[lintian] 06/08: Drop hardening-info and missing stackprotector check
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit 8f40b6935e51d986a566385aaf71f34d4272340a
Author: Niels Thykier <niels@thykier.net>
Date: Sat Sep 17 20:42:12 2016 +0000
Drop hardening-info and missing stackprotector check
Signed-off-by: Niels Thykier <niels@thykier.net>
---
checks/binaries.desc | 2 +-
checks/binaries.pm | 14 ---
collection/hardening-info | 98 ---------------------
collection/hardening-info.desc | 8 --
helpers/coll/hardening-info-helper | 147 --------------------------------
profiles/debian/extra-hardening.profile | 5 --
t/tests/binaries-hardening/desc | 2 -
t/tests/binaries-hardening/tags | 1 -
8 files changed, 1 insertion(+), 276 deletions(-)
diff --git a/checks/binaries.desc b/checks/binaries.desc
index 2267f36..4893c60 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -2,7 +2,7 @@ Check-Script: binaries
Author: Christian Schwarz <schwarz@debian.org>
Abbrev: bin
Type: binary, udeb
-Needs-Info: hardening-info, objdump-info, file-info, strings, unpacked
+Needs-Info: objdump-info, file-info, strings, unpacked
Info: This script checks binaries and object files for bugs.
Tag: arch-independent-package-contains-binary-or-object
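Review bot: Only the Needs-Info line changes here, so if the `Tag: hardening-no-stackprotector` description is still declared further down in binaries.desc it becomes an orphaned tag: the emitting branch in checks/binaries.pm (hunk at line 591) is deleted, the only profile enabling it (profiles/debian/extra-hardening.profile) is removed, and t/tests/binaries-hardening/desc drops it from Test-For. I cannot confirm from this hunk that the tag block lives in this file, but the diffstat's single changed line means nothing else in the file was touched, so either drop the tag entry in the same commit or add a line to the commit message saying why it is retained. The message would also benefit from one sentence on why the stackprotector check is being dropped rather than kept behind the opt-in profile, since this reduces hardening coverage that the other hardening-no-* tags still provide.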
diff --git a/checks/binaries.pm b/checks/binaries.pm
index bf17de8..bd04ef8 100644
--- a/checks/binaries.pm
+++ b/checks/binaries.pm
@@ -591,20 +591,6 @@ sub run {
and $objdump->{'ELF-TYPE'} eq 'EXEC') {
tag 'hardening-no-pie', $file;
}
-
- # Check for missing hardening characteristics. This currently
- # handles the following checks:
- # no-relro no-fortify-functions no-stackprotector no-bindnow no-pie
- if (exists($info->hardening_info->{$fname})) {
- if ($arch_hardening) {
- foreach my $t (@{$info->hardening_info->{$fname}}) {
- my $tag = "hardening-$t";
- # Implemented elsewhere
- next if $t ne 'no-stackprotector';
- tag $tag, $file if $arch_hardening->{$tag};
- }
- }
- }
}
}
diff --git a/collection/hardening-info b/collection/hardening-info
deleted file mode 100755
index a22921b..0000000
--- a/collection/hardening-info
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/perl -w
-# hardening-info -- lintian collection script
-
-# The original shell script version of this script is
-# Copyright (C) 1998 Christian Schwarz
-#
-# The objdump version, including support for etch's binutils, is
-# Copyright (C) 2008 Adam D. Barratt
-#
-# This version, a trimmed-down wrapper for hardening-check, is
-# Copyright (C) 2012 Kees Cook <kees@debian.org>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, you can find it on the World Wide
-# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
-# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-
-package Lintian::coll::hardening_info;
-
-no lib '.';
-
-use strict;
-use warnings;
-use autodie;
-
-use FileHandle;
-
-use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Collect;
-use Lintian::Command qw(spawn reap);
-use Lintian::Util qw(fail touch_file locate_helper_tool);
-
-my $helper = locate_helper_tool('coll/hardening-info-helper');
-
-sub collect {
- my ($pkg, $type, $dir) = @_;
- my $info = Lintian::Collect->new($pkg, $type, $dir);
-
- if (-e "$dir/hardening-info") {
- unlink("$dir/hardening-info");
- }
-
- # Prepare to examine the file tree.
- chdir("$dir/unpacked");
-
- my %opts;
- my $open_hardening_info = sub {
- # Use xargs to keep processing times of packages like linux-image
- # reasonable.
-
- %opts = (
- pipe_in => FileHandle->new,
- out => "$dir/hardening-info",
- fail => 'error'
- );
- spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--lintian', '--'],
- '|', [$helper]);
- $opts{pipe_in}->blocking(1);
- };
-
- foreach my $bin ($info->sorted_index) {
- next unless $bin->is_file;
- my $name = $bin->name;
- # Skip kernel modules and debug files
- next if $name =~ m/\.ko$/o or $name =~ m{\A usr/lib/debug/ }xsm;
- my $finfo = $info->file_info($name);
- next unless $finfo =~ m/\bELF\b/o;
- $open_hardening_info->() unless %opts;
- printf {$opts{pipe_in}} "%s\0", $name;
- }
-
- if (%opts) {
- close($opts{pipe_in});
- reap(\%opts);
- }
-
- return;
-}
-
-collect(@ARGV) if $0 =~ m,(?:^|/)hardening-info$,;
-1;
-
-# Local Variables:
-# indent-tabs-mode: nil
-# cperl-indent-level: 4
-# End:
-# vim: syntax=perl sw=4 sts=4 sr et
diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc
deleted file mode 100644
index f631c3c..0000000
--- a/collection/hardening-info.desc
+++ /dev/null
@@ -1,8 +0,0 @@
-Collector-Script: hardening-info
-Author: Kees Cook <kees@debian.org>
-Info: This script runs hardening-check(1) over all ELF binaries of a binary
- package.
-Type: binary, udeb
-Version: 5
-Needs-Info: bin-pkg-control, file-info, unpacked
-Interface: perl-coll
diff --git a/helpers/coll/hardening-info-helper b/helpers/coll/hardening-info-helper
deleted file mode 100755
index 3e91a0d..0000000
--- a/helpers/coll/hardening-info-helper
+++ /dev/null
@@ -1,147 +0,0 @@
-#!/usr/bin/perl
-# hardening-info-helper -- lintian collection script helper
-
-# Copyright (C) 2012 Niels Thykier
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, you can find it on the World Wide
-# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
-# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-
-no lib '.';
-
-use strict;
-use warnings;
-use autodie;
-
-use FileHandle;
-
-use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Command qw(spawn reap);
-
-# To reduce the number of false-positives in hardening-check for
-# fortify-functions, we have to "double-check" its output in some
-# cases (like we do with file-info).
-#
-# Basic idea - fork and pipe to child in up to two passes.
-# - The parent will filter "hardening-check --lintian" input in first
-# pass.
-# - Filter out (and collect) all no-fortify-function tags
-# - Work around bug #677530
-# - The parent will (in second pass) pipe the verbose hardening-check
-# output to the child.
-# - Only binaries with a no-fortify-function tag in the first pass
-# will be re-checked with --verbose.
-#
-# - In the first pass, the child will behave like cat.
-# - In the second pass, the child will parse hardening-check --verbose
-# output.
-#
-# Implied by the above - the second pass is only done if needed.
-
-my ($in, $out);
-my ($cread, $cwrite);
-my ($cpid, @recheck);
-my %whitelisted_funcs = (
- 'memcpy' => 1,
- 'memset' => 1,
- 'memmove' => 1,
-);
-
-pipe($cread, $cwrite);
-$cpid = fork();
-if ($cpid) {
- # parent
- close($cread); # read end not needed
- $in = \*STDIN;
- $out = $cwrite;
-} else {
- # child
- close($cwrite); # write end not needed.
- $in = $cread;
- $out = \*STDOUT;
-}
-
-while (my $line = <$in>) {
- chomp $line;
- if ($cpid) {
- if ($line =~ m/^no-fortify-functions:(.*)$/o) {
- my $bin = $1;
- push @recheck, $bin;
- next;
- }
- } else {
- # End of "first pass" marker (for the child).
- last if $line eq '__VERBOSE__';
- }
- print {$out} "$line\n";
-}
-
-if (not $cpid) {
- # child's second pass
- my $bin;
- my $infsf = 0;
- my $emit = 0;
- while (my $line = <$in>) {
- chomp $line;
- # At this point we are reading "verbose" hardening-check output
- if ($line =~ m,^(\S.+):$,) {
- if ($emit) {
- print {$out} "no-fortify-functions:$bin\n";
- }
- $bin = $1;
- $infsf = 0;
- $emit = 0;
- } elsif ($line =~ m/^\s+Fortify Source functions:/) {
- $infsf = 1;
- } elsif ($infsf and $line =~ m/^\s+(un)?protected:\s*(\S+)/) {
- next unless ($1//'') eq 'un';
- next if exists $whitelisted_funcs{$2};
- $emit = 1;
- } else {
- $infsf = 0;
- }
- }
- if ($emit) {
- print {$out} "no-fortify-functions:$bin\n";
- }
- # ensure $out is flushed before exiting.
- close($out);
- require POSIX;
- POSIX::_exit(0);
-} elsif (@recheck) {
- # (optionally) parent's second pass.
- my %opts = (
- pipe_in => FileHandle->new,
- out => $out,
- fail => 'never'
- );
- # End the first pass for the child
- print {$out} "__VERBOSE__\n";
- spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--verbose', '--']);
- $opts{pipe_in}->blocking(1);
- foreach my $file (@recheck) {
- printf {$opts{pipe_in}} "%s\0", $file;
- }
- close($opts{pipe_in});
- reap(\%opts);
-}
-
-# Close the out handle, else the child process will wait for
-# ever.
-close($out);
-# wait for the child process.
-wait();
-exit $?;
-
diff --git a/profiles/debian/extra-hardening.profile b/profiles/debian/extra-hardening.profile
deleted file mode 100644
index b42e5de..0000000
--- a/profiles/debian/extra-hardening.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-# This profile is auto-generated
-Profile: debian/extra-hardening
-Extends: debian/main
-Enable-Tags: hardening-no-stackprotector
-
diff --git a/t/tests/binaries-hardening/desc b/t/tests/binaries-hardening/desc
index 4228f38..85d2299 100644
--- a/t/tests/binaries-hardening/desc
+++ b/t/tests/binaries-hardening/desc
@@ -2,10 +2,8 @@ Testname: binaries-hardening
Version: 1.0
Description: Check for missing hardening features
Architecture: amd64 i386 armhf arm64
-Profile: debian/extra-hardening
Test-For:
hardening-no-bindnow
hardening-no-fortify-functions
hardening-no-pie
hardening-no-relro
- hardening-no-stackprotector
diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags
index a7e42a3..656e79f 100644
--- a/t/tests/binaries-hardening/tags
+++ b/t/tests/binaries-hardening/tags
@@ -1,5 +1,4 @@
I: binaries-hardening: hardening-no-bindnow usr/bin/weak
I: binaries-hardening: hardening-no-fortify-functions usr/bin/weak
I: binaries-hardening: hardening-no-pie usr/bin/weak
-I: binaries-hardening: hardening-no-stackprotector usr/bin/weak
W: binaries-hardening: hardening-no-relro usr/bin/weak