Date: Sunday, August 3, 2014 @ 17:56:10 Author: thestinger Revision: 116793
upgpkg: hardening-wrapper 5-1

Added:
 hardening-wrapper/trunk/ld-wrapper.sh
Modified:
 hardening-wrapper/trunk/PKGBUILD
 hardening-wrapper/trunk/cc-wrapper.sh

---------------+
 PKGBUILD | 13 ++++++++++---
 cc-wrapper.sh | 23 +++--------------------
 ld-wrapper.sh | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 23 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-08-03 15:37:09 UTC (rev 116792)
+++ PKGBUILD 2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,6 +1,6 @@
 # Maintainer: Daniel Micay <[email protected]>
 pkgname=hardening-wrapper
-pkgver=4
+pkgver=5
 pkgrel=1
 pkgdesc='Wrapper script for building hardened executables by default'
 arch=(i686 x86_64)
@@ -8,8 +8,10 @@
 license=('GPL')
 depends=(bash)
 backup=(etc/hardening-wrapper.conf)
-source=(cc-wrapper.sh path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
-sha1sums=('68dcca1219f56d8578158e18db8f1a39bab46807'
+source=(cc-wrapper.sh ld-wrapper.sh path.sh
+ hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
+sha1sums=('996ceb802ace34ad0fbd253edc20bd1376cfe4bc'
+ 'cbccd615be70f9f287b0c8a17ad450462bb46eba'
 '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc'
 '4d7a8f4818c531ce7002e860e0654b42b6147037'
 '50db33c08439393b673c23d542e274beef44fbdd')
@@ -28,4 +30,9 @@
 ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
 ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
 ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+
+ install -m755 ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.bfd"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.gold"
 }

Modified: cc-wrapper.sh
===================================================================
--- cc-wrapper.sh 2014-08-03 15:37:09 UTC (rev 116792)
+++ cc-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,17 +1,13 @@
 #!/bin/bash
 
-set -o nounset
-
 declare -A default
 while IFS== read key value; do
 default["$key"]="$value"
 done < /etc/hardening-wrapper.conf
 
-force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
 force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
 force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
 force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
 force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
 force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
 
@@ -20,7 +16,6 @@
 exit 1
 }
 
-linking=1
 optimizing=0
 
 for opt; do
@@ -33,7 +28,7 @@
 force_fPIE=0
 ;;
 -c)
- linking=0
+ force_pie=0
 ;;
 -nostdlib|-ffreestanding)
 force_stack_protector=0
@@ -50,14 +45,8 @@
 esac
 done
 
-arguments=()
+arguments=(-B/usr/lib/hardening-wrapper/bin)
 
-case "$force_bindnow" in
- 0) ;;
- 1) (( linking )) && arguments+=(-Wl,-z,now) ;;
- *) error 'invalid value for HARDENING_BINDNOW' ;;
-esac
-
 case "$force_fPIE" in
 0) ;;
 1) arguments+=(-fPIE) ;;
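Review bot: Dropping `set -o nounset` in the first cc-wrapper.sh hunk leaves the script with no guard against a misspelled variable silently expanding to an empty string, and nothing in the hunks says why it had to go. If the motivation was expanding `"${arguments[@]}"` on an empty array, that is no longer a concern in this revision because hunk four now always seeds the array with `-B/usr/lib/hardening-wrapper/bin`, so the line could stay. That `-B` entry is also the only thing that makes the relro/now defaults removed from this file reach the link step (presumably via the `ld` symlinks the PKGBUILD hunk installs into that directory), which is worth a comment so nobody removes it as redundant, e.g. `# -B makes the compiler driver find ld-wrapper.sh, which adds -z relro / -z now`. The directory is spelled out again in the PKGBUILD hunk on this page; the two must stay in step.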
@@ -72,16 +61,10 @@
 
 case "$force_pie" in
 0) ;;
- 1) (( linking )) && arguments+=(-pie) ;;
+ 1) arguments+=(-pie) ;;
 *) error 'invalid value for HARDENING_PIE' ;;
 esac
 
-case "$force_relro" in
- 0) ;;
- 1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
- *) error 'invalid value for HARDENING_RELRO' ;;
-esac
-
 case "$force_stack_check" in
 0) ;;
 1) arguments+=(-fstack-check) ;;

Added: ld-wrapper.sh
===================================================================
--- ld-wrapper.sh (rev 0)
+++ ld-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793)
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+declare -A default
+while IFS== read key value; do
+ default["$key"]="$value"
+done < /etc/hardening-wrapper.conf
+
+force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
+force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) arguments+=(-z now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) arguments+=(-z relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+ unwrapped="$binary"
+ break
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
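Review bot: `error` is called from both case statements in the new ld-wrapper.sh but is never defined in this file; cc-wrapper.sh appears to carry its own `error` function (the `exit 1` / `}` context in its second hunk), and nothing here sources it. Because the script runs without `set -e`, an invalid HARDENING_BINDNOW or HARDENING_RELRO value prints "error: command not found" and then exec's the real linker without `-z relro` / `-z now`, so the hardening is dropped silently instead of the build failing. The `unwrapped=false` fallback fails the same quiet way: when no other `ld` is found on PATH, the last line runs `false` with the link arguments and exits 1 with no diagnostic. The self-check `"$binary" != "$0"` also compares path strings only, so if the wrapper directory is reachable from PATH under a different spelling the loop may select the wrapper itself and re-exec it indefinitely; comparing canonical paths or skipping the wrapper's own directory would be more robust. The rewrite below defines `error`, initialises `arguments`, and fails with a message when no real linker is found.
```shell
error() {
  printf '%s: %s\n' "${0##*/}" "$1" >&2
  exit 1
}

# … unchanged: config parsing and HARDENING_* defaults …

arguments=()

# … unchanged: bindnow/relro case statements …

unwrapped=
# … unchanged: PATH search loop …
[[ -n "$unwrapped" ]] || error "could not find the real ${0##*/} in PATH"

exec "$unwrapped" "${arguments[@]}" "$@"
```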
