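#! /usr/bin/perl
#
# hardened-ld: wrapper around the system linker that prepends the Debian
# hardening link-time options (-z relro, -z now) and then execs the real
# ld.  It never returns on success.
#
# Precedence for every setting, highest first:
#   1. environment variables DEB_BUILD_HARDENING*
#   2. /etc/hardening-wrapper.conf
#   3. the built-in defaults below
#
# The injected options are placed *before* the caller's own arguments, so a
# build that explicitly passes e.g. "-z norelro" or "-z lazy" still wins:
# ld honours the last occurrence of a -z keyword.  The argument scan below
# only avoids adding a duplicate when the caller already asks for relro/now.
use strict;
use warnings;
use File::Spec;
use File::Basename;

my @args = ();      # options this wrapper prepends to the ld command line
my $enabled = 0;    # master switch (DEB_BUILD_HARDENING)
my $debug = 0;      # print the final command line to STDERR (DEB_BUILD_HARDENING_DEBUG)

# Set up defaults
my %default;
$default{'DEB_BUILD_HARDENING'} = 0;
$default{'DEB_BUILD_HARDENING_DEBUG'} = 0;

# Architecture settings
# #OS# #ARCH#
$default{'DEB_BUILD_HARDENING_RELRO'} = 1;
$default{'DEB_BUILD_HARDENING_BINDNOW'} = 1;

# System settings
# Only lines of the form "DEB_BUILD_HARDENING*=<single digit>" are honoured;
# anything else (comments, blank lines, trailing whitespace) is ignored
# silently.  A config file that exists but cannot be opened only warns --
# the wrapper must never break a build because of its own configuration.
my $system_conf = '/etc/hardening-wrapper.conf';
if (-r $system_conf) {
    if (open(my $conf, '<', $system_conf)) {
        while (my $line = <$conf>) {
            if ($line =~ /^\s*(DEB_BUILD_HARDENING[_A-Z]*)\s*=\s*(\d)$/) {
                $default{$1} = $2 + 0;
            }
        }
        close($conf);
    }
    else {
        warn "Cannot read $system_conf: $!\n";
    }
}

# Environment settings
# An environment variable, even one set to "0", overrides the config file
# and the built-in default; only an unset variable falls through.
sub setting {
    my ($name) = @_;
    return defined($ENV{$name}) ? $ENV{$name} : $default{$name};
}

$enabled          = setting('DEB_BUILD_HARDENING');
$debug            = setting('DEB_BUILD_HARDENING_DEBUG');
my $force_relro   = setting('DEB_BUILD_HARDENING_RELRO');
my $force_bindnow = setting('DEB_BUILD_HARDENING_BINDNOW');

if ($enabled) {
    # Scan arguments: if the caller already requests relro/now, either as
    # "-z relro" or in the joined "-zrelro" spelling, do not add it again.
    for my $i (0 .. $#ARGV) {
        my $arg = $ARGV[$i];
        my $after_z = ($i > 0 && $ARGV[$i - 1] eq "-z");
        if (($arg eq "relro" && $after_z) || $arg eq "-zrelro") {
            $force_relro = 0;
        }
        if (($arg eq "now" && $after_z) || $arg eq "-znow") {
            $force_bindnow = 0;
        }
    }

    if ($force_relro) {
        push(@args, '-z', 'relro');
    }
    if ($force_bindnow) {
        push(@args, '-z', 'now');
    }
}

# Locate the real linker.
#
# The wrapper is normally installed via a symlink chain (alternatives,
# dpkg-divert) ending in "<something>.real".  Start from $0; when invoked
# by our own name, or when HARDENING_USE_USR_BIN is set, go straight to
# /usr/bin/ld and let the symlink walk below find ld.real next to it.
my $self = "hardened-ld";
my $tool = $0;
if ($tool =~ /\Q$self\E$/ || defined($ENV{'HARDENING_USE_USR_BIN'})) {
    $tool = "/usr/bin/ld";
}

# Follow one symlink hop and return the target as an absolute path
# (relative link targets are resolved against the link's own directory).
# Returns undef if $origin cannot be read as a symlink.
sub resolve_link {
    my ($origin) = @_;
    my $target = readlink($origin);
    return undef unless defined $target;
    return File::Spec->rel2abs($target, dirname($origin));
}

# Walk the symlink chain until it reaches a non-symlink, or a link that
# points back at this wrapper (then $tool is the diverted name and
# "$tool.real" is the real linker).  The hop count is bounded so a symlink
# loop aborts with a clear error instead of hanging the build forever.
my $max_hops = 32;
my $hops = 0;
while (-l $tool) {
    my $next = resolve_link($tool);
    die "$self: cannot resolve symlink $tool: $!\n" unless defined $next;
    last if $next =~ /\Q$self\E$/;
    if (++$hops > $max_hops) {
        die "$self: too many levels of symbolic links resolving $0\n";
    }
    $tool = $next;
}

if (-x "$tool.real") {
    $tool = "$tool.real";
}

my @target = ($tool, @args, @ARGV);

print STDERR join(" ", @target), "\n" if ($debug);

# Indirect-object form forces execvp(): a bare "exec @target" would hand a
# single-element list to /bin/sh if the path contained shell metacharacters.
exec { $target[0] } @target or die "Unable to exec $target[0]: $!\n";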