1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
#! /usr/bin/perl
use strict;
use warnings;
use File::Spec qw(rel2abs);
use File::Basename;
my @args = ();
my $enabled = 0;
my $debug = 0;
# Set up defaults
my %default;
$default{'DEB_BUILD_HARDENING'}=0;
$default{'DEB_BUILD_HARDENING_DEBUG'}=0;
# Architecture settings
# #OS# #CPU#
$default{'DEB_BUILD_HARDENING_RELRO'}=1;
# System settings
my $system_conf = '/etc/hardening-wrapper.conf';
if (-r $system_conf) {
open(CONF,$system_conf) || warn "Cannot read $system_conf\n";
while (my $line = <CONF>) {
if ($line =~ /^\s*(DEB_BUILD_HARDENING[_A-Z]*)\s*=\s*(\d)$/) {
$default{$1}=$2+0;
}
}
close(CONF);
}
# Environment settings
$enabled = defined($ENV{'DEB_BUILD_HARDENING'}) ?
$ENV{'DEB_BUILD_HARDENING'} :
$default{'DEB_BUILD_HARDENING'};
$debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ?
$ENV{'DEB_BUILD_HARDENING_DEBUG'} :
$default{'DEB_BUILD_HARDENING_DEBUG'};
my $force_relro = defined($ENV{'DEB_BUILD_HARDENING_RELRO'}) ?
$ENV{'DEB_BUILD_HARDENING_RELRO'} :
$default{'DEB_BUILD_HARDENING_RELRO'};
if ($enabled) {
# Scan arguments
my $index = 0;
foreach my $arg (@ARGV) {
if ($arg eq "relro" && $index>0 && $ARGV[$index-1] eq "-z") {
$force_relro = 0;
}
$index++;
}
if ($force_relro) {
push(@args,'-z','relro');
}
}
my $self = "hardened-ld";
my $link = "";
my $tool = $0;
if ($tool =~ /$self$/ || defined($ENV{'HARDENING_USE_USR_BIN'})) {
$tool = "/usr/bin/ld";
}
sub resolve_link($)
{
my $origin = $_[0];
my $link = readlink($origin);
return File::Spec->rel2abs($link,dirname($origin));
}
while (-l $tool && ($link = resolve_link($tool)) !~ /$self$/) {
$tool = $link;
}
if (-x "$tool.real") {
$tool = "$tool.real";
}
my @target = ($tool, @args, @ARGV);
print STDERR join(" ",@target),"\n" if ($debug);
exec @target or die "Unable to exec $target[0]: $!\n";
|