author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
commit | 75808db17caf8b960b351e3408e74142f4c85aac (patch) | |
tree | 7989e9c09a4240248bf4658a22208a0a52d991c4 /t/recipes/checks/binaries/hardening/binaries-hardening/eval | |
parent | Initial commit. (diff) | |
Adding upstream version 2.117.0.upstream/2.117.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 't/recipes/checks/binaries/hardening/binaries-hardening/eval')
3 files changed, 60 insertions, 0 deletions
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
new file mode 100644
index 0000000..92ef00e
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
@@ -0,0 +1,3 @@
+Testname: binaries-hardening
+Test-Architectures: amd64 i386 armhf arm64
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
new file mode 100644
index 0000000..43f2544
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
@@ -0,0 +1,4 @@
+binaries-hardening (binary): hardening-no-relro [usr/bin/weak]
+binaries-hardening (binary): hardening-no-pie [usr/bin/weak]
+binaries-hardening (binary): hardening-no-fortify-functions [usr/bin/weak]
+binaries-hardening (binary): hardening-no-bindnow [usr/bin/weak]
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
new file mode 100755
index 0000000..89c85ec
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use lib "$ENV{LINTIAN_BASE}/lib";
+
+use Lintian::Profile;
+
+my $PROFILE = Lintian::Profile->new;
+$PROFILE->load('debian/main', [$ENV{'LINTIAN_BASE'}]);
+
+my %recommended_hardening_features
+ = %{$PROFILE->data->hardening_buildflags->recommended_features};
+
+my ($expected, undef, $calibrated) = @ARGV;
+
+my $arch = `dpkg-architecture -qDEB_HOST_ARCH`;
+chomp $arch;
+
+die "Unknown architecture: $arch"
+ unless exists $recommended_hardening_features{$arch};
+
+open my $cfd, '>', $calibrated or die "open $calibrated: $!";
+open my $efd, '<', $expected or die "open $expected: $!";
+
+while (my $line = <$efd>) {
+ my $dp = 0;
+ if ($line =~ m/^.: [^:]+: hardening-no-(\S+)/) {
+
+ # hardening flag, but maybe not for this architecture
+ my $feature = $1;
+
+ my %renames = ('fortify-functions' => 'fortify');
+ my $renamed_feature = $renames{$feature} // $feature;
+
+ $dp = 1 if $recommended_hardening_features{$arch}{$renamed_feature};
+ } else {
+ # only calibrate hardening flags.
+ $dp = 1;
+ }
+
+ print $cfd $line if $dp;
+}
+
+close $efd;
+close $cfd or die "close $expected: $!";
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et |
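Review bot: The filter pattern `m/^.: [^:]+: hardening-no-(\S+)/` expects a one-character severity prefix, but the `hints` file added in this same commit writes lines as `binaries-hardening (binary): hardening-no-relro [usr/bin/weak]`. If `$expected` uses that format, the pattern never matches, every line takes the `else` branch, and no hardening hint is dropped for an architecture that lacks the feature. A pattern keyed on the visible format, for example `m/^[^:]+: hardening-no-(\S+)/`, would restore the per-architecture calibration. Separately, the last `close` reports the wrong file and should read `close $cfd or die "close $calibrated: $!";`. The backtick call to `dpkg-architecture` is also used without checking `$?`, so a failed call only surfaces as the "Unknown architecture" die with an empty name.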