X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;ds=sidebyside;f=bin%2Fblhc;h=666c2afc207ddbb6bbacb4d997c107d9306a0df9;hb=5d47f4a04c4a45b6cacca330725539822b99a276;hp=e602106b5fd8f6d0140634cf517f21e67471a6f8;hpb=7e0037c0788371d6911d2dae5e919bd1b963aedb;p=blhc%2Fblhc.git

diff --git a/bin/blhc b/bin/blhc
index e602106..666c2af 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -31,7 +31,7 @@ our $VERSION = '0.01';
 # CONSTANTS/VARIABLES
 
 # Regex to catch compiler commands.
-my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux|kfreebsd)-gnu(?:eabi|eabihf)?-)?
+my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
                   (?:(?<!\.)cc|gcc|g\+\+|c\+\+)
                   (?:-[\d.]+)?/x;
 # Regex to catch (GCC) compiler warnings.
@@ -180,6 +180,12 @@ sub error_non_verbose_build {
            error_color(':', 'yellow'),
            $line;
 }
+sub error_hardening_wrapper {
+    printf "%s%s %s\n",
+            error_color('HARDENING WRAPPER', 'red'),
+            error_color(':', 'yellow'),
+            'no checks possible, aborting';
+}
 sub error_color {
     my ($message, $color) = @_;
 
@@ -366,6 +372,14 @@ while (my $line = <>) {
         }
     }
 
+    # If hardening wrapper is used (wraps calls to gcc and adds hardening
+    # flags automatically) we can't perform any checks, abort.
+    if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+        error_hardening_wrapper();
+        $exit |= 1 << 4;
+        exit $exit;
+    }
+
     # We skip over unimportant lines at the beginning of the log to prevent
     # false positives.
     $start = 1 if $line =~ /^dpkg-buildpackage:/;
@@ -451,6 +465,10 @@ while (my $line = <>) {
             next if $line =~ /^\s*Depends: .*?$cc_regex.*?$/
                     and $line !~ /\s-./; # option, prevent false negatives
 
+            # Check if additional hardening options were used. Used to ensure
+            # they are used for the complete build.
+            $harden_pie     = 1 if any_flags_used($line, @cflags_pie, @ldflags_pie);
+            $harden_bindnow = 1 if any_flags_used($line, @ldflags_bindnow);
 
             push @input, $line;
         }
@@ -484,13 +502,6 @@ if ($option_arch) {
     }
 }
 
-# Check if additional hardening options were used. Used to ensure they are
-# used for the complete build.
-foreach my $line (@input) {
-    $harden_pie     = 1 if any_flags_used($line, @cflags_pie, @ldflags_pie);
-    $harden_bindnow = 1 if any_flags_used($line, @ldflags_bindnow);
-}
-
 # Check the specified hardening options, same order as dpkg-buildflags.
 if ($harden_pie) {
     @cflags  = (@cflags,  @cflags_pie);
@@ -698,6 +709,10 @@ Non verbose build.
 
 Missing hardening flags.
 
+=item B<16>
+
+Hardening wrapper detected, no tests performed.
+
 =back
 
 =head1 AUTHOR