This is an automated email from the git hooks/post-receive script. nthykier pushed a commit to branch merge-hardening-check in repository lintian.
commit 7c9fddb713781aca9ade6158ec11432ea40eef56 Author: Niels Thykier <ni...@thykier.net> Date: Sat Sep 17 20:42:12 2016 +0000 Drop hardening-info and missing stackprotector check Signed-off-by: Niels Thykier <ni...@thykier.net> --- checks/binaries.desc | 2 +- checks/binaries.pm | 14 --- collection/hardening-info | 98 --------------------- collection/hardening-info.desc | 8 -- helpers/coll/hardening-info-helper | 147 -------------------------------- profiles/debian/extra-hardening.profile | 5 -- t/tests/binaries-hardening/desc | 2 - t/tests/binaries-hardening/tags | 1 - 8 files changed, 1 insertion(+), 276 deletions(-) diff --git a/checks/binaries.desc b/checks/binaries.desc index 2267f36..4893c60 100644 --- a/checks/binaries.desc +++ b/checks/binaries.desc @@ -2,7 +2,7 @@ Check-Script: binaries Author: Christian Schwarz <schw...@debian.org> Abbrev: bin Type: binary, udeb -Needs-Info: hardening-info, objdump-info, file-info, strings, unpacked +Needs-Info: objdump-info, file-info, strings, unpacked Info: This script checks binaries and object files for bugs. Tag: arch-independent-package-contains-binary-or-object diff --git a/checks/binaries.pm b/checks/binaries.pm index bf17de8..bd04ef8 100644 --- a/checks/binaries.pm +++ b/checks/binaries.pm @@ -591,20 +591,6 @@ sub run { and $objdump->{'ELF-TYPE'} eq 'EXEC') { tag 'hardening-no-pie', $file; } - - # Check for missing hardening characteristics. This currently - # handles the following checks: - # no-relro no-fortify-functions no-stackprotector no-bindnow no-pie - if (exists($info->hardening_info->{$fname})) { - if ($arch_hardening) { - foreach my $t (@{$info->hardening_info->{$fname}}) { - my $tag = "hardening-$t"; - # Implemented elsewhere - next if $t ne 'no-stackprotector'; - tag $tag, $file if $arch_hardening->{$tag}; - } - } - } } } diff --git a/collection/hardening-info b/collection/hardening-info deleted file mode 100755 index a22921b..0000000 --- a/collection/hardening-info +++ /dev/null 
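Review bot: The `hardening_info` accessor on the collect object is left dangling by the checks/binaries.pm hunk: the diffstat touches nothing under lib/, yet this hunk deletes the only visible caller of `$info->hardening_info` and the collection script that produces the `hardening-info` file, so if the accessor is still declared in Lintian::Collect (presumably lib/Lintian/Collect/Binary.pm) any remaining or future caller will fail at runtime rather than at load time; remove the accessor in the same commit. Likewise the checks/binaries.desc hunk only rewrites `Needs-Info:`, so if a `Tag: hardening-no-stackprotector` stanza is declared in that file it becomes unreachable once the emitting code and the t/tests/binaries-hardening coverage are gone; drop the stanza too, or note in the commit message that the tag is retired so profile authors know `Enable-Tags:` references to it are now stale. A one-sentence rationale for dropping the stack-protector check would also help future readers, since the commit message only states what is removed. `sub run` in checks/binaries.pm begins and ends outside this hunk.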
@@ -1,98 +0,0 @@ -#!/usr/bin/perl -w -# hardening-info -- lintian collection script - -# The original shell script version of this script is -# Copyright (C) 1998 Christian Schwarz -# -# The objdump version, including support for etch's binutils, is -# Copyright (C) 2008 Adam D. Barratt -# -# This version, a trimmed-down wrapper for hardening-check, is -# Copyright (C) 2012 Kees Cook <k...@debian.org> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, you can find it on the World Wide -# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free -# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, -# MA 02110-1301, USA. - -package Lintian::coll::hardening_info; - -no lib '.'; - -use strict; -use warnings; -use autodie; - -use FileHandle; - -use lib "$ENV{'LINTIAN_ROOT'}/lib"; -use Lintian::Collect; -use Lintian::Command qw(spawn reap); -use Lintian::Util qw(fail touch_file locate_helper_tool); - -my $helper = locate_helper_tool('coll/hardening-info-helper'); - -sub collect { - my ($pkg, $type, $dir) = @_; - my $info = Lintian::Collect->new($pkg, $type, $dir); - - if (-e "$dir/hardening-info") { - unlink("$dir/hardening-info"); - } - - # Prepare to examine the file tree. - chdir("$dir/unpacked"); - - my %opts; - my $open_hardening_info = sub { - # Use xargs to keep processing times of packages like linux-image - # reasonable. 
- - %opts = ( - pipe_in => FileHandle->new, - out => "$dir/hardening-info", - fail => 'error' - ); - spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--lintian', '--'], - '|', [$helper]); - $opts{pipe_in}->blocking(1); - }; - - foreach my $bin ($info->sorted_index) { - next unless $bin->is_file; - my $name = $bin->name; - # Skip kernel modules and debug files - next if $name =~ m/\.ko$/o or $name =~ m{\A usr/lib/debug/ }xsm; - my $finfo = $info->file_info($name); - next unless $finfo =~ m/\bELF\b/o; - $open_hardening_info->() unless %opts; - printf {$opts{pipe_in}} "%s\0", $name; - } - - if (%opts) { - close($opts{pipe_in}); - reap(\%opts); - } - - return; -} - -collect(@ARGV) if $0 =~ m,(?:^|/)hardening-info$,; -1; - -# Local Variables: -# indent-tabs-mode: nil -# cperl-indent-level: 4 -# End: -# vim: syntax=perl sw=4 sts=4 sr et diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc deleted file mode 100644 index f631c3c..0000000 --- a/collection/hardening-info.desc +++ /dev/null @@ -1,8 +0,0 @@ -Collector-Script: hardening-info -Author: Kees Cook <k...@debian.org> -Info: This script runs hardening-check(1) over all ELF binaries of a binary - package. -Type: binary, udeb -Version: 5 -Needs-Info: bin-pkg-control, file-info, unpacked -Interface: perl-coll diff --git a/helpers/coll/hardening-info-helper b/helpers/coll/hardening-info-helper deleted file mode 100755 index 3e91a0d..0000000 --- a/helpers/coll/hardening-info-helper +++ /dev/null 
@@ -1,147 +0,0 @@ -#!/usr/bin/perl -# hardening-info-helper -- lintian collection script helper - -# Copyright (C) 2012 Niels Thykier -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, you can find it on the World Wide -# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free -# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, -# MA 02110-1301, USA. - -no lib '.'; - -use strict; -use warnings; -use autodie; - -use FileHandle; - -use lib "$ENV{'LINTIAN_ROOT'}/lib"; -use Lintian::Command qw(spawn reap); - -# To reduce the number of false-positives in hardening-check for -# fortify-functions, we have to "double-check" its output in some -# cases (like we do with file-info). -# -# Basic idea - fork and pipe to child in up to two passes. -# - The parent will filter "hardening-check --lintian" input in first -# pass. -# - Filter out (and collect) all no-fortify-function tags -# - Work around bug #677530 -# - The parent will (in second pass) pipe the verbose hardening-check -# output to the child. -# - Only binaries with a no-fortify-function tag in the first pass -# will be re-checked with --verbose. -# -# - In the first pass, the child will behave like cat. -# - In the second pass, the child will parse hardening-check --verbose -# output. -# -# Implied by the above - the second pass is only done if needed. 
- -my ($in, $out); -my ($cread, $cwrite); -my ($cpid, @recheck); -my %whitelisted_funcs = ( - 'memcpy' => 1, - 'memset' => 1, - 'memmove' => 1, -); - -pipe($cread, $cwrite); -$cpid = fork(); -if ($cpid) { - # parent - close($cread); # read end not needed - $in = \*STDIN; - $out = $cwrite; -} else { - # child - close($cwrite); # write end not needed. - $in = $cread; - $out = \*STDOUT; -} - -while (my $line = <$in>) { - chomp $line; - if ($cpid) { - if ($line =~ m/^no-fortify-functions:(.*)$/o) { - my $bin = $1; - push @recheck, $bin; - next; - } - } else { - # End of "first pass" marker (for the child). - last if $line eq '__VERBOSE__'; - } - print {$out} "$line\n"; -} - -if (not $cpid) { - # child's second pass - my $bin; - my $infsf = 0; - my $emit = 0; - while (my $line = <$in>) { - chomp $line; - # At this point we are reading "verbose" hardening-check output - if ($line =~ m,^(\S.+):$,) { - if ($emit) { - print {$out} "no-fortify-functions:$bin\n"; - } - $bin = $1; - $infsf = 0; - $emit = 0; - } elsif ($line =~ m/^\s+Fortify Source functions:/) { - $infsf = 1; - } elsif ($infsf and $line =~ m/^\s+(un)?protected:\s*(\S+)/) { - next unless ($1//'') eq 'un'; - next if exists $whitelisted_funcs{$2}; - $emit = 1; - } else { - $infsf = 0; - } - } - if ($emit) { - print {$out} "no-fortify-functions:$bin\n"; - } - # ensure $out is flushed before exiting. - close($out); - require POSIX; - POSIX::_exit(0); -} elsif (@recheck) { - # (optionally) parent's second pass. - my %opts = ( - pipe_in => FileHandle->new, - out => $out, - fail => 'never' - ); - # End the first pass for the child - print {$out} "__VERBOSE__\n"; - spawn(\%opts, ['xargs', '-0r', 'hardening-check', '--verbose', '--']); - $opts{pipe_in}->blocking(1); - foreach my $file (@recheck) { - printf {$opts{pipe_in}} "%s\0", $file; - } - close($opts{pipe_in}); - reap(\%opts); -} - -# Close the out handle, else the child process will wait for -# ever. -close($out); -# wait for the child process. 
-wait(); -exit $?; - diff --git a/profiles/debian/extra-hardening.profile b/profiles/debian/extra-hardening.profile deleted file mode 100644 index b42e5de..0000000 --- a/profiles/debian/extra-hardening.profile +++ /dev/null @@ -1,5 +0,0 @@ -# This profile is auto-generated -Profile: debian/extra-hardening -Extends: debian/main -Enable-Tags: hardening-no-stackprotector - diff --git a/t/tests/binaries-hardening/desc b/t/tests/binaries-hardening/desc index 4228f38..85d2299 100644 --- a/t/tests/binaries-hardening/desc +++ b/t/tests/binaries-hardening/desc @@ -2,10 +2,8 @@ Testname: binaries-hardening Version: 1.0 Description: Check for missing hardening features Architecture: amd64 i386 armhf arm64 -Profile: debian/extra-hardening Test-For: hardening-no-bindnow hardening-no-fortify-functions hardening-no-pie hardening-no-relro - hardening-no-stackprotector diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags index a7e42a3..656e79f 100644 --- a/t/tests/binaries-hardening/tags +++ b/t/tests/binaries-hardening/tags @@ -1,5 +1,4 @@ I: binaries-hardening: hardening-no-bindnow usr/bin/weak I: binaries-hardening: hardening-no-fortify-functions usr/bin/weak I: binaries-hardening: hardening-no-pie usr/bin/weak -I: binaries-hardening: hardening-no-stackprotector usr/bin/weak W: binaries-hardening: hardening-no-relro usr/bin/weak -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git