diff --git a/Makefile.am b/Makefile.am
index 26f684d592..0137407e4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,13 +55,18 @@ shellcheck:
 done; \
 fi

-lint: cppcheck
+lint: cppcheck paxcheck

 cppcheck:
 @if type cppcheck > /dev/null 2>&1; then \
 cppcheck --quiet --force --error-exitcode=2 ${top_srcdir}; \
 fi

+paxcheck:
+ @if type scanelf > /dev/null 2>&1; then \
+ scripts/paxcheck.sh ${top_srcdir}; \
+ fi
+
 flake8:
 @if type flake8 > /dev/null 2>&1; then \
 flake8 ${top_srcdir}; \
diff --git a/scripts/paxcheck.sh b/scripts/paxcheck.sh
new file mode 100755
index 0000000000..1d85f9d01e
--- /dev/null
+++ b/scripts/paxcheck.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+if ! type scanelf > /dev/null 2>&1; then
+ echo "scanelf (from pax-utils) is required for these checks." >&2
+ exit 3
+fi
+
+RET=0
+
+# check for exec stacks
+OUT="$(scanelf -qyRAF '%e %p' $1)"
+
+if [ x"${OUT}" != x ]; then
+ RET=2
+ echo "The following files contain writable and executable sections"
+ echo " Files with such sections will not work properly (or at all!) on some"
+ echo " architectures/operating systems."
+ echo " For more information, see:"
+ echo " https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart"
+ echo
+ echo "${OUT}"
+ echo
+fi
+
+
+# check for TEXTRELS
+OUT="$(scanelf -qyRAF '%T %p' $1)"
+
+if [ x"${OUT}" != x ]; then
+ RET=2
+ echo "The following files contain runtime text relocations"
+ echo " Text relocations force the dynamic linker to perform extra"
+ echo " work at startup, waste system resources, and may pose a security"
+ echo " risk. On some architectures, the code may not even function"
+ echo " properly, if at all."
+ echo " For more information, see:"
+ echo " https://wiki.gentoo.org/wiki/Hardened/HOWTO_locate_and_fix_textrels"
+ echo
+ echo "${OUT}"
+ echo
+fi
+
+exit $RET
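Review bot: The new `paxcheck` recipe runs `scripts/paxcheck.sh` by a path relative to the build directory and passes `${top_srcdir}` as the tree to scan, so in an out-of-tree build the script will not be found. The compiled ELF objects that scanelf is meant to inspect also presumably live under the build directory rather than the source tree. I would write the call as `${top_srcdir}/scripts/paxcheck.sh ${top_builddir}; \`. Like `cppcheck`, the target also exits successfully when `scanelf` is absent, so a passing `make lint` does not show that the executable-stack and text-relocation checks ran. A comment above the target such as `# paxcheck is skipped silently when pax-utils (scanelf) is not installed` would make that explicit.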
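Review bot: Both `scanelf` calls in scripts/paxcheck.sh pass `$1` unquoted, and the script never checks that an argument was given. A path containing whitespace is therefore split into several arguments, and a missing argument leaves scanelf without a directory to scan. Because an empty `OUT` is treated as a pass, either case can report success without the intended tree having been checked. Add `: "${1:?usage: paxcheck.sh DIRECTORY}"` before `RET=0` and quote the argument, as in `OUT="$(scanelf -qyRAF '%e %p' "$1")"`, and likewise for the `%T` call. The command substitution also discards scanelf's own exit status, so a scan that fails outright would likely look the same as a clean one; checking it after each assignment would close that gap.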