From: Simon Ruderich
Date: Thu, 17 Aug 2017 10:25:30 +0000 (+0200)
Subject: Add --debian to handle PIE flags like buildd mode
X-Git-Tag: 0.08~7
X-Git-Url: https://ruderich.org/simon/gitweb/?a=commitdiff_plain;h=a232d32f22387fdaf393ee3fa51c0ae9922cf824;p=blhc%2Fblhc.git

Add --debian to handle PIE flags like buildd mode
---

diff --git a/MANIFEST b/MANIFEST
index e6bf651..09932f4 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -39,6 +39,7 @@ t/logs/debian
 t/logs/debian-cmake
 t/logs/debian-cmake-2
 t/logs/debian-cmake-ok
+t/logs/debian-gcc-pie
 t/logs/debian-hardening-wrapper
 t/logs/debian-hardening-wrapper-old-build-depends
 t/logs/debian-hardening-wrapper-pbuilder
diff --git a/NEWS b/NEWS
index f980c07..62dd83b 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ Version 0.XX
 - Add better support for Fortran (c.f. Debian Bug #853265).
 - Don't report missing PIE flags in buildd mode if GCC defaults to PIE (c.f. Debian Bug 845339).
+- Add new --debian option to handle PIE flags like buildd mode, thanks to
+ Eriberto Mota for the suggestion. This is not enabled per default to prevent
+ false negatives as the flags are missing from the build log and blhc can't
+ detect if the compiler applied PIE internally (c.f. Debian Bug 845339).
 Version 0.07
diff --git a/bin/blhc b/bin/blhc
index cfdcbba..daf5bd2 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -602,6 +602,7 @@ my @option_ignore_arch_line = ();
 my $option_all = 0;
 my $option_arch = undef;
 my $option_buildd = 0;
+my $option_debian = 0;
 $option_color = 0;
 if (not Getopt::Long::GetOptions(
 'help|h|?' => \$option_help,
@@ -620,6 +621,7 @@ if (not Getopt::Long::GetOptions(
 'color' => \$option_color,
 'arch=s' => \$option_arch,
 'buildd' => \$option_buildd,
+ 'debian' => \$option_debian,
 )) {
 require Pod::Usage;
 Pod::Usage::pod2usage(2);
@@ -751,8 +753,11 @@ foreach my $file (@ARGV) {
 my $parallel = 10;
 # Don't check for PIE flags if automatically applied by the compiler. Only
- # used in buildd mode.
+ # used in buildd and Debian mode.
 my $disable_harden_pie = 0;
+ if ($option_debian) {
+ $disable_harden_pie = 1;
+ }
 while (my $line = <$fh>) {
 # Detect architecture automatically unless overridden. For buildd logs
@@ -1488,6 +1493,12 @@ error).
 =back
+=item B<--debian>
+
+Apply Debian-specific settings. At the moment this only disables checking for
+PIE which is automatically applied by Debian's GCC and no longer requires a
+compiler command line argument.
+
 =item B<--color>
 Use colored (ANSI) output for warning messages.
diff --git a/t/logs/debian-gcc-pie b/t/logs/debian-gcc-pie
new file mode 100644
index 0000000..b804389
--- /dev/null
+++ b/t/logs/debian-gcc-pie
@@ -0,0 +1,5 @@
+dpkg-buildpackage: source package foo package
+dpkg-buildpackage: host architecture amd64
+
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
+gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
diff --git a/t/tests.t b/t/tests.t
index 4c6b5dc..1ed4dd3 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@ use strict;
 use warnings;
-use Test::More tests => 226;
+use Test::More tests => 228;
 sub is_blhc {
@@ -967,6 +967,11 @@ is_blhc 'debian-cmake', '--buildd', 0, ';
+# debian specific settings
+
+is_blhc 'debian-gcc-pie', '--debian', 0, '';
+
+
 # multiple files
 is_blhc ['good', 'good-pie', 'good-bindnow', 'good-all', 'good-multiline', 'good-library'], '', 0,
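Review bot: `if ($option_debian) { $disable_harden_pie = 1; }` turns the PIE check off unconditionally, before the architecture is detected in the `while` loop that follows, whereas the NEWS entry describes buildd mode as skipping the check only "if GCC defaults to PIE". Debian's GCC enabled PIE by default on a subset of architectures at the time, so a build log from one of the other architectures passes under `--debian` with `-fPIE`/`-pie` genuinely missing, which is exactly the false negative the NEWS text warns about. If the buildd path already gates on the detected architecture (that code is outside the hunk), `--debian` should set the flag at the same point and under the same condition; if it cannot, the comment should say so: `# --debian assumes the host architecture's GCC defaults to PIE; elsewhere a missing -fPIE/-pie goes unreported.` The same caveat belongs in the B<--debian> POD entry added in the next hunk, which currently describes only the intended behaviour. The enclosing `foreach my $file (@ARGV)` loop starts and ends outside the hunk.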
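Review bot: The new log is only run with `--debian`, so nothing pins that its first `gcc` line, which lacks `-fPIE` and `-pie`, is still reported when the option is absent; the t/tests.t hunk that adds `is_blhc 'debian-gcc-pie', '--debian', 0, '';` runs past the end of this diff. A second case feeding the same log without `--debian` and expecting a non-zero exit plus the missing-PIE warnings would show that the option, not a broken check, is what silences the report. Since the log declares `host architecture amd64`, it also exercises only an architecture where Debian's GCC defaults to PIE.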