#!/usr/bin/perl -w
# hardening-info -- lintian collection script

# The original shell script version of this script is
# Copyright (C) 1998 Christian Schwarz
#
# The objdump version, including support for etch's binutils, is
# Copyright (C) 2008 Adam D. Barratt
#
# This version, a trimmed-down wrapper for hardening-check, is
# Copyright (C) 2012 Kees Cook <kees@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, you can find it on the World Wide
# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
# MA 02110-1301, USA.

use strict;
use warnings;

use lib "$ENV{'LINTIAN_ROOT'}/lib";
use Lintian::Collect;
use Lintian::Util qw(fail);

my ($pkg, $type, $dir) = @ARGV;
my $info = Lintian::Collect->new ($pkg, $type, $dir);
my $file_info = $info->file_info;

if ( -e "$dir/hardening-info" ) {
    unlink "$dir/hardening-info" or fail "unlink hardening-info: $!";
}

open OUT, '>', "$dir/hardening-info"
    or fail("cannot open hardening-info: $!");

# Prepare to examine the file tree.
chdir ("$dir/unpacked")
    or fail("unable to chdir to unpacked: $!");

foreach my $bin (keys %$file_info) {
    my $finfo = $file_info->{$bin};
    next unless $finfo =~ m/\bELF\b/o;
    if (open (my $pipe, '-|', "hardening-check --lintian -- \Q$bin\E 2>&1")) {
        while ( my $line = <$pipe> ) {
            my $emit = 1;
            if ($line =~ m/^no-fortify-functions:/o ) {
                $emit = 0;
                open my $p2, '-|', "hardening-check --verbose -- \Q$bin\E 2>&1" or fail "hardening-check: $!";
                while ( my $l2 = <$p2> ) {
                    if ($l2 =~ m/^\s+unprotected:\s*(\S+)/) {
                        next if $1 eq 'memcpy';
                        $emit = 1;
                        last;
                    }
                }
                close $p2;
            }
            print OUT $line if $emit;
        }
        close $pipe;
    }
}

close OUT or fail("cannot write hardening-info: $!");

exit 0;

# Local Variables:
# indent-tabs-mode: nil
# cperl-indent-level: 4
# End:
# vim: syntax=perl sw=4 sts=4 sr et
