Accept `dpkg-buildflags --get *FLAGS` as valid hardening flags.

`...` isn't expanded by make. Assume dpkg-buildflags returns the correct
flags.

diff --git a/bin/blhc b/bin/blhc
index e183027e22886699b7e4c66639ad77c12555034e..3839ec90d296cbecc401e0677a393d81b62a61e8 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -566,17 +566,23 @@ for (my $i = 0; $i < scalar @input; $i++) {
     if ($compile and not all_flags_used($line, \@missing, @cflags)
             # Libraries linked with -fPIC don't have to (and can't) be linked
             # with -fPIE as well. It's no error if only PIE flags are missing.
-            and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)) {
+            and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get (?:CFLAGS|CXXFLAGS)`/) {
         error_flags('CFLAGS missing', \@missing, \%flag_renames, $line);
         $exit |= 1 << 3;
     }
-    if ($preprocess and not all_flags_used($line, \@missing, @cppflags)) {
+    if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get CPPFLAGS`/) {
         error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $line);
         $exit |= 1 << 3;
     }
     if ($link and not all_flags_used($line, \@missing, @ldflags)
             # Same here, -fPIC conflicts with -fPIE.
-            and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)) {
+            and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get LDFLAGS`/) {
         error_flags('LDFLAGS missing', \@missing, \%flag_renames, $line);
         $exit |= 1 << 3;
     }

diff --git a/t/logs/debian b/t/logs/debian
index 5161689c0fc9be2a9d177a5e8d7f54b8dab2b1e9..aede2a97cefcbb289beef3f4b16b828de6023e2a 100644 (file)
--- a/t/logs/debian
+++ b/t/logs/debian
@@ -7,3 +7,13 @@ dh_auto_configure -- CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4
 gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 
  Depends: libc6 (>= 2.7), gcc
+
+# `...` isn't expanded by the Makefile, assume dpkg-buildflags returns the
+# correct flags.
+gcc -c `dpkg-buildflags --get CFLAGS` test.c
+g++ -c `dpkg-buildflags --get CXXFLAGS` test.cc
+gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+gcc -c `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPFLAGS` test.c
+g++ -c `dpkg-buildflags --get CXXFLAGS` `dpkg-buildflags --get CPPFLAGS` test.cc
+gcc -o test test.o `dpkg-buildflags --get LDFLAGS`
+gcc -o test test.o `dpkg-buildflags --get CFLAGS`

diff --git a/t/tests.t b/t/tests.t
index 2e31fddc1fa49146bd66d092530463386accf278..51bdf3a7dbda63e0429ca72e46585f650257fc14 100644 (file)
--- a/t/tests.t
+++ b/t/tests.t
@@ -533,6 +533,11 @@ LDFLAGS missing (-Wl,-z,relro): gcc -Wl,-z,now -o test test.o
 
 is_blhc 'debian', '', 8,
         'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c `dpkg-buildflags --get CFLAGS` test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c `dpkg-buildflags --get CXXFLAGS` test.cc
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+LDFLAGS missing (-Wl,-z,relro): gcc -o test test.o `dpkg-buildflags --get CFLAGS`
 ';