Date: Wednesday, July 23, 2014 @ 01:04:53 Author: thestinger Revision: 116122
add hardening-wrapper script
Added:
hardening-wrapper/
hardening-wrapper/repos/
hardening-wrapper/trunk/
hardening-wrapper/trunk/PKGBUILD
hardening-wrapper/trunk/cc-wrapper.sh
hardening-wrapper/trunk/path.sh
---------------+
PKGBUILD | 26 +++++++++++++++
cc-wrapper.sh | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
path.sh | 1
3 files changed, 123 insertions(+)
Added: hardening-wrapper/trunk/PKGBUILD
===================================================================
--- hardening-wrapper/trunk/PKGBUILD (rev 0)
+++ hardening-wrapper/trunk/PKGBUILD 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1,26 @@
+# Maintainer: Daniel Micay <[email protected]>
+pkgname=hardening-wrapper
+pkgver=1
+pkgrel=1
+pkgdesc='Wrapper script for building hardened executables by default'
+arch=(any)
+url='https://archlinux.org/'
+license=('GPL')
+depends=(bash)
+source=(cc-wrapper.sh path.sh)
+sha1sums=('99d2a33b30790c51e7ea4340dc85368ae65cbdd1'
+ '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc')
+
+package() {
+ mkdir -p "$pkgdir/usr/lib/hardening-wrapper/bin"
+ install -m644 path.sh "$pkgdir/usr/lib/hardening-wrapper/path.sh"
+ install -m755 cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c89"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c99"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/cc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+}
Added: hardening-wrapper/trunk/cc-wrapper.sh
===================================================================
--- hardening-wrapper/trunk/cc-wrapper.sh (rev 0)
+++ hardening-wrapper/trunk/cc-wrapper.sh 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -o nounset
+
+force_bindnow="${HARDENING_BINDNOW:-1}"
+force_fPIE="${HARDENING_PIE:-1}"
+force_fortify="${HARDENING_FORTIFY:-2}"
+force_pie="${HARDENING_PIE:-1}"
+force_relro="${HARDENING_RELRO:-1}"
+force_stack_protector="${HARDENING_STACK_PROTECTOR:-2}"
+
+error() {
+ echo "$1"
+ exit 1
+}
+
+linking=1
+optimizing=0
+
+for opt; do
+ case "$opt" in
+ -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
+ force_fPIE=0
+ force_pie=0
+ ;;
+ -fPIC|-fpic|-fPIE|-fpie)
+ force_fPIE=0
+ ;;
+ -c)
+ linking=0
+ ;;
+ -nostdlib|-ffreestanding)
+ force_stack_protector=0
+ ;;
+ -D_FORTIFY_SOURCE*)
+ force_fortify=0
+ ;;
+ -O0)
+ optimizing=0
+ ;;
+ -O*)
+ optimizing=1
+ ;;
+ esac
+done
+
+arguments=()
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_fPIE" in
+ 0) ;;
+ 1) arguments+=(-fPIE) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_fortify" in
+ 0) ;;
+ 1|2) (( optimizing )) && arguments+=(-D_FORTIFY_SOURCE=$force_fortify) ;;
+ *) error 'invalid value for HARDENING_FORTIFY' ;;
+esac
+
+case "$force_pie" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-pie) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+case "$force_stack_protector" in
+ 0) ;;
+ 1) arguments+=(-fstack-protector) ;;
+ 2) arguments+=(-fstack-protector-strong) ;;
+ 3) arguments+=(-fstack-protector-all) ;;
+ *) error 'invalid value for HARDENING_STACK_PROTECTOR' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+ unwrapped="$binary"
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
Property changes on: 
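Review bot: In the `for opt` case statement, `-nostdlib` is listed both in the first arm and in the `-nostdlib|-ffreestanding` arm, but `case` stops at the first match, so `-nostdlib` only clears the PIE flags and never reaches `force_stack_protector=0`; an object built with `-nostdlib` therefore still gets `-fstack-protector-strong` and may fail to link against the missing `__stack_chk_fail` runtime. Ending the first arm with `;;&` instead of `;;` (bash 4 "test the next pattern too") lets `-nostdlib` hit both arms, or the assignment can be repeated in the first arm. Separately, the PATH scan at the bottom never `break`s, so the last matching directory in PATH wins rather than the first non-wrapper one, and when nothing matches the script runs `exec false …`, which exits 1 with no diagnostic; adding `break` after `unwrapped="$binary"` and `[[ "$unwrapped" != false ]] || error "no ${0##*/} found in PATH"` before the `exec` fixes both. The `"$binary" != "$0"` string comparison also presumably misses the wrapper itself when PATH spells its directory differently (trailing slash, symlinked path), which would make the wrapper re-exec itself — `[[ "$binary" -ef "$0" ]]` compares the files rather than the strings.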
hardening-wrapper/trunk/cc-wrapper.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: hardening-wrapper/trunk/path.sh
===================================================================
--- hardening-wrapper/trunk/path.sh (rev 0)
+++ hardening-wrapper/trunk/path.sh 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1 @@
+export PATH="/usr/lib/hardening-wrapper/bin:$PATH"
