Hi Niels,

On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote:
> I have started an unofficial branch[1] to get something more concrete on
> this. I decided to rename the tags so they had a common prefix (it
> simplified the update to t/scripts/implemented-tags.t).

Attached is a patch to clean up the remaining tests that still needed
stack protector and fortify to show up in their binaries.

> Last I checked we still have an "outstanding issue" hardening-check
> using ldd, which I am not certain will work with "foreign" binaries (see
> comment #39). I suspect it will mostly affect people who do
> cross-builds and lintian.d.o[2].

And this should be taken care of now in hardening-includes 2.0, which uses
a hard-coded list of libc functions instead of trying to build the list at
runtime.

After this patch, the TODO's single remaining item is:

  + revise tag certainty and description:
    - overrides (we can't do much about FP etc.)

What is needed for this? Should I expand the descriptions more? Or was
there something else?

Thanks!

-Kees

-- 
Kees Cook @debian.org
From 44917dcc8af48043cb22b104398cfc494b74fbf6 Mon Sep 17 00:00:00 2001
From: Kees Cook <k...@outflux.net>
Date: Sat, 31 Mar 2012 23:59:28 -0700
Subject: [PATCH] Update for latest hardening-check

Additionally, clean up remaining hardening warnings in the tests.

Signed-off-by: Kees Cook <k...@debian.org>
---
 collection/hardening-info                          |    7 -------
 debian/changelog                                   |    7 +------
 debian/control                                     |    2 +-
 .../debian/hardening-trigger.h                     |    6 ++++++
 t/tests/binaries-embedded-libs/debian/libbz2.c     |    1 +
 t/tests/binaries-embedded-libs/debian/libexpat.c   |    1 +
 t/tests/binaries-embedded-libs/debian/libjpeg.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libm.c       |    1 +
 t/tests/binaries-embedded-libs/debian/libmagic.c   |    1 +
 .../binaries-embedded-libs/debian/libopenjpeg.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libpcre3.c   |    1 +
 t/tests/binaries-embedded-libs/debian/libpng.c     |    1 +
 t/tests/binaries-embedded-libs/debian/libsqlite.c  |    1 +
 t/tests/binaries-embedded-libs/debian/libtiff.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libxml2.c    |    1 +
 t/tests/binaries-embedded-libs/debian/zlib.c       |    1 +
 .../debian/basic.c                                 |   10 ++++++++++
 .../debian/basic.c                                 |   10 ++++++++++
 .../debian/basic.c                                 |   10 ++++++++++
 t/tests/binaries-missing-depends/debian/basic.c    |   10 ++++++++++
 t/tests/binaries-multiarch-same/debian/basic.c     |   10 ++++++++++
 .../binaries-multiarch-wrong-dir/debian/basic.c    |   10 ++++++++++
 t/tests/binaries-multiarch/debian/basic.c          |   10 ++++++++++
 t/tests/binaries-spelling/debian/basic.c           |   10 ++++++++++
 t/tests/binaries-unsafe-open/debian/dummy.c        |   10 ++++++++++
 t/tests/strings-elf-detection/debian/Makefile      |    7 +++++++
 t/tests/strings-elf-detection/debian/debian/rules  |    3 +--
 t/tests/strings-elf-detection/debian/true.c        |   17 +++++++++++++++++
 28 files changed, 135 insertions(+), 16 deletions(-)
 create mode 100644 t/tests/binaries-embedded-libs/debian/hardening-trigger.h
 create mode 100644 t/tests/strings-elf-detection/debian/Makefile
 create mode 100644 t/tests/strings-elf-detection/debian/true.c
diff --git a/collection/hardening-info b/collection/hardening-info index 6692c96..b7408be 100755 --- a/collection/hardening-info +++ b/collection/hardening-info @@ -44,13 +44,6 @@ if ( -e "$dir/hardening-info" ) { open OUT, '>', "$dir/hardening-info" or fail("cannot open hardening-info: $!"); -# If we're running inside the Lintian test suite itself, we need to avoid -# all the tests except the "binaries-hardening" test. -exit 0 - if (defined $ENV{'LINTIAN_INTERNAL_TESTSUITE'} and - $ENV{'LINTIAN_INTERNAL_TESTSUITE'} eq "1" and - $dir !~ m|/binaries-hardening/binaries-hardening_1.0_.*_binary$|); - # Prepare to examine the file tree. chdir ("$dir/unpacked") or fail("unable to chdir to unpacked: $!"); diff --git a/debian/changelog b/debian/changelog index 1a71129..42224a0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,13 +1,8 @@ lintian (2.5.6) UNRELEASED; urgency=low * BRANCH TODO: - + handle checking of binaries from foreign architectures: - - hardening-check uses ldd + revise tag certainty and description: - overrides (we can't do much about FP etc.) - + test suite clean up: - - remove test-suite check in coll/hardening-info - - fix broken tests * checks/*: + [NT] Simplified some bit operations done on file permissions. @@ -58,7 +53,7 @@ lintian (2.5.6) UNRELEASED; urgency=low * checks/binaries, collector/hardening-info*: + Add ELF hardening checks. (Closes: 650536) - -- Kees Cook <k...@ubuntu.com> Sun, 04 Mar 2012 12:40:41 -0800 + -- Kees Cook <k...@debian.org> Sat, 31 Mar 2012 18:03:36 -0700 lintian (2.5.5) unstable; urgency=low diff --git a/debian/control b/debian/control index f13205a..e0a983e 100644 --- a/debian/control +++ b/debian/control @@ -19,7 +19,7 @@ Build-Depends: binutils, fakeroot, file, gettext, - hardening-includes (>= 1.35), + hardening-includes (>= 2.0), intltool-debian, javahelper (>= 0.32~), libapt-pkg-perl, 
diff --git a/t/tests/binaries-embedded-libs/debian/hardening-trigger.h b/t/tests/binaries-embedded-libs/debian/hardening-trigger.h new file mode 100644 index 0000000..0bfe592 --- /dev/null +++ b/t/tests/binaries-embedded-libs/debian/hardening-trigger.h @@ -0,0 +1,6 @@ +void e(char *p, int i, void (*f)(char *)){ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} diff --git a/t/tests/binaries-embedded-libs/debian/libbz2.c b/t/tests/binaries-embedded-libs/debian/libbz2.c index d0ab79b..9fc9d92 100644 --- a/t/tests/binaries-embedded-libs/debian/libbz2.c +++ b/t/tests/binaries-embedded-libs/debian/libbz2.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" static const char bzip2_bug[] = "This is a bug in bzip2"; diff --git a/t/tests/binaries-embedded-libs/debian/libexpat.c b/t/tests/binaries-embedded-libs/debian/libexpat.c index 707f1d6..1df8c01 100644 --- a/t/tests/binaries-embedded-libs/debian/libexpat.c +++ b/t/tests/binaries-embedded-libs/debian/libexpat.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The XML_DTD warning string is always present, even if expat was diff --git a/t/tests/binaries-embedded-libs/debian/libjpeg.c b/t/tests/binaries-embedded-libs/debian/libjpeg.c index ddf2cc9..6f76a7d 100644 --- a/t/tests/binaries-embedded-libs/debian/libjpeg.c +++ b/t/tests/binaries-embedded-libs/debian/libjpeg.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The quantization tables warning message is unique enough to be used to diff --git a/t/tests/binaries-embedded-libs/debian/libm.c b/t/tests/binaries-embedded-libs/debian/libm.c index 31e43f5..b69548d 100644 --- a/t/tests/binaries-embedded-libs/debian/libm.c +++ b/t/tests/binaries-embedded-libs/debian/libm.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" static const char domain_error[] = "neg**non-integral: DOMAIN error"; 
diff --git a/t/tests/binaries-embedded-libs/debian/libmagic.c b/t/tests/binaries-embedded-libs/debian/libmagic.c index 8bd0788..d8a7d4c 100644 --- a/t/tests/binaries-embedded-libs/debian/libmagic.c +++ b/t/tests/binaries-embedded-libs/debian/libmagic.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" static const char no_magic_files[] = "could not find any magic files!"; diff --git a/t/tests/binaries-embedded-libs/debian/libopenjpeg.c b/t/tests/binaries-embedded-libs/debian/libopenjpeg.c index 0dd0f28..b232b21 100644 --- a/t/tests/binaries-embedded-libs/debian/libopenjpeg.c +++ b/t/tests/binaries-embedded-libs/debian/libopenjpeg.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The tcd_decode error message appears to be unique enough to be used to diff --git a/t/tests/binaries-embedded-libs/debian/libpcre3.c b/t/tests/binaries-embedded-libs/debian/libpcre3.c index 9ec595f..5eca82e 100644 --- a/t/tests/binaries-embedded-libs/debian/libpcre3.c +++ b/t/tests/binaries-embedded-libs/debian/libpcre3.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The PCRE_UTF8 message is unique enough to be used to diff --git a/t/tests/binaries-embedded-libs/debian/libpng.c b/t/tests/binaries-embedded-libs/debian/libpng.c index 80718a9..3de5e57 100644 --- a/t/tests/binaries-embedded-libs/debian/libpng.c +++ b/t/tests/binaries-embedded-libs/debian/libpng.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The png_zalloc overflow error message is unique enough to be used to diff --git a/t/tests/binaries-embedded-libs/debian/libsqlite.c b/t/tests/binaries-embedded-libs/debian/libsqlite.c index 1d2020c..9bc97d0 100644 --- a/t/tests/binaries-embedded-libs/debian/libsqlite.c +++ b/t/tests/binaries-embedded-libs/debian/libsqlite.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * the sqlite_master table is used by sqlite 2 and 3 
diff --git a/t/tests/binaries-embedded-libs/debian/libtiff.c b/t/tests/binaries-embedded-libs/debian/libtiff.c index 3d0d34f..ec36402 100644 --- a/t/tests/binaries-embedded-libs/debian/libtiff.c +++ b/t/tests/binaries-embedded-libs/debian/libtiff.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * The PixarLog error message is unique enough to be used to diff --git a/t/tests/binaries-embedded-libs/debian/libxml2.c b/t/tests/binaries-embedded-libs/debian/libxml2.c index 609602f..5c151d2 100644 --- a/t/tests/binaries-embedded-libs/debian/libxml2.c +++ b/t/tests/binaries-embedded-libs/debian/libxml2.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" static const char root_dtd_mismatch[] = "root and DTD name do not match '%s' and '%s'"; diff --git a/t/tests/binaries-embedded-libs/debian/zlib.c b/t/tests/binaries-embedded-libs/debian/zlib.c index 3237ebd..eb43c79 100644 --- a/t/tests/binaries-embedded-libs/debian/zlib.c +++ b/t/tests/binaries-embedded-libs/debian/zlib.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include "hardening-trigger.h" /* * zlib asks derivative works to include this string, so it's the signature diff --git a/t/tests/binaries-missing-depends-on-libc/debian/basic.c b/t/tests/binaries-missing-depends-on-libc/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-missing-depends-on-libc/debian/basic.c +++ b/t/tests/binaries-missing-depends-on-libc/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c b/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c index deea058..5e0971d 100644 --- a/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c 
+++ b/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c @@ -1,7 +1,17 @@ #include <Python.h> #include <numpy/arrayobject.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + void do_import_array(void) { import_array(); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-missing-depends-on-xapi/debian/basic.c b/t/tests/binaries-missing-depends-on-xapi/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-missing-depends-on-xapi/debian/basic.c +++ b/t/tests/binaries-missing-depends-on-xapi/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-missing-depends/debian/basic.c b/t/tests/binaries-missing-depends/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-missing-depends/debian/basic.c +++ b/t/tests/binaries-missing-depends/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-multiarch-same/debian/basic.c b/t/tests/binaries-multiarch-same/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-multiarch-same/debian/basic.c +++ b/t/tests/binaries-multiarch-same/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } 
diff --git a/t/tests/binaries-multiarch-wrong-dir/debian/basic.c b/t/tests/binaries-multiarch-wrong-dir/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-multiarch-wrong-dir/debian/basic.c +++ b/t/tests/binaries-multiarch-wrong-dir/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-multiarch/debian/basic.c b/t/tests/binaries-multiarch/debian/basic.c index a03a790..7bdd01c 100644 --- a/t/tests/binaries-multiarch/debian/basic.c +++ b/t/tests/binaries-multiarch/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int lib_interface(void) { printf("Hello world!\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/binaries-spelling/debian/basic.c b/t/tests/binaries-spelling/debian/basic.c index 419cbfb..d952f45 100644 --- a/t/tests/binaries-spelling/debian/basic.c +++ b/t/tests/binaries-spelling/debian/basic.c @@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int main(void) { printf("I iz an exprimental speling error!\n"); + hardening_trigger(NULL, 0,NULL); } diff --git a/t/tests/binaries-unsafe-open/debian/dummy.c b/t/tests/binaries-unsafe-open/debian/dummy.c index 54dcf61..0f69947 100644 --- a/t/tests/binaries-unsafe-open/debian/dummy.c +++ b/t/tests/binaries-unsafe-open/debian/dummy.c 
@@ -1,7 +1,17 @@ #include <stdio.h> +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + int main(void) { printf("hello world\n"); + hardening_trigger(NULL, 0, NULL); } diff --git a/t/tests/strings-elf-detection/debian/Makefile b/t/tests/strings-elf-detection/debian/Makefile new file mode 100644 index 0000000..a877dfd --- /dev/null +++ b/t/tests/strings-elf-detection/debian/Makefile @@ -0,0 +1,7 @@ +all: + gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o true true.c + +clean distclean: + rm -f true + +check test: diff --git a/t/tests/strings-elf-detection/debian/debian/rules b/t/tests/strings-elf-detection/debian/debian/rules index 9225aff..ff00c70 100755 --- a/t/tests/strings-elf-detection/debian/debian/rules +++ b/t/tests/strings-elf-detection/debian/debian/rules @@ -4,9 +4,8 @@ pkg=strings-elf-detection dh $@ override_dh_install: - cp /bin/true . touch foo bar::ELF mkdir -p debian/$(pkg)/usr/lib/foo - cp /bin/true debian/$(pkg)/usr/lib/foo/true\ false + cp true debian/$(pkg)/usr/lib/foo/true\ false dh_install diff --git a/t/tests/strings-elf-detection/debian/true.c b/t/tests/strings-elf-detection/debian/true.c new file mode 100644 index 0000000..0f69947 --- /dev/null +++ b/t/tests/strings-elf-detection/debian/true.c @@ -0,0 +1,17 @@ +#include <stdio.h> + +static void +hardening_trigger(char *p, int i, void (*f)(char *)) +{ + char test[10]; + memcpy(test, p, i); + f(test); + printf("%s", test); +} + +int +main(void) +{ + printf("hello world\n"); + hardening_trigger(NULL, 0, NULL); +} -- 1.7.9.1
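Review bot: dropping the LINTIAN_INTERNAL_TESTSUITE early exit in collection/hardening-info means the binaries of every test package are now run through hardening-check, yet the diffstat lists no change to any t/tests/*/tags file; please confirm in the test-suite run that none of the other binaries-* tests now emits an unexpected hardening tag. The new hardening_trigger() copies are what is meant to keep them quiet, but the expected-output files are where that is proven.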
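Review bot: debian/control raises the hardening-includes build dependency from (>= 1.35) to (>= 2.0), but the debian/changelog hunk in the same patch only trims the BRANCH TODO list and updates the trailer; add a changelog line for the bump and why it is needed (per the mail above, 2.0's hardening-check no longer builds its function list with ldd), so the foreign-binary fix is recorded where people will look for it.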
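Review bot: hardening-trigger.h calls memcpy() and printf() without including <string.h> or <stdio.h>; it compiles only because every includer happens to pull in <stdio.h> first, and memcpy() is then implicitly declared. That defeats part of the file's purpose: the fortified __memcpy_chk wrapper comes from glibc's <string.h>, so without that include the only fortify marker these objects can carry is __printf_chk. Add `#include <stdio.h>` and `#include <string.h>` at the top of the header. The single-letter external symbol `e` is presumably non-static on purpose, so the otherwise unused function still gets emitted; a one-line comment saying so, and a less collision-prone name given that the header is included from twelve translation units, would stop the next person from "fixing" it to static.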
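Review bot: the ten copies of hardening_trigger() (binaries-missing-depends*, binaries-multiarch*, binaries-spelling, binaries-unsafe-open and strings-elf-detection/true.c) share two problems. First, as in hardening-trigger.h, memcpy() is used with only <stdio.h> included, so add <string.h> (the numpy variant gets it indirectly through Python.h). Second, every call site is `hardening_trigger(NULL, 0, NULL)`, which ends in `f(test)` through a NULL function pointer: any of these binaries crashes the moment it is executed (strings-elf-detection now ships this one as `true false`), and because the function is static and called exactly once with constant arguments the compiler is free to inline it and fold the zero-length memcpy away, leaving __printf_chk as the sole fortify marker. Passing real arguments (argv[1] and a harmless callback), or marking the function `__attribute__((noinline))`, keeps the trigger doing what its name says; at minimum add a comment that these binaries are build-only and must never be run.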
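Review bot: the new t/tests/strings-elf-detection/debian/Makefile hard-codes `gcc`; use `$(CC)` so a cross build (the foreign-binary case raised earlier in the thread) picks up the cross compiler instead of silently building a native `true` into a foreign package. Taking $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) from the environment is fine with the `dh $@` rules file shown, provided the package's debhelper compat level makes dh export dpkg-buildflags; that file is not in the diff, so it is worth a check, since the whole point of replacing `cp /bin/true` is that `true` now gets built with the hardening flags rather than inherited from the host.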
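The mail above says hardening-includes 2.0 decides from a hard-coded list of libc names rather than from ldd, and the patch plants memcpy()/printf() on a stack buffer so that the markers show up. As an added illustration (not lintian's or hardening-check's code), here is what such a symbol-based check looks like: it parses the ELF64 little-endian section headers and .dynsym directly, so it needs neither ldd nor the ability to execute the binary, which is what makes it usable on a foreign-architecture build. The _chk list is an illustrative subset of glibc's wrappers (assumption; the real tool ships a longer one), the ELF64-LE-only parsing is a simplification, and the sample ELF is constructed in the block so it runs offline.

```python
"""Symbol-based hardening scan of an ELF64 binary, in the spirit of the
hardening-check approach described in the mail: decide from the file alone,
using a hard-coded list of libc names, whether it was built with
-fstack-protector and -D_FORTIFY_SOURCE. Parses ELF64 little-endian only
(an assumption of this example)."""
import struct

# Assumption: an illustrative subset of glibc's *_chk wrappers; the real
# hardening-check carries its own, longer, hard-coded list.
FORTIFY_CHK = {"__memcpy_chk", "__memset_chk", "__printf_chk", "__fprintf_chk",
               "__sprintf_chk", "__snprintf_chk", "__strcpy_chk", "__read_chk"}
# The unfortified counterparts: importing one of these means a fortifiable
# call was compiled without the check.
FORTIFY_PLAIN = {n[2:-4] for n in FORTIFY_CHK}

SHT_DYNSYM = 11
STT_FUNC = 2
SHN_UNDEF = 0
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes
SYM_FMT = "<IBBHQQ"        # Elf64_Sym, 24 bytes


def undefined_functions(elf):
    """Names of the functions the binary imports (undefined .dynsym entries)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("example handles ELF64 little-endian only")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    shdrs = [struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names = set()
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNSYM:
            continue
        strtab_off, strtab_size = shdrs[sh_link][4], shdrs[sh_link][5]   # linked .dynstr
        strtab = elf[strtab_off:strtab_off + strtab_size]
        entsize = sh_entsize or struct.calcsize(SYM_FMT)
        for j in range(sh_size // entsize):
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from(
                SYM_FMT, elf, sh_offset + j * entsize)
            if st_name and st_shndx == SHN_UNDEF and (st_info & 0xF) == STT_FUNC:
                names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return names


def hardening_report(elf):
    """The two symbol-derived properties: stack protector and fortify, plus
    the 'no fortifiable calls at all' case, which must not count as a failure."""
    imports = undefined_functions(elf)
    return {
        "stack_protector": "__stack_chk_fail" in imports,
        "fortify": bool(imports & FORTIFY_CHK),
        "fortify_applicable": bool(imports & (FORTIFY_CHK | FORTIFY_PLAIN)),
        "unfortified": sorted(imports & FORTIFY_PLAIN),
    }


def build_sample_elf(import_names):
    """Constructed test input: an ELF64 shell holding only a .dynstr and a
    .dynsym that lists the given names as undefined functions. Not loadable;
    it exists so the scan above can be exercised offline."""
    strtab, offsets = b"\0", {}
    for n in import_names:
        offsets[n] = len(strtab)
        strtab += n.encode() + b"\0"
    symtab = struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)                  # mandatory null symbol
    for n in import_names:                                           # STB_GLOBAL | STT_FUNC, undefined
        symtab += struct.pack(SYM_FMT, offsets[n], (1 << 4) | STT_FUNC, 0, SHN_UNDEF, 0, 0)
    strtab_off = 64
    symtab_off = strtab_off + len(strtab)
    shoff = symtab_off + len(symtab)
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                                            # [0] null
    shdrs += struct.pack(SHDR_FMT, 0, 3, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)       # [1] .dynstr
    shdrs += struct.pack(SHDR_FMT, 0, SHT_DYNSYM, 0, 0, symtab_off, len(symtab), 1, 1, 8, 24)  # [2] .dynsym -> [1]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8              # ELF64, little-endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return header + strtab + symtab + shdrs


if __name__ == "__main__":
    # What the patch's hardening_trigger() is meant to produce, next to a
    # binary built without the flags (both constructed, not real builds).
    for label, names in (("hardened", ["__stack_chk_fail", "__printf_chk", "__memcpy_chk", "puts"]),
                         ("plain", ["printf", "memcpy", "puts"])):
        print(label, hardening_report(build_sample_elf(names)))
```

The `fortify_applicable` field is the caveat the changelog's "overrides (we can't do much about FP etc.)" item is about: a binary that imports none of the fortifiable functions legitimately has no `_chk` symbol, and a checker that reports that as "not fortified" produces a false positive that only an override can silence. Real hardening-check also reads the program headers and the dynamic section for PIE, RELRO and BIND_NOW; those are outside this example.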