my ($line, @flags) = @_;
foreach my $flag (@flags) {
- return 1 if $line =~ /\s$flag(?:\s|\\|$)/;
+ return 1 if $line =~ /\s$flag(?:\s|\\)/;
}
return 0;
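Review bot: `$flag` is interpolated into the pattern unescaped on line 4 (and in the same way in the `!~` test of the next hunk), so each entry of `@flags` is treated as a regex fragment rather than a literal option string, and an entry containing `.`, `+`, `(` or `|` would match more than intended. If the entries are always literal options, quote them, `return 1 if $line =~ /\s\Q$flag\E(?:\s|\\)/;`; if some are deliberately written as patterns, record that where `@flags` is built, e.g. `# @flags entries are interpolated as regex fragments, not literals`. Dropping the `|$` alternative also makes the match depend on `$line` still carrying its trailing newline or a following backslash; if the line is chomped anywhere before it reaches these subs, a flag at the very end of a line is no longer detected, which is worth confirming against the callers. The enclosing sub's header is outside the hunk.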
my @missing_flags = ();
foreach my $flag (@flags) {
- if ($line !~ /\s$flag(?:\s|\\|$)/) {
+ if ($line !~ /\s$flag(?:\s|\\)/) {
push @missing_flags, $flag;
}
}
my $option_version = 0;
my $option_all = 0;
my $option_arch = undef;
+my $option_buildd = 0;
if (not Getopt::Long::GetOptions(
'help|h|?' => \$option_help,
'version' => \$option_version,
'all' => \$option_all,
# Misc.
'arch' => \$option_arch,
+ 'buildd' => \$option_buildd,
)) {
require Pod::Usage;
Pod::Usage::pod2usage(2);
my $continuation = 0;
my $complete_line = undef;
while (my $line = <>) {
- # We skip over unimportant lines at the beginning to prevent false
- # positives.
+ # dpkg-buildflags only provides hardening flags since 1.16.1, don't check
+ # for hardening flags in buildd mode if an older dpkg-dev is used. Default
+ # flags (-g -O2) are still checked.
+ #
+ # Packages which were built before 1.16.1 but used their own hardening
+ # flags are not checked.
+ if ($option_buildd and not $start
+ and $line =~ /^Toolchain package versions: /) {
+ require Dpkg::Version;
+ if ($line !~ /dpkg-dev_(\S+)/
+ or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+ $harden_format = 0;
+ $harden_fortify = 0;
+ $harden_stack = 0;
+ $harden_relro = 0;
+ $harden_bindnow = 0;
+ $harden_pie = 0;
+ }
+ }
+
+ # We skip over unimportant lines at the beginning of the log to prevent
+ # false positives.
$start = 1 if $line =~ /^dpkg-buildpackage:/;
next if not $start;
# Remove all ANSI color sequences which are sometimes used in non-verbose
# builds.
$line = Term::ANSIColor::colorstrip($line);
- # Also strip '\0xf' (delete previous character), used by Elink's build
+ # Also strip '\0xf' (delete previous character), used by Elinks' build
# system.
$line =~ s/\x0f//g;
# And "ESC(B" which seems to be used on armhf and hurd (not sure what it
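Review bot: The version test on lines 42–43 reads `$1` from the `!~` match in the first operand of `or`; it works because a successful match (which makes `!~` false) leaves the capture set, but it is easy to misread and breaks silently if the regex is ever moved into its own statement. Capturing into a lexical makes the dependency explicit: `my ($dpkg_dev_version) = $line =~ /dpkg-dev_(\S+)/;` followed by `if (not defined $dpkg_dev_version or Dpkg::Version::version_compare($dpkg_dev_version, '1.16.1') < 0) {`. Note also that the `or` disables every hardening check when the toolchain line carries no dpkg-dev entry at all, not only when it is older than 1.16.1, and it does so without any diagnostic; a one-line notice there would make a buildd run's empty result easier to interpret. `require Dpkg::Version` only executes once a toolchain line is seen, so a missing module dies mid-parse rather than at startup; the enclosing `while` loop continues outside the hunk.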
--bindnow force +bindbow check
--all force +all (+pie, +bindnow) check
--arch set architecture (autodetected)
+ --buildd parser mode for buildds
=head1 DESCRIPTION
disables hardening flags not available on this architecture. Is detected
automatically if dpkg-buildpackage is used.
+=item B<--buildd>
+
+Special mode for buildds when automatically parsing log files. The following
+changes are in effect:
+
+=over 2
+
+=item
+
+Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
+detected).
+
+=back
+
=back
Auto detection for B<--pie> and B<--bindnow> only works if at least one
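Review bot: The bullet on line 79 is a bare `=item` with no text; perlpod's bullet form is `=item *`, and an empty item renders inconsistently across POD formatters. The description on lines 81–82 says checks are skipped when dpkg-dev << 1.16.1 is detected, but the parser change elsewhere in this commit appears to skip them as well when the toolchain line carries no dpkg-dev version at all; saying so here (`... if dpkg-dev << 1.16.1 is detected or its version cannot be determined`) keeps the documentation in line with the behaviour.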