinux.org>; Sun, 14 Jan 2018 17:14:25 +0000 (UTC)
Received: by mail-wm0-x22a.google.com with SMTP id 143so20659838wma.5
 for <arch-projects@archlinux.org>; Sun, 14 Jan 2018 09:14:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=vdwaa-nl.20150623.gappssmtp.com; s=20150623;
 h=from:to:cc:subject:date:message-id;
 bh=U0x6MgnJ5OI2wfiaYEsggL3q1YUK90UZFVu68Zpy/RQ=;
 b=gNlWx79inSjEuallunNwIGZPA6lwozTlA8OqLUuASsYNCslyXIBzqmksWB76br+qVG
 uGYO7g2Tt3jibRC0qk6geBxHBtdTM9vZVpQyJBraczw8vLm7/CfX1Gd1YN1S94uwrnQc
 m5YTO/2r/rTGpBnqEyxLxaKM0AFrJkAFC9cNoaY70OLYTSBjVWCQuruIK2ftFvrYPIMK
 NIkoXwDl/tpqtmArwnWmbTOQ/6b/txoVl231hq+DprhRSMsmh6DG8twl9NlNpRejYGcm
 4zt+lcLsA/bpSmoQMj7oC/GE8KbNkATrhrYalo72jdSrSBpQBCGd3KhHiX4FdssMI7o7
 qcjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id;
 bh=U0x6MgnJ5OI2wfiaYEsggL3q1YUK90UZFVu68Zpy/RQ=;
 b=DbGHEtMmFXHHloeGQgGPHh4hnoAh6cQekHiQsgiXVA07Gu6uy6DBZWjot8T2yhY9V3
 5sRP2W7s3Y63JLUPPIpDLT07XJ7SFAAuu5Q6E+wovrZGb+oN2seltQa/q7QgtidnpUc9
 wjnv36DyozDwC447ID+6XacDGTAyU6i2QuGkwcSADG3HBIqSZv06T99ZwWXmLWBIiTsX
 +XQy3p7ek+zxKQnKlt9pnhDiB/Gbk8P/XjpQAgXhXqNIUx/uhPWXcQ38hCLXn4rqfZTF
 aB7KKm5SC9LecKdL6AJqoINn0ppFBIc/x1HMGmvagZEuPsimZKG6er0yLRQWBHt9t9Ed
 BRdg==
X-Gm-Message-State: AKwxytdvptZLmD3CyNxgazASnA2nMMJET7JEei3OPX3e/WUDtGnbH/Fh
 qqTSq1f5b7AQ644ZNB1iKCsNdcRMWwY=
X-Google-Smtp-Source: 
 ACJfBotlaheo/S6nfXBrGhBYFjfN8yIGq96i1E4r/eGw3JH4iftMdsflwZ6x6paOg0SOkGoc7xN/WQ==
X-Received: by 10.80.165.21 with SMTP id y21mr21417876edb.148.1515950064850;
 Sun, 14 Jan 2018 09:14:24 -0800 (PST)
Received: from helium.space.revspace.nl
 ([2001:470:7a95:4242:c166:a4da:4f77:965a])
 by smtp.gmail.com with ESMTPSA id c7sm7425810edc.37.2018.01.14.09.14.23
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sun, 14 Jan 2018 09:14:23 -0800 (PST)
From: Jelle van der Waa <jelle@vdwaa.nl>
To: arch-projects@archlinux.org
Date: Sun, 14 Jan 2018 18:18:02 +0100
Message-Id: <20180114171802.15901-1-jelle@vdwaa.nl>
X-Mailer: git-send-email 2.15.1
Subject: [arch-projects] [namcap] elffiles: Check for FULL RELRO
X-BeenThere: arch-projects@archlinux.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Arch Linux projects development discussion
 <arch-projects.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/arch-projects>,
 <mailto:arch-projects-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/arch-projects/>
List-Post: <mailto:arch-projects@archlinux.org>
List-Help: <mailto:arch-projects-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/arch-projects>,
 <mailto:arch-projects-request@archlinux.org?subject=subscribe>
Reply-To: Arch Linux projects development discussion
 <arch-projects@archlinux.org>
Errors-To: arch-projects-bounces@archlinux.org
Sender: "arch-projects" <arch-projects-bounces@archlinux.org>

Instead of checking for RELRO, check for FULL RELRO which is the default
now.
---
 Namcap/rules/elffiles.py | 15 ++++++++++++---
 namcap-tags              |  2 +-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a336d18 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -137,10 +137,17 @@ class ELFGnuRelroRule(TarballRule):
 
 	Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO.
 	"""
-	# not smart enough for full/partial RELRO (DT_BIND_NOW?)
 
 	name = "elfgnurelro"
-	description = "Check for RELRO in ELF files."
+	description = "Check for FULL RELRO in ELF files."
+
+	def has_bind_now(self, elffile):
+		for section in elffile.iter_sections():
+			if not isinstance(section, DynamicSection):
+				continue
+			if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in section.iter_tags()):
+				return True
+		return False
 
 	def analyze(self, pkginfo, tar):
 		missing_relro = []
@@ -153,7 +160,9 @@ class ELFGnuRelroRule(TarballRule):
 				continue
 			elffile = ELFFile(fp)
 			if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in elffile.iter_segments()):
-				continue
+				if self.has_bind_now(elffile):
+					continue
+
 			missing_relro.append(entry.name)
 
 		if missing_relro:
diff --git a/namcap-tags b/namcap-tags
index f967724..f464b9c 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -19,7 +19,7 @@ elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path.
 elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
 elffile-with-textrel %s :: ELF file ('%s') has text relocations.
 elffile-with-execstack %s :: ELF file ('%s') has executable stack.
-elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
+elffile-without-relro %s :: ELF file ('%s') lacks FULL RELRO, check LDFLAGS.
 elffile-unstripped %s :: ELF file ('%s') is unstripped.
 empty-directory %s :: Directory (%s) is empty
 error-running-rule %s :: Error running rule '%s'