X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=3611c6de4c3980fa743b201be179484705559590;hb=HEAD;hp=c4443832eff00b2552fcf4c1f94468775b6a9c35;hpb=f1ac73364a8d0a20e279328db6b6e1e8dbfe9a4e;p=blhc%2Fblhc.git
diff --git a/bin/blhc b/bin/blhc
index c444383..f90fd7a 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -24,7 +24,7 @@ use warnings;
 use Getopt::Long ();
 use Text::ParseWords ();
-our $VERSION = '0.13';
+our $VERSION = '0.14';
 # CONSTANTS/VARIABLES
@@ -243,6 +243,12 @@ my @def_cflags_stack_clash = (
 my @def_cflags_pie = (
 '-fPIE',
 );
+my @def_cflags_branch_amd64 = (
+ '-fcf-protection',
+);
+my @def_cflags_branch_arm64 = (
+ '-mbranch-protection=standard',
+);
 my @def_cxxflags = (
 @def_cflags,
 );
@@ -285,6 +291,8 @@ my @flag_refs = (
 \@def_cflags_stack_bad,
 \@def_cflags_stack_clash,
 \@def_cflags_pie,
+ \@def_cflags_branch_amd64,
+ \@def_cflags_branch_arm64,
 \@def_cxxflags,
 \@def_cppflags,
 \@def_cppflags_fortify,
@@ -558,11 +566,12 @@ sub is_non_verbose_build {
 # C++ compiler setting.
 return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
 return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
+ return 0 if $line =~ /^\s*CXX\s*:\s*g\+\+\s*$/;
 # "Compiling" non binary files.
 return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
 return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
 # cargo build
- return 0 if $cargo and $line =~ m{^\s*Compiling\s+\S+\s+v\S+(?:\s+\(/<>\))?$};
+ return 0 if $cargo and $line =~ m{^\s*Compiling\s+\S+\s+v\S+(?:\s+\(/(?:<>|builds/\S+)\))?$};
 # "Compiling" with no file name.
 if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
 # $file_extension_regex may need spaces around the filename.
@@ -807,6 +816,7 @@ foreach my $file (@ARGV) {
 my $harden_stack = 1;
 my $harden_stack_strong = 1;
 my $harden_stack_clash = 1;
+ my $harden_branch = 1;
 my $harden_relro = 1;
 my $harden_bindnow = $option_bindnow; # defaults to 0
 my $harden_pie = $option_pie; # defaults to 0
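Review bot: The two new lists in the `-243` hunk each hold a single exact spelling, `-fcf-protection` and `-mbranch-protection=standard`, and the code that matches them against compiler lines is outside this hunk. If entries are matched literally, a build passing an equivalent explicit form such as `-fcf-protection=full` would be reported as missing the flag; if they are matched as a prefix, `-fcf-protection=none` would count as hardened. Either way the intended matching should be stated above the lists, e.g. `# hardening=+branch (dpkg-dev >= 1.22.0): CET on amd64, PAC/BTI on arm64; only the exact default spelling is accepted`.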
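Review bot: In the `is_non_verbose_build` hunk, the widened cargo pattern now accepts any `(/builds/...)` path, but nothing says which environment prints it. Every `return 0` in this function suppresses a non-verbose-build report, so each exclusion should name its source; extend the existing comment to something like `# cargo build; the /builds/ alternative covers CI checkouts (name the CI here)`. The added `CXX : g++` rule is limited to the literal `g++`, which is suitably narrow for a suppression rule, but it means the same summary line with `c++`, `clang++` or a triplet-prefixed compiler is still flagged; a one-line comment should say whether that is intended. The function body begins and continues outside the hunk.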
@@ -862,6 +872,7 @@ foreach my $file (@ARGV) {
 my $disable = 1;
 my $disable_strong = 1;
 my $disable_clash = 1;
+ my $disable_branch = 1;
 if ($line =~ /\bdpkg-dev_(\S+)/) {
 if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
@@ -875,6 +886,7 @@ foreach my $file (@ARGV) {
 }
 if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
 $disable_clash = 0;
+ $disable_branch = 0;
 }
 }
@@ -892,6 +904,9 @@ foreach my $file (@ARGV) {
 if ($disable_clash) {
 $harden_stack_clash = 0;
 }
+ if ($disable_branch) {
+ $harden_branch = 0;
+ }
 }
 # The following two versions of CMake in Debian obeyed CPPFLAGS, but
@@ -1165,11 +1180,13 @@ foreach my $file (@ARGV) {
 }
 if (scalar @input == 0) {
- if (not $option_buildd) {
- print "No compiler commands!\n";
- $exit |= $exit_code{no_compiler_commands};
- } else {
- print "$buildd_tag{no_compiler_commands}||\n";
+ if (not $cargo) {
+ if (not $option_buildd) {
+ print "No compiler commands!\n";
+ $exit |= $exit_code{no_compiler_commands};
+ } else {
+ print "$buildd_tag{no_compiler_commands}||\n";
+ }
 }
 next FILE;
 }
@@ -1179,6 +1196,7 @@ foreach my $file (@ARGV) {
 }
 # Option or auto detected.
+ my @harden_branch_flags;
 if ($arch) {
 # The following was partially copied from dpkg-dev 1.22.0
 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
@@ -1248,6 +1266,11 @@ foreach my $file (@ARGV) {
 $harden_relro = 0;
 $harden_bindnow = 0;
 }
+ if ($cpu eq 'amd64') {
+ @harden_branch_flags = @def_cflags_branch_amd64;
+ } elsif ($cpu eq 'arm64') {
+ @harden_branch_flags = @def_cflags_branch_arm64;
+ }
 }
 # Default values.
@@ -1281,6 +1304,10 @@ foreach my $file (@ARGV) {
 @cflags = (@cflags, @def_cflags_format);
 @cxxflags = (@cxxflags, @def_cflags_format);
 }
+ if ($harden_branch and @harden_branch_flags) {
+ @cflags = (@cflags, @harden_branch_flags);
+ @cxxflags = (@cxxflags, @harden_branch_flags);
+ }
 if ($harden_relro) {
 @ldflags = (@ldflags, @def_ldflags_relro);
 }
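Review bot: In the `-1165` hunk, once `$cargo` is set a log with no compiler commands reaches `next FILE` with no output and without setting `$exit_code{no_compiler_commands}`, so it looks the same as a log that was checked and passed. Where `$cargo` is set is outside this hunk; if it is derived from the log, a cargo package that also builds C code whose compiler lines were not recognised would be skipped silently. Consider keeping an informational line in non-buildd mode, e.g. `print "No compiler commands (cargo build), nothing checked.\n";`. Also add a comment on the new condition saying why cargo builds are exempt, e.g. `# Pure Rust builds run no C/C++ compiler, so this is not an error for them.`.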
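Review bot: `@harden_branch_flags` is filled only inside `if ($arch)` (hunk `-1248`) and only for `amd64` and `arm64`, and the `-1281` hunk adds the flags only when the list is non-empty. A log whose architecture is not detected therefore gets no branch-protection check even though `$harden_branch` is still 1. That is a silent fail-open for amd64/arm64 logs lacking architecture information. If it is deliberate, to avoid false positives on other CPUs, say so at the declaration: `# Stays empty unless the architecture is known and supports branch protection; the check is then skipped.`. `$cpu` and the enclosing `if ($arch)` block begin outside these hunks.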