Add repo_sec_checker tool

jelly commented 5 years ago

repo_sec_checker scans all repository's for missing hardening bits. The tool currently supports relro, stack canary, nx, pie, rpath, runpath and fortify. The output is currently limited to a table view , which can later be expanded to JSON output.

jelly commented 5 years ago

Example output:

cdrdao-1.2.4-1-x86_64.pkg.tar.xz                                 Enabled       Enabled   Enabled   Disabled  False    False      Partial: getcwd,strncpy,memset,memcpy,strcpy,read,fread,memmove,strcat
dfu-programmer-0.7.2-2-x86_64.pkg.tar.xz                         Enabled       Enabled   Enabled   Disabled  False    False      Partial: memset,fgets
libgfshare-2.0.0-2-x86_64.pkg.tar.xz                             Enabled       Disabled  Enabled   Disabled  False    False      Partial: memcpy
editorconfig-core-c-0.12.3-1-x86_64.pkg.tar.xz                   Enabled       Enabled   Enabled   Disabled  False    False      Partial: strncpy,strcpy,strncat,fgets,memcpy,memmove,strcat
squashfuse-0.1.103-2-x86_64.pkg.tar.xz                           Enabled       Enabled   Enabled   Disabled  False    False      Partial: memset,memcpy,pread
libsmbios-2.4.2-1-x86_64.pkg.tar.xz                              Enabled       Enabled   Enabled   Disabled  False    False      Partial: strncpy,strcpy,fread,memset,memcpy
libusbmuxd-1.0.10+29+g9db5747-1-x86_64.pkg.tar.xz                Enabled       Enabled   Enabled   Disabled  False    False      Partial: recv,strncpy,memset,read,stpncpy,memmove

TODO:

[x] check if some performance can be improved
[x] add a verbose flag? And hide the missing fortify functions by default
[x] make the intermediate format (class) easier to generic json data
[x] add a flag to filter on repository such as core, multilib
[x] enhance RUNPATH and RPATH output. Maybe show the actual PATH? Especially an issue if RPATH starts relative https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754278

SantiagoTorres commented 5 years ago

I love this!

Foxboron commented 5 years ago

Should we standardize on underscore or dashes?

jelly commented 5 years ago

Of yeha let's make it -

Foxboron commented 5 years ago

[x] Fix filename s/_/-
[x] Probably wants an Author field
[x] Missing SPDX license header

jelly commented 5 years ago

I've fixed @Foxboron's comments, added RUNPATH/RPATH but they are a bit big. For haskell:

In [51]: getattr(tag, 'runpath')                                                                                                                                         
Out[51]: '/usr/lib/ghc-8.6.5/array-0.5.3.0:/usr/lib/ghc-8.6.5/base-4.12.0.0:/usr/lib/ghc-8.6.5/binary-0.8.6.0:/usr/lib/ghc-8.6.5/bytestring-0.10.8.2:/usr/lib/ghc-8.6.5/containers-0.6.0.1:/usr/lib/ghc-8.6.5/deepseq-1.4.4.0:/usr/lib/ghc-8.6.5/directory-1.3.3.0:/usr/lib/ghc-8.6.5/filepath-1.4.2.1:/usr/lib/ghc-8.6.5/ghc-boot-th-8.6.5:/usr/lib/ghc-8.6.5/ghc-prim-0.5.3:/usr/lib/ghc-8.6.5/integer-gmp-1.0.2.0:/usr/lib/ghc-8.6.5/mtl-2.2.2:/usr/lib/ghc-8.6.5/parsec-3.1.13.0:/usr/lib/ghc-8.6.5/pretty-1.1.3.6:/usr/lib/ghc-8.6.5/process-1.6.5.0:/usr/lib/ghc-8.6.5/rts:/usr/lib/ghc-8.6.5/template-haskell-2.14.0.0:/usr/lib/ghc-8.6.5/text-1.2.3.1:/usr/lib/ghc-8.6.5/time-1.8.0.2:/usr/lib/ghc-8.6.5/transformers-0.5.6.2:/usr/lib/ghc-8.6.5/unix-2.7.2.2:/usr/lib'

svenstaro commented 4 years ago

Seems like the nits are pretty minor. Can we just merge it now and then maybe someone else can tidy it up a little if still desired?

svenstaro commented 4 years ago

Is this good to go now?

SantiagoTorres commented 4 years ago

it LGTM now!

Foxboron commented 4 years ago

Thanks<3

archlinux / contrib

Add repo_sec_checker tool #6