# Regexp to match file extensions.
my $file_extension_regex = qr/
\s
- \S+ # Filename without extension.
+ \S+ # Filename without extension.
\.
- ([^\\.\s]+) # File extension.
- (?=\s|\\) # At end of word. Can't use \b because some files have non
- # word characters at the end and because \b matches double
- # extensions (like .cpp.o). Works always as all lines are
- # terminated with "\n".
+ ([^\\.,;:\s]+) # File extension.
+ (?=\s|\\) # At end of word. Can't use \b because some files have non
+ # word characters at the end and because \b matches double
+ # extensions (like .cpp.o). Works always as all lines are
+ # terminated with "\n".
/x;
# Expected (hardening) flags. All flags are used as regexps.
my @def_ldflags_pic = (
'-fPIC',
'-fpic',
+ '-shared',
);
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
'-Wl,(-z,)?now' => '-Wl,-z,now',
);
+my %exit_code = (
+ no_compiler_commands => 1 << 0,
+ # used by POD::Usage => 1 << 1,
+ non_verbose_build => 1 << 2,
+ flags_missing => 1 << 3,
+ hardening_wrapper => 1 << 4,
+ invalid_cmake => 1 << 5,
+);
+
# Statistics of missing flags and non-verbose build commands. Used for
# $option_buildd.
my %statistics = (
error_color(':', 'yellow'),
$line;
}
+sub error_invalid_cmake {
+ my ($version) = @_;
+
+ printf "%s%s %s\n",
+ error_color('INVALID CMAKE', 'red'),
+ error_color(':', 'yellow'),
+ $version;
+}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
my ($line, $next_line, $skip_ref) = @_;
if (not ($line =~ /^checking if you want to see long compiling messages\.\.\. no/
- or $line =~ /^\s*\[?(?:CC|CCLD|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
+ or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
or $line =~ /^\s*(?:C|c)ompiling\s+(.+?)(?:\.\.\.)?$/
or $line =~ /^\s*(?:B|b)uilding (?:program|shared library)\s+(.+?)$/
or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
return 0;
}
+ # False positives.
+ return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
+
my $file = $1;
# On the first pass we only check if this line is verbose or not.
}
}
+ # The following two versions of CMake in Debian obeyed CPPFLAGS, but
+ # this was later dropped because upstream rejected the patch. Thus
+ # build logs with these versions will have fortify hardening flags
+ # enabled, even though they may be not correctly set and are missing
+ # when build with later CMake versions. Thanks to Aron Xu for letting
+ # me know.
+ if ($line =~ /^Package versions: /
+ and $line =~ /\bcmake_(\S+)/
+ and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
+ if (not $option_buildd) {
+ error_invalid_cmake($1);
+ } else {
+ print "W-invalid-cmake-used $1\n";
+ }
+ $exit |= $exit_code{invalid_cmake};
+ }
+
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
} else {
print "I-hardening-wrapper-used\n";
}
- $exit |= 1 << 4;
+ $exit |= $exit_code{hardening_wrapper};
next FILE;
}
}
# Ignore lines with no compiler commands.
- next if $line !~ /\b$cc_regex(?:\s|\\)/o and not $non_verbose;
+ next if not $non_verbose
+ and not $line =~ /\b$cc_regex(?:\s|\\)/o;
+ # Ignore lines with no filenames with extensions. May miss
+ # some non-verbose builds (e.g. "gcc -o test" [sic!]), but
+ # shouldn't be a problem as the log will most likely contain
+ # other non-verbose commands which are detected.
+ next if not $non_verbose
+ and not $line =~ /$file_extension_regex/o;
# Ignore false positives.
#
# `./configure` output.
next if not $non_verbose
and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
- next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
+ next if $line =~ /^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)?
(?:C|c)ompiler[\s.]*:?\s+
- $cc_regex_full
- (?:\s-std=[a-z0-9:+]+)?\s*$
- /xo
- or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o
- or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
- or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
- # `make` output.
- next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++"
+ /xo;
+ next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o;
# Check if additional hardening options were used. Used to
# ensure they are used for the complete build.
close $fh;
if (scalar @input == 0) {
- print "No compiler commands!\n";
- $exit |= 1;
+ if (not $option_buildd) {
+ print "No compiler commands!\n";
+ } else {
+ print "W-no-compiler-commands\n";
+ }
+ $exit |= $exit_code{no_compiler_commands};
next FILE;
}
} else {
$statistics{commands_nonverbose}++;
}
- $exit |= 1 << 2;
+ $exit |= $exit_code{non_verbose_build};
next;
}
# Even if it's a verbose build, we might have to skip this line.
} else {
$statistics{compile_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
} elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
} else {
$statistics{compile_cpp_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
# Assume dpkg-buildflags returns the correct flags.
} else {
$statistics{preprocess_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($link and not all_flags_used($line, \@missing, @ldflags)
# Same here, -fPIC conflicts with -fPIE.
} else {
$statistics{link_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
}
}
=head1 SYNOPSIS
-B<blhc> [options] <dpkg-buildpackage build log file>..
+B<blhc> [I<options>] I<E<lt>dpkg-buildpackage build log fileE<gt>..>
=head1 DESCRIPTION
Force check for all +all (+pie, +bindnow) hardening flags. By default it's
auto detected.
-=item B<--arch>
+=item B<--arch> I<architecture>
Set the specific architecture (e.g. amd64, armel, etc.), automatically
disables hardening flags not available on this architecture. Is detected
ruderich.org/simon / blhc / blhc.git / blobdiff