First work on --buildd.

At the moment only missing hardening flags for old builds (old dpkg-dev)
are ignored.

diff --git a/Build.PL b/Build.PL
index d64a95e9d9660a7a2ff7717a7ced70175ebeb793..3edcfb80e32f44c9a37c8cff307828e020f5ff0d 100644 (file)
--- a/Build.PL
+++ b/Build.PL
@@ -30,6 +30,7 @@ my $build = Module::Build->new(
     requires           => {
                             # Debian specific (for now).
                             'Dpkg::Arch' => 0,
+                            'Dpkg::Version' => 0,
                             # Bundled with perl.
                             'Getopt::Long' => 0,
                             'Pod::Usage' => 0,

diff --git a/MANIFEST b/MANIFEST
index 04219beac36b439636287f17d5f88a400d287c53..7aaca6e8d511e890fdf2997b41d96d8de8d0e60c 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -14,6 +14,8 @@ t/logs/bad-cppflags
 t/logs/bad-ldflags
 t/logs/bad-library
 t/logs/bad-multiline
+t/logs/buildd-dpkg-dev
+t/logs/buildd-dpkg-dev-old
 t/logs/c++
 t/logs/cc
 t/logs/configure

diff --git a/bin/blhc b/bin/blhc
index c82e9bc37475987d2bb8610e6c160ec2a9f42fb6..2c439bb0f33003817eb0fd8e1c7be09a33def19a 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -219,6 +219,7 @@ my $option_help    = 0;
 my $option_version = 0;
 my $option_all     = 0;
 my $option_arch    = undef;
+my $option_buildd  = 0;
 if (not Getopt::Long::GetOptions(
             'help|h|?' => \$option_help,
             'version'  => \$option_version,
@@ -228,6 +229,7 @@ if (not Getopt::Long::GetOptions(
             'all'      => \$option_all,
             # Misc.
             'arch'     => \$option_arch,
+            'buildd'   => \$option_buildd,
         )) {
     require Pod::Usage;
     Pod::Usage::pod2usage(2);
@@ -270,6 +272,26 @@ my $start = 0;
 my $continuation = 0;
 my $complete_line = undef;
 while (my $line = <>) {
+    # dpkg-buildflags only provides hardening flags since 1.16.1, don't check
+    # for hardening flags in buildd mode if an older dpkg-dev is used. Default
+    # flags (-g -O2) are still checked.
+    #
+    # Packages which were built before 1.16.1 but used their own hardening
+    # flags are not checked.
+    if ($option_buildd and not $start
+            and $line =~ /^Toolchain package versions: /) {
+        require Dpkg::Version;
+        if ($line !~ /dpkg-dev_(\S+)/
+                or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+            $harden_format  = 0;
+            $harden_fortify = 0;
+            $harden_stack   = 0;
+            $harden_relro   = 0;
+            $harden_bindnow = 0;
+            $harden_pie     = 0;
+        }
+    }
+
     # We skip over unimportant lines at the beginning to prevent false
     # positives.
     $start = 1 if $line =~ /^dpkg-buildpackage:/;
@@ -492,6 +514,7 @@ B<blhc> [--pie] [--bindnow] [--all]
     --bindnow               force +bindbow check
     --all                   force +all (+pie, +bindnow) check
     --arch                  set architecture (autodetected)
+    --buildd                parser mode for buildds
 
 =head1 DESCRIPTION
 
@@ -529,6 +552,20 @@ Set the specific architecture (e.g. amd64, armel, etc.), automatically
 disables hardening flags not available on this architecture. Is detected
 automatically if dpkg-buildpackage is used.
 
+=item B<--buildd>
+
+Special mode for buildds when automatically parsing log files. The following
+changes are in effect:
+
+=over 2
+
+=item
+
+Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
+detected).
+
+=back
+
 =back
 
 Auto detection for B<--pie> and B<--bindnow> only works if at least one

diff --git a/t/logs/buildd-dpkg-dev b/t/logs/buildd-dpkg-dev
new file mode 100644 (file)
index 0000000..4cd6530
--- /dev/null
+++ b/t/logs/buildd-dpkg-dev
@@ -0,0 +1,12 @@
+Toolchain package versions: ... dpkg-dev_1.16.1.2 ...
+dpkg-buildpackage: source package test
+
+gcc -g -O2 -c test-a.c
+gcc -g -O2 -c test-b.c
+gcc -g -O2 -c test-c.c
+gcc -o test test-a.o test-b.o test-c.o -ltest
+
+gcc -g -c test-a.c
+gcc -g -c test-b.c
+gcc -g -c test-c.c
+gcc -o test test-a.o test-b.o test-c.o -ltest

diff --git a/t/logs/buildd-dpkg-dev-old b/t/logs/buildd-dpkg-dev-old
new file mode 100644 (file)
index 0000000..0a9d035
--- /dev/null
+++ b/t/logs/buildd-dpkg-dev-old
@@ -0,0 +1,12 @@
+Toolchain package versions: ... dpkg-dev_1.15.8.10 ...
+dpkg-buildpackage: source package test
+
+gcc -g -O2 -c test-a.c
+gcc -g -O2 -c test-b.c
+gcc -g -O2 -c test-c.c
+gcc -o test test-a.o test-b.o test-c.o -ltest
+
+gcc -g -c test-a.c
+gcc -g -c test-b.c
+gcc -g -c test-c.c
+gcc -o test test-a.o test-b.o test-c.o -ltest

diff --git a/t/tests.t b/t/tests.t
index 0cd73f4ec56ff88943c7575b5e05798226bc2dff..3c7e5b8af91a09851b5bc19f818a56ff5fcba4b9 100644 (file)
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 80;
+use Test::More tests => 84;
 
 
 sub is_blhc {
@@ -50,6 +50,7 @@ Usage:
         --bindnow               force +bindbow check
         --all                   force +all (+pie, +bindnow) check
         --arch                  set architecture (autodetected)
+        --buildd                parser mode for buildds
 
 ';
 
@@ -377,13 +378,6 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc-4.6 -Wl,-z,defs test-a.o test-b.o t
 ';
 
 
-# debian
-
-is_blhc 'debian', '', 8,
-        'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
-';
-
-
 # c++
 
 is_blhc 'c++', '--pie --bindnow', 8,
@@ -473,3 +467,36 @@ is_blhc 'arch-mipsel', '', 8,
         'CFLAGS missing (-Werror=format-security): gcc -D_FORTIFY_SOURCE=2 -g -O2 -Wformat -Wformat-security -Wall -c test.c
 LDFLAGS missing (-Wl,-z,relro): gcc -Wl,-z,now -o test test.o
 ';
+
+
+# debian
+
+is_blhc 'debian', '', 8,
+        'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+';
+
+
+# buildd support
+
+is_blhc 'buildd-dpkg-dev', '--buildd', 8,
+        'CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c
+CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-b.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c
+CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-c.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c
+LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest
+CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-a.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-a.c
+CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-b.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-b.c
+CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-c.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-c.c
+LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest
+';
+
+is_blhc 'buildd-dpkg-dev-old', '--buildd', 8,
+        'CFLAGS missing (-O2): gcc -g -c test-a.c
+CFLAGS missing (-O2): gcc -g -c test-b.c
+CFLAGS missing (-O2): gcc -g -c test-c.c
+';