Adding upstream version 2.117.0.upstream/2.117.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

7 files changed, 128 insertions, 0 deletions

diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
new file mode 100644
index 0000000..96dea07
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
@@ -0,0 +1,4 @@
+Skeleton: upload-native
+Testname: binaries-hardening
+Description: Check for missing hardening features
+Package-Architecture: any
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
new file mode 100644
index 0000000..f1e06f8
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
@@ -0,0 +1,35 @@
+# turn off PIE in CC in case we have a PIEful toolchain:
+ifneq ($(findstring -no-pie,$(shell ${CC} -no-pie 2>&1)),)
+  CCWEAK := ${CC}
+else
+  CCWEAK := ${CC} -fno-pie -no-pie
+endif
+
+all: weak.1 strong.1
+	# Build without dpkg-buildflags.
+	$(CCWEAK) -o weak -g \
+		-fno-stack-protector \
+		-Wl,-z,norelro \
+		-U_FORTIFY_SOURCE \
+		hello.c
+	$(CC) -o strong \
+		$(shell dpkg-buildflags --get CPPFLAGS) \
+		$(shell dpkg-buildflags --get CFLAGS) \
+		$(shell dpkg-buildflags --get LDFLAGS) \
+		hello.c
+%.1: base.pod
+	sed s/@NAME@/$(basename $@)/g < $< | \
+	   pod2man --name $(basename $@) --section 1 > $@
+
+install:
+	install -d $(DESTDIR)/usr/bin/
+	install -d $(DESTDIR)/usr/share/man/man1
+	install -m 755 -c weak $(DESTDIR)/usr/bin/weak
+	install -m 755 -c strong $(DESTDIR)/usr/bin/strong
+	install -m 644 -c weak.1 $(DESTDIR)/usr/share/man/man1/weak.1
+	install -m 644 -c strong.1 $(DESTDIR)/usr/share/man/man1/strong.1
+
+clean distclean:
+	rm -f weak strong *.1
+
+check test:
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
new file mode 100644
index 0000000..1e900d7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
@@ -0,0 +1,12 @@
+=head1 NAME
+
+@NAME@ -- binary that does something
+
+=head1 SYNOPSIS
+
+ @NAME@ [options]
+
+=head1 DESCRIPTION
+
+@NAME@ does something very useful.
+
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
new file mode 100644
index 0000000..7b87bd7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
@@ -0,0 +1,17 @@
+#include <stdio.h>
+
+void
+report(char *string)
+{
+    char buf[80];
+    int len;
+
+    strcpy(buf, string);
+    fprintf(stdout, "Hello world from %s!\n%n", buf, &len);
+}
+
+int
+main(int argc, char *argv[])
+{
+    report(argv[0]);
+}
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
new file mode 100644
index 0000000..92ef00e
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
@@ -0,0 +1,3 @@
+Testname: binaries-hardening
+Test-Architectures: amd64 i386 armhf arm64
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
new file mode 100644
index 0000000..43f2544
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
@@ -0,0 +1,4 @@
+binaries-hardening (binary): hardening-no-relro [usr/bin/weak]
+binaries-hardening (binary): hardening-no-pie [usr/bin/weak]
+binaries-hardening (binary): hardening-no-fortify-functions [usr/bin/weak]
+binaries-hardening (binary): hardening-no-bindnow [usr/bin/weak]
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
new file mode 100755
index 0000000..89c85ec
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use lib "$ENV{LINTIAN_BASE}/lib";
+
+use Lintian::Profile;
+
+my $PROFILE = Lintian::Profile->new;
+$PROFILE->load('debian/main', [$ENV{'LINTIAN_BASE'}]);
+
+my %recommended_hardening_features
+  = %{$PROFILE->data->hardening_buildflags->recommended_features};
+
+my ($expected, undef, $calibrated) = @ARGV;
+
+my $arch = `dpkg-architecture -qDEB_HOST_ARCH`;
+chomp $arch;
+
+die "Unknown architecture: $arch"
+  unless exists $recommended_hardening_features{$arch};
+
+open my $cfd, '>', $calibrated or die "open $calibrated: $!";
+open my $efd, '<', $expected or die "open $expected: $!";
+
+while (my $line = <$efd>) {
+    my $dp = 0;
+    if ($line =~ m/^.: [^:]+: hardening-no-(\S+)/) {
+
+        # hardening flag, but maybe not for this architecture
+        my $feature = $1;
+
+        my %renames = ('fortify-functions' => 'fortify');
+        my $renamed_feature = $renames{$feature} // $feature;
+
+        $dp = 1 if $recommended_hardening_features{$arch}{$renamed_feature};
+    } else {
+        # only calibrate hardening flags.
+        $dp = 1;
+    }
+
+    print $cfd $line if $dp;
+}
+
+close $efd;
+close $cfd or die "close $expected: $!";
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et