[arch-projects] [namcap] elffiles: Check for FULL RELRO
Jelle van der Waa
jelle at vdwaa.nl
Sun Jan 14 17:18:02 UTC 2018
Instead of checking for RELRO, check for FULL RELRO, which is now the
default.
---
Namcap/rules/elffiles.py | 15 ++++++++++++---
namcap-tags | 2 +-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a336d18 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -137,10 +137,17 @@ class ELFGnuRelroRule(TarballRule):
Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO.
"""
- # not smart enough for full/partial RELRO (DT_BIND_NOW?)
name = "elfgnurelro"
- description = "Check for RELRO in ELF files."
+ description = "Check for FULL RELRO in ELF files."
+
+ def has_bind_now(self, elffile):
+ for section in elffile.iter_sections():
+ if not isinstance(section, DynamicSection):
+ continue
+ if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in section.iter_tags()):
+ return True
+ return False
def analyze(self, pkginfo, tar):
missing_relro = []
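Review bot: `has_bind_now` recognises only the standalone `DT_BIND_NOW` tag, so a binary whose linker recorded `-z now` as the `DF_BIND_NOW` bit in `DT_FLAGS` (or as `DF_1_NOW` in `DT_FLAGS_1`) would be reported as lacking full RELRO even though immediate binding is enabled. The helper should accept all three encodings, as sketched below. `DynamicSection` must also be in scope in this module; its import is not visible in the hunk. The class docstring above still says the rule checks for GNU_RELRO and could state that immediate binding is now required as well.

```python
    def has_bind_now(self, elffile):
        DF_BIND_NOW = 0x8  # bit in DT_FLAGS
        DF_1_NOW = 0x1     # bit in DT_FLAGS_1
        for section in elffile.iter_sections():
            if not isinstance(section, DynamicSection):
                continue
            for tag in section.iter_tags():
                d_tag = tag.entry.d_tag
                if d_tag == 'DT_BIND_NOW':
                    return True
                if d_tag == 'DT_FLAGS' and tag.entry.d_val & DF_BIND_NOW:
                    return True
                if d_tag == 'DT_FLAGS_1' and tag.entry.d_val & DF_1_NOW:
                    return True
        return False
```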
@@ -153,7 +160,9 @@ class ELFGnuRelroRule(TarballRule):
continue
elffile = ELFFile(fp)
if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in elffile.iter_segments()):
- continue
+ if self.has_bind_now(elffile):
+ continue
+
missing_relro.append(entry.name)
if missing_relro:
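Review bot: Files with no `PT_GNU_RELRO` segment and files with only partial RELRO now land in the same `missing_relro` list, so the report cannot tell a packager whether `-z relro` or only `-z now` is missing from LDFLAGS. At minimum, the branch deserves a comment such as `# full RELRO = PT_GNU_RELRO segment plus immediate binding; partial RELRO leaves .got.plt writable`. The nested `if` followed by a blank line also reads more clearly as one condition, e.g. `if has_relro and self.has_bind_now(elffile): continue` with `has_relro` holding the `any(...)` result. The body of `analyze` starts and ends outside this hunk, so how the list is reported is not visible here.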
diff --git a/namcap-tags b/namcap-tags
index f967724..f464b9c 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -19,7 +19,7 @@ elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of a valid path.
elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
elffile-with-textrel %s :: ELF file ('%s') has text relocations.
elffile-with-execstack %s :: ELF file ('%s') has executable stack.
-elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
+elffile-without-relro %s :: ELF file ('%s') lacks FULL RELRO, check LDFLAGS.
elffile-unstripped %s :: ELF file ('%s') is unstripped.
empty-directory %s :: Directory (%s) is empty
error-running-rule %s :: Error running rule '%s'
--
2.15.1