Linux/ELF: Add option to scan loaded shared libraries (#24)

Dynamic linking is the standard on Linux.  Thus the hardening of dynamic
loaded shared libraries can affect programs as well.

Add a an option to scan all dynamic libraries for a binary/process.  For
binaries the list of libraries is taken from the ELF information and for
processes all executable mapped memory regions backed up by a file are
scanned.

Author: cgzones

Cargo.lock

@@ -28,9 +28,13 @@ panic = 'abort'   # Abort on panic
 clap = {version = "4.0.14", features = ["cargo"]}
 colored = {version = "2.0.0", optional = true}
 colored_json = {version = "3.0.1", optional = true}
+either = "1.8.1"
+glob = "0.3.0"
 goblin = "0.6.0"
 ignore = "0.4.18"
+itertools = "0.10.5"
 memmap2 = "0.5.7"
+rayon = "1.7.0"
 scroll = "0.11.0"
 scroll_derive = "0.11.0"
 serde = {version = "1.0.145", features = ["derive"]}

Cargo.toml

@@ -1,10 +1,6 @@
 #[cfg(feature = "color")]
 use colored::Colorize;
 use serde::{Deserialize, Serialize};
-#[cfg(all(feature = "color", not(target_os = "windows")))]
-use std::os::unix::fs::PermissionsExt;
-#[cfg(all(feature = "color", not(target_os = "windows")))]
-use std::path::Path;
 use std::path::PathBuf;
 use std::{fmt, usize};
 
@@ -15,7 +11,7 @@ use checksec::macho;
 #[cfg(feature = "pe")]
 use checksec::pe;
 
-#[derive(Debug, Deserialize, Eq, PartialEq, Serialize)]
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub enum BinType {
     #[cfg(feature = "elf")]
     Elf32,
@@ -69,7 +65,7 @@ impl fmt::Display for BinType {
     }
 }
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub enum BinSpecificProperties {
     #[cfg(feature = "elf")]
     Elf(elf::CheckSecResults),
@@ -91,83 +87,30 @@ impl fmt::Display for BinSpecificProperties {
     }
 }
 
-#[derive(Debug, Deserialize, Serialize)]
-pub struct Binary {
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Blob {
     pub binarytype: BinType,
-    pub file: PathBuf,
     pub properties: BinSpecificProperties,
 }
-#[cfg(not(feature = "color"))]
-impl fmt::Display for Binary {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(
-            f,
-            "{}: | {} | File: {}",
-            self.binarytype,
-            self.properties,
-            self.file.display()
-        )
-    }
-}
-#[cfg(feature = "color")]
-impl fmt::Display for Binary {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        #[cfg(target_os = "windows")]
-        let filefmt = self.file.display().to_string().bright_blue();
-        #[cfg(not(target_os = "windows"))]
-        let filefmt = match std::fs::metadata(&self.file) {
-            Ok(md) => {
-                #[cfg(target_os = "linux")]
-                fn has_filecaps(file: &Path) -> bool {
-                    xattr::get(file, "security.capability")
-                        .unwrap_or(None)
-                        .is_some()
-                }
-                #[cfg(not(target_os = "linux"))]
-                fn has_filecaps(_file: &Path) -> bool {
-                    false
-                }
 
-                let mode = md.permissions().mode();
-                if mode & 0o4000 == 0o4000 {
-                    self.file.display().to_string().white().on_red()
-                } else if mode & 0o2000 == 0o2000 {
-                    self.file.display().to_string().black().on_yellow()
-                } else if has_filecaps(&self.file) {
-                    self.file.display().to_string().black().on_blue()
-                } else {
-                    self.file.display().to_string().bright_blue()
-                }
-            }
-            Err(_) => self.file.display().to_string().bright_blue(),
-        };
-
-        write!(
-            f,
-            "{}: | {} | {} {}",
-            self.binarytype,
-            self.properties,
-            "File:".bold().underline(),
-            filefmt
-        )
-    }
-}
-impl Binary {
-    pub const fn new(
+impl Blob {
+    pub fn new(
         binarytype: BinType,
-        file: PathBuf,
         properties: BinSpecificProperties,
     ) -> Self {
-        Self { binarytype, file, properties }
+        Self { binarytype, properties }
     }
 }
 
-#[derive(Deserialize, Serialize)]
-pub struct Binaries {
-    pub binaries: Vec<Binary>,
+#[derive(Clone, Deserialize, Serialize)]
+pub struct Binary {
+    pub file: PathBuf,
+    pub blobs: Vec<Blob>,
+    pub libraries: Vec<Binary>,
 }
-impl Binaries {
-    pub fn new(binaries: Vec<Binary>) -> Self {
-        Self { binaries }
+
+impl Binary {
+    pub fn new(file: PathBuf, blobs: Vec<Blob>) -> Self {
+        Self { file, blobs, libraries: vec![] }
     }
 }

src/binary.rs

@@ -1,6 +1,8 @@
 //! Implements checksec for ELF binaries
 #[cfg(feature = "color")]
 use colored::Colorize;
+#[cfg(target_os = "linux")]
+use either::Either;
 use goblin::elf::dynamic::{
     DF_1_NOW, DF_1_PIE, DF_BIND_NOW, DT_RPATH, DT_RUNPATH,
 };
@@ -9,13 +11,17 @@ use goblin::elf::program_header::{PF_X, PT_GNU_RELRO, PT_GNU_STACK};
 use goblin::elf::Elf;
 use serde_derive::{Deserialize, Serialize};
 use std::fmt;
+#[cfg(target_os = "linux")]
+use std::path::{Path, PathBuf};
 
 #[cfg(feature = "color")]
 use crate::colorize_bool;
+#[cfg(target_os = "linux")]
+use crate::ldso::{LdSoError, LdSoLookup};
 use crate::shared::{Rpath, VecRpath};
 
 /// Relocation Read-Only mode: `None`, `Partial`, or `Full`
-#[derive(Debug, Deserialize, Serialize, Eq, PartialEq)]
+#[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
 pub enum Relro {
     None,
     Partial,
@@ -50,7 +56,7 @@ impl fmt::Display for Relro {
 }
 
 /// Position Independent Executable mode: `None`, `DSO`, or `PIE`
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub enum PIE {
     None,
     DSO,
@@ -85,7 +91,7 @@ impl fmt::Display for PIE {
 }
 
 /// Fortification status: `Full`, `Partial`, `None` or `Undecidable`
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub enum Fortify {
     Full,
     Partial,
@@ -140,7 +146,7 @@ impl fmt::Display for Fortify {
 /// }
 /// ```
 #[allow(clippy::struct_excessive_bools)]
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct CheckSecResults {
     /// Stack Canary (*CFLAGS=*`-fstack-protector*`)
     pub canary: bool,
@@ -164,6 +170,8 @@ pub struct CheckSecResults {
     pub rpath: VecRpath,
     /// Run-time search path (`DT_RUNTIME`)
     pub runpath: VecRpath,
+    /// Linked dynamic libraries
+    pub dynlibs: Vec<String>,
 }
 impl CheckSecResults {
     #[must_use]
@@ -187,6 +195,11 @@ impl CheckSecResults {
             relro: elf.has_relro(),
             rpath: elf.has_rpath(),
             runpath: elf.has_runpath(),
+            dynlibs: elf
+                .libraries
+                .iter()
+                .map(std::string::ToString::to_string)
+                .collect(),
         }
     }
 }
@@ -540,6 +553,75 @@ impl Properties for Elf<'_> {
     }
 }
 
+#[cfg(target_os = "linux")]
+pub struct LibraryLookup {
+    ldsolookup: LdSoLookup,
+}
+
+#[cfg(target_os = "linux")]
+impl LibraryLookup {
+    /// Initialize a library lookup handle for Elf files.
+    ///
+    /// # Errors
+    /// Will fail if the ld.so.conf configuration can not be read or has an
+    /// invalid format.
+    pub fn new() -> Result<Self, LdSoError> {
+        Ok(Self { ldsolookup: LdSoLookup::gen_lookup_dirs()? })
+    }
+
+    #[must_use]
+    pub fn lookup(
+        &self,
+        binarypath: &Path,
+        rpath: &VecRpath,
+        runpath: &VecRpath,
+        libfilename: &str,
+    ) -> Option<PathBuf> {
+        let parentbinpath = if let Some(parent) = binarypath.parent() {
+            parent.to_str()
+        } else {
+            None
+        };
+
+        for rpath in rpath.iter().filter_map(|rpath| match rpath {
+            Rpath::YesRW(ref str) | Rpath::Yes(ref str) => Some(str),
+            Rpath::None => None,
+        }) {
+            let rpath = if let Some(p) = parentbinpath {
+                Either::Left(rpath.replace("$ORIGIN", p))
+            } else {
+                Either::Right(rpath)
+            };
+            let path = Path::new(&rpath).join(libfilename);
+            if path.is_file() {
+                return Some(path);
+            }
+        }
+
+        if let Some(path) = self.ldsolookup.search(libfilename) {
+            return Some(path);
+        }
+
+        for runpath in runpath.iter().filter_map(|rpath| match rpath {
+            Rpath::YesRW(ref str) | Rpath::Yes(ref str) => Some(str),
+
+            Rpath::None => None,
+        }) {
+            let runpath = if let Some(p) = parentbinpath {
+                Either::Left(runpath.replace("$ORIGIN", p))
+            } else {
+                Either::Right(runpath)
+            };
+            let path = Path::new(&runpath).join(libfilename);
+            if path.is_file() {
+                return Some(path);
+            }
+        }
+
+        None
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::FORTIFIABLE_FUNCTIONS;