Package: hardening-includes
Version: 2.2
Severity: wishlist

Hi,

Currently hardening-check invokes readelf 3 times per ELF file.  It is
my understanding that forking is significantly more expensive on
kFreeBSD based platforms.  Please consider reducing it to at most once
per file.

It is possible to reduce the number of readelf calls even more by
using (e.g.) xargs, though it is hardly trivial.  If you need
inspiration for this case, consider looking at
collection/object-dump{,-helper} in Lintian.

Below is the sample ad-hoc patch I used for testing.  It seems to work ok,
but it has not been tested a lot and has a couple of "style" issues...  :)

~Niels

$ diff -u /usr/bin/hardening-check hardening-check-forkless
--- /usr/bin/hardening-check    2012-06-14 16:41:46.000000000 +0000
+++ hardening-check-forkless    2012-09-23 13:00:09.000000000 +0000
@@ -200,14 +200,15 @@
     return $1 || "";
 }
 
-sub find_functions($$) {
-    my ($file, $undefined) = @_;
+sub find_functions($$;$) {
+    my ($file, $undefined, $relocs) = @_;
     my (%funcs);
 
     # Catch "NOTYPE" for object archives.
     my $func_regex = " (I?FUNC|NOTYPE) ";
 
-    my $relocs = output("readelf", "-sW", $file);
+    $relocs = output("readelf", "-sW", $file)
+       unless defined $relocs;
     for my $line (split("\n", $relocs)) {
         next if ($line !~ /$func_regex/);
         next if ($undefined && $line !~ /$func_regex.* UND /);
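Review bot: The new optional third argument to find_functions() is undocumented and reuses the name $relocs, which no longer describes what it holds once a caller supplies it. Please add a comment above the sub stating that the argument, when given, must contain at least the "readelf -sW" symbol table output for $file, and that the sub falls back to running readelf itself when it is undefined. Because the loop filters only with $func_regex, any caller that passes a larger report is relying on that regex never matching a non-symbol line; say so in the comment, or have the caller pass only the symbol table part.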
@@ -247,17 +248,18 @@
     @tags = ();
 
     # Get program headers.
-    my $PROG_REPORT=output("readelf", "-lW", $file);
+    my $PROG_REPORT=output("readelf", "-lsdW", $file);
     if (length($PROG_REPORT) == 0) {
         $overall = 1;
         next;
     }
 
     # Get ELF headers.
-    my $DYN_REPORT=output("readelf", "-dW", $file);
+#    my $DYN_REPORT=output("readelf", "-dW", $file);
+    my $DYN_REPORT=$PROG_REPORT;
 
     # Get list of all symbols needing external resolution.
-    my $functions = find_functions($file, 1);
+    my $functions = find_functions($file, 1, $PROG_REPORT);
 
     # PIE
     # First, verify this is an executable, not a library. This seems to be
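Review bot: After "my $DYN_REPORT=$PROG_REPORT;" both variables hold the combined "-lsdW" output, so every later match against either one now also sees program header, dynamic section and symbol table lines together. Each check that follows should be reviewed to confirm that a pattern meant for one section cannot be satisfied by a line from another, since that would make a hardening feature appear present or absent incorrectly. On style: drop the commented-out "# my $DYN_REPORT=output(...)" line instead of leaving it in place, update the "Get program headers." and "Get ELF headers." comments to reflect the single readelf call, and consider one neutrally named variable (or splitting the report per section) rather than two aliases.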

