Diffstat (limited to '')
30 files changed, 327 insertions, 0 deletions
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/compat.in b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/compat.in
new file mode 100644
index 0000000..640a566
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/compat.in
@@ -0,0 +1 @@
+[% $dh_compat_level %]
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/control.in b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/control.in
new file mode 100644
index 0000000..91b453f
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/control.in
@@ -0,0 +1,53 @@
+Source: [% $source %]
+Priority: optional
+Section: libs
+Maintainer: [% $author %]
+Standards-Version: [% $standards_version %]
+Build-Depends: [% $build_depends %]
+Rules-Requires-Root: no
+
+Package: libmultiarch-none-dev
+Architecture: any
+Section: libdevel
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: [% $description %] (M-A: none)
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package.
+ .
+ This package does not specify a Multi-Arch field.
+
+Package: libmultiarch-foreign-dev
+Architecture: any
+Section: libdevel
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: foreign
+Description: [% $description %] (M-A: foreign)
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package.
+ .
+ This package specifies Multi-Arch: foreign.
+
+Package: libmultiarch-same-dev
+Architecture: any
+Section: libdevel
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: same
+Description: [% $description %] (M-A: same)
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package.
+ .
+ This package specifies Multi-Arch: same.
+
+Package: libmultiarch-contrib-dev
+Architecture: any
+Section: contrib/libdevel
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: [% $description %] (contrib)
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package.
+ .
+ This package is in the contrib/libdevel section.
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/rules b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/rules
new file mode 100755
index 0000000..fe4db63
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/debian/rules
@@ -0,0 +1,22 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+include /usr/share/dpkg/buildflags.mk
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ set -e; for X in none same foreign contrib; do \
+ install -d debian/libmultiarch-$$X-dev/usr/bin; \
+ install -d debian/libmultiarch-$$X-dev/var/lib/private; \
+ install -m 755 true debian/libmultiarch-$$X-dev/usr/bin/$$X; \
+ install -m 755 true debian/libmultiarch-$$X-dev/var/lib/private/$$X; \
+ install -m 755 script debian/libmultiarch-$$X-dev/usr/bin/$$X-script; \
+ install -m 755 script debian/libmultiarch-$$X-dev/var/lib/private/$$X-script; \
+ done
+
+override_dh_strip:
+ # Avoid symbol conflicts warnings
+ dh_strip --no-automatic-dbgsym
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/fill-values b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/fill-values
new file mode 100644
index 0000000..929c501
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/fill-values
@@ -0,0 +1,5 @@
+Skeleton: upload-native
+Testname: binaries-development-package-ships-elf-binary-in-path
+Description: Test for development packages shipping ELF binaries in $PATH
+Default-Build-Depends: debhelper (>= 9.20160114~)
+Dh-Compat-Level: 9
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/Makefile b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/Makefile
new file mode 100644
index 0000000..a877dfd
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/Makefile
@@ -0,0 +1,7 @@
+all:
+ gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o true true.c
+
+clean distclean:
+ rm -f true
+
+check test:
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/script b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/script
new file mode 100755
index 0000000..c52d3c2
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/script
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/true.c b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/true.c
new file mode 100644
index 0000000..8479e67
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/build-spec/orig/true.c
@@ -0,0 +1,5 @@
+int
+main(void)
+{
+ return 0;
+}
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/desc b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/desc
new file mode 100644
index 0000000..0d0db95
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/desc
@@ -0,0 +1,2 @@
+Testname: binaries-development-package-ships-elf-binary-in-path
+Check: binaries/location
diff --git a/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/hints b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/hints
new file mode 100644
index 0000000..ad80dad
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-development-package-ships-elf-binary-in-path/eval/hints
@@ -0,0 +1,5 @@
+libmultiarch-same-dev (binary): development-package-ships-elf-binary-in-path [usr/bin/same]
+libmultiarch-same-dev (binary): arch-dependent-file-not-in-arch-specific-directory [var/lib/private/same]
+libmultiarch-same-dev (binary): arch-dependent-file-not-in-arch-specific-directory [usr/bin/same]
+libmultiarch-none-dev (binary): development-package-ships-elf-binary-in-path [usr/bin/none]
+libmultiarch-contrib-dev (binary): development-package-ships-elf-binary-in-path [usr/bin/contrib]
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/debian/rules b/t/recipes/checks/binaries/location/binaries-general/build-spec/debian/rules
new file mode 100644
index 0000000..3ea7a63
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/debian/rules
@@ -0,0 +1,12 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+%:
+ dh $@
+
+override_dh_strip:
+ dh_strip -X usr/lib/debug -X unstripped -X ocaml
+
+override_dh_dwz:
+ # Can error with "deadbeefdeadbeef.debug: Found compressed .debug_info section, not attempting dwz compression"
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/fill-values b/t/recipes/checks/binaries/location/binaries-general/build-spec/fill-values
new file mode 100644
index 0000000..a24247d
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/fill-values
@@ -0,0 +1,4 @@
+Skeleton: upload-native
+Testname: binaries-general
+Description: Misc errors related to binaries
+Package-Architecture: any
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/Makefile b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/Makefile
new file mode 100644
index 0000000..cf0f211
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/Makefile
@@ -0,0 +1,64 @@
+# turn off PIE in CC in case we have a PIEful toolchain:
+ifneq ($(findstring -no-pie,$(shell gcc -no-pie 2>&1)),)
+ CC := gcc
+else
+ CC := gcc -fno-pie -no-pie
+endif
+
+NOPIE_CFLAGS = $(filter-out -fPIE,$(CFLAGS))
+NOPIE_LDFLAGS = $(filter-out -fPIE -pie,$(LDFLAGS))
+COMPILE:= $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS)
+COMPILE_NOPIE:= $(CC) $(NOPIE_CFLAGS) $(CPPFLAGS) $(NOPIE_LDFLAGS)
+# extract from readelf
+GETBUILDID:=./getbuildid
+
+all:
+ # rpath not matching any of the exceptions to the rpath checks
+ # - with profiling enabled.
+ $(COMPILE_NOPIE) -o basic basic.c -pg -Wl,--rpath,/usr/local/lib
+ # rpath shipped in the package, but one of {/usr}?/lib
+ $(COMPILE) -o basiclibrpath basic.c -Wl,--rpath,/usr/lib
+ # non-special rpath shipped in the package
+ $(COMPILE) -o basicshippedrpath basic.c -Wl,--rpath,/usr/share/foo
+ # special rpath shipped in the package, multiple paths
+ $(COMPILE) -o basicshippedrpathmore basic.c -Wl,--rpath,/usr/lib/binaries-general:/usr/lib/binaries-general/bar
+ # static version of basic for debugging checks
+ $(COMPILE_NOPIE) -static -o basic.static basic.c
+ # static executable to trigger ocaml check
+ $(COMPILE_NOPIE) -o ocaml-exec ocaml.c
+ # version with debug
+ $(COMPILE) -o basicdebug -g3 -Wl,--build-id basic.c
+
+install:
+ # according to local debian rules /usr/lib/debug is unstripped
+ install -d $(DESTDIR)/usr/share/foo/
+ install -d $(DESTDIR)/usr/lib/debug/usr/share/foo/
+ install -d $(DESTDIR)/usr/lib/foo/
+ install -d $(DESTDIR)/usr/bin
+
+ install -m 755 -c basic $(DESTDIR)/usr/share/foo/basic
+ objcopy --only-keep-debug basic $(DESTDIR)/usr/lib/debug/usr/share/foo/basic
+ strip -s $(DESTDIR)/usr/lib/debug/usr/share/foo/basic
+ install -m 755 -c basiclibrpath $(DESTDIR)/usr/lib/foo/basiclibrpath
+ install -m 755 -c basicshippedrpath $(DESTDIR)/usr/lib/foo/basicshippedrpath
+ install -m 755 -c ocaml-exec $(DESTDIR)/usr/lib/foo/ocaml-exec
+ install -m 744 -c basicshippedrpathmore $(DESTDIR)/usr/lib/foo/basicshippedrpathmore
+ objcopy --only-keep-debug basic $(DESTDIR)/usr/lib/debug/basic
+ install -d "$(DESTDIR)/usr/lib/debug/.build-id/"`$(GETBUILDID) -s basicdebug`
+ install -m 755 -c basicdebug $(DESTDIR)/usr/share/foo/basicdebug
+ # force fake buildid in order to have tag matching ok (deadbeefdeadbeef)
+ install -d "$(DESTDIR)/usr/lib/debug/.build-id/de"
+ objcopy --compress-debug-sections basicdebug \
+ "$(DESTDIR)/usr/lib/debug/.build-id/de/deadbeefdeadbeef.debug"
+ install -d "$(DESTDIR)/usr/lib/debug/.build-id/"`$(GETBUILDID) -s basicdebug`
+ objcopy --compress-debug-sections --only-keep-debug basicdebug \
+ "$(DESTDIR)/usr/lib/debug/.build-id/"`$(GETBUILDID) -s basicdebug`"/"`$(GETBUILDID) -f basicdebug`.debug
+ install -m 755 -c basic.static $(DESTDIR)/usr/lib/debug/
+ # according to local debian rules unstripped in name avoid dh_strip to do the work
+ install -m 755 basicdebug $(DESTDIR)/usr/bin/unstripped
+ install -m 755 basic.static $(DESTDIR)/usr/bin/static
+
+clean distclean:
+ rm -f basic
+
+check test:
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/basic.c b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/basic.c
new file mode 100644
index 0000000..3618004
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/basic.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <string.h>
+
+int
+main(int argc, char *argv[])
+{
+ char t[10];
+ printf("Hello world!\n");
+ /* forces a stack protector */
+ (void) strcpy(t,argv[0]);
+ return (int) t[0];
+}
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/getbuildid b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/getbuildid
new file mode 100755
index 0000000..0060d2b
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/getbuildid
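Review bot: The `clean distclean` target at the end of this Makefile removes only `basic`, although `all` also builds `basiclibrpath`, `basicshippedrpath`, `basicshippedrpathmore`, `basic.static`, `ocaml-exec` and `basicdebug`. Those six ELF files stay in the tree after `clean`, and since the test uses the upload-native skeleton they would presumably be swept into a later source build. I would change the recipe to `rm -f basic basiclibrpath basicshippedrpath basicshippedrpathmore basic.static ocaml-exec basicdebug`. Separately, in `install` the `install -d` of the short build-id directory under `.build-id/` appears twice; the second copy can go.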
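Review bot: The comment `/* forces a stack protector */` in `main` of basic.c does not say that the unbounded `strcpy(t,argv[0])` into `char t[10]` is deliberate, so the line reads like a real overflow to anyone scanning the tree or copying the fixture. If, as it appears, the binary is only built and inspected by Lintian and never executed, the comment should say so, for example `/* deliberate unbounded copy into a small local so the compiler emits a stack protector; fixture is inspected, not run */`. No code change is needed for the test itself.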
@@ -0,0 +1,30 @@
+#!/bin/sh
+# get build-id of binary
+
+set -e
+
+usage() {
+ echo "Usage: getbuildid [flag] file";
+ echo " print build-id of an object file"
+ echo "flags:"
+ echo " -f : full build-id (default)."
+ echo " -s : short build-id aka the first two characters."
+}
+
+if test $# -lt 1; then usage; exit 77; fi
+if test $# -gt 3; then usage; exit 77; fi
+
+if test $# -eq 1; then
+ LC_ALL=C readelf -n "$1" | grep -i 'Build Id:' | sed 's/.*:[[:blank:]]*\([[:digit:]|abcdef]*\).*/\1/g'
+else
+ case "x$1" in
+ 'x-f')
+ LC_ALL=C readelf -n "$2" | grep -i 'Build Id:' | sed 's/.*:[[:blank:]]*\([[:digit:]|abcdef]*\).*/\1/g' ;;
+ 'x-s')
+ LC_ALL=C readelf -n "$2" | grep -i 'Build Id:' | sed 's/.*:[[:blank:]]*\([[:digit:]|abcdef]\{2\}\).*/\1/g' ;;
+ *)
+ exit 2;
+ esac
+fi
+
+exit 0;
diff --git a/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/ocaml.c b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/ocaml.c
new file mode 100644
index 0000000..370d17d
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/build-spec/orig/ocaml.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int
+main(int argc, char **argv)
+{
+ if (argc > 2) {
+ puts("Caml1999X000");
+ }
+ puts("\n");
+ return 0;
+}
diff --git a/t/recipes/checks/binaries/location/binaries-general/eval/desc b/t/recipes/checks/binaries/location/binaries-general/eval/desc
new file mode 100644
index 0000000..74bbf38
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/eval/desc
@@ -0,0 +1,2 @@
+Testname: binaries-general
+Check: binaries/location
diff --git a/t/recipes/checks/binaries/location/binaries-general/eval/hints b/t/recipes/checks/binaries/location/binaries-general/eval/hints
new file mode 100644
index 0000000..ae43fff
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/eval/hints
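Review bot: getbuildid exits 0 with empty output when `readelf` fails or the file has no build-id note, because under `set -e` each `readelf | grep | sed` pipeline reports only `sed`'s status. The Makefile in this test splices that output into `.build-id/` paths via backticks, so an empty result would silently produce wrong directories instead of failing the build. I would capture the result in a variable and add `test -n "$id" || { echo "getbuildid: no build-id found" >&2; exit 1; }` before printing it. Two smaller points in the same script: the bracket expression `[[:digit:]|abcdef]` contains a literal `|` and should read `[[:digit:]abcdef]`, and `test $# -gt 3` accepts a third argument that is then ignored, where `-gt 2` would match the usage text.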
@@ -0,0 +1,2 @@
+binaries-general (binary): arch-dependent-file-in-usr-share [usr/share/foo/basicdebug]
+binaries-general (binary): arch-dependent-file-in-usr-share [usr/share/foo/basic]
diff --git a/t/recipes/checks/binaries/location/binaries-general/eval/post-test b/t/recipes/checks/binaries/location/binaries-general/eval/post-test
new file mode 100755
index 0000000..11ad2c8
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-general/eval/post-test
@@ -0,0 +1 @@
+/: hardening-.*/ d
diff --git a/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/debian/rules b/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/debian/rules
new file mode 100755
index 0000000..a3ab46d
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/debian/rules
@@ -0,0 +1,12 @@
+#!/usr/bin/make -f
+pkg=binaries-misplaced
+%:
+ dh $@
+
+override_dh_install:
+ mkdir -p debian/$(pkg)/etc/
+ cp -a /bin/true debian/$(pkg)/etc/foo
+ # explicitly call dh_shlibdeps since debhelper is being
+ # "smart" and not calling it in newer versions (8.9.something)
+ dh_shlibdeps
+ dh_install
diff --git a/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/fill-values b/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/fill-values
new file mode 100644
index 0000000..6f79eab
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-misplaced/build-spec/fill-values
@@ -0,0 +1,3 @@
+Skeleton: upload-native
+Testname: binaries-misplaced
+Description: Test binaries in /etc
diff --git a/t/recipes/checks/binaries/location/binaries-misplaced/eval/desc b/t/recipes/checks/binaries/location/binaries-misplaced/eval/desc
new file mode 100644
index 0000000..5e2795a
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-misplaced/eval/desc
@@ -0,0 +1,2 @@
+Testname: binaries-misplaced
+Check: binaries/location
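Review bot: In `override_dh_install` of binaries-misplaced/debian/rules, `cp -a /bin/true debian/$(pkg)/etc/foo` packages whatever the build host has at `/bin/true`, and `-a` preserves symlinks. On a host where `/bin/true` is a symlink (a multi-call binary, for instance) `etc/foo` would become a symlink rather than an ELF file, and the expected `binary-in-etc` hint would likely not fire. The fixture's contents also vary with the host's coreutils build. `cp -L /bin/true debian/$(pkg)/etc/foo` removes the symlink case; compiling a trivial `true.c`, as the development-package test in this commit does, would remove the host dependency altogether.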
diff --git a/t/recipes/checks/binaries/location/binaries-misplaced/eval/hints b/t/recipes/checks/binaries/location/binaries-misplaced/eval/hints
new file mode 100644
index 0000000..91f0ef7
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-misplaced/eval/hints
@@ -0,0 +1 @@
+binaries-misplaced (binary): binary-in-etc [etc/foo]
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/compat.in b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/compat.in
new file mode 100644
index 0000000..640a566
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/compat.in
@@ -0,0 +1 @@
+[% $dh_compat_level %]
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/control.in b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/control.in
new file mode 100644
index 0000000..2efaa33
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/control.in
@@ -0,0 +1,25 @@
+Source: [% $source %]
+Priority: optional
+Section: libs
+Maintainer: [% $author %]
+Standards-Version: [% $standards_version %]
+Build-Depends: [% $build_depends %]
+Rules-Requires-Root: no
+
+Package: libbasic2
+Architecture: [% $package_architecture %]
+Pre-Depends: ${misc:Pre-Depends}, multiarch-support
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Multi-Arch: same
+Description: [% $description %]
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package. It may
+ be an empty package.
+ .
+ Note there is an explicitly pre-depends on multiarch-support, since
+ older versions of debhelper might not use it yet. dpkg-dev will
+ remove the duplicate entry (if any).
+
+
+
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/libbasic2.symbols b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/libbasic2.symbols
new file mode 100644
index 0000000..c2b8fb3
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/debian/libbasic2.symbols
@@ -0,0 +1,2 @@
+libbasic.so.2 libbasic2 #MINVER#
+ lib_interface@Base 1.0
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/fill-values b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/fill-values
new file mode 100644
index 0000000..c508b75
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/fill-values
@@ -0,0 +1,6 @@
+Skeleton: upload-native
+Testname: binaries-multiarch-same
+Package-Architecture: any
+Default-Build-Depends: debhelper (>= 9.20151004~)
+Dh-Compat-Level: 9
+Description: Test of multiarch same package with unsafe binaries
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/Makefile b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/Makefile
new file mode 100644
index 0000000..ad7783b
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/Makefile
@@ -0,0 +1,12 @@
+
+all:
+ gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -fPIC -shared -Wl,-z,defs -Wl,-soname,libbasic.so.2 -o libbasic.so.2 basic.c
+
+install:
+ install -d $(DESTDIR)/usr/lib/
+ install -m 644 -c -s libbasic.so.2 $(DESTDIR)/usr/lib/libbasic.so.2
+
+clean distclean:
+ rm -f libbasic.so.2
+
+check test:
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/basic.c b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/basic.c
new file mode 100644
index 0000000..27e93fc
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/build-spec/orig/basic.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <string.h>
+
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+ char test[10];
+ memcpy(test, p, i);
+ f(test);
+ printf("%s", test);
+}
+
+int
+lib_interface(void)
+{
+ printf("Hello world!\n");
+ hardening_trigger(NULL, 0, NULL);
+ return 0;
+}
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/desc b/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/desc
new file mode 100644
index 0000000..50a4f57
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/desc
@@ -0,0 +1,2 @@
+Testname: binaries-multiarch-same
+Check: binaries/location
diff --git a/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/hints b/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/hints
new file mode 100644
index 0000000..b482a07
--- /dev/null
+++ b/t/recipes/checks/binaries/location/binaries-multiarch-same/eval/hints
@@ -0,0 +1 @@
+libbasic2 (binary): arch-dependent-file-not-in-arch-specific-directory [usr/lib/libbasic.so.2] |
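Review bot: `lib_interface` in basic.c calls `hardening_trigger(NULL, 0, NULL)`, which hands a null source pointer to `memcpy`, calls through the null function pointer `f`, and then prints the uninitialised `test` buffer with `%s`. The symbols file in this commit exports `lib_interface@Base`, so anything that loads the library and calls it would crash. Nothing in the file marks this as intentional. If the helper exists only so the compiler emits fortified and stack-protected code for Lintian to inspect, which is what the name suggests, that should be stated above `hardening_trigger`, for example `/* never executed: present only so the object carries fortify and stack-protector references */`.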