author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
commit | 75808db17caf8b960b351e3408e74142f4c85aac (patch) | |
tree | 7989e9c09a4240248bf4658a22208a0a52d991c4 /t/recipes/checks/binaries/hardening | |
parent | Initial commit. (diff) | |
Adding upstream version 2.117.0.upstream/2.117.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 't/recipes/checks/binaries/hardening')
14 files changed, 205 insertions, 0 deletions
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
new file mode 100644
index 0000000..96dea07
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
@@ -0,0 +1,4 @@
+Skeleton: upload-native
+Testname: binaries-hardening
+Description: Check for missing hardening features
+Package-Architecture: any
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
new file mode 100644
index 0000000..f1e06f8
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
@@ -0,0 +1,35 @@
+# turn off PIE in CC in case we have a PIEful toolchain:
+ifneq ($(findstring -no-pie,$(shell ${CC} -no-pie 2>&1)),)
+ CCWEAK := ${CC}
+else
+ CCWEAK := ${CC} -fno-pie -no-pie
+endif
+
+all: weak.1 strong.1
+ # Build without dpkg-buildflags.
+ $(CCWEAK) -o weak -g \
+ -fno-stack-protector \
+ -Wl,-z,norelro \
+ -U_FORTIFY_SOURCE \
+ hello.c
+ $(CC) -o strong \
+ $(shell dpkg-buildflags --get CPPFLAGS) \
+ $(shell dpkg-buildflags --get CFLAGS) \
+ $(shell dpkg-buildflags --get LDFLAGS) \
+ hello.c
+%.1: base.pod
+ sed s/@NAME@/$(basename $@)/g < $< | \
+ pod2man --name $(basename $@) --section 1 > $@
+
+install:
+ install -d $(DESTDIR)/usr/bin/
+ install -d $(DESTDIR)/usr/share/man/man1
+ install -m 755 -c weak $(DESTDIR)/usr/bin/weak
+ install -m 755 -c strong $(DESTDIR)/usr/bin/strong
+ install -m 644 -c weak.1 $(DESTDIR)/usr/share/man/man1/weak.1
+ install -m 644 -c strong.1 $(DESTDIR)/usr/share/man/man1/strong.1
+
+clean distclean:
+ rm -f weak strong *.1
+
+check test: 
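Review bot: The `weak` recipe disables RELRO explicitly with `-Wl,-z,norelro` but leaves BIND_NOW at whatever the linker defaults to, so the `hardening-no-bindnow [usr/bin/weak]` hint this test expects silently depends on the toolchain not defaulting to `-z now`; adding `-Wl,-z,lazy \` next to `-Wl,-z,norelro \` pins the negative case the same way the other three flags are pinned. The `ifneq ($(findstring -no-pie,...))` probe also deserves a sentence more than "PIEful toolchain": it relies on a compiler that does not understand `-no-pie` echoing the option back in its error text, e.g. `# a toolchain that rejects -no-pie echoes the option in its error; then plain CC is already non-PIE`. Note that the recipe lines arrive here with a leading space rather than a tab, which may be an artefact of this rendering rather than of the committed file.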
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
new file mode 100644
index 0000000..1e900d7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
@@ -0,0 +1,12 @@
+=head1 NAME
+
+@NAME@ -- binary that does something
+
+=head1 SYNOPSIS
+
+ @NAME@ [options]
+
+=head1 DESCRIPTION
+
+@NAME@ does something very useful.
+
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
new file mode 100644
index 0000000..7b87bd7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
@@ -0,0 +1,17 @@
+#include <stdio.h>
+
+void
+report(char *string)
+{
+ char buf[80];
+ int len;
+
+ strcpy(buf, string);
+ fprintf(stdout, "Hello world from %s!\n%n", buf, &len);
+}
+
+int
+main(int argc, char *argv[])
+{
+ report(argv[0]);
+}
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
new file mode 100644
index 0000000..92ef00e
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
@@ -0,0 +1,3 @@
+Testname: binaries-hardening
+Test-Architectures: amd64 i386 armhf arm64
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
new file mode 100644
index 0000000..43f2544
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
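Review bot: `strcpy` is called in `report()` without `#include <string.h>`, so it is an implicit declaration — a warning on older compilers and a hard error with GCC 14's default `-Werror=implicit-function-declaration` — which would make both the `weak` and `strong` builds fail before the hardening check is ever exercised; add `#include <string.h>` under `<stdio.h>`. The unbounded copy of `argv[0]` into an 80-byte stack buffer and the `%n` directive look deliberate (they give the fortified build `__*_chk` symbols to detect), but that intent is not stated anywhere and a reader could "fix" it away; a comment such as `/* Intentionally unsafe: exercises fortifiable functions so the hardening check has something to find. */` above `report` would protect the fixture. `main` also ignores `argc` and returns nothing, which is legal C99 but worth a `(void)argc;` if warnings are ever turned on.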
@@ -0,0 +1,4 @@
+binaries-hardening (binary): hardening-no-relro [usr/bin/weak]
+binaries-hardening (binary): hardening-no-pie [usr/bin/weak]
+binaries-hardening (binary): hardening-no-fortify-functions [usr/bin/weak]
+binaries-hardening (binary): hardening-no-bindnow [usr/bin/weak]
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
new file mode 100755
index 0000000..89c85ec
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use lib "$ENV{LINTIAN_BASE}/lib";
+
+use Lintian::Profile;
+
+my $PROFILE = Lintian::Profile->new;
+$PROFILE->load('debian/main', [$ENV{'LINTIAN_BASE'}]);
+
+my %recommended_hardening_features
+ = %{$PROFILE->data->hardening_buildflags->recommended_features};
+
+my ($expected, undef, $calibrated) = @ARGV;
+
+my $arch = `dpkg-architecture -qDEB_HOST_ARCH`;
+chomp $arch;
+
+die "Unknown architecture: $arch"
+ unless exists $recommended_hardening_features{$arch};
+
+open my $cfd, '>', $calibrated or die "open $calibrated: $!";
+open my $efd, '<', $expected or die "open $expected: $!";
+
+while (my $line = <$efd>) {
+ my $dp = 0;
+ if ($line =~ m/^.: [^:]+: hardening-no-(\S+)/) {
+
+ # hardening flag, but maybe not for this architecture
+ my $feature = $1;
+
+ my %renames = ('fortify-functions' => 'fortify');
+ my $renamed_feature = $renames{$feature} // $feature;
+
+ $dp = 1 if $recommended_hardening_features{$arch}{$renamed_feature};
+ } else {
+ # only calibrate hardening flags.
+ $dp = 1;
+ }
+
+ print $cfd $line if $dp;
+}
+
+close $efd;
+close $cfd or die "close $expected: $!";
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et 
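Review bot: The hint regex `m/^.: [^:]+: hardening-no-(\S+)/` is anchored on the old `E: package: tag` layout, but the eval/hints file added in this same commit is written as `binaries-hardening (binary): hardening-no-relro [usr/bin/weak]`, which `^.: ` cannot match (the second character is `i`, not `:`); every line therefore falls into the `else` branch with `$dp = 1`, and the per-architecture filtering this script exists for is a no-op — unless the harness hands the script hints in a different format, which the hunk does not show. Something like `m/^\S+ \([^)]+\): hardening-no-(\S+)/` would match the format shown. Separately, `close $cfd or die "close $expected: $!"` names the wrong file on failure and should read `close $cfd or die "close $calibrated: $!";`, and the `@ARGV` unpack would be friendlier as `die "usage: $0 expected actual calibrated\n" unless @ARGV == 3;` instead of failing later in `open` with an undefined path. The backtick call to `dpkg-architecture` is also unchecked; a failure yields an empty `$arch` and the somewhat misleading "Unknown architecture: " message.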
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install
new file mode 100644
index 0000000..c10e578
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install
@@ -0,0 +1 @@
+foreign-binary usr/bin
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules
new file mode 100755
index 0000000..2ce6f53
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules
@@ -0,0 +1,22 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+%:
+ dh $@
+
+override_dh_strip:
+ # do not try to strip cross-compiled binaries with native tooling
+
+override_dh_shlibdeps:
+ # do not try to include missing libraries
+
+override_dh_dwz:
+ # cross-compiled binaries do not always seem to have a debug section
+
+# In Ubuntu, dh does not catch this file by default.
+# They have diffed it to reduce the size of packages.
+ifneq (,$(strip $(wildcard Changes)))
+override_dh_installchangelogs:
+ dh_installchangelogs Changes
+endif
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values
new file mode 100644
index 0000000..24f607a
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values
@@ -0,0 +1,6 @@
+Skeleton: upload-native
+Testname: wrong-binary-architecture
+Description: Binary architecture does not match package declaration
+Package-Architecture: any
+Extra-Build-Depends:
+ gcc-arm-linux-gnueabihf [amd64 i386], gcc-x86-64-linux-gnu [!amd64 !i386] 
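Review bot: `export DEB_BUILD_MAINT_OPTIONS=hardening=+all` has no visible effect in this recipe: the orig/Makefile added by the same commit links with a bare `$(CC) $^ -o $@` and never references `$(CFLAGS)`, `$(CPPFLAGS)` or `$(LDFLAGS)`, so whatever dh exports from dpkg-buildflags (including the `-Wl,-z,now` that `+all` would add) never reaches the cross-compiler — which is consistent with the expected `hardening-no-bindnow` hint but makes the export misleading to anyone later wondering why `+all` did not produce a hardened binary. Either drop the line or annotate it, e.g. `# no effect: orig/Makefile does not consume dpkg-buildflags; kept so the test documents that the tag fires regardless`, whichever reflects the intent. The empty `override_dh_strip`/`override_dh_shlibdeps`/`override_dh_dwz` targets are fine but rely on make accepting a comment-only recipe; a bare `:` after each comment would make them robust to a future tabs-to-spaces edit.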
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile
new file mode 100644
index 0000000..bf92eaf
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile
@@ -0,0 +1,37 @@
+# This test works on amd64 when the cross-compiler for armhf is installed.
+#
+# The build prerequisite was not added to Lintian, however, since it was
+# not clear how the architecture would be enabled in the Gitlab CI
+# runner.
+#
+# On amd64 or i386, please follow these steps to run the test:
+#
+# dpkg --add-architecture armhf
+# apt update
+# apt install gcc-arm-linux-gnueabihf
+#
+# On all other architectures this may work, but was not tested:
+#
+# dpkg --add-architecture amd64
+# apt update
+# apt install gcc-x86-64-linux-gnu
+#
+# (Taken from: https://wiki.debian.org/CrossToolchains)
+
+ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+ifeq ($(ARCH),amd64)
+CC := arm-linux-gnueabihf-gcc
+else
+CC := x86_64-linux-gnu-gcc
+endif
+
+foreign-binary: hello.c
+ $(CC) $^ -o $@
+
+.PHONY: clean
+clean:
+ rm -f foreign-binary
+
+.PHONY: clean
+distclean: clean
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c
new file mode 100644
index 0000000..2fb04e1
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c
@@ -0,0 +1,8 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+
+ printf("Hello, World!\n");
+ exit(0);
+}
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc
new file mode 100644
index 0000000..b5d2db5
--- /dev/null
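Review bot: The compiler selection disagrees with the build prerequisites declared in fill-values: `ifeq ($(ARCH),amd64)` picks the armhf cross-compiler only on amd64, whereas `Extra-Build-Depends` installs gcc-arm-linux-gnueabihf on `[amd64 i386]` and gcc-x86-64-linux-gnu only on `[!amd64 !i386]`, so on i386 the recipe would invoke an `x86_64-linux-gnu-gcc` that was never installed. `ifneq (,$(filter amd64 i386,$(ARCH)))` matches both the dependency stanza and the header comment's "On amd64 or i386". Separately, the second `.PHONY: clean` line just above `distclean: clean` is a copy-paste slip and should read `.PHONY: distclean`. The header comment also says only amd64 was tested, yet eval/desc in this commit carries no `Test-Architectures:` restriction, so the test is presumably expected to run (and fail to find a cross-compiler) elsewhere; worth either restricting it or stating the intent.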
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc
@@ -0,0 +1,2 @@
+Testname: wrong-binary-architecture
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints
new file mode 100644
index 0000000..68d4010
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints
@@ -0,0 +1 @@
+wrong-binary-architecture (binary): hardening-no-bindnow [usr/bin/foreign-binary] |