Diffstat (limited to 't/recipes/checks/binaries/hardening')
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values4
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile35
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod12
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c17
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc3
-rw-r--r--t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints4
-rwxr-xr-xt/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration53
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install1
-rwxr-xr-xt/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules22
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values6
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile37
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c8
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc2
-rw-r--r--t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints1
14 files changed, 205 insertions, 0 deletions
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
new file mode 100644
index 0000000..96dea07
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/fill-values
@@ -0,0 +1,4 @@
+Skeleton: upload-native
+Testname: binaries-hardening
+Description: Check for missing hardening features
+Package-Architecture: any
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
new file mode 100644
index 0000000..f1e06f8
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/Makefile
@@ -0,0 +1,35 @@
+# turn off PIE in CC in case we have a PIEful toolchain:
+ifneq ($(findstring -no-pie,$(shell ${CC} -no-pie 2>&1)),)
+ CCWEAK := ${CC}
+else
+ CCWEAK := ${CC} -fno-pie -no-pie
+endif
+
+all: weak.1 strong.1
+ # Build without dpkg-buildflags.
+ $(CCWEAK) -o weak -g \
+ -fno-stack-protector \
+ -Wl,-z,norelro \
+ -U_FORTIFY_SOURCE \
+ hello.c
+ $(CC) -o strong \
+ $(shell dpkg-buildflags --get CPPFLAGS) \
+ $(shell dpkg-buildflags --get CFLAGS) \
+ $(shell dpkg-buildflags --get LDFLAGS) \
+ hello.c
+%.1: base.pod
+ sed s/@NAME@/$(basename $@)/g < $< | \
+ pod2man --name $(basename $@) --section 1 > $@
+
+install:
+ install -d $(DESTDIR)/usr/bin/
+ install -d $(DESTDIR)/usr/share/man/man1
+ install -m 755 -c weak $(DESTDIR)/usr/bin/weak
+ install -m 755 -c strong $(DESTDIR)/usr/bin/strong
+ install -m 644 -c weak.1 $(DESTDIR)/usr/share/man/man1/weak.1
+ install -m 644 -c strong.1 $(DESTDIR)/usr/share/man/man1/strong.1
+
+clean distclean:
+ rm -f weak strong *.1
+
+check test:
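Review bot: The `weak` and `strong` binaries are produced as side effects of the `all` recipe (lines `all: weak.1 strong.1` through the second `hello.c`) rather than as targets of their own, so `make weak` or `make strong` has no rule, both binaries are recompiled on every `make all`, and `install` can run against a tree where they were never built if `all` was skipped. Giving each binary its own rule with `hello.c` as prerequisite keeps the compile flags exactly as they are (the `weak` flags deliberately strip stack protector, RELRO and fortification, which is what the hints file expects) while making the dependency graph explicit. The empty `check test:` target would also benefit from a comment such as `# no build-time tests; target kept so dh_auto_test succeeds` if that is the intent, which I am inferring rather than reading from the hunk.
```make
all: weak strong weak.1 strong.1

# Built without dpkg-buildflags so every hardening feature is absent.
weak: hello.c
	$(CCWEAK) -o $@ -g \
	  -fno-stack-protector \
	  -Wl,-z,norelro \
	  -U_FORTIFY_SOURCE \
	  $<

strong: hello.c
	$(CC) -o $@ \
	  $(shell dpkg-buildflags --get CPPFLAGS) \
	  $(shell dpkg-buildflags --get CFLAGS) \
	  $(shell dpkg-buildflags --get LDFLAGS) \
	  $<
# … unchanged: %.1, install, clean and check rules …
```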
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
new file mode 100644
index 0000000..1e900d7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/base.pod
@@ -0,0 +1,12 @@
+=head1 NAME
+
+@NAME@ -- binary that does something
+
+=head1 SYNOPSIS
+
+ @NAME@ [options]
+
+=head1 DESCRIPTION
+
+@NAME@ does something very useful.
+
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
new file mode 100644
index 0000000..7b87bd7
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/build-spec/orig/hello.c
@@ -0,0 +1,17 @@
+#include <stdio.h>
+
+void
+report(char *string)
+{
+ char buf[80];
+ int len;
+
+ strcpy(buf, string);
+ fprintf(stdout, "Hello world from %s!\n%n", buf, &len);
+}
+
+int
+main(int argc, char *argv[])
+{
+ report(argv[0]);
+}
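Review bot: `strcpy` is called in `report` without `#include <string.h>`, so it is implicitly declared; recent GCC releases reject implicit function declarations by default, which would make the `strong` and `weak` builds in the sibling Makefile fail before the hardening check ever runs, and without the glibc prototype the fortified `__strcpy_chk` variant cannot be selected for the `strong` build either. Add `#include <string.h>` after the `<stdio.h>` include. Since the unbounded `strcpy` into `buf[80]` and the `%n` conversion are what give the fortify check something to detect, a one-line comment above `report` such as `/* deliberately uses fortifiable calls so the hardening check has something to find */` would stop a future cleanup from removing them. `main` also ends without a `return`, which C99 permits for `main` but is worth stating with `return 0;` for clarity.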
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
new file mode 100644
index 0000000..92ef00e
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/desc
@@ -0,0 +1,3 @@
+Testname: binaries-hardening
+Test-Architectures: amd64 i386 armhf arm64
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
new file mode 100644
index 0000000..43f2544
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/hints
@@ -0,0 +1,4 @@
+binaries-hardening (binary): hardening-no-relro [usr/bin/weak]
+binaries-hardening (binary): hardening-no-pie [usr/bin/weak]
+binaries-hardening (binary): hardening-no-fortify-functions [usr/bin/weak]
+binaries-hardening (binary): hardening-no-bindnow [usr/bin/weak]
diff --git a/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
new file mode 100755
index 0000000..89c85ec
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/binaries-hardening/eval/test-calibration
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use lib "$ENV{LINTIAN_BASE}/lib";
+
+use Lintian::Profile;
+
+my $PROFILE = Lintian::Profile->new;
+$PROFILE->load('debian/main', [$ENV{'LINTIAN_BASE'}]);
+
+my %recommended_hardening_features
+ = %{$PROFILE->data->hardening_buildflags->recommended_features};
+
+my ($expected, undef, $calibrated) = @ARGV;
+
+my $arch = `dpkg-architecture -qDEB_HOST_ARCH`;
+chomp $arch;
+
+die "Unknown architecture: $arch"
+ unless exists $recommended_hardening_features{$arch};
+
+open my $cfd, '>', $calibrated or die "open $calibrated: $!";
+open my $efd, '<', $expected or die "open $expected: $!";
+
+while (my $line = <$efd>) {
+ my $dp = 0;
+ if ($line =~ m/^.: [^:]+: hardening-no-(\S+)/) {
+
+ # hardening flag, but maybe not for this architecture
+ my $feature = $1;
+
+ my %renames = ('fortify-functions' => 'fortify');
+ my $renamed_feature = $renames{$feature} // $feature;
+
+ $dp = 1 if $recommended_hardening_features{$arch}{$renamed_feature};
+ } else {
+ # only calibrate hardening flags.
+ $dp = 1;
+ }
+
+ print $cfd $line if $dp;
+}
+
+close $efd;
+close $cfd or die "close $expected: $!";
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et
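Review bot: The error message on the final `close` names the wrong file: the handle being closed is `$cfd`, which was opened on `$calibrated`, but the message interpolates `$expected`; it should read `close $cfd or die "close $calibrated: $!";`. The backtick call to `dpkg-architecture` is also unchecked, so a missing or failing tool yields an empty `$arch` and the script dies with the less helpful "Unknown architecture:" message; adding `die "dpkg-architecture failed: $?" if $?;` right after the `chomp` makes the cause explicit. The middle element of `@ARGV` is discarded with `undef` without explanation; a short comment naming what the caller passes in that position would help the next reader. As a point of style, `%renames` is rebuilt on every loop iteration and could be declared once above the `while`, and `print {$cfd} $line` is the form perlcritic prefers for a lexical handle.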
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install
new file mode 100644
index 0000000..c10e578
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/install
@@ -0,0 +1 @@
+foreign-binary usr/bin
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules
new file mode 100755
index 0000000..2ce6f53
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/debian/rules
@@ -0,0 +1,22 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+%:
+ dh $@
+
+override_dh_strip:
+ # do not try to strip cross-compiled binaries with native tooling
+
+override_dh_shlibdeps:
+ # do not try to include missing libraries
+
+override_dh_dwz:
+ # cross-compiled binaries do not always seem to have a debug section
+
+# In Ubuntu, dh does not catch this file by default.
+# They have diffed it to reduce the size of packages.
+ifneq (,$(strip $(wildcard Changes)))
+override_dh_installchangelogs:
+ dh_installchangelogs Changes
+endif
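Review bot: The `export DEB_BUILD_MAINT_OPTIONS=hardening=+all` line appears to have no effect on this recipe, because the upstream Makefile added in the same commit forces `CC` and compiles with a bare `$(CC) $^ -o $@` that never consults `CFLAGS`, `LDFLAGS` or `dpkg-buildflags`; this is inferred from the sibling hunk rather than visible here. If the export is inherited from the skeleton and kept on purpose, a comment such as `# hardening flags are ignored by the upstream Makefile; the test only checks the architecture mismatch` would make that clear, otherwise it can be dropped. The three empty `override_dh_*` targets each carry a comment already, which is good; `override_dh_dwz` says the debug section is "not always" present, so stating that the override is unconditional for that reason would remove the ambiguity.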
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values
new file mode 100644
index 0000000..24f607a
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/fill-values
@@ -0,0 +1,6 @@
+Skeleton: upload-native
+Testname: wrong-binary-architecture
+Description: Binary architecture does not match package declaration
+Package-Architecture: any
+Extra-Build-Depends:
+ gcc-arm-linux-gnueabihf [amd64 i386], gcc-x86-64-linux-gnu [!amd64 !i386]
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile
new file mode 100644
index 0000000..bf92eaf
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/Makefile
@@ -0,0 +1,37 @@
+# This test works on amd64 when the cross-compiler for armhf is installed.
+#
+# The build prerequisite was not added to Lintian, however, since it was
+# not clear how the architecture would be enabled in the Gitlab CI
+# runner.
+#
+# On amd64 or i386, please follow these steps to run the test:
+#
+# dpkg --add-architecture armhf
+# apt update
+# apt install gcc-arm-linux-gnueabihf
+#
+# On all other architectures this may work, but was not tested:
+#
+# dpkg --add-architecture amd64
+# apt update
+# apt install gcc-x86-64-linux-gnu
+#
+# (Taken from: https://wiki.debian.org/CrossToolchains)
+
+ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+ifeq ($(ARCH),amd64)
+CC := arm-linux-gnueabihf-gcc
+else
+CC := x86_64-linux-gnu-gcc
+endif
+
+foreign-binary: hello.c
+ $(CC) $^ -o $@
+
+.PHONY: clean
+clean:
+ rm -f foreign-binary
+
+.PHONY: clean
+distclean: clean
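Review bot: The second `.PHONY: clean` line is a copy-paste slip; it precedes the `distclean` rule and should read `.PHONY: distclean`, otherwise `distclean` is a real target and a file of that name would silently disable it. Separately, `CC :=` is assigned unconditionally for both branches of the `ifeq`, so any `CC`, `CFLAGS` or `LDFLAGS` supplied by the packaging environment is ignored for the `foreign-binary` compile; if that is intentional for a fixture whose only purpose is the architecture mismatch, a comment above the `ifeq` saying so would stop someone from "fixing" it. The header comment lists manual steps to install the cross toolchain while `fill-values` in this commit declares `Extra-Build-Depends` for the same compilers; noting which of the two is authoritative would avoid the two drifting apart.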
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c
new file mode 100644
index 0000000..2fb04e1
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/build-spec/orig/hello.c
@@ -0,0 +1,8 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+
+ printf("Hello, World!\n");
+ exit(0);
+}
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc
new file mode 100644
index 0000000..b5d2db5
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/desc
@@ -0,0 +1,2 @@
+Testname: wrong-binary-architecture
+Check: binaries/hardening
diff --git a/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints
new file mode 100644
index 0000000..68d4010
--- /dev/null
+++ b/t/recipes/checks/binaries/hardening/wrong-binary-architecture/eval/hints
@@ -0,0 +1 @@
+wrong-binary-architecture (binary): hardening-no-bindnow [usr/bin/foreign-binary]