[arch-commits] Commit in hardening-wrapper/trunk (3 files)

2015-08-01 Thread Daniel Micay
Date: Sunday, August 2, 2015 @ 03:30:16
  Author: thestinger
Revision: 137679

upgpkg: hardening-wrapper 10-1

Modified:
  hardening-wrapper/trunk/PKGBUILD
  hardening-wrapper/trunk/hardening-wrapper-i686.conf
  hardening-wrapper/trunk/hardening-wrapper-x86_64.conf

---+
 PKGBUILD  |8 
 hardening-wrapper-i686.conf   |2 +-
 hardening-wrapper-x86_64.conf |2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2015-08-02 01:29:25 UTC (rev 137678)
+++ PKGBUILD2015-08-02 01:30:16 UTC (rev 137679)
@@ -1,7 +1,7 @@
 # $Id$
 # Maintainer: Daniel Micay 
 pkgname=hardening-wrapper
-pkgver=9
+pkgver=10
 pkgrel=1
 pkgdesc='Wrapper scripts for building hardened executables by default'
 arch=(i686 x86_64)
@@ -11,10 +11,10 @@
 backup=(etc/hardening-wrapper.conf)
 
source=("$pkgname-$pkgver.tar.gz::https://github.com/thestinger/hardening-wrapper/archive/$pkgver.tar.gz";
 path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
-sha1sums=('c71a3ea32759c71b779e532c6911d93dba301271'
+sha1sums=('61e8c7e3062e6830cd7b190aa6b81834138a7137'
   '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc'
-  '4d7a8f4818c531ce7002e860e0654b42b6147037'
-  '50db33c08439393b673c23d542e274beef44fbdd')
+  '6729f0a6d2af72b6def9383e8104d0f763d3f01d'
+  '9453d7984a4a90aa884a51a7bf1bd2c72cbddc9f')
 
 package() {
   install -Dm644 hardening-wrapper-${CARCH}.conf 
"$pkgdir/etc/hardening-wrapper.conf"

Modified: hardening-wrapper-i686.conf
===
--- hardening-wrapper-i686.conf 2015-08-02 01:29:25 UTC (rev 137678)
+++ hardening-wrapper-i686.conf 2015-08-02 01:30:16 UTC (rev 137679)
@@ -2,5 +2,5 @@
 HARDENING_PIE=0
 HARDENING_FORTIFY=2
 HARDENING_RELRO=1
-HARDENING_STACK_CHECK=0
+HARDENING_STACK_CHECK=1
 HARDENING_STACK_PROTECTOR=2
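Review bot: Flipping `HARDENING_STACK_CHECK` to 1 here, and again in the x86_64 hunk below, changes the flags of every wrapped compiler invocation, yet neither the file nor the commit message ("upgpkg: hardening-wrapper 10-1") says so. In the cc-wrapper.sh revisions shown further down this page the value 1 maps to `-fstack-check`; the version 10 wrapper is not visible here, so that mapping is assumed to still hold. Because the PKGBUILD lists `etc/hardening-wrapper.conf` under `backup=`, a locally edited config keeps the old 0 and the new file lands beside it as a .pacnew. An upgrade note along the lines of `HARDENING_STACK_CHECK now defaults to 1 (-fstack-check); merge hardening-wrapper.conf.pacnew if you edited the config` would make the change visible. The first line of the file lies outside the hunk.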

Modified: hardening-wrapper-x86_64.conf
===
--- hardening-wrapper-x86_64.conf   2015-08-02 01:29:25 UTC (rev 137678)
+++ hardening-wrapper-x86_64.conf   2015-08-02 01:30:16 UTC (rev 137679)
@@ -2,5 +2,5 @@
 HARDENING_PIE=1
 HARDENING_FORTIFY=2
 HARDENING_RELRO=1
-HARDENING_STACK_CHECK=0
+HARDENING_STACK_CHECK=1
 HARDENING_STACK_PROTECTOR=2


[arch-commits] Commit in hardening-wrapper/trunk (3 files)

2014-12-25 Thread Daniel Micay
Date: Friday, December 26, 2014 @ 02:14:54
  Author: thestinger
Revision: 124589

upgpkg: hardening-wrapper 8-1

Deleted:
  hardening-wrapper/trunk/cc-wrapper.sh
  hardening-wrapper/trunk/common.sh
  hardening-wrapper/trunk/ld-wrapper.sh

---+
 cc-wrapper.sh |   79 
 common.sh |   24 -
 ld-wrapper.sh |   25 -
 3 files changed, 128 deletions(-)

Deleted: cc-wrapper.sh
===
--- cc-wrapper.sh   2014-12-26 01:10:39 UTC (rev 124588)
+++ cc-wrapper.sh   2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,79 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/hardening-wrapper/common.sh
-
-declare -A default
-while IFS== read key value; do
-  default["$key"]="$value"
-done < /etc/hardening-wrapper.conf
-
-force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
-force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
-force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
-
-optimizing=0
-
-for opt; do
-  case "$opt" in
-
-fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
-  force_fPIE=0
-  force_pie=0
-  ;;
--fPIC|-fpic|-fPIE|-fpie)
-  force_fPIE=0
-  ;;
--c|-E|-S)
-  force_pie=0
-  ;;
--nostdlib|-ffreestanding)
-  force_stack_protector=0
-  ;;
--D_FORTIFY_SOURCE*)
-  force_fortify=0
-  ;;
--O0)
-  optimizing=0
-  ;;
--O*)
-  optimizing=1
-  ;;
-  esac
-done
-
-arguments=(-B/usr/lib/hardening-wrapper/bin)
-
-case "$force_fPIE" in
-  0) ;;
-  1) arguments+=(-fPIE) ;;
-  *) error 'invalid value for HARDENING_PIE' ;;
-esac
-
-case "$force_fortify" in
-  0) ;;
-  1|2) (( optimizing )) && arguments+=(-D_FORTIFY_SOURCE=$force_fortify) ;;
-  *) error 'invalid value for HARDENING_FORTIFY' ;;
-esac
-
-case "$force_pie" in
-  0) ;;
-  1) arguments+=(-pie) ;;
-  *) error 'invalid value for HARDENING_PIE' ;;
-esac
-
-case "$force_stack_check" in
-  0) ;;
-  1) arguments+=(-fstack-check) ;;
-  *) error 'invalid value for HARDENING_STACK_CHECK' ;;
-esac
-
-case "$force_stack_protector" in
-  0) ;;
-  1) arguments+=(-fstack-protector) ;;
-  2) arguments+=(-fstack-protector-strong) ;;
-  3) arguments+=(-fstack-protector-all) ;;
-  *) error 'invalid value for HARDENING_STACK_PROTECTOR' ;;
-esac
-
-run_wrapped_binary "$@"

Deleted: common.sh
===
--- common.sh   2014-12-26 01:10:39 UTC (rev 124588)
+++ common.sh   2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,24 +0,0 @@
-error() {
-  printf "%s\n" "$1" >&2
-  exit 1
-}
-
-run_wrapped_binary() {
-  # search for the wrapped binary in $PATH
-  #
-  # ignore paths before our own for compatibility with other wrappers
-  unwrapped=false
-  self=false
-  IFS=: read -ra path <<< "$PATH";
-  for p in "${path[@]}"; do
-binary="$p/${0##*/}"
-if $self && [[ -x "$binary" ]]; then
-  unwrapped="$binary"
-  break
-elif [[ "$binary" -ef "$0" ]]; then
-  self=true
-fi
-  done
-
-  exec "$unwrapped" "${arguments[@]}" "$@"
-}

Deleted: ld-wrapper.sh
===
--- ld-wrapper.sh   2014-12-26 01:10:39 UTC (rev 124588)
+++ ld-wrapper.sh   2014-12-26 01:14:54 UTC (rev 124589)
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/hardening-wrapper/common.sh
-
-declare -A default
-while IFS== read key value; do
-  default["$key"]="$value"
-done < /etc/hardening-wrapper.conf
-
-force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
-force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
-
-case "$force_bindnow" in
-  0) ;;
-  1) arguments+=(-z now) ;;
-  *) error 'invalid value for HARDENING_BINDNOW' ;;
-esac
-
-case "$force_relro" in
-  0) ;;
-  1) arguments+=(-z relro) ;;
-  *) error 'invalid value for HARDENING_RELRO' ;;
-esac
-
-run_wrapped_binary "$@"


[arch-commits] Commit in hardening-wrapper/trunk (3 files)

2014-08-03 Thread Daniel Micay
Date: Sunday, August 3, 2014 @ 17:56:10
  Author: thestinger
Revision: 116793

upgpkg: hardening-wrapper 5-1

Added:
  hardening-wrapper/trunk/ld-wrapper.sh
Modified:
  hardening-wrapper/trunk/PKGBUILD
  hardening-wrapper/trunk/cc-wrapper.sh

---+
 PKGBUILD  |   13 ++---
 cc-wrapper.sh |   23 +++
 ld-wrapper.sh |   33 +
 3 files changed, 46 insertions(+), 23 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2014-08-03 15:37:09 UTC (rev 116792)
+++ PKGBUILD2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,6 +1,6 @@
 # Maintainer: Daniel Micay 
 pkgname=hardening-wrapper
-pkgver=4
+pkgver=5
 pkgrel=1
 pkgdesc='Wrapper script for building hardened executables by default'
 arch=(i686 x86_64)
@@ -8,8 +8,10 @@
 license=('GPL')
 depends=(bash)
 backup=(etc/hardening-wrapper.conf)
-source=(cc-wrapper.sh path.sh hardening-wrapper-i686.conf 
hardening-wrapper-x86_64.conf)
-sha1sums=('68dcca1219f56d8578158e18db8f1a39bab46807'
+source=(cc-wrapper.sh ld-wrapper.sh path.sh
+hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
+sha1sums=('996ceb802ace34ad0fbd253edc20bd1376cfe4bc'
+  'cbccd615be70f9f287b0c8a17ad450462bb46eba'
   '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc'
   '4d7a8f4818c531ce7002e860e0654b42b6147037'
   '50db33c08439393b673c23d542e274beef44fbdd')
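Review bot: The `sha1sums` array is the only integrity pin makepkg has for these sources, and SHA-1 no longer provides the collision resistance such a pin relies on. makepkg accepts a `sha256sums=(...)` array in its place; after renaming the array, `makepkg -g` prints freshly computed values to paste in. The same applies to the second PKGBUILD hunk of revision 137679 earlier on this page, where the first entry covers a tarball downloaded from GitHub rather than a file kept beside the PKGBUILD.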
@@ -28,4 +30,9 @@
   ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
   ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
   ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+
+  install -m755 ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+  ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld"
+  ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.bfd"
+  ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.gold"
 }

Modified: cc-wrapper.sh
===
--- cc-wrapper.sh   2014-08-03 15:37:09 UTC (rev 116792)
+++ cc-wrapper.sh   2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,17 +1,13 @@
 #!/bin/bash
 
-set -o nounset
-
 declare -A default
 while IFS== read key value; do
   default["$key"]="$value"
 done < /etc/hardening-wrapper.conf
 
-force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
 force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
 force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
 force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
 
force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
 
force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
 
@@ -20,7 +16,6 @@
   exit 1
 }
 
-linking=1
 optimizing=0
 
 for opt; do
@@ -33,7 +28,7 @@
   force_fPIE=0
   ;;
 -c)
-  linking=0
+  force_pie=0
   ;;
 -nostdlib|-ffreestanding)
   force_stack_protector=0
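Review bot: Only `-c` clears `force_pie` in this arm, but `-E` and `-S` also stop before the link step, so those runs still receive `-pie`, as they did under the old `linking` flag. Widening the pattern to `-c|-E|-S)` keeps the link-only flag off invocations that never link; a compiler that warns about unused arguments may otherwise fail such builds under `-Werror`. The `case` statement and its enclosing `for opt` loop begin and end outside this hunk.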
@@ -50,14 +45,8 @@
   esac
 done
 
-arguments=()
+arguments=(-B/usr/lib/hardening-wrapper/bin)
 
-case "$force_bindnow" in
-  0) ;;
-  1) (( linking )) && arguments+=(-Wl,-z,now) ;;
-  *) error 'invalid value for HARDENING_BINDNOW' ;;
-esac
-
 case "$force_fPIE" in
   0) ;;
   1) arguments+=(-fPIE) ;;
@@ -72,16 +61,10 @@
 
 case "$force_pie" in
   0) ;;
-  1) (( linking )) && arguments+=(-pie) ;;
+  1) arguments+=(-pie) ;;
   *) error 'invalid value for HARDENING_PIE' ;;
 esac
 
-case "$force_relro" in
-  0) ;;
-  1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
-  *) error 'invalid value for HARDENING_RELRO' ;;
-esac
-
 case "$force_stack_check" in
   0) ;;
   1) arguments+=(-fstack-check) ;;

Added: ld-wrapper.sh
===
--- ld-wrapper.sh   (rev 0)
+++ ld-wrapper.sh   2014-08-03 15:56:10 UTC (rev 116793)
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+declare -A default
+while IFS== read key value; do
+  default["$key"]="$value"
+done < /etc/hardening-wrapper.conf
+
+force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
+force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
+
+case "$force_bindnow" in
+  0) ;;
+  1) arguments+=(-z now) ;;
+  *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_relro" in
+  0) ;;
+  1) arguments+=(-z relro) ;;
+  *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+  binary="$p/${0##*/}"
+  if [[ "$binary" != "$0" && -x "$binary" ]]; then
+unwrapped="$binary"
+break
+  fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
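Review bot: `error` is called in both `case` blocks of this new file but is neither defined nor sourced here, so an invalid `HARDENING_BINDNOW` or `HARDENING_RELRO` value produces a "command not found" message and the script goes on to exec the linker anyway. The lookup loop compares `"$binary" != "$0"` as strings, so a PATH entry that reaches the wrapper under a different spelling (relative path, doubled slash, symlinked directory) is accepted as the real linker and the wrapper re-executes itself; `-ef` compares the files rather than their names. When no candidate is found the script execs `false` with the linker arguments and exits 1 without any message. `arguments` is only ever appended to, so a variable of that name inherited from the environment would become the first linker argument. The fence shows the changed parts.

```bash
error() {
  printf '%s\n' "$1" >&2
  exit 1
}

# start from an empty list instead of whatever the environment exported
arguments=()

# … unchanged: config parsing and the HARDENING_BINDNOW / HARDENING_RELRO case blocks …

unwrapped=
IFS=: read -ra path <<< "$PATH"
for p in "${path[@]}"; do
  binary="$p/${0##*/}"
  # -ef follows symlinks, so the wrapper is skipped however it is spelled
  if [[ -x "$binary" && ! "$binary" -ef "$0" ]]; then
    unwrapped="$binary"
    break
  fi
done

[[ -n "$unwrapped" ]] || error "no unwrapped ${0##*/} found in PATH"
exec "$unwrapped" "${arguments[@]}" "$@"
```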