Instead of checking for RELRO, check for FULL RELRO, which is now the
default.
---
 Namcap/rules/elffiles.py | 15 ++++++++++++---
 namcap-tags              |  2 +-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
index e2dd7f5..a336d18 100644
--- a/Namcap/rules/elffiles.py
+++ b/Namcap/rules/elffiles.py
@@ -137,10 +137,17 @@ class ELFGnuRelroRule(TarballRule):
 
        Introduced by FS#26435. Uses pyelftools to check for GNU_RELRO.
        """
-       # not smart enough for full/partial RELRO (DT_BIND_NOW?)
 
        name = "elfgnurelro"
-       description = "Check for RELRO in ELF files."
+       description = "Check for FULL RELRO in ELF files."
+
+       def has_bind_now(self, elffile):
+               for section in elffile.iter_sections():
+                       if not isinstance(section, DynamicSection):
+                               continue
+                       if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in 
section.iter_tags()):
+                               return True
+               return False
 
        def analyze(self, pkginfo, tar):
                missing_relro = []
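Review bot: `has_bind_now` matches only the legacy `DT_BIND_NOW` tag, so a binary whose linker records immediate binding as the `DF_BIND_NOW` bit of `DT_FLAGS` (or `DF_1_NOW` in `DT_FLAGS_1`) would be reported as lacking full RELRO although it is fully hardened. The ELF gABI describes `DT_BIND_NOW` as superseded by the flag bit, so the check should accept all three encodings, as in the rewrite below. The helper would also benefit from a one-line docstring saying that it returns True when the dynamic section requests immediate binding. The rest of the class, including the body of `analyze`, lies outside this hunk.

```python
	def has_bind_now(self, elffile):
		DF_BIND_NOW = 0x8  # bit in DT_FLAGS
		DF_1_NOW = 0x1  # bit in DT_FLAGS_1
		for section in elffile.iter_sections():
			# … unchanged: skip sections that are not a DynamicSection …
			for tag in section.iter_tags():
				d_tag = tag.entry.d_tag
				if d_tag == 'DT_BIND_NOW':
					return True
				if d_tag == 'DT_FLAGS' and tag.entry.d_val & DF_BIND_NOW:
					return True
				if d_tag == 'DT_FLAGS_1' and tag.entry.d_val & DF_1_NOW:
					return True
		return False
```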
@@ -153,7 +160,9 @@ class ELFGnuRelroRule(TarballRule):
                                continue
                        elffile = ELFFile(fp)
                        if any(seg['p_type'] == 'PT_GNU_RELRO' for seg in 
elffile.iter_segments()):
-                               continue
+                               if self.has_bind_now(elffile):
+                                       continue
+
                        missing_relro.append(entry.name)
 
                if missing_relro:
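Review bot: With the nested `if self.has_bind_now(elffile): continue`, every ELF file without a dynamic section now falls through to `missing_relro.append(entry.name)`. A statically linked executable that carries `PT_GNU_RELRO` would therefore presumably be flagged even though it has no lazy binding to turn off. Consider requiring the bind-now check only when the file has a `PT_DYNAMIC` segment, for example `if not has_dynamic or self.has_bind_now(elffile): continue`, with `has_dynamic` computed from `elffile.iter_segments()`. Files with partial RELRO and files with none also end up in the same list, so the report cannot tell the packager whether `-z relro` or `-z now` is missing. `analyze` begins before this hunk and continues after it.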
diff --git a/namcap-tags b/namcap-tags
index f967724..f464b9c 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -19,7 +19,7 @@ elffile-not-in-allowed-dirs %s :: ELF file ('%s') outside of 
a valid path.
 elffile-in-questionable-dirs %s :: ELF files outside of a valid path ('%s').
 elffile-with-textrel %s :: ELF file ('%s') has text relocations.
 elffile-with-execstack %s :: ELF file ('%s') has executable stack.
-elffile-without-relro %s :: ELF file ('%s') lacks RELRO, check LDFLAGS.
+elffile-without-relro %s :: ELF file ('%s') lacks FULL RELRO, check LDFLAGS.
 elffile-unstripped %s :: ELF file ('%s') is unstripped.
 empty-directory %s :: Directory (%s) is empty
 error-running-rule %s :: Error running rule '%s'
-- 
2.15.1
