- add not-a-position-independent-executable check

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=14

BashismsCheck.py

@@ -28,9 +28,12 @@ class BashismsCheck(AbstractCheck.AbstractFilesCheck):
                 status, output = Pkg.getstatusoutput(["dash", "-n", filename])
                 if status == 2:
                     printWarning(pkg, "bin-sh-syntax-error", filename)
-                status, output = Pkg.getstatusoutput(["checkbashisms", filename])
+                try:
-                if status == 1:
+                    status, output = Pkg.getstatusoutput(["checkbashisms", filename])
-                    printInfo(pkg, "potential-bashisms", filename)
+                    if status == 1:
+                        printInfo(pkg, "potential-bashisms", filename)
+                except Exception, x:
+                    printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x})
         finally:
             f.close()
 

CheckSUIDPermissions.py

@@ -135,6 +135,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                     else:
                         f += '/'
 
+                if type == 010:
+                    if not 'shared object' in pkgfile.magic:
+                        printError(pkg, 'not-a-position-independent-executable', f)
+
                 m = self.perms[f]['mode']
                 o = self.perms[f]['owner']
 
@@ -159,6 +163,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                     else:
                         printWarning(pkg, 'permissions-directory-setuid-bit', msg)
 
+                    if type == 010:
+                        if not 'shared object' in pkgfile.magic:
+                            printError(pkg, 'not-a-position-independent-executable', f)
+
                 if mode&02:
                     need_verifyscript = True
                     printError(pkg, 'permissions-world-writable', \

rpmlint-pie.diff

@@ -0,0 +1,68 @@
+From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 9 May 2011 11:54:48 +0200
+Subject: [PATCH] check for position independent executables
+
+---
+ BinariesCheck.py |   11 +++++++++++
+ config           |    4 ++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+Index: rpmlint-1.1/BinariesCheck.py
+===================================================================
+--- rpmlint-1.1.orig/BinariesCheck.py
++++ rpmlint-1.1/BinariesCheck.py
+@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
+     '/lib', '/usr/lib', '/usr/X11R6/lib',
+     '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
+ 
++DEFAULT_PIE_EXECUTABLES = (
++)
++
+ class BinaryInfo:
+ 
+     needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
+@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
+ validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
+ sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
+ system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
++pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
+ usr_lib_regex = re.compile('^/usr/lib(64)?/')
+ bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
+ soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
+@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
+             if not is_exec and not is_shobj:
+                 continue
+ 
++            if fname in pie_executables and not is_shobj:
++                printError(pkg, 'not-a-position-independent-executable', fname)
++
+             if is_exec:
+ 
+                 if bin_regex.search(fname):
+@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
+ placing a blacklist file in /etc/prelink.conf.d.  For more information, see
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
+ 
++'not-a-position-independent-executable',
++'''As per distribution policy the binary must be position independent. Add
++-fPIE to CFLAGS and -pie to LDFLAGS'''
++
+ 'unstripped-binary-or-object',
+ '''stripping debug info from binaries happens automatically according to global
+ project settings. So there's normally no need to manually strip binaries.
+Index: rpmlint-1.1/config
+===================================================================
+--- rpmlint-1.1.orig/config
++++ rpmlint-1.1/config
+@@ -130,6 +130,10 @@ from Config import *
+ # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
+ #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
+ 
++# List of binaries that must be position independent executables
++# Type: tuple of strings, default: empty
++#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
++
+ # Whether to want default start/stop runlevels specified in init scripts.
+ # Type: boolean, default: True
+ #setOption("UseDefaultRunlevels", True)

rpmlint.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de
+
+- add not-a-position-independent-executable check
+
 -------------------------------------------------------------------
 Thu May  5 07:15:39 UTC 2011 - lnussel@suse.de
 

rpmlint.spec

@@ -124,6 +124,7 @@ Patch86:        suse-rclink-check.diff
 # already upstream
 Patch87:        rpmlint-add-details.diff
 Patch88:        suse-speccheck-utf8.diff
+Patch89:        rpmlint-pie.diff
 %py_requires
 
 %description
@@ -203,6 +204,7 @@ Authors:
 %patch86
 %patch87 -p1
 %patch88
+%patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .