From 26a8a665b834b935e3a5363d06b7b392200de67075371a7c9dc81267cbb00007 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Tue, 10 May 2011 11:38:20 +0000
Subject: [PATCH] - add not-a-position-independent-executable check
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=14
---
 BashismsCheck.py | 9 ++++--
 CheckSUIDPermissions.py | 8 +++++
 rpmlint-pie.diff | 68 +++++++++++++++++++++++++++++++++++++++++
 rpmlint.changes | 5 +++
 rpmlint.spec | 2 ++
 5 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 rpmlint-pie.diff
diff --git a/BashismsCheck.py b/BashismsCheck.py
index d6bfe7a..000ae9c 100644
--- a/BashismsCheck.py
+++ b/BashismsCheck.py
@@ -28,9 +28,12 @@ class BashismsCheck(AbstractCheck.AbstractFilesCheck):
 status, output = Pkg.getstatusoutput(["dash", "-n", filename])
 if status == 2:
 printWarning(pkg, "bin-sh-syntax-error", filename)
- status, output = Pkg.getstatusoutput(["checkbashisms", filename])
- if status == 1:
- printInfo(pkg, "potential-bashisms", filename)
+ try:
+ status, output = Pkg.getstatusoutput(["checkbashisms", filename])
+ if status == 1:
+ printInfo(pkg, "potential-bashisms", filename)
+ except Exception, x:
+ printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x})
 finally:
 f.close()
diff --git a/CheckSUIDPermissions.py b/CheckSUIDPermissions.py
index 112b568..5255d54 100644
--- a/CheckSUIDPermissions.py
+++ b/CheckSUIDPermissions.py
@@ -135,6 +135,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
 else:
 f += '/'
+ if type == 010:
+ if not 'shared object' in pkgfile.magic:
+ printError(pkg, 'not-a-position-independent-executable', f)
+
 m = self.perms[f]['mode']
 o = self.perms[f]['owner']
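Review bot: The new `except Exception, x:` around the checkbashisms call turns every failure, most plausibly checkbashisms simply not being installed, into an `rpmlint-exception` error emitted once per script, while the identical `dash -n` call three lines above stays outside the `try`, so the two external tools are handled inconsistently. If the intent is to tolerate a missing checkbashisms, narrow the handler to the exception Pkg.getstatusoutput raises for an absent binary (presumably `except OSError, x:`; that helper is not visible here) so unrelated failures still propagate, and consider reporting the missing tool once instead of per file. `output` is assigned but never read on either side of the change. The enclosing method and its `try` begin before this hunk.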
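Review bot: The check added at the end of this hunk, and its identical copy in the @@ -159 hunk, reports every regular file (`type == 010`) whose magic lacks `shared object` as a non-PIE executable; if the permissions table also carries non-ELF regular files (config files with restricted modes, scripts), and nothing outside the hunk limits the loop to ELF binaries, those entries will be flagged too. Requiring ELF first keeps the error to actual executables: `if type == 010 and 'ELF' in pkgfile.magic and 'shared object' not in pkgfile.magic:` (this assumes `pkgfile.magic` holds the file(1) description string, which the hunk does not show). The same three lines appearing twice in the method suggest a small helper, `_check_pie(self, pkg, pkgfile, f)`, called from both places. The enclosing method begins before this hunk.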
@@ -159,6 +163,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
 else:
 printWarning(pkg, 'permissions-directory-setuid-bit', msg)
+ if type == 010:
+ if not 'shared object' in pkgfile.magic:
+ printError(pkg, 'not-a-position-independent-executable', f)
+
 if mode&02:
 need_verifyscript = True
 printError(pkg, 'permissions-world-writable', \
diff --git a/rpmlint-pie.diff b/rpmlint-pie.diff
new file mode 100644
index 0000000..3facb6d
--- /dev/null
+++ b/rpmlint-pie.diff
@@ -0,0 +1,68 @@
+From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Mon, 9 May 2011 11:54:48 +0200
+Subject: [PATCH] check for position independent executables
+
+---
+ BinariesCheck.py | 11 +++++++++++
+ config | 4 ++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+Index: rpmlint-1.1/BinariesCheck.py
+===================================================================
+--- rpmlint-1.1.orig/BinariesCheck.py
++++ rpmlint-1.1/BinariesCheck.py
+@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
+ '/lib', '/usr/lib', '/usr/X11R6/lib',
+ '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
+
++DEFAULT_PIE_EXECUTABLES = (
++)
++
+ class BinaryInfo:
+
+ needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
+@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
+ validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
+ sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
+ system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
++pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
+ usr_lib_regex = re.compile('^/usr/lib(64)?/')
+ bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
+ soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
+@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
+ if not is_exec and not is_shobj:
+ continue
+
++ if fname in pie_executables and not is_shobj:
++ printError(pkg, 'not-a-position-independent-executable', fname)
++
+ if is_exec:
+
+ if bin_regex.search(fname):
+@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
+ placing a blacklist file in /etc/prelink.conf.d. For more information, see
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
+
++'not-a-position-independent-executable',
++'''As per distribution policy the binary must be position independent.
Add
++-fPIE to CFLAGS and -pie to LDFLAGS'''
++
+ 'unstripped-binary-or-object',
+ '''stripping debug info from binaries happens automatically according to global
+ project settings. So there's normally no need to manually strip binaries.
+Index: rpmlint-1.1/config
+===================================================================
+--- rpmlint-1.1.orig/config
++++ rpmlint-1.1/config
+@@ -130,6 +130,10 @@ from Config import *
+ # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
+ #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
+
++# List of binaries that must be position independent executables
++# Type: tuple of strings, default: empty
++#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
++
+ # Whether to want default start/stop runlevels specified in init scripts.
+ # Type: boolean, default: True
+ #setOption("UseDefaultRunlevels", True)
diff --git a/rpmlint.changes b/rpmlint.changes
index 5405844..d628e15 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de
+
+- add not-a-position-independent-executable check
+
 -------------------------------------------------------------------
 Thu May 5 07:15:39 UTC 2011 - lnussel@suse.de
diff --git a/rpmlint.spec b/rpmlint.spec
index ddc2348..02b45f2 100644
--- a/rpmlint.spec
+++ b/rpmlint.spec
@@ -124,6 +124,7 @@ Patch86: suse-rclink-check.diff
 # already upstream
 Patch87: rpmlint-add-details.diff
 Patch88: suse-speccheck-utf8.diff
+Patch89: rpmlint-pie.diff
 %py_requires
 %description
@@ -203,6 +204,7 @@ Authors:
 %patch86
 %patch87 -p1
 %patch88
+%patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .
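Review bot: In the inner @@ -598 hunk of BinariesCheck.py the new description string ending in `-pie to LDFLAGS'''` has no trailing comma, unlike the `#49''',` entry two lines above it, so Python concatenates it with the following `'unstripped-binary-or-object',` literal: that key is swallowed into the PIE description and every key/description pair after it in the argument list shifts by one. Change the line to `-fPIE to CFLAGS and -pie to LDFLAGS''',`. Separately, the `if fname in pie_executables and not is_shobj:` check in the @@ -377 hunk only fires for paths listed in the PieExecutables option, whose default `DEFAULT_PIE_EXECUTABLES = ()` is empty, so the new error stays silent until a config populates it; a one-line comment on that definition saying so would spare the next reader a search. The inner hunks are excerpts, and both the enclosing method and the call holding the description list begin outside them.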