hc
2024-03-22 a0752693d998599af469473b8dc239ef973a012f
import os
import json
 
import infra.basetest
 
 
class TestHardeningBase(infra.basetest.BRTest):
    """Common build configuration and checksec helper for the hardening tests.

    Subclasses append one hardening option to ``config`` and then assert on
    the checksec report of every file listed in ``checksec_files``.

    Scope caveat: only the files in ``checksec_files`` are inspected, so a
    passing test says nothing about the other binaries in the target tree.
    """

    # Base defconfig fragment: powerpc64 e5500 with an external glibc
    # toolchain, lighttpd as a sample target package and host checksec as
    # the analysis tool.  No root filesystem tarball is produced.
    config = """
        BR2_powerpc64=y
        BR2_powerpc_e5500=y
        BR2_TOOLCHAIN_EXTERNAL=y
        BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
        BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
        BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/powerpc64-e5500/tarballs/powerpc64-e5500--glibc--stable-2018.02-2.tar.bz2"
        BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
        BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
        BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
        BR2_TOOLCHAIN_EXTERNAL_CXX=y
        BR2_PACKAGE_LIGHTTPD=y
        BR2_PACKAGE_HOST_CHECKSEC=y
        # BR2_TARGET_ROOTFS_TAR is not set
        """

    # Paths are relative to <builddir>/target.
    checksec_files = ["usr/sbin/lighttpd", "bin/busybox"]

    def checksec_run(self, target_file):
        """Run host checksec on one target file and return the parsed JSON.

        Args:
            target_file: path of the file relative to ``<builddir>/target``.

        Returns:
            The object decoded from checksec's JSON output.  The tests in
            this file index it by the same joined path that is passed to
            ``--file``.

        Raises:
            json.JSONDecodeError: if the command output is not valid JSON.
        """
        elf_path = os.path.join(self.builddir, "target", target_file)
        # checksec is used purely as a static ELF inspector here; nothing is
        # executed on a target, so no run-time protection is being verified.
        # The tool path is relative; self.builddir is handed to the runner,
        # presumably as the working directory -- confirm in infra.
        argv = ["host/bin/checksec", "--format=json", f"--file={elf_path}"]
        raw_report = infra.run_cmd_on_host(self.builddir, argv)
        return json.loads(raw_report)
 
 
class TestRelro(TestHardeningBase):
    """Build with BR2_RELRO_FULL and expect full RELRO plus PIE binaries."""

    config = TestHardeningBase.config + """
        BR2_RELRO_FULL=y
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            entry = self.checksec_run(rel_path)[report_key]
            # PIE is asserted as well although this fragment only sets the
            # RELRO option; the build is expected to turn PIE on with it.
            self.assertEqual(entry["relro"], "full")
            self.assertEqual(entry["pie"], "yes")
 
 
class TestRelroPartial(TestHardeningBase):
    """Build with BR2_RELRO_PARTIAL and PIE disabled; expect exactly that."""

    config = TestHardeningBase.config + """
        BR2_RELRO_PARTIAL=y
        # BR2_PIC_PIE is not set
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            entry = self.checksec_run(rel_path)[report_key]
            # Both values are pinned so that an unexpectedly stronger result
            # ("full" / "yes") fails too: the test checks that the option is
            # honoured, not merely that some hardening is present.
            self.assertEqual(entry["relro"], "partial")
            self.assertEqual(entry["pie"], "no")
 
 
class TestSspNone(TestHardeningBase):
    """Build with BR2_SSP_NONE and expect no stack canary in the binaries."""

    config = TestHardeningBase.config + """
        BR2_SSP_NONE=y
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            canary = self.checksec_run(rel_path)[report_key]["canary"]
            # Negative control for TestSspStrong: with the stack protector
            # off, checksec must report that no canary is present.
            self.assertEqual(canary, "no")
 
 
class TestSspStrong(TestHardeningBase):
    """Build with BR2_SSP_STRONG and expect a stack canary in the binaries."""

    config = TestHardeningBase.config + """
        BR2_SSP_STRONG=y
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            canary = self.checksec_run(rel_path)[report_key]["canary"]
            # "yes" shows only that checksec found canary support in the
            # file; it does not tell how many functions are instrumented.
            self.assertEqual(canary, "yes")
 
 
class TestFortifyNone(TestHardeningBase):
    """Build with BR2_FORTIFY_SOURCE_NONE and expect no fortified calls."""

    config = TestHardeningBase.config + """
        BR2_FORTIFY_SOURCE_NONE=y
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            fortified = self.checksec_run(rel_path)[report_key]["fortified"]
            # The value is compared as the string "0", so the report is
            # expected to carry this count as text rather than as a number.
            self.assertEqual(fortified, "0")
 
 
class TestFortifyConserv(TestHardeningBase):
    """Build with BR2_FORTIFY_SOURCE_1 and expect some fortified calls."""

    config = TestHardeningBase.config + """
        BR2_FORTIFY_SOURCE_1=y
        """

    def test_run(self):
        for rel_path in self.checksec_files:
            # The report is looked up under the path given to --file.
            report_key = os.path.join(self.builddir, "target", rel_path)
            fortified = self.checksec_run(rel_path)[report_key]["fortified"]
            # Weak check by design: anything other than the string "0"
            # passes, so it neither confirms a particular count nor that
            # every fortifiable call was replaced.
            # NOTE(review): a non-numeric value would also satisfy this.
            self.assertNotEqual(fortified, "0")