# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2013 Simon Ruderich
+# Copyright (C) 2012-2014 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.04';
+our $VERSION = '0.05';
# CONSTANTS/VARIABLES
'-fstack-protector',
'--param[= ]ssp-buffer-size=4',
);
+my @def_cflags_stack_strong = (
+ '-fstack-protector-strong',
+);
my @def_cflags_pie = (
'-fPIE',
);
my @def_cppflags = ();
my @def_cppflags_fortify = (
'-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
- # If you add another flag fix hack below (search for "Hack to fix").
+ # If you add another flag fix hack below (search for "Hack to fix") and
+ # $def_cppflags_fortify[0].
);
my @def_cppflags_fortify_bad = (
# These flags may overwrite -D_FORTIFY_SOURCE=2.
\@def_cflags_format,
\@def_cflags_fortify,
\@def_cflags_stack,
+ \@def_cflags_stack_strong,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" non binary files.
- return 0 if $line =~ /^\s*Compiling \S+\.(?:py|el)['"]?(?:\.\.\.)?$/;
+ return 0 if $line =~ /^\s*Compiling \S+\.(?:py|el)['"]?\s*(?:\.\.\.)?$/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2013 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2014 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
my $harden_format = 1;
my $harden_fortify = 1;
my $harden_stack = 1;
+ my $harden_stack_strong = 1;
my $harden_relro = 1;
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
#
# Packages which were built before 1.16.1 but used their own hardening
# flags are not checked.
+ #
+ # Strong stack protector is used since dpkg 1.17.11.
if ($option_buildd
and index($line, 'Toolchain package versions: ') == 0) {
require Dpkg::Version;
- if (not $line =~ /\bdpkg-dev_(\S+)/
- or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+
+ my $disable = 1;
+ my $disable_strong = 1;
+
+ if ($line =~ /\bdpkg-dev_(\S+)/) {
+ if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
+ $disable = 0;
+ }
+ if (Dpkg::Version::version_compare($1, '1.17.11') >= 0) {
+ $disable_strong = 0;
+ }
+ }
+
+ if ($disable) {
$harden_format = 0;
$harden_fortify = 0;
$harden_stack = 0;
$harden_bindnow = 0;
$harden_pie = 0;
}
+ if ($disable_strong) {
+ $harden_stack_strong = 0;
+ }
}
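Review bot: The capture `$1` from `$line =~ /\bdpkg-dev_(\S+)/` is read twice, with a call to `Dpkg::Version::version_compare` in between; Perl restores capture variables when the callee's scope exits, so this works today, but any regex added later in this block would silently change the input of the second comparison. Copying the capture into a named scalar is clearer and removes that hazard: `my ($dpkg_version) = $line =~ /\bdpkg-dev_(\S+)/;` then `if (defined $dpkg_version) {` and pass `$dpkg_version` to both `version_compare` calls. The `$disable`/`$disable_strong` defaults of 1 preserve the earlier behaviour that a toolchain line without a recognisable dpkg-dev version disables all checks; a short comment stating that intent, e.g. `# No dpkg-dev version found: assume a pre-hardening toolchain.`, would help the next reader.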
# The following two versions of CMake in Debian obeyed CPPFLAGS, but
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.17.1
+ # The following was partially copied from dpkg-dev 1.17.11
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Kees Cook
# <kees@debian.org>, Canonical, Ltd. licensed under GPL version 2 or
$cpu =~ /^(?:hppa|mips|mipsel|avr32)$/) {
$harden_pie = 0;
}
- if ($cpu =~ /^(?:ia64|alpha|mips|mipsel|hppa|arm64)$/
- or $arch eq 'arm') {
+ if ($cpu =~ /^(?:ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
$harden_stack = 0;
+ $harden_stack_strong = 0;
}
if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
$harden_relro = 0;
@cxxflags = (@cxxflags, @def_cflags_pie);
@ldflags = (@ldflags, @def_ldflags_pie);
}
- if ($harden_stack) {
+ if ($harden_stack_strong) {
+ @cflags = (@cflags, @def_cflags_stack_strong);
+ @cxxflags = (@cxxflags, @def_cflags_stack_strong);
+ } elsif ($harden_stack) {
@cflags = (@cflags, @def_cflags_stack);
@cxxflags = (@cxxflags, @def_cflags_stack);
}
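Review bot: Outside `--buildd` mode `$harden_stack_strong` appears to keep its default of 1, so the new `if ($harden_stack_strong)` branch always selects `-fstack-protector-strong` and a log built with plain `-fstack-protector` would be reported as missing the flag; nothing in this hunk falls back to `@def_cflags_stack` in that case. If that is intended (strong being the expected default for current toolchains), a comment on the branch saying so would avoid confusion, e.g. `# Strong stack protector supersedes -fstack-protector; only one is expected.`; if it is not intended, the non-buildd path needs a way to accept either set, which cannot be judged from this hunk alone. The enclosing block starts outside the hunk.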
# for a debug build.
if (any_flags_used($line, @def_cflags_debug)) {
remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
+ remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);
}
# Check hardening flags.
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2013 by Simon Ruderich
+Copyright (C) 2012-2014 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by