From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Mon, 9 May 2011 11:54:48 +0200 Subject: [PATCH] check for position independent executables --- BinariesCheck.py | 11 +++++++++++ config | 4 ++++ 2 files changed, 15 insertions(+), 0 deletions(-) Index: rpmlint-1.1/BinariesCheck.py =================================================================== --- rpmlint-1.1.orig/BinariesCheck.py +++ rpmlint-1.1/BinariesCheck.py @@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = ( '/lib', '/usr/lib', '/usr/X11R6/lib', '/lib64', '/usr/lib64', '/usr/X11R6/lib64') +DEFAULT_PIE_EXECUTABLES = ( +) + class BinaryInfo: needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]') @@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\. validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$') sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC') system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS) +pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES) usr_lib_regex = re.compile('^/usr/lib(64)?/') bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/') soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*') @@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra if not is_exec and not is_shobj: continue + if fname in pie_executables and not is_shobj: + printError(pkg, 'not-a-position-independent-executable', fname) + if is_exec: if bin_regex.search(fname): 
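Review bot: `pie_executables` is read straight from `Config.getOption('PieExecutables', ...)` and later used as `fname in pie_executables`, so a setting that is a plain string instead of a tuple turns the membership test into a substring match. A one-element value written without the trailing comma, such as `('/bin/ping')`, would then flag unrelated paths like `/bin`. Normalise it where it is read, for example `if isinstance(pie_executables, str): pie_executables = (pie_executables,)`, or at least add the comment `# must be a tuple of absolute paths; a bare string would be matched by substring`.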
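Review bot: The new test `if fname in pie_executables and not is_shobj:` has no comment explaining why `is_shobj` stands in for "is position independent". `is_shobj` is set outside this hunk, presumably from the file-type string, where a PIE binary is reported as a shared object. I would add `# PIE binaries are ET_DYN and so are reported as shared objects; anything else at a listed path is non-PIE` above the test. Matching is by exact path only, so with the empty default nothing is checked until the config lists paths, and a listed binary installed under a different prefix is silently skipped. The enclosing loop starts and ends outside the hunk.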
@@ -598,6 +605,10 @@ that use prelink, make sure that prelink placing a blacklist file in /etc/prelink.conf.d. For more information, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''', +'not-a-position-independent-executable', +'''As per distribution policy the binary must be position independent. Add +-fPIE to CFLAGS and -pie to LDFLAGS''' + 'unstripped-binary-or-object', '''stripping debug info from binaries happens automatically according to global project settings. So there's normally no need to manually strip binaries. Index: rpmlint-1.1/config =================================================================== --- rpmlint-1.1.orig/config +++ rpmlint-1.1/config @@ -130,6 +130,10 @@ from Config import * # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64')) +# List of binaries that must be position independent executables +# Type: tuple of strings, default: empty +#setOption("PieExecutables", ('/bin/ping', '/bin/su')) + # Whether to want default start/stop runlevels specified in init scripts. # Type: boolean, default: True #setOption("UseDefaultRunlevels", True)
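Review bot: The added description ending `-pie to LDFLAGS'''` has no trailing comma, so Python concatenates it with the following `'unstripped-binary-or-object'` literal. That appends the next key to this message, and since the argument list appears to alternate key and description, every later pair shifts by one. `unstripped-binary-or-object` and the entries after it would then lose or swap their explanations. Change the line to `-fPIE to CFLAGS and -pie to LDFLAGS''',`. The enclosing call starts and ends outside the hunk.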