3 # Build log hardening check, checks build logs for missing hardening flags.
5 # Copyright (C) 2012 Simon Ruderich
7 # This program is free software: you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
25 use Term::ANSIColor ();
27 our $VERSION = '0.01';
33 my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_;
35 # Rename flags if requested.
36 my @missing_flags = map {
37 (exists $flag_renames_ref->{$_})
38 ? $flag_renames_ref->{$_}
40 } @{$missing_flags_ref};
42 my $flags = join ' ', @missing_flags;
43 printf "%s (%s)%s %s",
44 error_color($message, 'red'), $flags, error_color(':', 'yellow'),
47 sub error_nonverbose_build {
51 error_color('NONVERBOSE BUILD', 'red'),
52 error_color(':', 'yellow'),
56 my ($message, $color) = @_;
58 # Use colors when writing to a terminal.
60 return Term::ANSIColor::colored($message, $color);
67 my ($line, @flags) = @_;
69 foreach my $flag (@flags) {
70 return 1 if $line =~ /\s$flag(\s|\\|$)/;
76 my ($line, $missing_flags_ref, @flags) = @_;
78 my @missing_flags = ();
79 foreach my $flag (@flags) {
80 if ($line !~ /\s$flag(\s|\\|$)/) {
81 push @missing_flags, $flag;
85 if (scalar @missing_flags == 0) {
89 @{$missing_flags_ref} = @missing_flags;
93 # Modifies $missing_flags_ref array.
94 sub pic_pie_conflict {
95 my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
98 return 0 if not any_flags_used($line, ('-fPIC', '-fpic'));
100 my %flags = map { $_ => 1 } @flags_pie;
102 # Remove all PIE flags from @missing_flags as they are not required with
105 not exists $flags{$_}
106 } @{$missing_flags_ref};
107 @{$missing_flags_ref} = @result;
109 # We got a conflict when no flags are left, thus only PIE flags were
110 # missing. If other flags were missing abort because the conflict is not
112 return scalar @result == 0;
116 # CONSTANTS/VARIABLES
118 # Regex to catch compiler commands.
119 my $cc_regex = qr/((?<!\.)cc|(x86_64-linux-gnu-)?gcc|g\+\+|c\+\+)/;
121 # Regex to catch (GCC) compiler warnings.
122 my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
124 # Expected hardening flags. All flags are used as regexps.
129 '--param=ssp-buffer-size=4',
132 '-Werror=format-security',
138 '-D_FORTIFY_SOURCE=2',
147 my @ldflags_bindnow = (
150 # All (hardening) flags.
151 my @flags = (@cflags, @cflags_pie,
153 @ldflags, @ldflags_pie, @ldflags_bindnow);
154 # Renaming rules for the output so the regex parts are not visible.
156 '-Wl,(-z,)?relro' => '-Wl,-z,relro',
157 '-Wl,(-z,)?now' => '-Wl,-z,now',
163 # Additional hardening options.
167 # Parse command line arguments.
170 my $option_version = 0;
171 if (not Getopt::Long::GetOptions(
172 'help|h|?' => \$option_help,
173 'version' => \$option_version,
175 'bindnow' => \$bindnow,
176 'all' => \$option_all,
179 Pod::Usage::pod2usage(2);
183 Pod::Usage::pod2usage(1);
185 if ($option_version) {
186 print "blhc $VERSION Copyright (C) 2012 Simon Ruderich
188 This program is free software: you can redistribute it and/or modify
189 it under the terms of the GNU General Public License as published by
190 the Free Software Foundation, either version 3 of the License, or
191 (at your option) any later version.
193 This program is distributed in the hope that it will be useful,
194 but WITHOUT ANY WARRANTY; without even the implied warranty of
195 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
196 GNU General Public License for more details.
198 You should have received a copy of the GNU General Public License
199 along with this program. If not, see <http://www.gnu.org/licenses/>.
212 # Input lines, contain only the lines with compiler commands.
215 my $continuation = 0;
216 while (my $line = <>) {
217 # Ignore compiler warnings for now.
218 next if $line =~ /$warning_regex/;
220 # Try to detect non verbose build logs.
221 if ($line =~ /^checking if you want to see long compiling messages\.\.\. no/
222 or $line =~ /^\s*(CC|CCLD)\s+/
223 or $line =~ /^\s*(C|c)ompiling\s+/
224 or $line =~ /^\s*\[[\d ]+%\] Building /) {
225 error_nonverbose_build($line);
230 # One line may contain multiple commands (";"). Treat each one as single
232 my @line = split /(?<!\\);/, $line;
233 foreach $line (@line) {
234 # Add newline, drop all other whitespace at the end of a line.
241 # Join lines, but leave the "\" in place so it's clear where the
242 # original line break was.
244 $input[-1] .= ' ' . $line;
247 # Ignore lines with no compiler commands.
248 next if $line !~ /\b$cc_regex(\s|\\)/;
250 # Ignore false positives.
252 # `./configure` output.
253 if ($line =~ /^checking /) {
260 # Line continuation, line ends with "\".
261 if ($line =~ /\\\s*$/) {
267 if (scalar @input == 0) {
268 print "No compiler commands!\n";
273 # Check if additional hardening options were used. Used to ensure they are
274 # used for the complete build.
275 foreach my $line (@input) {
276 $pie = 1 if any_flags_used($line, @cflags_pie, @ldflags_pie);
277 $bindnow = 1 if any_flags_used($line, @ldflags_bindnow);
281 @cflags = (@cflags, @cflags_pie);
282 @ldflags = (@ldflags, @ldflags_pie);
285 @ldflags = (@ldflags, @ldflags_bindnow);
288 foreach my $line (@input) {
289 # Ignore false positives.
291 # ./configure summary.
292 next if $line =~ /^\s*(C|c)ompiler[\s.]*:\s+$cc_regex(\s-std=[a-z0-9:+]+)?\s*$/
293 or $line =~ /^\s*- (CC|CXX)\s*=\s*$cc_regex\s*$/
294 or $line =~ /^\s*-- Check for working (C|CXX) compiler: /;
296 # Is this a compiler or linker command?
301 if ($line =~ m{\s-o # -o
302 [\s\\]*\s+ # possible line continuation
303 ([A-Za-z0-9_/.-]+/)? # path to file
304 [A-Za-z0-9_-]+ # binary name (no dots!)
305 ([0-9.]*\.so[0-9.]*[a-z]? # library (including version)
307 (\s|\\|\$) # end of file name
309 or $line =~ /^libtool: link: /
310 or $line =~ m{\s*/bin/bash .+?libtool\s+(.+?\s+)?--mode=(re)?link}) {
315 # If there are source files then it's compiling/linking in one step and we
317 if ($line =~ /\.(c|cc|cpp)\b/) {
321 # Check hardening flags.
323 if ($compiler and not all_flags_used($line, \@missing, @cflags)
324 # Libraries linked with -fPIC don't have to (and can't) be linked
325 # with -fPIE as well. It's no error if only PIE flags are missing.
326 and not pic_pie_conflict($line, $pie, \@missing, @cflags_pie)) {
327 error_flags('CFLAGS missing', \@missing, \%flag_renames, $line);
330 if ($compiler and not all_flags_used($line, \@missing, @cppflags)) {
331 error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $line);
334 if ($linker and not all_flags_used($line, \@missing, @ldflags)
335 # Same here, -fPIC conflicts with -fPIE.
336 and not pic_pie_conflict($line, $pie, \@missing, @ldflags_pie)) {
337 error_flags('LDFLAGS missing', \@missing, \%flag_renames, $line);
349 blhc - build log hardening check, checks build logs for missing hardening flags
353 B<blhc> [-h -? --help]
355 B<blhc> [--pie] [--bindnow] [--all]
357 --help available options
358 --version version number and license
359 --pie force +pie check
360 --bindnow force +bindbow check
361 --all force +all (+pie, +bindnow) check
365 blhc is a small tool which checks build logs for missing hardening flags and
366 other important warnings. It's licensed under the GPL 3 or later.
372 =item B<-h -? --help>
374 Print available options.
378 Print version number and license.
382 Force check for all +pie hardening flags. By default it's auto detected.
386 Force check for all +bindnow hardening flags. By default it's auto detected.
390 Force check for all +all (+pie, +bindnow) hardening flags. By default it's
395 Auto detection only works if at least one command uses the required hardening
396 flag (e.g. -fPIE). Then it's required for all other commands as well.
400 The exit status is a "bit mask", each listed status is ORed when the error
401 condition occurs to get the result.
411 No compiler commands were found.
415 Invalid arguments/options given to blhc.
423 Missing hardening flags.
429 Simon Ruderich, E<lt>simon@ruderich.orgE<gt>
431 =head1 COPYRIGHT AND LICENSE
433 Copyright (C) 2012 by Simon Ruderich
435 This program is free software: you can redistribute it and/or modify
436 it under the terms of the GNU General Public License as published by
437 the Free Software Foundation, either version 3 of the License, or
438 (at your option) any later version.
440 This program is distributed in the hope that it will be useful,
441 but WITHOUT ANY WARRANTY; without even the implied warranty of
442 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
443 GNU General Public License for more details.
445 You should have received a copy of the GNU General Public License
446 along with this program. If not, see <http://www.gnu.org/licenses/>.