[lintian] 03/08: c/binaries: Implement hardening-no-bindnow directly
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit db4f3041e20ebcb4f454f3a3e10331464c34b7a8
Author: Niels Thykier <niels@thykier.net>
Date: Sat Sep 17 19:43:16 2016 +0000
c/binaries: Implement hardening-no-bindnow directly
Signed-off-by: Niels Thykier <niels@thykier.net>
---
checks/binaries.pm | 7 ++++++-
helpers/coll/objdump-info-helper | 10 ++++++++++
lib/Lintian/Collect/Binary.pm | 6 +++++-
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/checks/binaries.pm b/checks/binaries.pm
index 5497660..e9d1d5d 100644
--- a/checks/binaries.pm
+++ b/checks/binaries.pm
@@ -560,6 +560,11 @@ sub run {
tag 'hardening-no-relro', $file;
}
+ if ($arch_hardening->{'hardening-no-bindnow'}
+ and not exists($objdump->{'FLAGS_1'}{'NOW'})) {
+ tag 'hardening-no-bindnow', $file;
+ }
+
# Check for missing hardening characteristics. This currently
# handles the following checks:
# no-relro no-fortify-functions no-stackprotector no-bindnow no-pie
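Review bot: The new test `exists($objdump->{'FLAGS_1'}{'NOW'})` autovivifies `$objdump->{'FLAGS_1'}` as an empty hash for every object that has no such entry, so the check mutates the collected data it is only meant to read. Any later code that tests `$objdump->{'FLAGS_1'}` for truth or existence would then see a value that the helper never produced. A non-vivifying form such as `and not($objdump->{'FLAGS_1'} and $objdump->{'FLAGS_1'}{'NOW'})` avoids that. It would also help to confirm that objects without a dynamic section (for example static executables) are filtered before this point; the guard is not visible here because `run` starts and ends outside the hunk.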
@@ -568,7 +573,7 @@ sub run {
foreach my $t (@{$info->hardening_info->{$fname}}) {
my $tag = "hardening-$t";
# Implemented elsewhere
- next if $t eq 'no-relro';
+ next if $t eq 'no-relro' or $t eq 'no-bindnow';
# Binaries built by the Go compiler do not support all
# hardening measures.
next
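Review bot: The block comment just above this loop still says it "currently handles" `no-relro` and `no-bindnow`, but after this change both are skipped by `next if $t eq 'no-relro' or $t eq 'no-bindnow';`. I would trim the list to `# no-fortify-functions no-stackprotector no-pie` and extend `# Implemented elsewhere` to `# Implemented above from the objdump data (no-relro, no-bindnow)`, so a reader does not look for the bindnow logic in the hardening_info path. The loop body continues past the end of the hunk.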
diff --git a/helpers/coll/objdump-info-helper b/helpers/coll/objdump-info-helper
index c7199b1..4f8a24a 100755
--- a/helpers/coll/objdump-info-helper
+++ b/helpers/coll/objdump-info-helper
@@ -172,6 +172,16 @@ while (my $line = <$readelf>) {
$keep = 1;
} elsif ($type eq 'TEXTREL') {
$keep = 1;
+ } elsif ($type eq 'FLAGS_1') {
+ # Will contain "NOW" if the binary was built with -Wl,-z,now
+ $keep = 1;
+ $value =~ s/^Flags:\s*//i;
+ } elsif (($type eq 'FLAGS' and $value =~ m/\bBIND_NOW\b/)
+ or $type eq 'BIND_NOW') {
+ # Variants of bindnow
+ $type = 'FLAGS_1';
+ $value = 'NOW';
+ $keep = 1;
}
$keep = 1
if $value =~ s/^(?:Shared library|Library soname): \[(.*)\]/$1/;
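Review bot: The comment `# Variants of bindnow` does not say that this branch rewrites the entry, which matters because `$type` and `$value` are overwritten and any other bits on a `FLAGS` line are discarded. I would replace it with something like `# DT_BIND_NOW and DF_BIND_NOW (in DT_FLAGS) are normalised to "FLAGS_1 NOW" so consumers only look in one place; other DT_FLAGS bits on the line are dropped`. A binary that carries both `FLAGS` with `BIND_NOW` and a real `FLAGS_1` entry will emit two `FLAGS_1` records; the consumer in Binary.pm appears to merge them, but that dependency is worth stating in the comment. The enclosing `while` loop starts and ends outside the hunk.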
diff --git a/lib/Lintian/Collect/Binary.pm b/lib/Lintian/Collect/Binary.pm
index 93d727e..50aba9d 100644
--- a/lib/Lintian/Collect/Binary.pm
+++ b/lib/Lintian/Collect/Binary.pm
@@ -415,7 +415,7 @@ sub objdump_info {
foreach my $data (split m/\s*\n\s*/, $pg->{'dynamic-section'}//'') {
next unless $data;
# Here we just need RPATH and NEEDS, so ignore the rest for now
- my ($header, $val) = split m/\s++/, $data;
+ my ($header, $val) = split(m/\s++/, $data, 2);
if ($header eq 'RPATH') {
# RPATH is like PATH
foreach my $rpathcomponent (split(m/:/,$val)) {
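Review bot: Adding the limit in `split(m/\s++/, $data, 2)` changes `$val` for every header, not only `FLAGS_1`: anything after the first run of whitespace is now kept, where previously only the first token was. That is probably harmless for `NEEDED` and `SONAME`, but an `RPATH` line with embedded whitespace now yields different components than before, so this is worth a test or a mention in the commit message. The comment `# Here we just need RPATH and NEEDS, so ignore the rest for now` is also out of date; I would add `# limit 2: FLAGS_1 carries a space-separated flag list in $val`. `objdump_info` starts and ends outside the hunk.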
@@ -425,6 +425,10 @@ sub objdump_info {
push @{ $info{$header} }, $val;
} elsif ($header eq 'TEXTREL') {
$info{$header} = 1;
+ } elsif ($header eq 'FLAGS_1') {
+ for my $flag (split(m/\s++/, $val)) {
+ $info{$header}{$flag} = 1;
+ }
}
}
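Review bot: In the new `FLAGS_1` branch, `split(m/\s++/, $val)` is called without checking that `$val` is defined. If the helper ever writes a `FLAGS_1` line whose value is empty after its `Flags:` prefix is stripped, the outer split on `\s*\n\s*` trims the line to the bare header and `$val` is undef, which raises an uninitialized-value warning under `use warnings`. Writing `for my $flag (split(m/\s++/, $val // ''))` matches the `//''` already used on the `dynamic-section` line and keeps the loop a no-op in that case. Whether the helper can emit such a line is not visible from this hunk.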
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git