Retrieve execution permission from ASLR not applied files.
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Tue, 17 Oct 2017 05:58:50 +0000 (14:58 +0900)
committerjin-gyu.kim <jin-gyu.kim@samsung.com>
Fri, 30 Mar 2018 02:16:30 +0000 (11:16 +0900)
Change-Id: I98f8636c00cd1e82f31b2f90dea4fc87f7fec985

test/aslr_test/scripts/aslr_exception.list [new file with mode: 0644]
test/aslr_test/scripts/run_aslr_test_all_files.sh

diff --git a/test/aslr_test/scripts/aslr_exception.list b/test/aslr_test/scripts/aslr_exception.list
new file mode 100644 (file)
index 0000000..82c76f6
--- /dev/null
@@ -0,0 +1,6 @@
+/usr/sbin/ldconfig
+/usr/sbin/glibc_post_upgrade
+# submission is ongoing
+/usr/bin/setfattr
+/usr/bin/getfattr
+/usr/bin/attr
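Review bot: The comment `# submission is ongoing` does not say what is being submitted or when the three attr entries below it can be removed, so the temporary exception has no expiry anyone can act on. A `#` line is not treated specially by CHECK_EXCEPTION's grep over this file; it simply never matches a file path, so it works as a comment only by accident. Suggest `# TODO: temporary - drop setfattr/getfattr/attr once the pending attr package submission lands` in its place, and a header such as `# One absolute path per line; consulted by CHECK_EXCEPTION in run_aslr_test_all_files.sh` so maintainers know the file's consumer and format.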
index 7c9b4a632e31a39a6545c7fbad8aae3a35613c52..031a4c9d645bea83c4c6b9f838dc45ecbb9b562a 100644 (file)
@@ -3,6 +3,20 @@
 PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 utl_path="/opt/share/security-config/test/utils"
 log_file="/opt/share/security-config/log/aslr_not_applied_files"
+exception_path="/opt/share/security-config/test/aslr_test/scripts/aslr_exception.list"
+
+# Check whether this file is one of exception lists.
+# args : $1 = file path
+function CHECK_EXCEPTION
+{
+       temp=$(cat $exception_path | grep $1)
+       if [ -n "$temp" ]
+       then
+               echo "find exception" "$1"
+               return 1
+       fi
+       return 0
+}
 
 # Rename file util
 file_cmd=`find $utl_path -name file.*`
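Review bot: CHECK_EXCEPTION uses the file path as an unquoted, unanchored regular expression, so a path that is a prefix of a listed entry (e.g. `/usr/bin/at` against `/usr/bin/attr`) is treated as excepted and keeps its exec bit, and any `.` in a path matches an arbitrary character. Replace `temp=$(cat $exception_path | grep $1)` and `if [ -n "$temp" ]` with `if /usr/bin/grep -qxF -- "$1" "$exception_path"` so the match is fixed-string and whole-line, and quote `"$exception_path"`. If the list file is absent, the grep fails quietly and the function returns 0 for every path, which is the branch that strips exec permission; a `[ -r "$exception_path" ] || exit 1` before the loop would fail closed instead. The return convention is inverted from the usual (1 = found), so a header comment `# Returns 1 when $1 is listed in $exception_path, 0 otherwise` would keep callers from misreading it.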
@@ -18,12 +32,19 @@ fi
 
 /usr/bin/echo "Start aslr check test"
 
-/usr/bin/find / -type f -executable 2>/dev/null | /usr/bin/xargs $utl_path/file | /usr/bin/grep "executable" | /usr/bin/grep -v "script" | /usr/bin/cut -d ":" -f1 >> $log_file
+/usr/bin/find / -type f -executable 2>/dev/null | /usr/bin/xargs $utl_path/file | /usr/bin/grep "executable" | /usr/bin/grep -v "shell script" | /usr/bin/cut -d ":" -f1 >> $log_file
 
-# Below will take time. But if you want to know rpm package name lists also, use below commands.
-#while read script_file_line
-#do
-#      echo "$script_file_line, $(/usr/bin/rpm -qf $script_file_line)"
-#done < <(cat $log_file)
+# Retrieve exec permission (chmod & cat need to be considered separately to finish below lines)
+while read log_file_line
+do
+       if [ -e "/etc/smack/onlycap" ] && [ $log_file_line != "/usr/bin/chmod" ] && [ $log_file_line != "/usr/bin/cat" ] && [ $log_file_line != "/usr/bin/qemu-arm" ]
+       then
+               CHECK_EXCEPTION $log_file_line
+               if [ "$?" == 0 ]
+               then
+                       chmod a-x $log_file_line                
+               fi
+       fi
+done < <(cat $log_file)
 
 /usr/bin/echo "Finish aslr check test"
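Review bot: The new loop passes `$log_file_line` unquoted to `[` and to `chmod a-x`, so a path containing whitespace either makes the test error out (the entry is silently skipped) or makes chmod act on a different file, and the `cut -d ":" -f1` stage of the find pipeline already truncates any path containing a colon. Use `while IFS= read -r log_file_line`, quote each comparison (`[ "$log_file_line" != "/usr/bin/chmod" ]` and the two others), and run `chmod a-x -- "$log_file_line"`. Because the find pipeline still appends with `>> $log_file`, entries from earlier runs are replayed and de-executed again on every invocation; truncating first (`: > "$log_file"`) would bound the action to the current scan. Narrowing the filter from `script` to `shell script` appears to let Python/Perl scripts that `file` labels "text executable" into the log and therefore under chmod - if that is intended, state it in the comment, and the comment's "Retrieve exec permission" should read "Revoke exec permission".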