[arch-commits] Commit in hardening-wrapper/trunk (3 files)
Date: Sunday, August 2, 2015 @ 03:30:16 Author: thestinger Revision: 137679 upgpkg: hardening-wrapper 10-1 Modified: hardening-wrapper/trunk/PKGBUILD hardening-wrapper/trunk/hardening-wrapper-i686.conf hardening-wrapper/trunk/hardening-wrapper-x86_64.conf ---+ PKGBUILD |8 hardening-wrapper-i686.conf |2 +- hardening-wrapper-x86_64.conf |2 +- 3 files changed, 6 insertions(+), 6 deletions(-) Modified: PKGBUILD === --- PKGBUILD2015-08-02 01:29:25 UTC (rev 137678) +++ PKGBUILD2015-08-02 01:30:16 UTC (rev 137679) @@ -1,7 +1,7 @@ # $Id$ # Maintainer: Daniel Micay pkgname=hardening-wrapper -pkgver=9 +pkgver=10 pkgrel=1 pkgdesc='Wrapper scripts for building hardened executables by default' arch=(i686 x86_64) @@ -11,10 +11,10 @@ backup=(etc/hardening-wrapper.conf) source=("$pkgname-$pkgver.tar.gz::https://github.com/thestinger/hardening-wrapper/archive/$pkgver.tar.gz"; path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf) -sha1sums=('c71a3ea32759c71b779e532c6911d93dba301271' +sha1sums=('61e8c7e3062e6830cd7b190aa6b81834138a7137' '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc' - '4d7a8f4818c531ce7002e860e0654b42b6147037' - '50db33c08439393b673c23d542e274beef44fbdd') + '6729f0a6d2af72b6def9383e8104d0f763d3f01d' + '9453d7984a4a90aa884a51a7bf1bd2c72cbddc9f') package() { install -Dm644 hardening-wrapper-${CARCH}.conf "$pkgdir/etc/hardening-wrapper.conf" Modified: hardening-wrapper-i686.conf === --- hardening-wrapper-i686.conf 2015-08-02 01:29:25 UTC (rev 137678) +++ hardening-wrapper-i686.conf 2015-08-02 01:30:16 UTC (rev 137679) @@ -2,5 +2,5 @@ HARDENING_PIE=0 HARDENING_FORTIFY=2 HARDENING_RELRO=1 -HARDENING_STACK_CHECK=0 +HARDENING_STACK_CHECK=1 HARDENING_STACK_PROTECTOR=2 Modified: hardening-wrapper-x86_64.conf === --- hardening-wrapper-x86_64.conf 2015-08-02 01:29:25 UTC (rev 137678) +++ hardening-wrapper-x86_64.conf 2015-08-02 01:30:16 UTC (rev 137679) 
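Review bot: The tarball that `source=` fetches from GitHub is pinned only by `sha1sums`, a weak digest for the one entry in this array that comes from the network. makepkg also accepts `sha256sums=(...)`; renaming the array and regenerating the four values with `makepkg -g` keeps the same workflow with a stronger hash. The URL is HTTPS, so this is defence in depth rather than the only integrity check.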
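Review bot: Existing installs with an edited `/etc/hardening-wrapper.conf` will not pick up the new `HARDENING_STACK_CHECK=1` default set here and in the x86_64 file in the next hunk. The PKGBUILD lists that path under `backup=`, so pacman keeps a locally modified copy and writes the new one as `.pacnew`. Judging by the older cc-wrapper.sh further down this page, the value 1 adds `-fstack-check` to every compile, so it changes code generation for everything built through the wrapper. A post-upgrade message, or a line in the commit description telling users to merge the `.pacnew`, would make the change visible to the people it does not reach automatically.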
@@ -2,5 +2,5 @@
 HARDENING_PIE=1
 HARDENING_FORTIFY=2
 HARDENING_RELRO=1
-HARDENING_STACK_CHECK=0
+HARDENING_STACK_CHECK=1
 HARDENING_STACK_PROTECTOR=2
[arch-commits] Commit in hardening-wrapper/trunk (3 files)
Date: Friday, December 26, 2014 @ 02:14:54 Author: thestinger Revision: 124589 upgpkg: hardening-wrapper 8-1 Deleted: hardening-wrapper/trunk/cc-wrapper.sh hardening-wrapper/trunk/common.sh hardening-wrapper/trunk/ld-wrapper.sh ---+ cc-wrapper.sh | 79 common.sh | 24 - ld-wrapper.sh | 25 - 3 files changed, 128 deletions(-)
Deleted: cc-wrapper.sh
===
--- cc-wrapper.sh 2014-12-26 01:10:39 UTC (rev 124588)
+++ cc-wrapper.sh 2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,79 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/hardening-wrapper/common.sh
-
-declare -A default
-while IFS== read key value; do
- default["$key"]="$value"
-done < /etc/hardening-wrapper.conf
-
-force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
-force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
-force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
-
-optimizing=0
-
-for opt; do
- case "$opt" in
- -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
- force_fPIE=0
- force_pie=0
- ;;
--fPIC|-fpic|-fPIE|-fpie)
- force_fPIE=0
- ;;
--c|-E|-S)
- force_pie=0
- ;;
--nostdlib|-ffreestanding)
- force_stack_protector=0
- ;;
--D_FORTIFY_SOURCE*)
- force_fortify=0
- ;;
--O0)
- optimizing=0
- ;;
--O*)
- optimizing=1
- ;;
- esac
-done
-
-arguments=(-B/usr/lib/hardening-wrapper/bin)
-
-case "$force_fPIE" in
- 0) ;;
- 1) arguments+=(-fPIE) ;;
- *) error 'invalid value for HARDENING_PIE' ;;
-esac
-
-case "$force_fortify" in
- 0) ;;
- 1|2) (( optimizing )) && arguments+=(-D_FORTIFY_SOURCE=$force_fortify) ;;
- *) error 'invalid value for HARDENING_FORTIFY' ;;
-esac
-
-case "$force_pie" in
- 0) ;;
- 1) arguments+=(-pie) ;;
- *) error 'invalid value for HARDENING_PIE' ;;
-esac
-
-case "$force_stack_check" in
- 0) ;;
- 1) arguments+=(-fstack-check) ;;
- *) error 'invalid value for HARDENING_STACK_CHECK' ;;
-esac
-
-case "$force_stack_protector" in
- 0) ;;
- 1) arguments+=(-fstack-protector) ;;
- 2) arguments+=(-fstack-protector-strong) ;;
- 3) arguments+=(-fstack-protector-all) ;;
- *) error 'invalid value for HARDENING_STACK_PROTECTOR' ;;
-esac
-
-run_wrapped_binary "$@"
Deleted: common.sh
===
--- common.sh 2014-12-26 01:10:39 UTC (rev 124588)
+++ common.sh 2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,24 +0,0 @@
-error() {
- printf "%s\n" "$1" >&2
- exit 1
-}
-
-run_wrapped_binary() {
- # search for the wrapped binary in $PATH
- #
- # ignore paths before our own for compatibility with other wrappers
- unwrapped=false
- self=false
- IFS=: read -ra path <<< "$PATH";
- for p in "${path[@]}"; do
-binary="$p/${0##*/}"
-if $self && [[ -x "$binary" ]]; then
- unwrapped="$binary"
- break
-elif [[ "$binary" -ef "$0" ]]; then
- self=true
-fi
- done
-
- exec "$unwrapped" "${arguments[@]}" "$@"
-}
Deleted: ld-wrapper.sh
===
--- ld-wrapper.sh 2014-12-26 01:10:39 UTC (rev 124588)
+++ ld-wrapper.sh 2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/hardening-wrapper/common.sh
-
-declare -A default
-while IFS== read key value; do
- default["$key"]="$value"
-done < /etc/hardening-wrapper.conf
-
-force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
-force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
-
-case "$force_bindnow" in
- 0) ;;
- 1) arguments+=(-z now) ;;
- *) error 'invalid value for HARDENING_BINDNOW' ;;
-esac
-
-case "$force_relro" in
- 0) ;;
- 1) arguments+=(-z relro) ;;
- *) error 'invalid value for HARDENING_RELRO' ;;
-esac
-
-run_wrapped_binary "$@"
[arch-commits] Commit in hardening-wrapper/trunk (3 files)
Date: Sunday, August 3, 2014 @ 17:56:10 Author: thestinger Revision: 116793 upgpkg: hardening-wrapper 5-1 Added: hardening-wrapper/trunk/ld-wrapper.sh Modified: hardening-wrapper/trunk/PKGBUILD hardening-wrapper/trunk/cc-wrapper.sh ---+ PKGBUILD | 13 ++--- cc-wrapper.sh | 23 +++ ld-wrapper.sh | 33 + 3 files changed, 46 insertions(+), 23 deletions(-) Modified: PKGBUILD === --- PKGBUILD2014-08-03 15:37:09 UTC (rev 116792) +++ PKGBUILD2014-08-03 15:56:10 UTC (rev 116793) @@ -1,6 +1,6 @@ # Maintainer: Daniel Micay pkgname=hardening-wrapper -pkgver=4 +pkgver=5 pkgrel=1 pkgdesc='Wrapper script for building hardened executables by default' arch=(i686 x86_64) @@ -8,8 +8,10 @@ license=('GPL') depends=(bash) backup=(etc/hardening-wrapper.conf) -source=(cc-wrapper.sh path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf) -sha1sums=('68dcca1219f56d8578158e18db8f1a39bab46807' +source=(cc-wrapper.sh ld-wrapper.sh path.sh +hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf) +sha1sums=('996ceb802ace34ad0fbd253edc20bd1376cfe4bc' + 'cbccd615be70f9f287b0c8a17ad450462bb46eba' '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc' '4d7a8f4818c531ce7002e860e0654b42b6147037' '50db33c08439393b673c23d542e274beef44fbdd') @@ -28,4 +30,9 @@ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++" ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc" ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++" + + install -m755 ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper" + ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld" + ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.bfd" + ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.gold" } Modified: cc-wrapper.sh === --- cc-wrapper.sh 2014-08-03 15:37:09 UTC (rev 116792) +++ cc-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793) 
@@ -1,17 +1,13 @@ #!/bin/bash -set -o nounset - declare -A default while IFS== read key value; do default["$key"]="$value" done < /etc/hardening-wrapper.conf -force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}" force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}" force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}" force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}" -force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}" force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}" force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}" @@ -20,7 +16,6 @@ exit 1 } -linking=1 optimizing=0 for opt; do @@ -33,7 +28,7 @@ force_fPIE=0 ;; -c) - linking=0 + force_pie=0 ;; -nostdlib|-ffreestanding) force_stack_protector=0 @@ -50,14 +45,8 @@ esac done -arguments=() +arguments=(-B/usr/lib/hardening-wrapper/bin) -case "$force_bindnow" in - 0) ;; - 1) (( linking )) && arguments+=(-Wl,-z,now) ;; - *) error 'invalid value for HARDENING_BINDNOW' ;; -esac - case "$force_fPIE" in 0) ;; 1) arguments+=(-fPIE) ;; @@ -72,16 +61,10 @@ case "$force_pie" in 0) ;; - 1) (( linking )) && arguments+=(-pie) ;; + 1) arguments+=(-pie) ;; *) error 'invalid value for HARDENING_PIE' ;; esac -case "$force_relro" in - 0) ;; - 1) (( linking )) && arguments+=(-Wl,-z,relro) ;; - *) error 'invalid value for HARDENING_RELRO' ;; -esac - case "$force_stack_check" in 0) ;; 1) arguments+=(-fstack-check) ;; Added: ld-wrapper.sh === --- ld-wrapper.sh (rev 0) +++ ld-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793) 
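Review bot: In the `-c)` arm, `force_pie=0` now stands in for the removed `linking` flag, but only `-c` is treated as a non-linking invocation. `-E` and `-S` also stop before the link step, so `-pie` is still appended for them now that the `(( linking ))` guard is gone from the `force_pie` case. Widening the pattern to `-c|-E|-S)` keeps the link-only flag off every compile-only run. The `case "$opt"` statement this arm belongs to starts and ends outside the hunk.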
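Review bot: `arguments=(-B/usr/lib/hardening-wrapper/bin)` is now the only thing connecting a compile to the RELRO and BIND_NOW flags, and nothing in the script says so. The `-Wl,-z,relro` and `-Wl,-z,now` arms are removed in this hunk and the last one, so both flags apply only if the driver resolves its linker through that `-B` directory and finds one of the `ld`, `ld.bfd` or `ld.gold` symlinks the PKGBUILD installs. A comment above the assignment such as `# -B makes the driver run our ld wrapper, which adds -z relro / -z now` would record the dependency. It is also worth confirming that a build selecting a linker under another name does not silently lose both flags.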
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+declare -A default
+while IFS== read key value; do
+ default["$key"]="$value"
+done < /etc/hardening-wrapper.conf
+
+force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
+force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) arguments+=(-z now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) arguments+=(-z relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+unwrapped="$binary"
+break
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
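Review bot: Both `*)` arms call `error`, but this new file neither defines it nor sources anything that does. An invalid `HARDENING_BINDNOW` or `HARDENING_RELRO` value therefore prints "command not found" and the script carries on to `exec` the real linker without that flag, so it fails open. Defining it at the top, `error() { printf '%s\n' "$1" >&2; exit 1; }`, restores the hard stop that cc-wrapper.sh appears to have. The PATH loop also recognises itself by string comparison (`"$binary" != "$0"`), which can select the wrapper again when the same directory is reachable under another spelling; `[[ ! "$binary" -ef "$0" && -x "$binary" ]]` compares the files instead. When no candidate is found the script runs `false` with the linker arguments and exits 1 silently, so an explicit diagnostic before the `exec` would help.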