[PATCH 3/3] Dpkg::Vendor::Ubuntu: Handle hardening in DEB_BUILD_OPTIONS

Colin Watson Thu, 20 May 2010 06:36:12 -0700

Handle hardening-wrapper options via DEB_BUILD_OPTIONS.  Originally
contributed by Kees Cook.  This is Ubuntu-specific for now, pending
agreement on a better interface; see #489771 for background.
---
 scripts/Dpkg/Vendor/Ubuntu.pm |   39 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 39 insertions(+), 0 deletions(-)


diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index fa4b7d0..d9ff1b8 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -27,6 +27,7 @@ our $VERSION = "0.01";
 use Dpkg::ErrorHandling;
 use Dpkg::Gettext;
 use Dpkg::Control::Types;
+use Dpkg::BuildOptions;
 
 use base 'Dpkg::Vendor::Debian';
 
@@ -95,6 +96,44 @@ sub run_hook {
        # Per https://wiki.ubuntu.com/DistCompilerFlags
        $flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor');
 
+       # Allow control of hardening-wrapper via dpkg-buildpackage 
DEB_BUILD_OPTIONS
+       my $build_opts = Dpkg::BuildOptions->new();
+       my $hardening;
+       if ($build_opts->has("hardening")) {
+           $hardening = $build_opts->get("hardening");
+           $hardening = 1 unless defined $hardening;
+       }
+       if ($build_opts->has("nohardening")) {
+           $hardening = 0;
+       }
+       if (defined $hardening) {
+           my $flag = 'DEB_BUILD_HARDENING';
+           if ($hardening ne "0") {
+               if (! -x '/usr/bin/hardened-cc') {
+                   syserr(_g("'hardening' flag found but 'hardening-wrapper' 
not installed"));
+               }
+               if ($hardening ne "1") {
+                   my @options = split(/,\s*/, $hardening);
+                   $hardening = 1;
+
+                   my @hardopts = ('format', 'fortify', 'stackprotector',
+                                   'pie', 'relro');
+                   foreach my $item (@hardopts) {
+                       my $upitem = uc($item);
+                       foreach my $option (@options) {
+                           if ($option =~ /^(no)?$item$/) {
+                               $flags->set($flag.'_'.$upitem, not defined $1 
or $1 eq "", 'env');
+                           }
+                       }
+                   }
+               }
+           }
+           if (defined $ENV{$flag}) {
+               info(_g("overriding %s in environment: %s"), $flag, $hardening);
+           }
+           $flags->set($flag, $hardening, 'env');
+       }
+
     } else {
         return $self->SUPER::run_hook($hook, @params);
     }
-- 
1.7.1


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]

[PATCH 3/3] Dpkg::Vendor::Ubuntu: Handle hardening in DEB_BUILD_OPTIONS

Reply via email to