Commit f71634d8 authored by Loic

HBSD: removing options --fortify-file and --fortify-proc

See: https://wiki.freebsd.org/SummerOfCode2015/FreeBSDLibcSecurityExtensions

Signed-off-by: Loic <loic.f@hardenedbsd.org>
parent 003e6188
...@@ -29,8 +29,6 @@ Options: ...@@ -29,8 +29,6 @@ Options:
--proc-all --proc-all
--proc-libs={process ID} --proc-libs={process ID}
--kernel --kernel
--fortify-file={executable-file}
--fortify-proc={process ID}
--version --version
--help --help
......
...@@ -144,8 +144,6 @@ help() { ...@@ -144,8 +144,6 @@ help() {
echo " --proc-all" echo " --proc-all"
echo " --proc-libs={process ID}" echo " --proc-libs={process ID}"
echo " --kernel" echo " --kernel"
echo " --fortify-file={executable-file}"
echo " --fortify-proc={process ID}"
echo " --version" echo " --version"
echo " --help" echo " --help"
echo echo
...@@ -1010,87 +1008,6 @@ chk_proc_libs () { ...@@ -1010,87 +1008,6 @@ chk_proc_libs () {
fi fi
} }
chk_fortify_file () {
# if first char of pathname is '~' replace it with '${HOME}'
if [ "${CHK_FORTIFY_FILE:0:1}" = '~' ] ; then
CHK_FORTIFY_FILE=${HOME}/${CHK_FORTIFY_FILE:1}
fi
if [ -z "${CHK_FORTIFY_FILE}" ] ; then
printf "\033[31mError: Please provide a valid file.\033[m\n\n"
exit 1
fi
# does the file exist?
if [ ! -f "${CHK_FORTIFY_FILE}" ] ; then
printf "\033[31mError: The file '%s' does not exist.\033[m\n\n" "${CHK_FORTIFY_FILE}"
exit 1
fi
# read permissions?
if [ ! -r "${CHK_FORTIFY_FILE}" ] ; then
printf "\033[31mError: No read permissions for '%s' (run as root).\033[m\n\n" "${CHK_FORTIFY_FILE}"
exit 1
fi
# ELF executable?
out=$(file "$(readlink -f "${CHK_FORTIFY_FILE}")")
if [ ! ${out} =~ ELF ] ; then
printf "\033[31mError: Not an ELF file: "
file "${CHK_FORTIFY_FILE}"
printf "\033[m\n"
exit 1
fi
FS_chk_func_libc=()
FS_functions=()
while IFS='' read -r line; do FS_chk_func_libc+=("$line"); done < <(${readelf} -s ${FS_libc} 2>/dev/null | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//')
while IFS='' read -r line; do FS_functions+=("$line"); done < <(${readelf} -s "${CHK_FORTIFY_FILE}" 2>/dev/null | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//')
echo_message "" "" "<fortify-test name='${CHK_FORTIFY_FILE}' " "{ \"fortify-test\": { \"name\":\"${CHK_FORTIFY_FILE}\" "
FS_libc_check
FS_binary_check
FS_comparison
FS_summary
echo_message "" "" "</fortify-test>\n" "} }"
}
chk_fortify_proc () {
if [ -z "${CHK_FORTIFY_PROC}" ] ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
if ! (isNumeric "${CHK_FORTIFY_PROC}") ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
cd /proc || exit
N=${CHK_FORTIFY_PROC}
if [ -d "${N}" ] ; then
# read permissions?
if [ ! -r "${N}/file" ] ; then
if ! (root_privs) ; then
printf "\033[31mNo read permissions for '/proc/%s/file' (run as root).\033[m\n\n" "${N}"
exit 1
fi
if [ ! "$(readlink "${N}/file")" ] ; then
printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
exit 1
fi
exit 1
fi
name=$(head -1 "${N}/status" | awk '{print $1}')
echo_message "* Process name (PID) : ${name} (${N})\n" "" "" ""
FS_chk_func_libc=()
FS_functions=()
while IFS='' read -r line; do FS_chk_func_libc+=("$line"); done < <(${readelf} -s $FS_libc 2>/dev/null | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//')
while IFS='' read -r line; do FS_functions+=("$line"); done < <(${readelf} -s "${CHK_FORTIFY_PROC}/file" 2>/dev/null | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//')
echo_message "" "" "<fortify-test name='${name}' pid='${N}' " "{ \"fortify-test\": { \"name\":\"${name}\", \"pid\":\"${N}\" "
FS_libc_check
FS_binary_check
FS_comparison
FS_summary
echo_message "" "" "</fortify-test>\n" "} }"
fi
}
chk_kernel () { chk_kernel () {
if [ ${CHK_KERNEL} == "kernel" ]; then if [ ${CHK_KERNEL} == "kernel" ]; then
CHK_KERNEL="" CHK_KERNEL=""
...@@ -1177,16 +1094,6 @@ while getopts "${optspec}" optchar; do ...@@ -1177,16 +1094,6 @@ while getopts "${optspec}" optchar; do
OPT=$((OPT + 1)) OPT=$((OPT + 1))
CHK_FUNCTION="chk_proc_libs" CHK_FUNCTION="chk_proc_libs"
;; ;;
fortify-file=*|fortify-file)
CHK_FORTIFY_FILE=${OPTARG#*=};
OPT=$((OPT + 1))
CHK_FUNCTION="chk_fortify_file"
;;
fortify-proc=*|fortify-proc)
CHK_FORTIFY_PROC=${OPTARG#*=};
OPT=$((OPT + 1))
CHK_FUNCTION="chk_fortify_proc"
;;
kernel=*|kernel) kernel=*|kernel)
CHK_KERNEL=${OPTARG#*=}; CHK_KERNEL=${OPTARG#*=};
OPT=$((OPT + 1)) OPT=$((OPT + 1))
...@@ -1212,7 +1119,7 @@ elif [ "${OPT}" != 1 ]; then ...@@ -1212,7 +1119,7 @@ elif [ "${OPT}" != 1 ]; then
exit 1 exit 1
fi fi
for variable in CHK_DIR CHK_FILE CHK_FORTIFY_FILE CHK_FORTIFY_PROC CHK_PROC CHK_PROC_LIBS; do for variable in CHK_DIR CHK_FILE CHK_PROC CHK_PROC_LIBS; do
if [[ -n ${!variable+x} ]]; then if [[ -n ${!variable+x} ]]; then
if [ -z "${!variable}" ]; then if [ -z "${!variable}" ]; then
printf "\033[31mError: Option Required.\033[m\n\n" printf "\033[31mError: Option Required.\033[m\n\n"
......