Libguestfs - Aug 2009 - [PATCH] Add a test for an executable stack in libguestfs.so

---
 capitests/Makefile.am           |    4 ++-
 capitests/check-noexec-stack.pl |   58 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletions(-)
 create mode 100755 capitests/check-noexec-stack.pl

diff --git a/capitests/Makefile.am b/capitests/Makefile.am
index 71928ec..08466ac 100644
--- a/capitests/Makefile.am
+++ b/capitests/Makefile.am
@@ -22,13 +22,15 @@ EXTRA_DIST = \
 # in the generator.
 
 check_PROGRAMS = tests test-command
+check_SCRIPTS = check-noexec-stack.pl
 
 tests_SOURCES = tests.c
 tests_CFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src -Wall
 tests_LDADD = $(top_builddir)/src/libguestfs.la
 
-TESTS = tests
+TESTS = check-noexec-stack.pl tests
 TESTS_ENVIRONMENT = \
+	NOEXEC_CHECK=$(top_builddir)/src/.libs/libguestfs.so \
 	SKIP_TEST_COMMAND=$(shell ldd test-command | grep -sq 'not a dynamic
executable' || echo 1) \
 	SKIP_TEST_COMMAND_LINES=$(shell ldd test-command | grep -sq 'not a dynamic
executable' || echo 1) \
 	SKIP_TEST_ZEROFREE=$(shell test -x ../initramfs/usr/sbin/zerofree || echo 1) \
diff --git a/capitests/check-noexec-stack.pl b/capitests/check-noexec-stack.pl
new file mode 100755
index 0000000..7654c78
--- /dev/null
+++ b/capitests/check-noexec-stack.pl
@@ -0,0 +1,58 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+my $file = $ENV{NOEXEC_CHECK};
+die("NOEXEC_CHECK not set") unless(defined($file));
+
+my $output;
+open($output, '-|', "readelf -l $file") or die("Unable
to execute readelf");
+
+my $offset;
+my $line = 1;
+
+# Find the offset of the Flags field
+while(<$output>) {
+    next unless(/^\s*Type\b/);
+
+    my @lines;
+    push(@lines, $_);
+
+    # Look for a Flg field on this line (32 bit)
+    $offset = index($_, 'Flg ');
+
+    if(-1 == $offset) {
+        # 64 bit is split over 2 lines. Look for a Flags field on the next line
+        $_ = <$output>;
+        $offset = index($_, 'Flags ');
+        $line = 2;
+        push(@lines, $_);
+    }
+
+    die("Unrecognised header: ".join("\n", @lines)) if(-1
== $offset);
+    last;
+}
+
+# Find the GNU_STACK entry
+while(<$output>) {
+    next unless(/^\s*GNU_STACK\b/);
+
+    # Skip over input lines according to the header
+    for(my $i = 1; $i < $line; $i++) {
+        $_ = <$output>;
+    }
+
+    my $flags = substr($_, $offset, 3);
+
+    $flags =~ /^[ R][ W]([ E])$/ or die("Unrecognised flags:
$flags");
+
+    if('E' eq $1) {
+        print "***** $ARGV[0] has an executable stack *****\n";
+        exit(1);
+    }
+
+    exit(0);
+}
+
+die("Didn't find GNU_STACK entry");
-- 
1.6.2.5

On Wed, Aug 05, 2009 at 11:11:59AM +0100, Matthew Booth
wrote:
> diff --git a/capitests/Makefile.am b/capitests/Makefile.am
Tests like this should probably go in the 'regressions/'
directory, which (despite its name) contains random tests
written in Perl and shell scripts.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 75 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

I've updated the patch. It's now in regressions, and checks both
libguestfs.so
and the guest daemon. It occurs to me that it's the daemon that's would
get an
executable stack from the specific patch I posted the other day. However, would
this actually matter specifically for the daemon?