[arch-projects] [namcap] elffiles: Add rule for no PIE binaries

Jelle van der Waa jelle at vdwaa.nl
Sun Jan 14 16:59:19 UTC 2018


Verify if packages were built with PIE enabled by checking if it's
an ET_DYN file with a DT_DEBUG entry.
---
 Namcap/rules/elffiles.py              | 33 ++++++++++++++++++++++++++++++
 Namcap/tests/package/test_elffiles.py | 38 ++++++++++++++++++++++++++++++++++-
 namcap-tags                           |  1 +
 3 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a87c0db 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -194,4 +194,37 @@ class ELFUnstrippedRule(TarballRule):
 			self.warnings = [("elffile-unstripped %s", i)
 					for i in unstripped_binaries]
 
+class NoPIERule(TarballRule):
+	"""
+	Checks for no PIE ELF files.
+	"""
+
+	name = "elfnopie"
+	description = "Check for no PIE ELF files."
+
+	def has_dt_debug(self, elffile):
+		for section in elffile.iter_sections():
+			if not isinstance(section, DynamicSection):
+				continue
+			if any(tag.entry.d_tag == 'DT_DEBUG' for tag in section.iter_tags()):
+				return True
+		return False
+
+	def analyze(self, pkginfo, tar):
+		nopie_binaries = []
+
+		for entry in tar:
+			if not entry.isfile():
+				continue
+			fp = tar.extractfile(entry)
+			if not is_elf(fp):
+				continue
+			elffile = ELFFile(fp)
+			if elffile.header['e_type'] != 'ET_DYN' or not self.has_dt_debug(elffile):
+				nopie_binaries.append(entry.name)
+
+		if nopie_binaries:
+			self.warnings = [("elffile-nopie %s", i) for i in nopie_binaries]
+
+
 # vim: set ts=4 sw=4 noet:
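Review bot: The condition in analyze, `if elffile.header['e_type'] != 'ET_DYN' or not self.has_dt_debug(elffile):`, also flags every ET_DYN object that carries no DT_DEBUG entry, which by the commit's own description (a PIE executable is "an ET_DYN file with a DT_DEBUG entry") is what a shared library looks like, so libraries shipped in the package would presumably be reported as lacking PIE. If DT_DEBUG is the marker for a dynamically linked executable, the check should be restricted to those: `if self.has_dt_debug(elffile) and elffile.header['e_type'] != 'ET_DYN':`; statically linked executables, which have no dynamic section, would then be skipped, and that limitation belongs in the class docstring. The `fp` returned by `tar.extractfile(entry)` is never closed, so a handle is leaked per ELF member; a `with` block around the ELFFile work, or whatever handling the sibling rules in this file use, would avoid that. A one-line docstring on has_dt_debug, e.g. `"""Return True if any DynamicSection of elffile has a DT_DEBUG tag."""`, would document the heuristic the rule relies on.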
diff --git a/Namcap/tests/package/test_elffiles.py b/Namcap/tests/package/test_elffiles.py
index 6362a58..b11fa13 100644
--- a/Namcap/tests/package/test_elffiles.py
+++ b/Namcap/tests/package/test_elffiles.py
@@ -95,5 +95,41 @@ package() {
 		])
 		self.assertEqual(r.infos, [])
 
-# vim: set ts=4 sw=4 noet:
+class TestNoPieStack(MakepkgTest):
+	pkgbuild = """
+pkgname=__namcap_test_nopie
+pkgver=1.0
+pkgrel=1
+pkgdesc="A package"
+arch=('i686' 'x86_64')
+url="http://www.example.com/"
+license=('GPL')
+depends=('glibc')
+source=()
+options=(!purge !zipman)
+build() {
+  cd "${srcdir}"
+  echo "int main() { return 0; }" > main.c
+  /usr/bin/gcc -o main main.c -no-pie
+}
+package() {
+  install -D -m 644 "${srcdir}/main" "${pkgdir}/usr/bin/nopie"
+}
+"""
+	def test_nopie(self):
+		pkgfile = "__namcap_test_nopie-1.0-1-%(arch)s.pkg.tar" % { "arch": self.arch }
+		with open(os.path.join(self.tmpdir, "PKGBUILD"), "w") as f:
+			f.write(self.pkgbuild)
+		self.run_makepkg()
+		pkg, r = self.run_rule_on_tarball(
+				os.path.join(self.tmpdir, pkgfile),
+				Namcap.rules.elffiles.NoPIERule
+				)
+		self.assertEqual(r.errors, [])
+		self.assertEqual(r.warnings, [
+			("elffile-nopie %s",
+				"usr/bin/nopie")
+		])
+		self.assertEqual(r.infos, [])
 
+# vim: set ts=4 sw=4 noet:
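Review bot: The class name `TestNoPieStack` reads as a leftover from the executable-stack test above; the rule under test is NoPIERule, so `class TestNoPie(MakepkgTest):` would match the test method and package name. The PKGBUILD builds with `-no-pie` only, so the test exercises just the positive path; a second case that links the same main.c with the toolchain defaults and asserts `r.warnings == []` would catch the rule flagging every ELF file, which is the failure mode the `!= 'ET_DYN' or not has_dt_debug` condition is closest to.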
diff --git a/namcap-tags b/namcap-tags
index f967724..420ad5c 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -17,6 +17,7 @@ directory-not-world-executable %s :: Directory (%s) does not have the world exec
 elffile-in-any-package %s :: ELF file ('%s') found in an 'any' package.
 elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path.
 elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
+elffile-nopie %s :: ELF file ('%s') lacks PIE.
 elffile-with-textrel %s :: ELF file ('%s') has text relocations.
 elffile-with-execstack %s :: ELF file ('%s') has executable stack.
 elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
-- 
2.15.1

