'-Wl,(-z,)?now' => '-Wl,-z,now',
);
+my %exit_code = (
+ no_compiler_commands => 1 << 0,
+ # used by POD::Usage => 1 << 1,
+ non_verbose_build => 1 << 2,
+ flags_missing => 1 << 3,
+ hardening_wrapper => 1 << 4,
+ invalid_cmake => 1 << 5,
+);
+
# Statistics of missing flags and non-verbose build commands. Used for
# $option_buildd.
my %statistics = (
error_color(':', 'yellow'),
$line;
}
+sub error_invalid_cmake {
+ my ($version) = @_;
+
+ printf "%s%s %s\n",
+ error_color('INVALID CMAKE', 'red'),
+ error_color(':', 'yellow'),
+ $version;
+}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
FILE: foreach my $file (@ARGV) {
open my $fh, '<', $file or die "$!: $file";
+ # Architecture of this file.
+ my $arch = $option_arch;
+
# Hardening options. Not all architectures support all hardening options.
my $harden_format = 1;
my $harden_fortify = 1;
# flags are not checked.
if ($option_buildd and $line =~ /^Toolchain package versions: /) {
require Dpkg::Version;
- if ($line !~ /dpkg-dev_(\S+)/
+ if ($line !~ /\bdpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
$harden_format = 0;
$harden_fortify = 0;
}
}
+ # The following two versions of CMake in Debian obeyed CPPFLAGS, but
+ # this was later dropped because upstream rejected the patch. Thus
+ # build logs with these versions will have fortify hardening flags
+ # enabled, even though they may be not correctly set and are missing
+ # when build with later CMake versions. Thanks to Aron Xu for letting
+ # me know.
+ if ($line =~ /^Package versions: /
+ and $line =~ /\bcmake_(\S+)/
+ and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
+ if (not $option_buildd) {
+ error_invalid_cmake($1);
+ } else {
+ print "W-invalid-cmake-used $1\n";
+ }
+ $exit |= $exit_code{invalid_cmake};
+ }
+
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
} else {
print "I-hardening-wrapper-used\n";
}
- $exit |= 1 << 4;
+ $exit |= $exit_code{hardening_wrapper};
next FILE;
}
last if $line =~ /^Build finished at \d{8}-\d{4}$/;
# Detect architecture automatically unless overridden.
- if (not $option_arch
+ if (not $arch
and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) {
- $option_arch = $1;
+ $arch = $1;
}
# Ignore compiler warnings for now.
} else {
print "W-no-compiler-commands\n";
}
- $exit |= 1;
+ $exit |= $exit_code{no_compiler_commands};
next FILE;
}
}
# Option or auto detected.
- if ($option_arch) {
+ if ($arch) {
# The following was partially copied from dpkg-dev 1.16.1.2
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Kees Cook
# later. Keep it in sync.
require Dpkg::Arch;
- my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($option_arch);
+ my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);
# Disable unsupported hardening options.
- if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $option_arch eq 'arm') {
+ if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
$harden_stack = 0;
}
if ($cpu =~ /^(ia64|hppa|avr32)$/) {
} else {
$statistics{commands_nonverbose}++;
}
- $exit |= 1 << 2;
+ $exit |= $exit_code{non_verbose_build};
next;
}
# Even if it's a verbose build, we might have to skip this line.
} else {
$statistics{compile_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
} elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
} else {
$statistics{compile_cpp_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
# Assume dpkg-buildflags returns the correct flags.
} else {
$statistics{preprocess_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($link and not all_flags_used($line, \@missing, @ldflags)
# Same here, -fPIC conflicts with -fPIE.
} else {
$statistics{link_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
}
}
ruderich.org/simon / blhc / blhc.git / blobdiff