From 6b7a6fafa5df4411e23d7236c46ddee0edd5a8f5 Mon Sep 17 00:00:00 2001 From: Niraj Kumar Goit Date: Fri, 20 Apr 2018 20:16:44 +0530 Subject: [PATCH] [armoring feature] apply the system hardening options. Change-Id: I63ab68c57a304e686b6468cedc0d2b6be0978ef2 Signed-off-by: Niraj Kumar Goit --- Makefile | 4 ++-- misc/ifstat.c | 10 ++++++++-- misc/lnstat_util.c | 16 ++++++++++------ misc/nstat.c | 10 ++++++++-- misc/ss.c | 30 +++++++++++++++++++++--------- packaging/iproute2.spec | 2 ++ 6 files changed, 51 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index 680a5c8..557e973 100644 --- a/Makefile +++ b/Makefile @@ -36,8 +36,8 @@ WFLAGS += -Wmissing-declarations -Wold-style-definition CFLAGS = $(WFLAGS) $(CCOPTS) -I../include $(DEFINES) YACCFLAGS = -d -t -v -CFLAGS += -fPIE -LDFLAGS += -pie +CFLAGS += -fstack-protector-strong -Wl,-z,relro -D_FORTIFY_SOURCE=2 -fPIE -pie +LDFLAGS += -pie -Wl,-z,relro,-z,now SUBDIRS=lib ip tc bridge misc netem genl man diff --git a/misc/ifstat.c b/misc/ifstat.c index 6d0ad8c..94db58b 100644 --- a/misc/ifstat.c +++ b/misc/ifstat.c @@ -718,7 +718,10 @@ int main(int argc, char *argv[]) } if (uptime >= 0 && time(NULL) >= stb.st_mtime+uptime) { fprintf(stderr, "ifstat: history is aged out, resetting\n"); - ftruncate(fileno(hist_fp), 0); + if (ftruncate(fileno(hist_fp), 0) != 0) { + perror("ifstat: ftruncate history file"); + exit(-1); + } } } @@ -760,7 +763,10 @@ int main(int argc, char *argv[]) dump_incr_db(stdout); } if (!no_update) { - ftruncate(fileno(hist_fp), 0); + if (ftruncate(fileno(hist_fp), 0) != 0) { + perror("ifstat: ftruncate history file"); + exit(-1); + } rewind(hist_fp); dump_raw_db(hist_fp, 1); fflush(hist_fp); diff --git a/misc/lnstat_util.c b/misc/lnstat_util.c index 9492baf..96c96bc 100644 --- a/misc/lnstat_util.c +++ b/misc/lnstat_util.c 
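Review bot: The new `CFLAGS +=` line puts link-time options into the compile flags: `-Wl,-z,relro` and `-pie` have no effect on a compile-only step and are already supplied by the `LDFLAGS += -pie -Wl,-z,relro,-z,now` line just below, so `CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE` is enough. `_FORTIFY_SOURCE` only does anything when the compiler optimizes, so the protection silently depends on `$(CCOPTS)` carrying `-O2` or similar (its definition is outside the hunk). If the toolchain already predefines `_FORTIFY_SOURCE`, a bare `-D` produces a macro-redefinition warning on every translation unit; `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` avoids that. `-fstack-protector-strong` also raises the minimum compiler version (GCC 4.9 / Clang 3.5), which is worth a line in the commit message.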
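Review bot: `exit(-1)` in the new ftruncate error branches (both ifstat hunks, and the two identical hunks in misc/nstat.c) yields an unusual exit status, since the value is truncated to 255 by the OS; `exit(EXIT_FAILURE)` or `exit(1)` is the conventional form, and the file's existing error-exit convention is not visible here to confirm which one it uses. The first hunk also turns a best-effort reset into a fatal abort: the message just printed announces "resetting", so a failed truncate there may be better handled by treating the history as empty than by terminating — worth confirming against the code that follows. main's body continues outside both hunks.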
@@ -49,7 +49,8 @@ static int scan_lines(struct lnstat_file *lf, int i) num_lines++; - fgets(buf, sizeof(buf)-1, lf->fp); + if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); gettimeofday(&lf->last_read, NULL); for (j = 0; j < lf->num_fields; j++) { @@ -94,21 +95,23 @@ int lnstat_update(struct lnstat_file *lnstat_files) rewind(lf->fp); if (!lf->compat) { /* skip first line */ - fgets(buf, sizeof(buf)-1, lf->fp); + if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); } scan_lines(lf, 1); for (i = 0, lfi = &lf->fields[i]; - i < lf->num_fields; i++, lfi = &lf->fields[i]) { + i < lf->num_fields; i++, lfi = &lf->fields[i]) { if (i == 0) lfi->result = lfi->values[1]; else lfi->result = (lfi->values[1]-lfi->values[0]) - / lf->interval.tv_sec; + / lf->interval.tv_sec; } rewind(lf->fp); - fgets(buf, sizeof(buf)-1, lf->fp); + if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); scan_lines(lf, 0); } } @@ -142,7 +145,8 @@ static int lnstat_scan_fields(struct lnstat_file *lf) char buf[FGETS_BUF_SIZE]; rewind(lf->fp); - fgets(buf, sizeof(buf)-1, lf->fp); + if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); return __lnstat_scan_fields(lf, buf); } diff --git a/misc/nstat.c b/misc/nstat.c index b685978..0c2f4c3 100644 --- a/misc/nstat.c +++ b/misc/nstat.c @@ -568,7 +568,10 @@ int main(int argc, char *argv[]) } if (uptime >= 0 && time(NULL) >= stb.st_mtime+uptime) { fprintf(stderr, "nstat: history is aged out, resetting\n"); - ftruncate(fileno(hist_fp), 0); + if (ftruncate(fileno(hist_fp), 0) != 0) { + perror("nstat: ftruncate history file"); + exit(-1); + } } } 
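Review bot: In the scan_lines hunk the failed `fgets` is reported but execution continues into the field loop with `buf` still holding its previous, possibly uninitialized contents, and the same log-and-continue shape is repeated twice in the lnstat_update hunk and once in lnstat_scan_fields, where `return __lnstat_scan_fields(lf, buf)` then parses that stale buffer. At minimum the error branch should empty the buffer before it is used, `buf[0] = '\0';`, and in scan_lines and lnstat_scan_fields returning an error (`return -1;` after the fprintf) is preferable, assuming their callers check the int result — they are outside the hunks. The whitespace-only reindentation of `i < lf->num_fields` and `/ lf->interval.tv_sec;` in the lnstat_update hunk is unrelated to the hardening change and would be cleaner in a separate commit. All three enclosing functions start or end outside their hunks.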
@@ -612,7 +615,10 @@ int main(int argc, char *argv[]) dump_incr_db(stdout); } if (!no_update) { - ftruncate(fileno(hist_fp), 0); + if (ftruncate(fileno(hist_fp), 0) != 0) { + perror("nstat: ftruncate history file"); + exit(-1); + } rewind(hist_fp); dump_kern_db(hist_fp, 1); fflush(hist_fp); diff --git a/misc/ss.c b/misc/ss.c index da9d32c..984bb27 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -297,7 +297,9 @@ static void user_ent_hash_build(void) snprintf(tmp, sizeof(tmp), "%s/%d/stat", root, pid); if ((fp = fopen(tmp, "r")) != NULL) { - fscanf(fp, "%*d (%[^)])", process); + int ret = fscanf(fp, "%*d (%[^)])", process); + if (ret < 0) + fprintf(stderr, "Error: failed to read from input file stream.\n"); fclose(fp); } } @@ -379,7 +381,8 @@ static int get_slabstat(struct slabstat *s) cnt = sizeof(*s)/sizeof(int); - fgets(buf, sizeof(buf), fp); + if (fgets(buf, sizeof(buf), fp) == NULL) + goto out; while(fgets(buf, sizeof(buf), fp) != NULL) { int i; for (i=0; i/dev/null", "r"); if (fp) { - fgets(buf, sizeof(buf), fp); + if (fgets(buf, sizeof(buf), fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); while (fgets(buf, sizeof(buf), fp) != NULL) { unsigned int progn, port; char proto[128], prog[128]; @@ -542,8 +547,10 @@ static int is_ephemeral(int port) if (!ip_local_port_min) { FILE *f = ephemeral_ports_open(); if (f) { - fscanf(f, "%d %d", - &ip_local_port_min, &ip_local_port_max); + int ret = fscanf(f, "%d %d", + &ip_local_port_min, &ip_local_port_max); + if (ret < 0) + fprintf(stderr, "Error: failed to read from input file stream.\n"); fclose(f); } else { ip_local_port_min = 1024; @@ -720,7 +727,9 @@ static int run_ssfilter(struct ssfilter *f, struct tcpstat *s) if (!low) { FILE *fp = ephemeral_ports_open(); if (fp) { - fscanf(fp, "%d%d", &low, &high); + int ret = fscanf(fp, "%d%d", &low, &high); + if (ret < 0) + fprintf(stderr, "Error: failed to read from input file stream.\n"); fclose(fp); } } 
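Review bot: The check `if (ret < 0)` after the new `fscanf` in user_ent_hash_build only catches input failure; `fscanf` returns 0 on a matching failure, in which case `process` is left unset and nothing is reported. Comparing against the number of conversions, `if (ret != 1)`, covers both cases, and the same applies to the two-conversion calls in the is_ephemeral and run_ssfilter hunks (`if (ret != 2)`), where a partial read otherwise leaves one of the two port bounds unset. In is_ephemeral the read-failure branch also behaves differently from the `fopen` failure branch, which falls back to 1024; a read failure presumably wants the same default rather than leaving `ip_local_port_min` at 0 so the file is reopened on every call. The enclosing functions extend outside the hunks.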
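Review bot: The new `goto out` in get_slabstat on a failed header read jumps to a label outside the hunk, so the hunk alone does not show whether that path closes fp and returns an error rather than reporting success with a partially filled `*s`; confirming that, or adding a comment at the branch such as `/* no header line: bail out with fp closed and an error return */`, would make the intent reviewable. Unlike the other ss.c hunks this one does not print a diagnostic, which is fine if `out` returns an error the caller reports, but that is not visible here. get_slabstat continues outside the hunk.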
@@ -2318,7 +2327,8 @@ static int unix_show(struct filter *f) if ((fp = net_unix_open()) == NULL) return -1; - fgets(buf, sizeof(buf)-1, fp); + if (fgets(buf, sizeof(buf)-1, fp) == NULL) + return -1; if (memcmp(buf, "Peer", 4) == 0) newformat = 1; @@ -2406,7 +2416,8 @@ static int packet_show(struct filter *f) if ((fp = net_packet_open()) == NULL) return -1; - fgets(buf, sizeof(buf)-1, fp); + if (fgets(buf, sizeof(buf)-1, fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); while (fgets(buf, sizeof(buf)-1, fp)) { sscanf(buf, "%llx %*d %d %x %d %d %u %u %u", @@ -2479,7 +2490,8 @@ static int netlink_show(struct filter *f) if ((fp = net_netlink_open()) == NULL) return -1; - fgets(buf, sizeof(buf)-1, fp); + if (fgets(buf, sizeof(buf)-1, fp) == NULL) + fprintf(stderr, "Error: failed to read from input file stream.\n"); while (fgets(buf, sizeof(buf)-1, fp)) { sscanf(buf, "%llx %d %d %x %d %d %llx %d", diff --git a/packaging/iproute2.spec b/packaging/iproute2.spec index 7a7dfaa..9d8a9aa 100644 --- a/packaging/iproute2.spec +++ b/packaging/iproute2.spec @@ -52,6 +52,8 @@ table changes. %patch2 -p1 %build +CFLAGS="-fPIE -Wl,-z,relro,-z,now -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" +LDFLAGS="-pie" %if "%{asan}" == "1" %restore_fcommon %endif -- 2.7.4
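Review bot: The new `return -1` in unix_show on a failed header read leaks the stream opened by `net_unix_open()` two lines above, since nothing closes fp before returning; `if (fgets(buf, sizeof(buf)-1, fp) == NULL) { fclose(fp); return -1; }` fixes that, assuming fp is otherwise closed later in the function, which is outside the hunk. The sibling hunks in packet_show and netlink_show take the opposite approach — print a message and fall into the `while (fgets(...))` loop, which then ends immediately — so the three functions now report the same condition in three different ways; settling on one (close fp, return -1) would be more consistent. unix_show continues outside the hunk.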
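Review bot: The two assignments added to %build are plain shell variables, not exported, so a `make` started later in the section does not inherit them unless they are passed on its command line (the rest of %build is outside the hunk); and since the Makefile sets `CFLAGS =` with a plain assignment, an environment CFLAGS would be ignored by make anyway. If the intent is to drive the hardening from the spec, either `export` them and have the Makefile use `?=`/`+=`, or pass them explicitly, e.g. `make CCOPTS="-O2 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2"`. The value also repeats the linker options already placed in the Makefile's LDFLAGS and replaces any distribution-provided `%{optflags}` rather than appending to them, so `CFLAGS="%{optflags} -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2"` is the safer form.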