use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.13';
+our $VERSION = '0.14';
# CONSTANTS/VARIABLES
'-fno-stack-protector-all',
'-fno-stack-protector-strong',
);
+my @def_cflags_stack_clash = (
+ '-fstack-clash-protection',
+);
my @def_cflags_pie = (
'-fPIE',
);
+my @def_cflags_branch_amd64 = (
+ '-fcf-protection',
+);
+my @def_cflags_branch_arm64 = (
+ '-mbranch-protection=standard',
+);
my @def_cxxflags = (
@def_cflags,
);
\@def_cflags_stack,
\@def_cflags_stack_strong,
\@def_cflags_stack_bad,
+ \@def_cflags_stack_clash,
\@def_cflags_pie,
+ \@def_cflags_branch_amd64,
+ \@def_cflags_branch_arm64,
\@def_cxxflags,
\@def_cppflags,
\@def_cppflags_fortify,
# C++ compiler setting.
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
+ return 0 if $line =~ /^\s*CXX\s*:\s*g\+\+\s*$/;
# "Compiling" non binary files.
return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
# cargo build
- return 0 if $cargo and $line =~ m{^\s*Compiling\s+\S+\s+v\S+(?:\s+\(/<<PKGBUILDDIR>>\))?$};
+ return 0 if $cargo and $line =~ m{^\s*Compiling\s+\S+\s+v\S+(?:\s+\(/(?:<<PKGBUILDDIR>>|builds/\S+)\))?$};
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
my $harden_fortify = 1;
my $harden_stack = 1;
my $harden_stack_strong = 1;
+ my $harden_stack_clash = 1;
+ my $harden_branch = 1;
my $harden_relro = 1;
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
my $disable = 1;
my $disable_strong = 1;
+ my $disable_clash = 1;
+ my $disable_branch = 1;
if ($line =~ /\bdpkg-dev_(\S+)/) {
if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
$disable_harden_pie = 1;
}
+ if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
+ $disable_clash = 0;
+ $disable_branch = 0;
+ }
}
if ($disable) {
if ($disable_strong) {
$harden_stack_strong = 0;
}
+ if ($disable_clash) {
+ $harden_stack_clash = 0;
+ }
+ if ($disable_branch) {
+ $harden_branch = 0;
+ }
}
# The following two versions of CMake in Debian obeyed CPPFLAGS, but
}
if (scalar @input == 0) {
- if (not $option_buildd) {
- print "No compiler commands!\n";
- $exit |= $exit_code{no_compiler_commands};
- } else {
- print "$buildd_tag{no_compiler_commands}||\n";
+ if (not $cargo) {
+ if (not $option_buildd) {
+ print "No compiler commands!\n";
+ $exit |= $exit_code{no_compiler_commands};
+ } else {
+ print "$buildd_tag{no_compiler_commands}||\n";
+ }
}
next FILE;
}
}
# Option or auto detected.
+ my @harden_branch_flags;
if ($arch) {
# The following was partially copied from dpkg-dev 1.22.0
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
i386
kfreebsd-amd64
kfreebsd-i386
+ loong64
mips
mips64
mips64el
);
# Disable unsupported hardening options.
- if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or $cpu eq 'hppa') {
+ if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
+ $harden_pie = 0;
+ }
+ if ($os !~ /^(?:linux|kfreebsd|hurd)$/
+ or $cpu =~ /^(?:alpha|hppa|ia64)$/) {
$harden_pie = 0;
}
if ($cpu =~ /^(?:ia64|alpha|hppa|nios2)$/ or $arch eq 'arm') {
$harden_stack = 0;
$harden_stack_strong = 0;
}
+ if ($arch !~ /^(?:amd64|arm64|armhf|armel)$/) {
+ $harden_stack_clash = 0;
+ }
if ($cpu =~ /^(?:ia64|hppa)$/) {
$harden_relro = 0;
$harden_bindnow = 0;
}
-
- if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
- $harden_pie = 0;
+ if ($cpu eq 'amd64') {
+ @harden_branch_flags = @def_cflags_branch_amd64;
+ } elsif ($cpu eq 'arm64') {
+ @harden_branch_flags = @def_cflags_branch_arm64;
}
}
@cflags = (@cflags, @def_cflags_stack);
@cxxflags = (@cxxflags, @def_cflags_stack);
}
+ if ($harden_stack_clash) {
+ @cflags = (@cflags, @def_cflags_stack_clash);
+ @cxxflags = (@cxxflags, @def_cflags_stack_clash);
+ }
if ($harden_fortify) {
@cflags = (@cflags, @def_cflags_fortify);
@cxxflags = (@cxxflags, @def_cflags_fortify);
@cflags = (@cflags, @def_cflags_format);
@cxxflags = (@cxxflags, @def_cflags_format);
}
+ if ($harden_branch and @harden_branch_flags) {
+ @cflags = (@cflags, @harden_branch_flags);
+ @cxxflags = (@cxxflags, @harden_branch_flags);
+ }
if ($harden_relro) {
@ldflags = (@ldflags, @def_ldflags_relro);
}
ruderich.org/simon / blhc / blhc.git / blobdiff