Page MenuHomePhabricator
Differential D9165 Diff 27546 contrib/devtools/security-check.py

Changeset View

Standalone View

View Options

contrib/devtools/security-check.py

Show First 20 LinesShow All 87 Lines▼ Show 20 Linesdef check_ELF_RELRO(executable):
Dynamic section must have BIND_NOW flag Dynamic section must have BIND_NOW flag
''' '''
have_gnu_relro = False have_gnu_relro = False
for (typ, flags) in get_ELF_program_headers(executable): for (typ, flags) in get_ELF_program_headers(executable):
# Note: not checking flags == 'R': here as linkers set the permission differently # Note: not checking flags == 'R': here as linkers set the permission differently
# This does not affect security: the permission flags of the GNU_RELRO program header are ignored, the PT_LOAD header determines the effective permissions. # This does not affect security: the permission flags of the GNU_RELRO program header are ignored, the PT_LOAD header determines the effective permissions.
# However, the dynamic linker need to write to this area so these are RW. # However, the dynamic linker need to write to this area so these are RW.
# Glibc itself takes care of mprotecting this area R after relocations are finished. # Glibc itself takes care of mprotecting this area R after relocations are finished.
# See also http://permalink.gmane.org/gmane.comp.gnu.binutils/71347 # See also https://marc.info/?l=binutils&m=1498883354122353
if typ == 'GNU_RELRO': if typ == 'GNU_RELRO':
have_gnu_relro = True have_gnu_relro = True
have_bindnow = False have_bindnow = False
p = subprocess.Popen([READELF_CMD, '-d', '-W', executable], stdout=subprocess.PIPE, p = subprocess.Popen([READELF_CMD, '-d', '-W', executable], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True) stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
(stdout, stderr) = p.communicate() (stdout, stderr) = p.communicate()
if p.returncode: if p.returncode:
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines