From: "Mike Frysinger"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger"
Message-ID: <1432611991.efa5c5e7b7a5ef7b4533dfe3bd6befc767b7b34a.vapier@gentoo>
Subject: [gentoo-commits] proj/portage:master commit in: bin/install-qa-check.d/
X-VCS-Repository: proj/portage
X-VCS-Files: bin/install-qa-check.d/10executable-issues bin/install-qa-check.d/80libraries
X-VCS-Directories: bin/install-qa-check.d/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: efa5c5e7b7a5ef7b4533dfe3bd6befc767b7b34a
X-VCS-Branch: master
Date: Tue, 26 May 2015 03:46:43 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 243a4f49-d00b-40d3-8cec-a0f924e47fa4
X-Archives-Hash: ab44deea6c7c3217cad282b33e93f381

commit:     efa5c5e7b7a5ef7b4533dfe3bd6befc767b7b34a
Author:     Mike Frysinger chromium org>
AuthorDate: Tue May 26 03:42:27 2015 +0000
Commit:     Mike Frysinger gentoo org>
CommitDate: Tue May 26 03:46:31 2015 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=efa5c5e7

install-qa-check.d: tweak scanelf checks

Rather than have a function whose entire body is indented by a scanelf existence check, do the check at the top and return early. This keeps the indentation from getting too out of hand.

(Use `git log -p -1 -w` to see actual changed lines.)

 bin/install-qa-check.d/10executable-issues | 248 +++++++++++++++--------------
 bin/install-qa-check.d/80libraries         | 130 +++++++-------
 2 files changed, 193 insertions(+), 185 deletions(-)

diff --git a/bin/install-qa-check.d/10executable-issues b/bin/install-qa-check.d/10executable-issues
index 5c80660..10d3c71 100644
--- a/bin/install-qa-check.d/10executable-issues
+++ b/bin/install-qa-check.d/10executable-issues
@@ -2,141 +2,143 @@ # text relocations, executable stacks elf_check() { - if type -P scanelf > /dev/null && ! has binchecks ${RESTRICT}; then - local insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET} - local f x + if ! type -P scanelf >/dev/null || has binchecks ${RESTRICT}; then + return + fi - # display warnings when using stricter because we die afterwards - if has stricter ${FEATURES} ; then - local PORTAGE_QUIET - fi + local insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET} + local f x - # Make sure we disallow insecure RUNPATH/RPATHs. - # 1) References to PORTAGE_BUILDDIR are banned because it's a - # security risk. We don't want to load files from a - # temporary directory. - # 2) If ROOT != "/", references to ROOT are banned because - # that directory won't exist on the target system. - # 3) Null paths are banned because the loader will search $PWD when - # it finds null paths. - local forbidden_dirs="${PORTAGE_BUILDDIR}" - if [[ -n "${ROOT}" && "${ROOT}" != "/" ]]; then - forbidden_dirs+=" ${ROOT}" - fi - local dir l rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}") - f="" - for dir in ${forbidden_dirs}; do - for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do - f+=" ${l%%:*}\n" - if ! has stricter ${FEATURES}; then - __vecho "Auto fixing rpaths for ${l%%:*}" - TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null - fi - done + # display warnings when using stricter because we die afterwards + if has stricter ${FEATURES} ; then + local PORTAGE_QUIET + fi + + # Make sure we disallow insecure RUNPATH/RPATHs. + # 1) References to PORTAGE_BUILDDIR are banned because it's a + # security risk. We don't want to load files from a + # temporary directory. + # 2) If ROOT != "/", references to ROOT are banned because + # that directory won't exist on the target system. + # 3) Null paths are banned because the loader will search $PWD when + # it finds null paths. 
+ local forbidden_dirs="${PORTAGE_BUILDDIR}" + if [[ -n "${ROOT}" && "${ROOT}" != "/" ]]; then + forbidden_dirs+=" ${ROOT}" + fi + local dir l rpath_files=$(scanelf -F '%F:%r' -qBR "${ED}") + f="" + for dir in ${forbidden_dirs}; do + for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do + f+=" ${l%%:*}\n" + if ! has stricter ${FEATURES}; then + __vecho "Auto fixing rpaths for ${l%%:*}" + TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null + fi done + done - # Reject set*id binaries with $ORIGIN in RPATH #260331 - x=$( - find "${ED}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \ - xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN' - ) + # Reject set*id binaries with $ORIGIN in RPATH #260331 + x=$( + find "${ED}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \ + xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN' + ) - # Print QA notice. - if [[ -n ${f}${x} ]] ; then - __vecho -ne '\n' - eqawarn "QA Notice: The following files contain insecure RUNPATHs" - eqawarn " Please file a bug about this at http://bugs.gentoo.org/" - eqawarn " with the maintaining herd of the package." - eqawarn "${f}${f:+${x:+\n}}${x}" - __vecho -ne '\n' - if [[ -n ${x} ]] || has stricter ${FEATURES} ; then - insecure_rpath=1 - fi + # Print QA notice. + if [[ -n ${f}${x} ]] ; then + __vecho -ne '\n' + eqawarn "QA Notice: The following files contain insecure RUNPATHs" + eqawarn " Please file a bug about this at http://bugs.gentoo.org/" + eqawarn " with the maintaining herd of the package." + eqawarn "${f}${f:+${x:+\n}}${x}" + __vecho -ne '\n' + if [[ -n ${x} ]] || has stricter ${FEATURES} ; then + insecure_rpath=1 fi + fi - # TEXTRELs are baaaaaaaad - # Allow devs to mark things as ignorable ... e.g. things that are - # binary-only and upstream isn't cooperating (nvidia-glx) ... we - # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ... - # the former overrides the latter ... regexes allowed ! 
:) - local qa_var="QA_TEXTRELS_${ARCH/-/_}" - [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var} - [[ -n ${QA_STRICT_TEXTRELS} ]] && QA_TEXTRELS="" - export QA_TEXTRELS="${QA_TEXTRELS} lib*/modules/*.ko" - f=$(scanelf -qyRF '%t %p' "${ED}" | grep -v 'usr/lib/debug/') - if [[ -n ${f} ]] ; then - scanelf -qyRAF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log - __vecho -ne '\n' - eqawarn "QA Notice: The following files contain runtime text relocations" - eqawarn " Text relocations force the dynamic linker to perform extra" - eqawarn " work at startup, waste system resources, and may pose a security" - eqawarn " risk. On some architectures, the code may not even function" - eqawarn " properly, if at all." - eqawarn " For more information, see:" - eqawarn - eqawarn " https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels" - eqawarn - eqawarn " Please include the following list of files in your report:" - eqawarn "${f}" - __vecho -ne '\n' - die_msg="${die_msg} textrels," - sleep 1 - fi + # TEXTRELs are baaaaaaaad + # Allow devs to mark things as ignorable ... e.g. things that are + # binary-only and upstream isn't cooperating (nvidia-glx) ... we + # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ... + # the former overrides the latter ... regexes allowed ! :) + local qa_var="QA_TEXTRELS_${ARCH/-/_}" + [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var} + [[ -n ${QA_STRICT_TEXTRELS} ]] && QA_TEXTRELS="" + export QA_TEXTRELS="${QA_TEXTRELS} lib*/modules/*.ko" + f=$(scanelf -qyRF '%t %p' "${ED}" | grep -v 'usr/lib/debug/') + if [[ -n ${f} ]] ; then + scanelf -qyRAF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log + __vecho -ne '\n' + eqawarn "QA Notice: The following files contain runtime text relocations" + eqawarn " Text relocations force the dynamic linker to perform extra" + eqawarn " work at startup, waste system resources, and may pose a security" + eqawarn " risk. 
On some architectures, the code may not even function" + eqawarn " properly, if at all." + eqawarn " For more information, see:" + eqawarn + eqawarn " https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels" + eqawarn + eqawarn " Please include the following list of files in your report:" + eqawarn "${f}" + __vecho -ne '\n' + die_msg="${die_msg} textrels," + sleep 1 + fi - # Also, executable stacks only matter on linux (and just glibc atm ...) - f="" + # Also, executable stacks only matter on linux (and just glibc atm ...) + f="" + case ${CTARGET:-${CHOST}} in + *-linux-gnu*) + # Check for files with executable stacks, but only on arches which + # are supported at the moment. Keep this list in sync with + # https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart#Arch_Status case ${CTARGET:-${CHOST}} in - *-linux-gnu*) - # Check for files with executable stacks, but only on arches which - # are supported at the moment. Keep this list in sync with - # https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart#Arch_Status - case ${CTARGET:-${CHOST}} in - arm*|i?86*|ia64*|m68k*|s390*|sh*|x86_64*) - # Allow devs to mark things as ignorable ... e.g. things - # that are binary-only and upstream isn't cooperating ... - # we allow ebuild authors to set QA_EXECSTACK_arch and - # QA_EXECSTACK ... the former overrides the latter ... - # regexes allowed ! :) + arm*|i?86*|ia64*|m68k*|s390*|sh*|x86_64*) + # Allow devs to mark things as ignorable ... e.g. things + # that are binary-only and upstream isn't cooperating ... + # we allow ebuild authors to set QA_EXECSTACK_arch and + # QA_EXECSTACK ... the former overrides the latter ... + # regexes allowed ! 
:) - qa_var="QA_EXECSTACK_${ARCH/-/_}" - [[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var} - [[ -n ${QA_STRICT_EXECSTACK} ]] && QA_EXECSTACK="" - qa_var="QA_WX_LOAD_${ARCH/-/_}" - [[ -n ${!qa_var} ]] && QA_WX_LOAD=${!qa_var} - [[ -n ${QA_STRICT_WX_LOAD} ]] && QA_WX_LOAD="" - export QA_EXECSTACK="${QA_EXECSTACK} lib*/modules/*.ko" - export QA_WX_LOAD="${QA_WX_LOAD} lib*/modules/*.ko" - f=$(scanelf -qyRAF '%e %p' "${ED}" | grep -v 'usr/lib/debug/') - ;; - esac - ;; + qa_var="QA_EXECSTACK_${ARCH/-/_}" + [[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var} + [[ -n ${QA_STRICT_EXECSTACK} ]] && QA_EXECSTACK="" + qa_var="QA_WX_LOAD_${ARCH/-/_}" + [[ -n ${!qa_var} ]] && QA_WX_LOAD=${!qa_var} + [[ -n ${QA_STRICT_WX_LOAD} ]] && QA_WX_LOAD="" + export QA_EXECSTACK="${QA_EXECSTACK} lib*/modules/*.ko" + export QA_WX_LOAD="${QA_WX_LOAD} lib*/modules/*.ko" + f=$(scanelf -qyRAF '%e %p' "${ED}" | grep -v 'usr/lib/debug/') + ;; esac - if [[ -n ${f} ]] ; then - # One more pass to help devs track down the source - scanelf -qyRAF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log - __vecho -ne '\n' - eqawarn "QA Notice: The following files contain writable and executable sections" - eqawarn " Files with such sections will not work properly (or at all!) on some" - eqawarn " architectures/operating systems. A bug should be filed at" - eqawarn " http://bugs.gentoo.org/ to make sure the issue is fixed." - eqawarn " For more information, see:" - eqawarn - eqawarn " https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart" - eqawarn - eqawarn " Please include the following list of files in your report:" - eqawarn " Note: Bugs should be filed for the respective maintainers" - eqawarn " of the package in question and not hardened@g.o." 
- eqawarn "${f}" - __vecho -ne '\n' - die_msg="${die_msg} execstacks" - sleep 1 - fi + ;; + esac + if [[ -n ${f} ]] ; then + # One more pass to help devs track down the source + scanelf -qyRAF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log + __vecho -ne '\n' + eqawarn "QA Notice: The following files contain writable and executable sections" + eqawarn " Files with such sections will not work properly (or at all!) on some" + eqawarn " architectures/operating systems. A bug should be filed at" + eqawarn " http://bugs.gentoo.org/ to make sure the issue is fixed." + eqawarn " For more information, see:" + eqawarn + eqawarn " https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart" + eqawarn + eqawarn " Please include the following list of files in your report:" + eqawarn " Note: Bugs should be filed for the respective maintainers" + eqawarn " of the package in question and not hardened@g.o." + eqawarn "${f}" + __vecho -ne '\n' + die_msg="${die_msg} execstacks" + sleep 1 + fi - if [[ ${insecure_rpath} -eq 1 ]] ; then - die "Aborting due to serious QA concerns with RUNPATH/RPATH" - elif [[ -n ${die_msg} ]] && has stricter ${FEATURES} ; then - die "Aborting due to QA concerns: ${die_msg}" - fi + if [[ ${insecure_rpath} -eq 1 ]] ; then + die "Aborting due to serious QA concerns with RUNPATH/RPATH" + elif [[ -n ${die_msg} ]] && has stricter ${FEATURES} ; then + die "Aborting due to QA concerns: ${die_msg}" fi } diff --git a/bin/install-qa-check.d/80libraries b/bin/install-qa-check.d/80libraries index 3977bae..8257e5b 100644 --- a/bin/install-qa-check.d/80libraries +++ b/bin/install-qa-check.d/80libraries 
@@ -1,76 +1,82 @@ # Check for issues with installed libraries -lib_check() { +scanelf_lib_check() { local f x i j - if type -P scanelf > /dev/null && ! has binchecks ${RESTRICT}; then - # Check for shared libraries lacking SONAMEs - local qa_var="QA_SONAME_${ARCH/-/_}" - eval "[[ -n \${!qa_var} ]] && QA_SONAME=(\"\${${qa_var}[@]}\")" - f=$(scanelf -ByF '%S %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { print }' | sed -e "s:^[[:space:]]${ED}:/:") - if [[ -n ${f} ]] ; then - echo "${f}" > "${T}"/scanelf-missing-SONAME.log - if [[ "${QA_STRICT_SONAME-unset}" == unset ]] ; then - if [[ ${#QA_SONAME[@]} -gt 1 ]] ; then - for x in "${QA_SONAME[@]}" ; do - sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-SONAME.log - done - else - local shopts=$- - set -o noglob - for x in ${QA_SONAME} ; do - sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-SONAME.log - done - set +o noglob - set -${shopts} - fi - fi - sed -e "/^\$/d" -i "${T}"/scanelf-missing-SONAME.log - f=$(<"${T}"/scanelf-missing-SONAME.log) - if [[ -n ${f} ]] ; then - __vecho -ne '\n' - eqawarn "QA Notice: The following shared libraries lack a SONAME" - eqawarn "${f}" - __vecho -ne '\n' - sleep 1 + # Check for shared libraries lacking SONAMEs + local qa_var="QA_SONAME_${ARCH/-/_}" + eval "[[ -n \${!qa_var} ]] && QA_SONAME=(\"\${${qa_var}[@]}\")" + f=$(scanelf -ByF '%S %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { print }' | sed -e "s:^[[:space:]]${ED}:/:") + if [[ -n ${f} ]] ; then + echo "${f}" > "${T}"/scanelf-missing-SONAME.log + if [[ "${QA_STRICT_SONAME-unset}" == unset ]] ; then + if [[ ${#QA_SONAME[@]} -gt 1 ]] ; then + for x in "${QA_SONAME[@]}" ; do + sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-SONAME.log + done else - rm -f "${T}"/scanelf-missing-SONAME.log + local shopts=$- + set -o noglob + for x in ${QA_SONAME} ; do + sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-SONAME.log + done + set +o noglob + set -${shopts} fi fi - - # Check for shared libraries lacking NEEDED entries - 
qa_var="QA_DT_NEEDED_${ARCH/-/_}" - eval "[[ -n \${!qa_var} ]] && QA_DT_NEEDED=(\"\${${qa_var}[@]}\")" - f=$(scanelf -ByF '%n %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { print }' | sed -e "s:^[[:space:]]${ED}:/:") + sed -e "/^\$/d" -i "${T}"/scanelf-missing-SONAME.log + f=$(<"${T}"/scanelf-missing-SONAME.log) if [[ -n ${f} ]] ; then - echo "${f}" > "${T}"/scanelf-missing-NEEDED.log - if [[ "${QA_STRICT_DT_NEEDED-unset}" == unset ]] ; then - if [[ ${#QA_DT_NEEDED[@]} -gt 1 ]] ; then - for x in "${QA_DT_NEEDED[@]}" ; do - sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-NEEDED.log - done - else - local shopts=$- - set -o noglob - for x in ${QA_DT_NEEDED} ; do - sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-NEEDED.log - done - set +o noglob - set -${shopts} - fi - fi - sed -e "/^\$/d" -i "${T}"/scanelf-missing-NEEDED.log - f=$(<"${T}"/scanelf-missing-NEEDED.log) - if [[ -n ${f} ]] ; then - __vecho -ne '\n' - eqawarn "QA Notice: The following shared libraries lack NEEDED entries" - eqawarn "${f}" - __vecho -ne '\n' - sleep 1 + __vecho -ne '\n' + eqawarn "QA Notice: The following shared libraries lack a SONAME" + eqawarn "${f}" + __vecho -ne '\n' + sleep 1 + else + rm -f "${T}"/scanelf-missing-SONAME.log + fi + fi + + # Check for shared libraries lacking NEEDED entries + qa_var="QA_DT_NEEDED_${ARCH/-/_}" + eval "[[ -n \${!qa_var} ]] && QA_DT_NEEDED=(\"\${${qa_var}[@]}\")" + f=$(scanelf -ByF '%n %p' "${ED}"{,usr/}lib*/lib*.so* | awk '$2 == "" { print }' | sed -e "s:^[[:space:]]${ED}:/:") + if [[ -n ${f} ]] ; then + echo "${f}" > "${T}"/scanelf-missing-NEEDED.log + if [[ "${QA_STRICT_DT_NEEDED-unset}" == unset ]] ; then + if [[ ${#QA_DT_NEEDED[@]} -gt 1 ]] ; then + for x in "${QA_DT_NEEDED[@]}" ; do + sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-NEEDED.log + done else - rm -f "${T}"/scanelf-missing-NEEDED.log + local shopts=$- + set -o noglob + for x in ${QA_DT_NEEDED} ; do + sed -e "s#^/${x#/}\$##" -i "${T}"/scanelf-missing-NEEDED.log + done + set +o 
noglob + set -${shopts} fi fi + sed -e "/^\$/d" -i "${T}"/scanelf-missing-NEEDED.log + f=$(<"${T}"/scanelf-missing-NEEDED.log) + if [[ -n ${f} ]] ; then + __vecho -ne '\n' + eqawarn "QA Notice: The following shared libraries lack NEEDED entries" + eqawarn "${f}" + __vecho -ne '\n' + sleep 1 + else + rm -f "${T}"/scanelf-missing-NEEDED.log + fi + fi +} + +lib_check() { + local f x i j + + if type -P scanelf >/dev/null && ! has binchecks ${RESTRICT}; then + scanelf_lib_check fi # this should help to ensure that all (most?) shared libraries are executable
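Review bot: in the 10executable-issues hunk, the new guard at the top of elf_check, `if ! type -P scanelf >/dev/null || has binchecks ${RESTRICT}; then return; fi`, is the only non-whitespace change in that file and it inverts the old `A && !B` condition correctly, but the bare `return` leaves the function's exit status to whatever the last command of the condition list returned (the negated `type -P` or `has`), which happens to be 0 in both skip cases. Suggest writing `return 0` so the "nothing to check" exit is explicit rather than relying on that detail, and a short comment above the guard saying why the whole check is skipped (no scanelf in PATH, or binchecks restricted) would spare the next reader a trip to the old indented version.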
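Review bot: in the 80libraries hunk, the new `scanelf_lib_check()` opens with `local f x i j`, copied from lib_check, but its body (the SONAME and NEEDED checks, down to the closing `}`) only uses `f`, `x` and `qa_var`; suggest trimming that to `local f x` so the unused `i j` don't hint at a loop that isn't there. The helper also carries no comment stating its precondition: the `type -P scanelf >/dev/null && ! has binchecks ${RESTRICT}` guard stays in lib_check around the call rather than at the top of the helper as the commit message describes, so a one-line comment above `scanelf_lib_check()` saying it must only be called when scanelf is available and binchecks is not restricted would stop someone calling it unguarded later.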