From: Simon Ruderich
Date: Wed, 21 Mar 2012 23:49:20 +0000 (+0100)
Subject: Accept `dpkg-buildflags --get *FLAGS` as valid hardening flags.
X-Git-Tag: 0.01~79
X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=commitdiff_plain;h=bd2f117db6034fc6b1ad2a95ba8009c2915978d5
Accept `dpkg-buildflags --get *FLAGS` as valid hardening flags.
`...` isn't expanded by make. Assume dpkg-buildflags returns the correct flags.
---
diff --git a/bin/blhc b/bin/blhc
index e183027..3839ec9 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -566,17 +566,23 @@ for (my $i = 0; $i < scalar @input; $i++) {
 if ($compile and not all_flags_used($line, \@missing, @cflags)
 # Libraries linked with -fPIC don't have to (and can't) be linked
 # with -fPIE as well. It's no error if only PIE flags are missing.
- and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)) {
+ and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)
+ # Assume dpkg-buildflags returns the correct flags.
+ and not $line =~ /`dpkg-buildflags --get (?:CFLAGS|CXXFLAGS)`/) {
 error_flags('CFLAGS missing', \@missing, \%flag_renames, $line);
 $exit |= 1 << 3;
 }
- if ($preprocess and not all_flags_used($line, \@missing, @cppflags)) {
+ if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
+ # Assume dpkg-buildflags returns the correct flags.
+ and not $line =~ /`dpkg-buildflags --get CPPFLAGS`/) {
 error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $line);
 $exit |= 1 << 3;
 }
 if ($link and not all_flags_used($line, \@missing, @ldflags)
 # Same here, -fPIC conflicts with -fPIE.
- and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)) {
+ and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)
+ # Assume dpkg-buildflags returns the correct flags.
+ and not $line =~ /`dpkg-buildflags --get LDFLAGS`/) {
 error_flags('LDFLAGS missing', \@missing, \%flag_renames, $line);
 $exit |= 1 << 3;
 }
diff --git a/t/logs/debian b/t/logs/debian
index 5161689..aede2a9 100644
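Review bot: Each of the three new dpkg-buildflags escapes switches the whole check off for the line on a bare substring match, so a compile or link line that also carries an explicit counter-flag after the backtick expansion (for instance -fno-stack-protector, or a dpkg-buildflags run under DEB_BUILD_MAINT_OPTIONS=hardening=-all, whose output blhc never sees) now passes silently where it was reported before; unless blhc checks such overrides elsewhere, that trust deserves a comment at the top of the loop such as `# A verbatim dpkg-buildflags call is trusted blindly: blhc cannot see which flags it expanded to, nor whether DEB_BUILD_MAINT_OPTIONS stripped any.`. The regexes also recognise only the backtick spelling, so the equivalent $(dpkg-buildflags --get CFLAGS) form (which reaches the shell via $$(...) in a Makefile) is presumably still reported as missing, which looks unintended. On style, `not $line =~ /.../` reads more naturally as `$line !~ /.../`, and the three copies of the regex plus the identical comment could collapse into one small helper as sketched below. The enclosing for loop starts before and ends after the hunk.
```perl
# A verbatim dpkg-buildflags call (`...` isn't expanded by make) is trusted
# to carry the right flags; blhc never sees what it actually expanded to.
sub uses_dpkg_buildflags {
    my ($line, @vars) = @_;
    my $alt = join '|', map { quotemeta } @vars;
    return $line =~ /`dpkg-buildflags --get (?:$alt)`/;
}

    if ($compile and not all_flags_used($line, \@missing, @cflags)
        # … unchanged: PIC/PIE comment and pic_pie_conflict check …
        and not uses_dpkg_buildflags($line, qw(CFLAGS CXXFLAGS))) {
        # … unchanged: error_flags call and $exit update …
    if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
        and not uses_dpkg_buildflags($line, 'CPPFLAGS')) {
        # … unchanged: error_flags call and $exit update …
    if ($link and not all_flags_used($line, \@missing, @ldflags)
        # … unchanged: PIC/PIE comment and pic_pie_conflict check …
        and not uses_dpkg_buildflags($line, 'LDFLAGS')) {
```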
--- a/t/logs/debian
+++ b/t/logs/debian
@@ -7,3 +7,13 @@ dh_auto_configure -- CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4
 gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 Depends: libc6 (>= 2.7), gcc
+
+# `...` isn't expanded by the Makefile, assume dpkg-buildflags returns the
+# correct flags.
+gcc -c `dpkg-buildflags --get CFLAGS` test.c
+g++ -c `dpkg-buildflags --get CXXFLAGS` test.cc
+gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+gcc -c `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPFLAGS` test.c
+g++ -c `dpkg-buildflags --get CXXFLAGS` `dpkg-buildflags --get CPPFLAGS` test.cc
+gcc -o test test.o `dpkg-buildflags --get LDFLAGS`
+gcc -o test test.o `dpkg-buildflags --get CFLAGS`
diff --git a/t/tests.t b/t/tests.t
index 2e31fdd..51bdf3a 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -533,6 +533,11 @@ LDFLAGS missing (-Wl,-z,relro): gcc -Wl,-z,now -o test test.o
 is_blhc 'debian', '', 8, 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c `dpkg-buildflags --get CFLAGS` test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c `dpkg-buildflags --get CXXFLAGS` test.cc
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c `dpkg-buildflags --get LDFLAGS` test.c
+LDFLAGS missing (-Wl,-z,relro): gcc -o test test.o `dpkg-buildflags --get CFLAGS`
 ';