#! /usr/bin/perl
use strict;
use warnings;
use File::Spec qw(rel2abs);
use File::Basename;

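my @args = ();
my $enabled = 0;
my $debug = 0;

# Set up defaults: hardening is off unless the system config or the
# environment switches it on.
my %default;
$default{'DEB_BUILD_HARDENING'}=0;
$default{'DEB_BUILD_HARDENING_DEBUG'}=0;

# Architecture settings
# #OS# #ARCH#
$default{'DEB_BUILD_HARDENING_RELRO'}=1;
$default{'DEB_BUILD_HARDENING_BINDNOW'}=1;

# System settings: "KEY=<digit>" lines override the built-in defaults.
# Only DEB_BUILD_HARDENING* keys with a single-digit value are accepted,
# so nothing else in the file can end up in %default.
my $system_conf = '/etc/hardening-wrapper.conf';
if (-r $system_conf) {
    # Three-arg open on a lexical handle; when the open fails we skip the
    # read loop instead of calling readline() on an unopened handle.
    if (open(my $conf_fh, '<', $system_conf)) {
        while (my $line = <$conf_fh>) {
            if ($line =~ /^\s*(DEB_BUILD_HARDENING[_A-Z]*)\s*=\s*(\d)$/) {
                $default{$1}=$2+0;
            }
        }
        close($conf_fh);
    }
    else {
        warn "Cannot read $system_conf\n";
    }
}

# Environment settings: a variable present in the environment wins over the
# (config-adjusted) default, even when it is set to an empty string.
sub _setting {
    my ($name) = @_;
    return defined($ENV{$name}) ? $ENV{$name} : $default{$name};
}
$enabled          = _setting('DEB_BUILD_HARDENING');
$debug            = _setting('DEB_BUILD_HARDENING_DEBUG');
my $force_relro   = _setting('DEB_BUILD_HARDENING_RELRO');
my $force_bindnow = _setting('DEB_BUILD_HARDENING_BINDNOW');

if ($enabled) {
    # Scan arguments: when the caller already passes "-z relro" or
    # "-z now" as two separate words, do not add a duplicate.  The forced
    # flags are placed before @ARGV, so any caller-supplied "-z" option
    # still takes precedence at link time.
    for my $i (1 .. $#ARGV) {
        next unless $ARGV[$i-1] eq "-z";
        $force_relro   = 0 if $ARGV[$i] eq "relro";
        $force_bindnow = 0 if $ARGV[$i] eq "now";
    }

    push(@args, '-z', 'relro') if $force_relro;
    push(@args, '-z', 'now')   if $force_bindnow;
}

# Work out which linker to run.  When invoked under our own name (or when
# HARDENING_USE_USR_BIN is set) go straight to /usr/bin/ld; otherwise start
# from $0 and let the symlink-resolution loop below find the real tool.
# $link is filled in by that loop.
my $self = "hardened-ld";
my $link = "";
my $tool = $0;
if ($tool =~ /$self$/ || defined($ENV{'HARDENING_USE_USR_BIN'})) {
    $tool = "/usr/bin/ld";
}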

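# Resolve one level of symlink.
#
# Takes the path of a symlink ($origin) and returns the absolute path it
# points to; a relative link target is interpreted relative to the
# directory containing the symlink, not the current working directory.
#
# Dies when readlink() fails (e.g. $origin is not a symlink or vanished),
# rather than passing undef to rel2abs and handing a bogus path to the
# exec further down.  The old "($)" prototype was dropped: every caller
# uses parenthesised calls with a scalar, so nothing changes for them.
sub resolve_link
{
    my ($origin) = @_;
    my $target = readlink($origin);
    defined($target)
        or die "Unable to resolve symlink $origin: $!\n";
    return File::Spec->rel2abs($target, dirname($origin));
}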

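# Follow the chain of symlinks we were invoked through until we reach a
# path that is not a symlink, or one whose target is the hardened-ld
# wrapper itself (stop there so we never re-enter ourselves).
while (-l $tool && ($link = resolve_link($tool)) !~ /\Q$self\E$/) {
    $tool = $link;
}
# When the real linker has been moved aside as "<tool>.real", run that.
if (-x "$tool.real") {
    $tool = "$tool.real";
}
my @target = ($tool, @args, @ARGV);

print STDERR join(" ",@target),"\n" if ($debug);

# The indirect-object form execve()s $target[0] directly in every case.
# Plain "exec LIST" hands a single-element list to the shell when it
# contains metacharacters, which can happen here when @ARGV is empty and
# the tool path (derived from $0) contains such characters.
exec { $target[0] } @target or die "Unable to exec $target[0]: $!\n";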