
[lintian] 06/08: Drop hardening-info and missing stackprotector check




nthykier pushed a commit to branch master
in repository lintian.

commit 8f40b6935e51d986a566385aaf71f34d4272340a
Author: Niels Thykier <niels@thykier.net>
Date:   Sat Sep 17 20:42:12 2016 +0000

    Drop hardening-info and missing stackprotector check
    
    Signed-off-by: Niels Thykier <niels@thykier.net>
---
 checks/binaries.desc                    |   2 +-
 checks/binaries.pm                      |  14 ---
 collection/hardening-info               |  98 ---------------------
 collection/hardening-info.desc          |   8 --
 helpers/coll/hardening-info-helper      | 147 --------------------------------
 profiles/debian/extra-hardening.profile |   5 --
 t/tests/binaries-hardening/desc         |   2 -
 t/tests/binaries-hardening/tags         |   1 -
 8 files changed, 1 insertion(+), 276 deletions(-)

diff --git a/checks/binaries.desc b/checks/binaries.desc
index 2267f36..4893c60 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -2,7 +2,7 @@ Check-Script: binaries
 Author: Christian Schwarz <schwarz@debian.org>
 Abbrev: bin
 Type: binary, udeb
-Needs-Info: hardening-info, objdump-info, file-info, strings, unpacked
+Needs-Info: objdump-info, file-info, strings, unpacked
 Info: This script checks binaries and object files for bugs.
 
 Tag: arch-independent-package-contains-binary-or-object
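Review bot: The rewritten `Needs-Info` line is the only change to binaries.desc in this commit (the diffstat reports one insertion and one deletion for the file), so if this file also holds the `Tag: hardening-no-stackprotector` stanza that the deleted extra-hardening profile and the test description referred to, that tag definition is now left without any code path that emits it. Either remove the stanza in the same commit or, if it has to stay so existing overrides keep parsing, add a note in the stanza saying the tag is retired and no longer emitted. A one-line rationale for dropping the stack-protector check would also help, since the commit message does not give one and no-stackprotector becomes the only hardening property Lintian no longer reports; if the motivation is the false-positive rate of hardening-check's symbol-based heuristic, say so, e.g. `Info: ... (the hardening-no-stackprotector check was dropped because hardening-check's __stack_chk_fail heuristic misfires on binaries without stack buffers)`. The remaining hardening tags kept in Test-For (no-pie, no-relro, no-bindnow, no-fortify-functions) presumably continue to be derived from objdump-info, which this line still requests.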
diff --git a/checks/binaries.pm b/checks/binaries.pm
index bf17de8..bd04ef8 100644
--- a/checks/binaries.pm
+++ b/checks/binaries.pm
@@ -591,20 +591,6 @@ sub run {
                 and $objdump->{'ELF-TYPE'} eq 'EXEC') {
                 tag 'hardening-no-pie', $file;
             }
-
-            # Check for missing hardening characteristics. This currently
-            # handles the following checks:
-            # no-relro no-fortify-functions no-stackprotector no-bindnow no-pie
-            if (exists($info->hardening_info->{$fname})) {
-                if ($arch_hardening) {
-                    foreach my $t (@{$info->hardening_info->{$fname}}) {
-                        my $tag = "hardening-$t";
-                        # Implemented elsewhere
-                        next if $t ne 'no-stackprotector';
-                        tag $tag, $file if $arch_hardening->{$tag};
-                    }
-                }
-            }
         }
     }
 
diff --git a/collection/hardening-info b/collection/hardening-info
deleted file mode 100755
index a22921b..0000000
--- a/collection/hardening-info
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/perl -w
-# hardening-info -- lintian collection script
-
-# The original shell script version of this script is
-# Copyright (C) 1998 Christian Schwarz
-#
-# The objdump version, including support for etch's binutils, is
-# Copyright (C) 2008 Adam D. Barratt
-#
-# This version, a trimmed-down wrapper for hardening-check, is
-# Copyright (C) 2012 Kees Cook <kees@debian.org>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, you can find it on the World Wide
-# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
-# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-
-package Lintian::coll::hardening_info;
-
-no lib '.';
-
-use strict;
-use warnings;
-use autodie;
-
-use FileHandle;
-
-use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Collect;
-use Lintian::Command qw(spawn reap);
-use Lintian::Util qw(fail touch_file locate_helper_tool);
-
-my $helper = locate_helper_tool('coll/hardening-info-helper');
-
-sub collect {
-    my ($pkg, $type, $dir) = @_;
-    my $info = Lintian::Collect->new($pkg, $type, $dir);
-
-    if (-e "$dir/hardening-info") {
-        unlink("$dir/hardening-info");
-    }
-
-    # Prepare to examine the file tree.
-    chdir("$dir/unpacked");
-
-    my %opts;
-    my $open_hardening_info = sub {
-        # Use xargs to keep processing times of packages like linux-image
-        # reasonable.
-
-        %opts = (
-            pipe_in => FileHandle->new,
-            out => "$dir/hardening-info",
-            fail => 'error'
-        );
-        spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--lintian', '--'],
-            '|', [$helper]);
-        $opts{pipe_in}->blocking(1);
-    };
-
-    foreach my $bin ($info->sorted_index) {
-        next unless $bin->is_file;
-        my $name = $bin->name;
-        # Skip kernel modules and debug files
-        next if $name =~ m/\.ko$/o or $name =~ m{\A usr/lib/debug/ }xsm;
-        my $finfo = $info->file_info($name);
-        next unless $finfo =~ m/\bELF\b/o;
-        $open_hardening_info->() unless %opts;
-        printf {$opts{pipe_in}} "%s\0", $name;
-    }
-
-    if (%opts) {
-        close($opts{pipe_in});
-        reap(\%opts);
-    }
-
-    return;
-}
-
-collect(@ARGV) if $0 =~ m,(?:^|/)hardening-info$,;
-1;
-
-# Local Variables:
-# indent-tabs-mode: nil
-# cperl-indent-level: 4
-# End:
-# vim: syntax=perl sw=4 sts=4 sr et
diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc
deleted file mode 100644
index f631c3c..0000000
--- a/collection/hardening-info.desc
+++ /dev/null
@@ -1,8 +0,0 @@
-Collector-Script: hardening-info
-Author: Kees Cook <kees@debian.org>
-Info: This script runs hardening-check(1) over all ELF binaries of a binary
- package.
-Type: binary, udeb
-Version: 5
-Needs-Info: bin-pkg-control, file-info, unpacked
-Interface: perl-coll
diff --git a/helpers/coll/hardening-info-helper b/helpers/coll/hardening-info-helper
deleted file mode 100755
index 3e91a0d..0000000
--- a/helpers/coll/hardening-info-helper
+++ /dev/null
@@ -1,147 +0,0 @@
-#!/usr/bin/perl
-# hardening-info-helper -- lintian collection script helper
-
-# Copyright (C) 2012 Niels Thykier
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, you can find it on the World Wide
-# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
-# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-
-no lib '.';
-
-use strict;
-use warnings;
-use autodie;
-
-use FileHandle;
-
-use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Command qw(spawn reap);
-
-# To reduce the number of false-positives in hardening-check for
-# fortify-functions, we have to "double-check" its output in some
-# cases (like we do with file-info).
-#
-# Basic idea - fork and pipe to child in up to two passes.
-# - The parent will filter "hardening-check --lintian" input in first
-#   pass.
-#   - Filter out (and collect) all no-fortify-function tags
-#   - Work around bug #677530
-# - The parent will (in second pass) pipe the verbose hardening-check
-#   output to the child.
-#   - Only binaries with a no-fortify-function tag in the first pass
-#     will be re-checked with --verbose.
-#
-# - In the first pass, the child will behave like cat.
-# - In the second pass, the child will parse hardening-check --verbose
-#   output.
-#
-# Implied by the above - the second pass is only done if needed.
-
-my ($in, $out);
-my ($cread, $cwrite);
-my ($cpid, @recheck);
-my %whitelisted_funcs = (
-    'memcpy' => 1,
-    'memset' => 1,
-    'memmove' => 1,
-);
-
-pipe($cread, $cwrite);
-$cpid = fork();
-if ($cpid) {
-    # parent
-    close($cread); # read end not needed
-    $in = \*STDIN;
-    $out = $cwrite;
-} else {
-    # child
-    close($cwrite); # write end not needed.
-    $in = $cread;
-    $out = \*STDOUT;
-}
-
-while (my $line = <$in>) {
-    chomp $line;
-    if ($cpid) {
-        if ($line =~ m/^no-fortify-functions:(.*)$/o) {
-            my $bin = $1;
-            push @recheck, $bin;
-            next;
-        }
-    } else {
-        # End of "first pass" marker (for the child).
-        last if $line eq '__VERBOSE__';
-    }
-    print {$out} "$line\n";
-}
-
-if (not $cpid) {
-    # child's second pass
-    my $bin;
-    my $infsf = 0;
-    my $emit = 0;
-    while (my $line = <$in>) {
-        chomp $line;
-        # At this point we are reading "verbose" hardening-check output
-        if ($line =~ m,^(\S.+):$,) {
-            if ($emit) {
-                print {$out} "no-fortify-functions:$bin\n";
-            }
-            $bin = $1;
-            $infsf = 0;
-            $emit = 0;
-        } elsif ($line =~ m/^\s+Fortify Source functions:/) {
-            $infsf = 1;
-        } elsif ($infsf and $line =~ m/^\s+(un)?protected:\s*(\S+)/) {
-            next unless ($1//'') eq 'un';
-            next if exists $whitelisted_funcs{$2};
-            $emit = 1;
-        } else {
-            $infsf = 0;
-        }
-    }
-    if ($emit) {
-        print {$out} "no-fortify-functions:$bin\n";
-    }
-    # ensure $out is flushed before exiting.
-    close($out);
-    require POSIX;
-    POSIX::_exit(0);
-} elsif (@recheck) {
-    # (optionally) parent's second pass.
-    my %opts = (
-        pipe_in => FileHandle->new,
-        out => $out,
-        fail => 'never'
-    );
-    # End the first pass for the child
-    print {$out} "__VERBOSE__\n";
-    spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--verbose', '--']);
-    $opts{pipe_in}->blocking(1);
-    foreach my $file (@recheck) {
-        printf {$opts{pipe_in}} "%s\0", $file;
-    }
-    close($opts{pipe_in});
-    reap(\%opts);
-}
-
-# Close the out handle, else the child process will wait for
-# ever.
-close($out);
-# wait for the child process.
-wait();
-exit $?;
-
diff --git a/profiles/debian/extra-hardening.profile b/profiles/debian/extra-hardening.profile
deleted file mode 100644
index b42e5de..0000000
--- a/profiles/debian/extra-hardening.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-# This profile is auto-generated
-Profile: debian/extra-hardening
-Extends: debian/main
-Enable-Tags: hardening-no-stackprotector
-
diff --git a/t/tests/binaries-hardening/desc b/t/tests/binaries-hardening/desc
index 4228f38..85d2299 100644
--- a/t/tests/binaries-hardening/desc
+++ b/t/tests/binaries-hardening/desc
@@ -2,10 +2,8 @@ Testname: binaries-hardening
 Version: 1.0
 Description: Check for missing hardening features
 Architecture: amd64 i386 armhf arm64
-Profile: debian/extra-hardening
 Test-For:
  hardening-no-bindnow
  hardening-no-fortify-functions
  hardening-no-pie
  hardening-no-relro
- hardening-no-stackprotector
diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags
index a7e42a3..656e79f 100644
--- a/t/tests/binaries-hardening/tags
+++ b/t/tests/binaries-hardening/tags
@@ -1,5 +1,4 @@
 I: binaries-hardening: hardening-no-bindnow usr/bin/weak
 I: binaries-hardening: hardening-no-fortify-functions usr/bin/weak
 I: binaries-hardening: hardening-no-pie usr/bin/weak
-I: binaries-hardening: hardening-no-stackprotector usr/bin/weak
 W: binaries-hardening: hardening-no-relro usr/bin/weak
