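#!/bin/bash
#
# check_sec.sh - compare one installed file's hardening properties
# (as reported by `checksec --output=json`) against a JSON policy.
#
# Arguments (hook-style, fixed positions; unused ones are still reserved):
#   $1 - path of the file to check (FILEPATH)
#   $2 - original file name; matched against the policy's "skip" list
#   $3 - original uid   (not used by this check)
#   $4 - original gid   (not used)
#   $5 - original mode  (not used)
#   $6 - original label (not used)
#   $7 - not used
#   $8 - policy as a JSON string (CONFIG)
#
# Output contract (callers must read stdout, not the exit status):
#   * a file that passes, is listed in "skip", or is not an ELF file
#     prints nothing and exits 0;
#   * a file that fails a check prints checksec's result object for
#     that file as one JSON line and exits 0;
#   * result keys the policy asks for but checksec did not report are
#     printed as "results were missing expected keys: ..." and exit 0;
#   * any other error prints its message and exits 0;
#   * only an unset or unparseable policy exits 1 ("bad config: ...").
#
# Policy format (JSON). A "cfg" value is either a list of acceptable
# values or a single string, which is treated as a one-element list:
# {"cfg":
#   {
#     "pie": ["yes"],
#     "relro": ["full", "partial"]
#   },
#   "skip": ["/usr/bin/bla"]
# }
#
# Usable cfg fields (omitted fields are not checked), with example values:
# {
#   "canary": "no",
#   "fortify_source": "no",
#   "nx": "yes",
#   "pie": "no",
#   "relro": "partial",
#   "rpath": "no",
#   "runpath": "no",
#   "symbols": "no"
# }

FILEPATH=$1
ORIG_FILENAME=$2
# shellcheck disable=SC2034 — part of the hook interface, not used here
ORIG_UID=$3
# shellcheck disable=SC2034
ORIG_GID=$4
# shellcheck disable=SC2034
ORIG_MODE=$5
# shellcheck disable=SC2034
ORIG_LABEL=$6
CONFIG=$8

# checksec's JSON object is expected to be keyed by the path it was given;
# the Python below falls back to a literal "file" key when it is not
# (presumably how some checksec versions name it - verify against the
# installed version). Only stdout is captured, so the non-ELF error text
# checked for below must be part of checksec's stdout.
RESULT=$(checksec --output=json --file="$FILEPATH")
export RESULT FILEPATH CONFIG ORIG_FILENAME

# Inputs are passed via the environment rather than argv so that neither the
# policy nor the checksec output is subject to shell word-splitting/quoting.
# The quoted delimiter keeps the here-doc literal (no shell expansion).
python - <<'PYEOF'
import json
import os
import sys

# Default to "" so an unset variable is reported as a bad config instead
# of raising AttributeError on .rstrip() inside the error handler.
cfg = os.getenv("CONFIG") or ""
res = os.getenv("RESULT") or ""
fp = os.getenv("FILEPATH")
orig_name = os.getenv("ORIG_FILENAME")

try:
    expected = json.loads(cfg.rstrip())
except Exception:
    print("bad config: {}".format(cfg.rstrip()))
    sys.exit(1)

try:
    result = json.loads(res.rstrip())

    # Files on the policy's skip list are not checked at all.
    if "skip" in expected and orig_name in expected["skip"]:
        sys.exit(0)

    # Result object is keyed by the path given to checksec; fall back to
    # the literal "file" key when that is not present.
    if fp not in result:
        fp = "file"

    bad_keys = []
    for k in expected["cfg"]:
        if k not in result[fp]:
            bad_keys.append(k)
            continue
        accepted = expected["cfg"][k]
        # A bare string means exactly one acceptable value.
        if not isinstance(accepted, list):
            accepted = [accepted]
        if not any(v == result[fp][k] for v in accepted):
            # First failing property: report the whole result object.
            print(json.dumps(result[fp]).rstrip())
            sys.exit(0)

    if bad_keys:
        print("results were missing expected keys: {}".format(", ".join(bad_keys)))
        sys.exit(0)
except Exception as e:
    # A non-ELF input is not a failure: checksec reports it as an error
    # string instead of JSON, which is what makes json.loads raise here.
    # Everything else (missing "cfg", unexpected result shape, ...) is
    # reported, but still with exit status 0 per the output contract.
    if "Not an ELF file:" not in res:
        print(e)
    sys.exit(0)
PYEOF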