#!/bin/bash
###############################################################################
#                                                                             #
# Pakfire - The IPFire package management system                              #
# Copyright (C) 2021 Pakfire development team                                 #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

error() {
	echo "$@" >&2
}

main() {
	local buildroot="${1}"
	shift

	# Check if BUILDROOT exists
	if [ ! -d "${buildroot}" ]; then
		error "BUILDROOT does not exist"
		return 1
	fi

	local missing_ssp=()
	local no_pie=()
	local exec_stack=()
	local not_relro=()
	local partly_relro=()

	local file
	for file in $(find "${buildroot}" -type f | sort); do
		case "${file}" in
			# Filter out startfiles
			*/crt[1in].o)
				continue
				;;

			# Filter out kernel modules
			*.ko)
				continue
				;;
		esac

		# Skip anything that isn't an ELF file
		if ! file "${file}" | grep -q "ELF"; then
			continue
		fi

		# Does this file have stack smashing protection enabled?
		if ! readelf -s "${file}" 2>/dev/null | grep -q "__stack_chk_fail"; then
			missing_ssp+=( "${file}" )
		fi

		# Is this file built with -fPIC?
		if readelf -h "${file}" 2>/dev/null | grep -qE "Type:[[:space:]]*EXEC"; then
			no_pie+=( "${file}" )
		fi

		# Does this file have an executable stack?
		if readelf -l "${file}" 2>/dev/null | grep -A1 "GNU_STACK" | grep -q "RWE"; then
			exec_stack+=( "${file}" )
		fi

		# Perform more checks for shared objects (i.e. libraries)
		if file "${file}" | grep -q "shared object"; then
			# Is this file partly RELRO?
			if ! readelf -l "${file}" 2>/dev/null | grep -q "GNU_RELRO"; then
				not_relro+=( "${file}" )
				continue
			fi

			# Is this file fully RELRO?
			if ! readelf -d "${file}" 2>/dev/null | grep -q "BIND_NOW"; then
				partly_relro+=( "${file}" )
			fi
		fi
	done

	local r=0

	# Log files without SSP
	if [ "${#missing_ssp[@]}" -gt 0 ]; then
		error "The following files do not have stack-smashing protection enabled:"
		for file in ${missing_ssp[@]}; do
			error "  ${file/${buildroot}/}"
		done

		r=1
	fi

	# Log files without PIE
	if [ "${#no_pie[@]}" -gt 0 ]; then
		error "The following files have not been compiled as place-independent executables:"
		for file in ${no_pie[@]}; do
			error "  ${file/${buildroot}/}"
		done

		r=1
	fi

	# Log files with an executable stack
	if [ "${#exec_stack[@]}" -gt 0 ]; then
		error "The following files have an executable stack:"
		for file in ${exec_stack[@]}; do
			error "  ${file/${buildroot}/}"
		done

		r=1
	fi

	# Log files which are not RELRO
	if [ "${#not_relro[@]}" -gt 0 ]; then
		error "The following files are not fully RELRO:"
		for file in ${not_relro[@]}; do
			error "  ${file/${buildroot}/}"
		done

		r=1
	fi

	# Log files which are only partially RELRO
	if [ "${#partly_relro[@]}" -gt 0 ]; then
		error "The following files are only partially RELRO:"
		for file in ${partly_relro[@]}; do
			error "  ${file/${buildroot}/}"
		done

		r=1
	fi

	return "${r}"
}

main "$@" || exit $?
