From patchwork Wed Jul 11 14:31:13 2018
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 11 Jul 2018 09:31:13 -0500
Message-Id: <20180711143113.11927-7-matthew.weber@rockwellcollins.com>
In-Reply-To: <20180711143113.11927-1-matthew.weber@rockwellcollins.com>
References: <20180711143113.11927-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 6/6] support/testing/tests/core: SSP & hardening flags
List-Id: Discussion and development of buildroot

Catch the commonly used options of SSP, Relro, and fortify.

Signed-off-by: Matthew Weber
---
 support/testing/tests/core/test_hardening.py | 104 +++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 support/testing/tests/core/test_hardening.py

diff --git a/support/testing/tests/core/test_hardening.py b/support/testing/tests/core/test_hardening.py
new file mode 100644
index 0000000000..2a479d89aa
--- /dev/null
+++ b/support/testing/tests/core/test_hardening.py
@@ -0,0 +1,104 @@ +import os +import subprocess +import json + +import infra.basetest + +HARD_DEFCONFIG = \ + """ + BR2_powerpc64=y + BR2_powerpc_e5500=y + BR2_TOOLCHAIN_EXTERNAL=y + BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y + BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/powerpc64-e5500/tarballs/powerpc64-e5500--glibc--stable-2018.02-2.tar.bz2" + BR2_TOOLCHAIN_EXTERNAL_GCC_6=y + BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y + BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y + BR2_TOOLCHAIN_EXTERNAL_CXX=y + BR2_PACKAGE_LIGHTTPD=y + BR2_PACKAGE_HOST_CHECKSEC=y + # BR2_TARGET_ROOTFS_TAR is not set + """ + +def checksec_run(builddir, target_file): + cmd = ["host/bin/checksec", "--output", "json", "--file", target_file] + ret = subprocess.check_output(cmd, + stderr=open(os.devnull, "w"), + cwd=builddir, + env={"LANG": "C"}) + return ret + +class TestRelro(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_RELRO_FULL=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertEqual(out["file"]["relro"], "full") + self.assertEqual(out["file"]["pie"], "yes") + out = json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertEqual(out["file"]["relro"], "full") + +class TestRelroPartial(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_RELRO_PARTIAL=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertEqual(out["file"]["relro"], "partial") + self.assertEqual(out["file"]["pie"], "no") + out = json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertEqual(out["file"]["relro"], "partial") + +class TestSspNone(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_SSP_NONE=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertEqual(out["file"]["canary"], "no") + out = 
json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertEqual(out["file"]["canary"], "no") + + +class TestSspStrong(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_SSP_STRONG=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertEqual(out["file"]["canary"], "yes") + out = json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertEqual(out["file"]["canary"], "yes") + +class TestFortifyNone(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_FORTIFY_SOURCE_NONE=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertEqual(out["file"]["fortified"], "0") + out = json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertEqual(out["file"]["fortified"], "0") + +class TestFortifyConserv(infra.basetest.BRTest): + config = HARD_DEFCONFIG + \ + """ + BR2_FORTIFY_SOURCE_1=y + """ + + def test_run(self): + out = json.loads(checksec_run(self.builddir, "target/usr/sbin/lighttpd")) + self.assertNotEqual(out["file"]["fortified"], "0") + out = json.loads(checksec_run(self.builddir, "target/bin/busybox")) + self.assertNotEqual(out["file"]["fortified"], "0")
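Review bot: `checksec_run` passes `stderr=open(os.devnull, "w")` and never closes that handle, so every call leaks a file descriptor; `stderr=subprocess.DEVNULL` does the same job without the leak. In the same helper, `subprocess.check_output` returns bytes, and every caller feeds that straight into `json.loads`; decoding once in the helper (`return ret.decode("utf-8")`) keeps the callers independent of whether the json module accepts bytes. In `HARD_DEFCONFIG`, `BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y` and `BR2_TOOLCHAIN_EXTERNAL_URL` are set without `BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y`, which those options depend on; worth confirming that olddefconfig keeps the downloaded toolchain rather than silently falling back to a default one, since every assertion below depends on that toolchain's flags. Style: the six `test_run` bodies repeat the same lighttpd-then-busybox pattern, so a small helper taking the checksec field and expected value would cut the file in half, and the extra blank line after `TestSspNone` is inconsistent with the other classes.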