From b9159b770bf7ad93f1038aeb79bc0e58e5986b27 Mon Sep 17 00:00:00 2001
From: Bjoern Tropf
Date: Wed, 30 Dec 2009 13:22:13 +0100
Subject: Add additional configuration checks

Add overlays to get_genpatch()
---
 pym/kernelcheck/kernelcheck.py   | 12 +++--
 pym/kernelcheck/lib/kernellib.py | 96 ++++++++++++++++++++++++++++------------
 2 files changed, 77 insertions(+), 31 deletions(-)

diff --git a/pym/kernelcheck/kernelcheck.py b/pym/kernelcheck/kernelcheck.py
index f097a39..3f066cb 100755
--- a/pym/kernelcheck/kernelcheck.py
+++ b/pym/kernelcheck/kernelcheck.py
@@ -79,11 +79,15 @@ def main(argv):
 
     arch = portage.settings['ARCH']
     if not arch:
-        kernel.arch = '?'
+        kernel.arch = ''
     else:
         kernel.arch = arch
 
-    genpatch = lib.get_genpatch(lib.PORTDIR, kernel)
+    nx_bit = lib.check_nx_bit()
+    if nx_bit:
+        kernel.arch += ' (nx-bit supported)'
+
+    genpatch = lib.get_genpatch(kernel)
     if not genpatch:
         kernel.genpatch = None
     else:
@@ -97,8 +101,10 @@ def main(argv):
         'Architecture' : kernel.arch
     }
 
+    configuration = lib.gather_configuration()
+
     print_items(information, 'Information')
-    print_items(lib.gather_configuration(), 'Configuration')
+    print_items(configuration, 'Configuration')
 
     print('\nDetermining vulnerabilities... '),
 
diff --git a/pym/kernelcheck/lib/kernellib.py b/pym/kernelcheck/lib/kernellib.py
index 264428b..7affbde 100644
--- a/pym/kernelcheck/lib/kernellib.py
+++ b/pym/kernelcheck/lib/kernellib.py
@@ -44,8 +44,7 @@ KERNEL_TYPES = [
 VERSION = '0.3.16'
 DEBUG = False
 
-PORTDIR = portage.settings['PORTDIR']
-KERNELDIR = os.path.join(PORTDIR, 'metadata', 'kernel')
+KERNELDIR = os.path.join(portage.settings['PORTDIR'], 'metadata', 'kernel')
 
 def BUG_ON(msg, e):
     if DEBUG:
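Review bot: Appending `' (nx-bit supported)'` to kernel.arch in the new `if nx_bit:` branch alters the value that the vulnerability pass compares against CVE entries (`item.arch != kernel.arch` in eval_cve_files, and `compare.arch = kernel.arch` in eval_kernel_updates, both visible in the kernellib hunks below), so on any NX-capable machine the arch no longer equals e.g. `amd64` and every architecture-specific entry is silently treated as not applicable. Keep the decoration for display only: `kernel.arch = arch or ''`, and build the report field as `'Architecture' : kernel.arch + (' (nx-bit supported)' if nx_bit else '')`. main() continues outside the hunk, so whether kernel.arch feeds further comparisons there cannot be confirmed from this view.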
@@ -346,21 +345,29 @@ def is_in_interval(interval, kernel, bugid=None):
     return True
 
 
-def get_genpatch(directory, kernel):
+def get_genpatch(kernel):
     'Returns a list containing all genpatches from portage'
 
     patches = list()
-    directory = os.path.join(directory, 'sys-kernel')
 
-    for sources in os.listdir(directory):
-        if '-sources' in sources:
-            for ebuild in os.listdir(os.path.join(directory, sources)):
-                if '.ebuild' in ebuild:
-                    genpatch = extract_genpatch(ebuild, directory, sources)
+    directories = portage.settings['PORTDIR_OVERLAY'].split(' ')
+    directories.insert(0, portage.settings['PORTDIR'])
 
-                    if genpatch is not None:
-                        if genpatch.kernel == kernel:
-                            return genpatch
+    for tree in directories:
+        tree = os.path.join(tree, 'sys-kernel')
+
+        if not os.path.isdir(tree):
+            continue
+
+        for sources in os.listdir(tree):
+            if '-sources' in sources:
+                for ebuild in os.listdir(os.path.join(tree, sources)):
+                    if '.ebuild' in ebuild:
+                        genpatch = extract_genpatch(ebuild, tree, sources)
+
+                        if genpatch is not None:
+                            if genpatch.kernel == kernel:
+                                return genpatch
 
     return None
 
@@ -437,7 +444,7 @@ def eval_cve_files(directory, kernel, spinner=None):
                 spinner.update()
             evaluation.read += 1
 
-            if item.arch not in ARCHES:
+            if item.arch not in ARCHES: #TODO move to cron.py
                 BUG_ON('[Error] Wrong architecture %s' % item.arch, item.bugid)
 
             if item.arch != kernel.arch and item.arch != 'all':
@@ -655,7 +662,7 @@ def eval_kernel_updates(kernel, kernel_eval, spinner):
                 (compare.version == kernel.version and \
                  compare.revision > kernel.revision):
                 compare.arch = kernel.arch
-                compare.genpatch = get_genpatch(PORTDIR, compare)
+                compare.genpatch = get_genpatch(compare)
                 compare_eval = eval_cve_files(KERNELDIR, compare, spinner)
                 comparison = compare_evaluation(kernel_eval, compare_eval)
 
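Review bot: `portage.settings['PORTDIR_OVERLAY'].split(' ')` yields `['']` when no overlay is configured, and `os.path.join('', 'sys-kernel')` then produces the relative path `sys-kernel`, so get_genpatch will read ebuilds from any `sys-kernel` directory under the current working directory instead of a portage tree. Split on whitespace and drop empties — `directories = portage.settings['PORTDIR_OVERLAY'].split()` — which also handles overlays separated by newlines or tabs in make.conf, and skip anything that is not absolute with `if not os.path.isabs(tree): continue` before the join. Whether `settings[...]` raises or returns '' for an unset key depends on the portage version, so `settings.get('PORTDIR_OVERLAY', '')` is the safer lookup either way. Note also that `os.listdir` on an unreadable overlay will raise here where the old single-tree walk would have too; consider whether a best-effort `continue` is wanted for overlays.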
@@ -670,25 +677,58 @@ def eval_kernel_updates(kernel, kernel_eval, spinner):
     return kernel_dict
 
 
+def read_proc_entry(proc_entry):
+    "Return information from /proc"
+
+    if type(proc_entry) is not str:
+        return ''
+
+    result = str()
+    try:
+        result = open(proc_entry).read().strip()
+    except:
+        result = ''
+
+    return result
+
+
+def check_nx_bit():
+    "Return true if NX bit is supported by the processor architecture"
+
+    cpuinfo = read_proc_entry('/proc/cpuinfo')
+    if ' nx ' in cpuinfo:
+        return True
+
+    return False
+
+
 def gather_configuration():
-    ""
+    "Return a dictionary containing kernel configuration information"
 
     config = dict()
-    mmap_min_addr = str()
-    modules = str()
+    aslr_desc = str()
+    loaded_modules = str()
+
+    aslr = read_proc_entry('/proc/sys/kernel/randomize_va_space')
+    if aslr == '1':
+        aslr_desc = 'mmap_base stack vdso'
+    elif aslr == '2':
+        aslr_desc = 'heap mmap_base stack vdso'
+    elif aslr == 0:
+        aslr_desc = 'none'
+    else:
+        aslr_desc = aslr
 
-    try:
-        mmap_min_addr = open('/proc/sys/vm/mmap_min_addr').read().strip()
-    except: #FIXME
-        mmap_min_addr = '?'
-    config['Mmap_min_addr'] = mmap_min_addr
+    mmap_min_addr = read_proc_entry('/proc/sys/vm/mmap_min_addr')
 
-    try:
-        for line in open('/proc/modules').readlines():
-            modules += '%s ' % line.split(' ')[0]
-    except: #FIXME
-        modules = '?'
-    config['Loaded modules'] = modules
+    for line in read_proc_entry('/proc/modules').split('\n'):
+        loaded_modules += '%s ' % line.split(' ')[0]
+
+    config = {
+        'Randomization' : aslr_desc,
+        'Mmap_min_addr' : mmap_min_addr,
+        'Loaded modules' : loaded_modules
+    }
 
     return config
 
-- 
cgit v1.2.3-65-gdbad
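Review bot: `elif aslr == 0:` in gather_configuration compares the string returned by read_proc_entry with an int, so the branch is never taken and a kernel with randomization switched off is reported as `0` rather than `none`; it should read `elif aslr == '0':`. check_nx_bit tests `' nx '` against the whole of /proc/cpuinfo, which misses the flag when it is last on the flags line (no trailing space) and could match the token in another field; parse the flags line instead: `flags = [l.split(':', 1)[1].split() for l in cpuinfo.splitlines() if l.startswith('flags')]` followed by `return any('nx' in f for f in flags)`. read_proc_entry also returns '' for an unreadable entry, so a failed read is now indistinguishable from an empty value where the old code printed '?', and its bare `except:` swallows KeyboardInterrupt as well — `except (IOError, OSError):` with `with open(proc_entry) as f:` would be tighter. Finally, an NX-capable CPU does not mean the running kernel enforces it (32-bit needs PAE), so the `nx-bit supported` label should be documented as a CPU capability, not a hardening status.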