# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2022 Simon Ruderich
+# Copyright (C) 2012-2024 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# Expected (hardening) flags. All flags are used as regexps (and compiled to
# real regexps below for better execution speed).
my @def_cflags = (
- '-g',
+ '-g3?',
'-O(?:2|3)', # keep at index 1, search for @def_cflags_debug to change it
);
my @def_cflags_debug = (
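Review bot: `-g3?` on the added line accepts only `-g` and `-g3`; `-g1`, `-g2` and the `-ggdb`/`-gdwarf-N` spellings are still reported as a missing `-g`, assuming compile_flag_regexp() (outside the hunk) anchors the pattern on both sides the way the `(?:=2)?` and `(?:-z,)?` alternations in the other flag strings suggest. `'-g[1-3]?',` would at least cover the numeric levels (`-g0` disables debug info and should stay excluded). Because %flag_renames is keyed by the regex string, the rename key added in the later hunk, `'-g3?' => '-g',`, has to change in lockstep, e.g. `'-g[1-3]?' => '-g',`; a short comment on the @def_cflags entry pointing at that rename key would make the coupling visible to the next person who touches either line.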
# @def_cxxflags_* is the same as @def_cflags_*.
my @def_cppflags = ();
my @def_cppflags_fortify = (
- '-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
+ '-D_FORTIFY_SOURCE=[23]', # must be first, see cppflags_fortify_broken()
# If you add another flag fix hack below (search for "Hack to fix") and
# $def_cppflags_fortify[0].
);
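Review bot: Widening the flag to `-D_FORTIFY_SOURCE=[23]` is only half of the change if cppflags_fortify_broken() and the "Hack to fix" block named in the comments compare against a literal `-D_FORTIFY_SOURCE=2` rather than `$def_cppflags_fortify[0]`; both live outside the hunk, so this needs checking rather than assuming. The rename added in the following hunk, `'-D_FORTIFY_SOURCE=[23]' => '-D_FORTIFY_SOURCE=2',`, also means a build that passed level 3 and then lost it is reported as missing `=2`; if `=2` is meant as "the minimum accepted level", a comment such as `# level 3 is accepted too, see %flag_renames` on the flag line would stop a reader from taking the `=2` in the output for a bug.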
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
+ '-g3?' => '-g',
'-O(?:2|3)' => '-O2',
'-Wformat(?:=2)?' => '-Wformat',
'--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4',
+ '-D_FORTIFY_SOURCE=[23]' => '-D_FORTIFY_SOURCE=2',
'-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
'-Wl,(?:-z,)?now' => '-Wl,-z,now',
);
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2022 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2024 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
\s.+\s
-I\S+/mkspecs/[a-z]+-g\++(?:-64)?
\s}x;
+ # nvcc is not a regular C compiler
+ next if $line =~ m{^\S+/bin/nvcc\s};
# Ignore false positives when the line contains only CC=gcc but no
# other gcc command.
if ($line =~ /(.*)CC=$cc_regex_full(.*)/o) {
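Review bot: Skipping the whole nvcc line also skips whatever nvcc forwards to the host compiler (`-Xcompiler` and `-ccbin` arguments), so host-side objects built through nvcc are never checked for hardening flags; the comment should record that this gap is deliberate, e.g. `# nvcc is not a regular C compiler; flags it forwards to the host compiler (-Xcompiler) are not checked either`. The `^\S+/bin/nvcc\s` anchor only skips invocations spelled with a path: a bare `nvcc …` or a line with a leading `VAR=…` assignment falls through to the `$cc_regex_full` match below, and whether that yields a false positive depends on that regex, which is defined outside the hunk.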
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.20.5
- # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
- # copyright Raphaël Hertzog <hertzog@debian.org>, Guillem Jover
- # <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
- # licensed under GPL version 2 or later. Keep it in sync.
+ # The following was partially copied from dpkg-dev 1.22.0
+ # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
+ # _add_build_flags()), copyright Raphaël Hertzog <hertzog@debian.org>,
+ # Guillem Jover <guillem@debian.org>, Kees Cook <kees@debian.org>,
+ # Canonical, Ltd. licensed under GPL version 2 or later. Keep it in
+ # sync.
require Dpkg::Arch;
my ($os, $cpu);
arm64
armel
armhf
+ hurd-amd64
hurd-i386
i386
kfreebsd-amd64
kfreebsd-i386
mips
- mipsel
+ mips64
mips64el
+ mips64r6
+ mips64r6el
+ mipsel
+ mipsn32
+ mipsn32el
+ mipsn32r6
+ mipsn32r6el
+ mipsr6
+ mipsr6el
powerpc
ppc64
ppc64el
);
# Disable unsupported hardening options.
- if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/
- or $cpu =~ /^(?:hppa|avr32)$/) {
+ if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or $cpu eq 'hppa') {
$harden_pie = 0;
}
if ($cpu =~ /^(?:ia64|alpha|hppa|nios2)$/ or $arch eq 'arm') {
$harden_stack = 0;
$harden_stack_strong = 0;
}
- if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
+ if ($cpu =~ /^(?:ia64|hppa)$/) {
$harden_relro = 0;
$harden_bindnow = 0;
}
blhc: ignore-line-regexp: REGEXP
All lines fully matching REGEXP (see B<--ignore-line> for details) will be
-ignored.
+ignored. The string can be embedded multiple times to ignore different
+regexps.
Please use this feature sparingly so that missing flags are not overlooked. If
you find false positives which affect more packages please report a bug.
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2022 by Simon Ruderich
+Copyright (C) 2012-2024 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by