Check static linked binaries rather than including those in the list.

- Before : Specify static linked binaries in the exception list.
- With this : Check whether binaries are staic linked.
              If so, do not check ASLR.
- Do not check "dll" and if the name is started with "qemu".
- Do not see "onlycap" file while testing, as it is not needed.
- Leave the list as an empty for the future use or security-analyzer.

Change-Id: I26dc7044a62e49c0b07ca532900732aa429e5d0e

diff --git a/test/aslr_test/scripts/aslr_exception.list b/test/aslr_test/scripts/aslr_exception.list
index bbd4aef14ae011fe249fdc7c6a06c990f1811a68..209370be4a63c0481c6352bc47bb70c21d90e7c4 100644 (file)
--- a/test/aslr_test/scripts/aslr_exception.list
+++ b/test/aslr_test/scripts/aslr_exception.list
@@ -1,16 +1,4 @@
-# ldconfig, glibc_post_upgrade : static binary
-/usr/sbin/ldconfig
-/usr/sbin/glibc_post_upgrade
-# qemu-arm-binfmt : only used for mic build
-/usr/bin/qemu-arm-binfmt
-# containerd ~ docker-proxy : golang pre-built binary
-/usr/bin/containerd
-/usr/bin/containerd-shim-runc-v2
-/usr/bin/docker
-/usr/bin/docker-init
-/usr/bin/runc
-/usr/bin/containerd-shim
-/usr/bin/ctr
-/usr/bin/dockerd
-/usr/bin/docker-proxy
-# last line
+# Static binaries, dll and qemu binaries are automatically detected and allowed during testing.
+# If cases are existed that ASLR cannot be applied except aboves, write full path here.
+# example:
+# /usr/bin/containerd

diff --git a/test/aslr_test/scripts/run_aslr_test_all_files.sh b/test/aslr_test/scripts/run_aslr_test_all_files.sh
index bb0e160fc6767fa8df6397a51a3684ee3d794020..53688a5edbe53d8dbfc419f80ba6fe26c252b9f9 100644 (file)
--- a/test/aslr_test/scripts/run_aslr_test_all_files.sh
+++ b/test/aslr_test/scripts/run_aslr_test_all_files.sh
@@ -17,19 +17,12 @@ function CHECK_EXCEPTION
                echo "find exception" "$1"
                return 1
        fi
-       filename=$(basename $1)
-       fileext=${filename##*.}
-       if [ $fileext == "dll" ]
-       then
-               echo "*.dll files are excluded : " "$1"
-               return 1
-       fi
        return 0
 }
 
 /usr/bin/echo "Start aslr check test"
 
-/usr/bin/find / -type f -executable 2>/dev/null | /usr/bin/xargs $utl_path/file | /usr/bin/grep "executable" | /usr/bin/grep -v "shared object" | /usr/bin/grep -v "pie" | /usr/bin/grep -v "script" | /usr/bin/cut -d ":" -f1 >> $tmp_file
+/usr/bin/find / -type f -executable -not -name "*.dll" -not -name "/usr/bin/qemu*" 2>/dev/null | /usr/bin/xargs $utl_path/file | /usr/bin/grep -E "executable.*dynamically linked" | /usr/bin/grep -v -e "shared object" -e "pie" -e "script" | /usr/bin/cut -d ":" -f1 >> $tmp_file
 
 #init log
 if [ -e "$log_file" ]
@@ -39,21 +32,12 @@ then
        /usr/bin/rm $log_file
 fi
 
-# Retrieve exec permission (chmod & cat need to be considered separately to finish below lines)
-# Checking "/etc/smack/onlycap" is temporary. This should be considered again later.
 while read line
 do
-       if [[ $line != "/usr/bin/chmod" ]] && [[ $line != "/usr/bin/cat" ]] && [[ $line != "/usr/bin/qemu-arm" ]] && [[ $line != "/usr/bin/qemu-aarch64" ]]
+       CHECK_EXCEPTION $line
+       if [ "$?" == 0 ]
        then
-               CHECK_EXCEPTION $line
-               if [ "$?" == 0 ]
-               then
-                       if [[ -e "/etc/smack/onlycap" ]]
-                       then
-                               chmod a-x $line
-                       fi
-                       echo "$line" >> $log_file
-               fi
+               echo "$line" >> $log_file
        fi
 done < <(cat $tmp_file)
 rm $tmp_file
@@ -63,6 +47,7 @@ then
        echo "YES" > $result_file
 else
        echo "NO" > $result_file
+       chmod a-x $(cat $log_file)
 fi
 
 /usr/bin/echo "Finish aslr check test"