From: <mva...@re...> - 2011-07-18 18:50:04
From: Miroslav Vadkerti <mva...@re...> Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/Makefile | 3 ++- audit/misc/Makefile | 20 ++++++++++++++++++++ audit/misc/run.conf | 42 ++++++++++++++++++++++++++++++++++++++++++ audit/misc/tests/Makefile | 19 +++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletions(-) create mode 100644 audit/misc/Makefile create mode 100644 audit/misc/run.conf create mode 100644 audit/misc/tests/Makefile
diff --git a/audit/Makefile b/audit/Makefile
index 0386d24..7fb7b84 100644
--- a/audit/Makefile
+++ b/audit/Makefile
@@ -31,7 +31,8 @@ RUN_DIRS += fail-safe \ ifneq ($(DISTRO), SUSE) RUN_DIRS += trustedprograms \ netfilebt \ - crypto + crypto \ + misc endif endif
diff --git a/audit/misc/Makefile b/audit/misc/Makefile
new file mode 100644
index 0000000..a7b8947
--- /dev/null
+++ b/audit/misc/Makefile
@@ -0,0 +1,20 @@
+###############################################################################
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of version 2 the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+###############################################################################
+
+TOPDIR = ..
+SUB_DIRS = tests
+
+include $(TOPDIR)/rules.mk
diff --git a/audit/misc/run.conf b/audit/misc/run.conf
new file mode 100644
index 0000000..48968ec
--- /dev/null
+++ b/audit/misc/run.conf
@@ -0,0 +1,42 @@
+###############################################################################
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of version 2 the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+###############################################################################
+
+function run_test {
+ declare status x=$1
+ shift
+
+ # Force the audit log to rotate
+ rotate_audit_logs || return 2
+
+ # Run the test
+ cd tests
+ "./test_$x.bash" "$@"
+ status=$?
+
+ # Display the log items if it failed
+ if [[ $status == 1 ]]; then
+ echo
+ echo augrok output
+ echo -------------
+ augrok type!=DAEMON_ROTATE
+ fi
+
+ return $status
+}
+
+if [[ $PPROFILE == capp || $PPROFILE == lspp ]]; then
+ + relro-pie
+fi
diff --git a/audit/misc/tests/Makefile b/audit/misc/tests/Makefile
new file mode 100644
index 0000000..521daeb
--- /dev/null
+++ b/audit/misc/tests/Makefile
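Review bot: In `run_test`, the `cd tests` call is unchecked, so if the directory is missing or unreadable the function goes on to look for `./test_$x.bash` in the wrong working directory and returns a status that does not reflect the test. Use `cd tests || return 2`, matching the `rotate_audit_logs || return 2` guard a few lines earlier. The function also leaves the caller in `tests/` when it returns; whether the harness runs it in a subshell is not visible in this hunk, so a one-line comment stating that assumption would help.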
@@ -0,0 +1,19 @@
+###############################################################################
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of version 2 the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+###############################################################################
+
+TOPDIR = ../..
+
+include $(TOPDIR)/rules.mk
-- 1.7.1 |
From: <mva...@re...> - 2011-07-18 18:50:02
From: Miroslav Vadkerti <mva...@re...> For more information about the test see the test description Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit/misc/tests/relro.c | 36 +++++++++++++++++++ audit/misc/tests/test_relro-pie.bash | 62 ++++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+), 0 deletions(-) create mode 100644 audit/misc/tests/relro.c create mode 100755 audit/misc/tests/test_relro-pie.bash
diff --git a/audit/misc/tests/relro.c b/audit/misc/tests/relro.c
new file mode 100644
index 0000000..363e3b2
--- /dev/null
+++ b/audit/misc/tests/relro.c
@@ -0,0 +1,36 @@
+/*
+ * Test to exercise PIE and RELRO provided by Roland McGrath <ro...@re...>.
+ *
+ * Description:
+ * Simple test for RELRO, which happens to be a PIE too, but that's only
+ * because this kind of example has to be in PIC code to make RELRO relevant,
+ * and PIE makes it simpler to write a standalone one-file test than writing
+ * a DSO.
+ *
+ * The "const" makes "foo" .rodata material, and the init to an external symbol
+ * reference makes it require a data relocation. Enabling -z relro for this
+ * link puts that .rodata into a RELRO area. This program will crash because
+ * the page containing "foo" has been made read-only when "main" runs.
+ * Without RELRO, it would let you modify "foo" even though it's supposed to
+ * be const.
+ *
+ * Test with RELRO should fail:
+ * $ gcc -pie -fPIE -g -Wl,-z,relro -o relro relro.c
+ * $ ./relro
+ * Segmentation fault (core dumped)
+ *
+ * Test without RELRO should pass:
+ * $ gcc -pie -fPIE -g -o no-relro relro.c
+ * $ ./no-relro
+ *
+**/
+
+
+#include <stdio.h>
+
+void *const foo = &stdout;
+
+int main (void)
+{
+ *(void **) &foo = &stderr;
+}
diff --git a/audit/misc/tests/test_relro-pie.bash b/audit/misc/tests/test_relro-pie.bash
new file mode 100755
index 0000000..3c9c722
--- /dev/null
+++ b/audit/misc/tests/test_relro-pie.bash
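Review bot: `main` in relro.c reaches its closing brace without a `return`, yet test_relro-pie.bash uses the exit status of `./no-relro` as the pass/fail signal. Only C99 and later define that case as returning 0; the documented build lines pass no `-std=` option, so with a C89/gnu89 compiler default the status is unspecified and the no-RELRO case could fail spuriously. Add `return 0;` after the store. A short comment on the store would also help, noting that writing to a `const` object is deliberately undefined behaviour and that the test relies on an unoptimised build (no `-O` flag), since an optimiser is not obliged to keep that write.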
@@ -0,0 +1,62 @@
+#!/bin/bash
+###############################################################################
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+###############################################################################
+#
+# Test to exercise RELRO and PIE
+#
+# AUTHOR: Eduard Benes <eb...@re...>
+#
+# DESCRIPTION:
+# Simple test for RELRO, which happens to be a PIE too, but that's only
+# because this kind of example has to be in PIC code to make RELRO relevant,
+# and PIE makes it simpler to write a standalone one-file test than writing
+# a DSO. Refer to relro.c for more details.
+#
+# Test with RELRO should fail:
+# $ gcc -pie -fPIE -g -Wl,-z,relro -o relro relro.c
+# $ ./relro
+# Segmentation fault (core dumped)
+#
+# Test without RELRO should pass:
+# $ gcc -pie -fPIE -g -o no-relro relro.c
+# $ ./no-relro
+#
+
+source testcase.bash || exit 2
+
+prepend_cleanup "rm -f ./relro ./no-relro"
+
+#### main ####
+
+# be verbose
+set -x
+
+[ -r relro.c ] || exit_error "Unable to read source code file "
+
+# Good case
+/usr/bin/gcc -pie -fPIE -g -Wl,-z,relro -o relro relro.c || \
+ exit_error "Failed to build test program"
+./relro
+[ ! $? -eq 139 ] && exit_fail "Test is expected to crash with segmentation fault"
+
+# Bad case
+/usr/bin/gcc -pie -fPIE -g -o no-relro relro.c || \
+ exit_error "Failed to build test program"
+./no-relro || exit_fail "Test is expected to pass without RELRO"
+
+exit_pass
-- 1.7.1 |
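Review bot: The "Bad case" build assumes the linker applies no RELRO unless asked. On a toolchain whose default is `-z relro`, `./no-relro` would crash as well and the test would report a failure that says nothing about the system under test. Make the negative build explicit with `/usr/bin/gcc -pie -fPIE -g -Wl,-z,norelro -o no-relro relro.c`. In the good case, `[ ! $? -eq 139 ]` reads more plainly as `[ $? -ne 139 ]`, and a comment that 139 is 128 + SIGSEGV (11) would document the magic number.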
From: Linda K. <lin...@hp...> - 2011-07-19 21:28:10
Thanks Miroslav, I've pushed this patch set. -- ljk > audit/Makefile | 3 +- > audit/misc/Makefile | 20 +++++++++++ > audit/misc/run.conf | 42 +++++++++++++++++++++++ > audit/misc/tests/Makefile | 19 ++++++++++ > audit/misc/tests/relro.c | 36 +++++++++++++++++++ > audit/misc/tests/test_relro-pie.bash | 62 ++++++++++++++++++++++++++++++++++ > 6 files changed, 181 insertions(+), 1 deletions(-) > create mode 100644 audit/misc/Makefile > create mode 100644 audit/misc/run.conf > create mode 100644 audit/misc/tests/Makefile > create mode 100644 audit/misc/tests/relro.c > create mode 100755 audit/misc/tests/test_relro-pie.bash |