# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2020 Simon Ruderich
+# Copyright (C) 2012-2022 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.12';
+our $VERSION = '0.13';
# CONSTANTS/VARIABLES
# @def_cxxflags_* is the same as @def_cflags_*.
my @def_cppflags = ();
my @def_cppflags_fortify = (
- '-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
+ '-D_FORTIFY_SOURCE=[23]', # must be first, see cppflags_fortify_broken()
# If you add another flag fix hack below (search for "Hack to fix") and
# $def_cppflags_fortify[0].
);
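Review bot: `$def_cppflags_fortify[0]` is now a regexp fragment (`[23]` is a character class accepting `=2` or `=3`) rather than the literal flag, but its comment still reads as if it were a literal, and anything that prints or compares that element as a plain string (the "Hack to fix" code and `cppflags_fortify_broken()` the comment points to, both outside this hunk) now sees `-D_FORTIFY_SOURCE=[23]`. The rename added at L23 maps the pattern back to `-D_FORTIFY_SOURCE=2` for messages, so a log built with `=3` that drops the flag on one file is reported as missing `=2`; that looks intended but is worth stating next to the element. Suggested comment in place of the current one: `'-D_FORTIFY_SOURCE=[23]', # regexp: accepts =2 and =3, reported as =2 (see the rename table); must be first, see cppflags_fortify_broken()`.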
'-O(?:2|3)' => '-O2',
'-Wformat(?:=2)?' => '-Wformat',
'--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4',
+ '-D_FORTIFY_SOURCE=[23]' => '-D_FORTIFY_SOURCE=2',
'-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
'-Wl,(?:-z,)?now' => '-Wl,-z,now',
);
my @result = ();
foreach my $flag (@flags) {
# Compile flag regexp for faster execution.
- my $regex = qr/\s$flag(?:\s|\\)/;
+ my $regex = qr/\s(['"]?)$flag\1(?:\s|\\)/;
# Store flag name in replacement string for correct flags in messages
# with qr//ed flag regexps.
}
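Review bot: The new optional quote group at L31 deserves a comment: the regexp now also matches a flag wrapped in a matching pair of single or double quotes, while a quoted string holding several flags (`"-Wl,-z,relro -Wl,-z,now"`) still matches neither of them, since the first is preceded by `"` rather than `\s` and the second is followed by `"` rather than `\s` or `\`. The backreference `\1` is also the first capturing group of the compiled pattern, so if any caller extracts a capture from a matched `$flag` (none is visible here) its numbering has shifted by one; the visible flag patterns at L20-25 use `(?:...)` only, which keeps them unaffected. Suggested comment above the `qr//`: `# Optional quote group: also accept '-flag' and "-flag" with matching quotes; a quoted string containing several flags is still not split.`. The enclosing sub starts outside the hunk (its signature and `@flags` precede L27).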
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2020 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2022 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
$complete_line = undef;
}
+ my $noenv = $line;
+ # Strip (basic) environment variables for compiler detection. This
+ # prevents false positives when environment variables contain
+ # compiler binaries. Nested quotes, command substitution, etc. is
+ # not supported.
+ $noenv =~ s/^
+ \s*
+ (?:
+ [a-zA-Z_]+ # environment variable name
+ =
+ (?:
+ [^\s"'\$`\\]+ # non-quoted string
+ |
+ '[^"'\$`\\]*' # single-quoted string
+ |
+ "[^"'\$`\\]*" # double-quoted string
+ )
+ \s+
+ )*
+ //x;
# Ignore lines with no compiler commands.
next if not $non_verbose
- and not $line =~ /$cc_regex_normal/o;
+ and not $noenv =~ /$cc_regex_normal/o;
# Ignore lines with no filenames with extensions. May miss some
# non-verbose builds (e.g. "gcc -o test" [sic!]), but shouldn't be
# a problem as the log will most likely contain other non-verbose
# C++ files. No hardening flags are relevant during this step,
# thus ignore `moc-qt*` lines. The resulting files will be
# compiled in a separate step (and therefore checked).
- next if $line =~ m{^\S+/bin/moc(?:-qt[45])?
+ next if $line =~ m{^\S+(?:/bin/moc(?:-qt[45])?|/lib/qt6/libexec/moc)
\s.+\s
-I\S+/mkspecs/[a-z]+-g\++(?:-64)?
\s}x;
+ # nvcc is not a regular C compiler
+ next if $line =~ m{^\S+/bin/nvcc\s};
# Ignore false positives when the line contains only CC=gcc but no
# other gcc command.
if ($line =~ /(.*)CC=$cc_regex_full(.*)/o) {
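Review bot: The environment-variable name class `[a-zA-Z_]+` at L51 rejects names containing digits, which POSIX permits after the first character, so an assignment with such a name is left in place and the line falls back to the old detection on `$line`; because `$noenv` is consulted only at L66, the effect is the residual false positive the change means to remove rather than a missed check. Suggested change: `[a-zA-Z_][a-zA-Z0-9_]* # environment variable name`. An empty unquoted value (`FOO= gcc ...`) is likewise not stripped because the non-quoted branch at L54 requires at least one character. The pattern's three value alternatives begin with disjoint characters and the name and `\s+` runs cannot overlap, so the nested `*` does not backtrack pathologically on long lines. The enclosing loop body starts before L41 and continues past L82.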
next if $line =~ /^C\+\+ linker for the host machine: /;
# Embedded `gcc -print-*` commands
next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
+ # cmake checking for compiler flags without setting CPPFLAGS
+ next if $line =~ m{^\s*/usr/(bin|lib)/(ccache/)?c\+\+ -dM -E -c /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp};
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
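Review bot: The cmake skip at L87 uses capturing groups `(bin|lib)` and `(ccache/)` whose captures are never read; non-capturing groups say so, and `/x` would let the overlong line wrap: `next if $line =~ m{^\s*/usr/(?:bin|lib)/(?:ccache/)?c\+\+ \s -dM \s -E \s -c \s /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp}x;`. It would also help to record why ignoring the line is safe for a hardening check, e.g. `# cmake probes the C++ compiler with -dM -E (preprocess only, nothing is built) without setting CPPFLAGS`. The enclosing sub starts and ends outside the hunk.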
if ($arch) {
- # The following was partially copied from dpkg-dev 1.20.5
+ # The following was partially copied from dpkg-dev 1.21.13
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
To generate this string simply use echo in C<debian/rules>; make sure to use @
to suppress the echo command itself as it could also trigger a false positive.
+If the build process takes a long time edit the C<.build> file in place and
+tweak the ignore string until B<blhc --all --debian package.build> no longer
+reports any false positives.
=head1 OPTIONS
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2020 by Simon Ruderich
+Copyright (C) 2012-2022 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by