fix nx check

Makefile

@@ -0,0 +1,11 @@
+# ----------------------------------------------------------------------------
+SHELL = bash
+
+.PHONY: build
+build:
+	@echo "Building checksec"
+	./hack/build.sh
+
+.PHONY: test
+test:
+	./tests/test-checksec.sh

checksec

@@ -30,6 +30,8 @@ PATH=${PATH}:/sbin/:/usr/sbin/:/usr/bin/:/bin/
 # sanitize the environment before run
 [[ "$(env | sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
 
+export PS4='+(${BASH_SOURCE##*/}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
 # License: BSD License
 # https://opensource.org/licenses/bsd-license.php
 
@@ -638,7 +640,7 @@ debug_report() {
   echo "OS=${OS}"
   echo "VER=${VER}"
 
-  for command in cat awk sysctl uname objdump mktemp openssl grep stat file find head ps readlink basename id which wget curl readelf eu-readelf; do
+  for command in cat awk sysctl sed uname objdump mktemp openssl grep stat file find head ps readlink basename id which wget curl readelf eu-readelf; do
     path="$(command -v ${command})"
     if [[ -e "${path}" ]]; then
       ls -l "${path}"
@@ -663,8 +665,8 @@ debug_report() {
 # check file(s)
 filecheck() {
   # check for RELRO support
-  if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_RELRO' && objdump -R "${1}" 2> /dev/null | grep -q "$(${readelf} -l "${1}" | grep 'GNU_RELRO' | awk '{ print $3 }' | sed 's/^0x//')"; then
-    if ${readelf} -d "${1}" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
+  if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_RELRO'; then
+    if (${readelf} -d "${1}" 2> /dev/null | grep -q 'BIND_NOW' && ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt') || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
       echo_message '\033[32mFull RELRO   \033[m   ' 'Full RELRO,' '<file relro="full"' " \"${1}\": { \"relro\":\"full\","
     else
       echo_message '\033[33mPartial RELRO\033[m   ' 'Partial RELRO,' '<file relro="partial"' " \"${1}\": { \"relro\":\"partial\","
@@ -681,8 +683,9 @@ filecheck() {
   fi
 
   # check for NX support
+  # shellcheck disable=SC2126
   if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_STACK'; then
-    if ${readelf} -l "${1}" 2> /dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
+    if [[ $(${s_readelf} -l "${1}" 2> /dev/null | grep -A 1 'GNU_STACK' | sed 'N;s/\n//g' | grep -Eo "0x[0-9a-f]{16}" | grep -v 0x0000000000000000 | wc -l) -gt 0 ]]; then
       echo_message '\033[31mNX disabled\033[m   ' 'NX disabled,' ' nx="no"' '"nx":"no",'
     else
       echo_message '\033[32mNX enabled \033[m   ' 'NX enabled,' ' nx="yes"' '"nx":"yes",'
@@ -1443,8 +1446,8 @@ nxcheck() {
 proccheck() {
   # check for RELRO support
   if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'Program Headers'; then
-    if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'GNU_RELRO' && objdump -R "${1}/exe" 2> /dev/null | grep -q "$(${readelf} -l "${1}/exe" | grep 'GNU_RELRO' | awk '{ print $3 }' | sed 's/^0x//')"; then
-      if ${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
+    if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'GNU_RELRO'; then
+      if (${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' && ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '.got.plt') || ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '.got.plt'; then
         echo_message '\033[32mFull RELRO   \033[m   ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
       else
         echo_message '\033[33mPartial RELRO\033[m   ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
@@ -1506,7 +1509,8 @@ proccheck() {
   fi
 
   # first check for PaX support
-  if grep -q 'PaX:' "${1}/status" 2> /dev/null; then
+  # shellcheck disable=SC2126
+  if [[ $(grep -c 'PaX:' "${1}/status" 2> /dev/null) -gt 0 ]]; then
     pageexec=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b6)
     segmexec=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b10)
     mprotect=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b8)
@@ -1525,7 +1529,7 @@ proccheck() {
       echo_message '\033[31mPaX disabled\033[m  ' 'Pax disabled,' ' pax="no"' '"pax":"no",'
     fi
     # fallback check for NX support
-  elif ${readelf} -l "${1}/exe" 2> /dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
+  elif [[ $(${s_readelf} -l "${1}/exe" 2> /dev/null | grep -A 1 'GNU_STACK' | sed 'N;s/\n//g' | grep -Eo "0x[0-9a-f]{16}" | grep -v 0x0000000000000000 | wc -l) -gt 0 ]]; then
     echo_message '\033[31mNX disabled\033[m   ' 'NX disabled,' ' nx="no"' '"nx":"no",'
   else
     echo_message '\033[32mNX enabled \033[m   ' 'NX enabled,' ' pax="yes"' '"nx":"yes",'

src/functions/debug.sh

@@ -48,7 +48,7 @@ debug_report() {
   echo "OS=${OS}"
   echo "VER=${VER}"
 
-  for command in cat awk sysctl uname objdump mktemp openssl grep stat file find head ps readlink basename id which wget curl readelf eu-readelf; do
+  for command in cat awk sysctl sed uname objdump mktemp openssl grep stat file find head ps readlink basename id which wget curl readelf eu-readelf; do
     path="$(command -v ${command})"
     if [[ -e "${path}" ]]; then
       ls -l "${path}"

src/functions/filecheck.sh

@@ -5,8 +5,8 @@
 # check file(s)
 filecheck() {
   # check for RELRO support
-  if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_RELRO' && objdump -R "${1}" 2> /dev/null | grep -q "$(${readelf} -l "${1}" | grep 'GNU_RELRO' | awk '{ print $3 }' | sed 's/^0x//')"; then
-    if ${readelf} -d "${1}" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
+  if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_RELRO'; then
+    if (${readelf} -d "${1}" 2> /dev/null | grep -q 'BIND_NOW' && ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt') || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
       echo_message '\033[32mFull RELRO   \033[m   ' 'Full RELRO,' '<file relro="full"' " \"${1}\": { \"relro\":\"full\","
     else
       echo_message '\033[33mPartial RELRO\033[m   ' 'Partial RELRO,' '<file relro="partial"' " \"${1}\": { \"relro\":\"partial\","
@@ -23,8 +23,9 @@ filecheck() {
   fi
 
   # check for NX support
+  # shellcheck disable=SC2126
   if ${readelf} -l "${1}" 2> /dev/null | grep -q 'GNU_STACK'; then
-    if ${readelf} -l "${1}" 2> /dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
+    if [[ $(${s_readelf} -l "${1}" 2> /dev/null | grep -A 1 'GNU_STACK' | sed 'N;s/\n//g' | grep -Eo "0x[0-9a-f]{16}" | grep -v 0x0000000000000000 | wc -l) -gt 0 ]]; then
       echo_message '\033[31mNX disabled\033[m   ' 'NX disabled,' ' nx="no"' '"nx":"no",'
     else
       echo_message '\033[32mNX enabled \033[m   ' 'NX enabled,' ' nx="yes"' '"nx":"yes",'

src/functions/proccheck.sh

@@ -6,8 +6,8 @@
 proccheck() {
   # check for RELRO support
   if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'Program Headers'; then
-    if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'GNU_RELRO' && objdump -R "${1}/exe" 2> /dev/null | grep -q "$(${readelf} -l "${1}/exe" | grep 'GNU_RELRO' | awk '{ print $3 }' | sed 's/^0x//')"; then
-      if ${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}" 2> /dev/null | grep -q '.got.plt'; then
+    if ${readelf} -l "${1}/exe" 2> /dev/null | grep -q 'GNU_RELRO'; then
+      if (${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' && ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '.got.plt') || ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '.got.plt'; then
         echo_message '\033[32mFull RELRO   \033[m   ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
       else
         echo_message '\033[33mPartial RELRO\033[m   ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
@@ -69,7 +69,8 @@ proccheck() {
   fi
 
   # first check for PaX support
-  if grep -q 'PaX:' "${1}/status" 2> /dev/null; then
+  # shellcheck disable=SC2126
+  if [[ $(grep -c 'PaX:' "${1}/status" 2> /dev/null) -gt 0 ]]; then
     pageexec=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b6)
     segmexec=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b10)
     mprotect=$(grep 'PaX:' "${1}/status" 2> /dev/null | cut -b8)
@@ -88,7 +89,7 @@ proccheck() {
       echo_message '\033[31mPaX disabled\033[m  ' 'Pax disabled,' ' pax="no"' '"pax":"no",'
     fi
     # fallback check for NX support
-  elif ${readelf} -l "${1}/exe" 2> /dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
+  elif [[ $(${s_readelf} -l "${1}/exe" 2> /dev/null | grep -A 1 'GNU_STACK' | sed 'N;s/\n//g' | grep -Eo "0x[0-9a-f]{16}" | grep -v 0x0000000000000000 | wc -l) -gt 0 ]]; then
     echo_message '\033[31mNX disabled\033[m   ' 'NX disabled,' ' nx="no"' '"nx":"no",'
   else
     echo_message '\033[32mNX enabled \033[m   ' 'NX enabled,' ' pax="yes"' '"nx":"yes",'

src/header.sh

@@ -30,5 +30,7 @@ PATH=${PATH}:/sbin/:/usr/sbin/:/usr/bin/:/bin/
 # sanitize the environment before run
 [[ "$(env | sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@"
 
+export PS4='+(${BASH_SOURCE##*/}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
 # License: BSD License
 # https://opensource.org/licenses/bsd-license.php