# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2018 Simon Ruderich
+# Copyright (C) 2012-2019 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.08';
+our $VERSION = '0.10';
# CONSTANTS/VARIABLES
my $warning_regex = qr/^(.+?):(\d+):\d+: warning: (.+?) \[(.+?)\]$/;
# Regex to catch libtool commands and not lines which show commands executed
# by libtool (e.g. libtool: link: ...).
-my $libtool_regex = qr/\blibtool\s.*--mode=/;
+my $libtool_regex = qr/\blibtool["']?\s.*--mode=/;
my $libtool_link_regex = qr/\blibtool: link: /;
# List of source file extensions which require preprocessing.
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" non binary files.
- return 0 if $line =~ /^\s*Compiling \S+\.(?:py|el)['"]?\s*(?:\.\.\.)?$/;
+ return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
+ return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2018 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2019 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
- # Does this build log use ada? Ada also uses gcc as compiler but uses
- # different CFLAGS. But only perform ada checks if an ada compiler is used
- # for performance reasons.
- my $ada = 0;
- # Fortran also requires different CFLAGS.
- my $fortran = 0;
-
# Number of parallel jobs to prevent false positives when detecting
# non-verbose builds. As not all jobs declare the number of parallel jobs
# use a large enough default.
}
next FILE;
}
-
- # Ada compiler.
- if ($line =~ /\bgnat\b/) {
- $ada = 1;
- }
- # Fortran compiler.
- if ($line =~ /\bgfortran\b/) {
- $fortran = 1;
- }
}
# This flags is not always available, but if it is use it.
# Detect architecture automatically unless overridden.
if (not $arch
+ and index($line, 'dpkg-buildpackage: info: host architecture ') == 0) {
+ $arch = substr $line, 43, -1; # -1 to ignore '\n' at the end
+ # Older versions of dpkg-buildpackage
+ } elsif (not $arch
and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
$arch = substr $line, 37, -1; # -1 to ignore '\n' at the end
# look like a compiler executable thus causing the line to be
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
+ next if $line =~ m{^\s*dwz\s+};
# Some build systems emit "gcc > file".
next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
# Hex output may contain "cc".
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.0.5
+ # The following was partially copied from dpkg-dev 1.19.7
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
}
my %builtin_pie_arch = map { $_ => 1 } qw(
- amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386
- mips mipsel mips64el powerpc ppc64 ppc64el s390x sparc sparc64
+ amd64
+ arm64
+ armel
+ armhf
+ hurd-i386
+ i386
+ kfreebsd-amd64
+ kfreebsd-i386
+ mips
+ mipsel
+ mips64el
+ powerpc
+ ppc64
+ ppc64el
+ riscv64
+ s390x
+ sparc
+ sparc64
);
# Disable unsupported hardening options.
}
# Ada doesn't support format hardening flags, see #680117 for more
- # information. Same for fortran. Filter them out if either language is
- # used.
+ # information. Same for fortran.
my @cflags_backup;
- my @cflags_noformat;
- if (($ada or $fortran) and $harden_format) {
- @cflags_noformat = grep {
- my $ok = 1;
- foreach my $flag (@def_cflags_format) {
- $ok = 0 if $_ eq $flag;
- }
- $ok;
- } @cflags;
- }
+ my @cflags_noformat = grep {
+ my $ok = 1;
+ foreach my $flag (@def_cflags_format) {
+ $ok = 0 if $_ eq $flag;
+ }
+ $ok;
+ } @cflags;
# Hack to fix cppflags_fortify_broken() if --ignore-flag
# -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
and extension_found(\%extensions_compile_cpp, @extensions)) {
$compile = 0;
$compile_cpp = 1;
- # Ada needs special CFLAGS, use them if only ada files are compiled.
- } elsif ($ada
- and extension_found(\%extensions_ada, @extensions)) {
+ # Ada needs special CFLAGS
+ } elsif (extension_found(\%extensions_ada, @extensions)) {
$restore_cflags = 1;
$preprocess = 0; # Ada uses no CPPFLAGS
@cflags_backup = @cflags;
@cflags = @cflags_noformat;
- # Same for fortran.
- } elsif ($fortran
- and extension_found(\%extensions_fortran, @extensions)) {
+ # Same for fortran
+ } elsif (extension_found(\%extensions_fortran, @extensions)) {
$restore_cflags = 1;
@cflags_backup = @cflags;
@cflags = @cflags_noformat;
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2018 by Simon Ruderich
+Copyright (C) 2012-2019 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
ruderich.org/simon / blhc / blhc.git / blobdiff