[PATCH 3/3] Dpkg::Vendor::Ubuntu: Handle hardening in DEB_BUILD_OPTIONS
Handle hardening-wrapper options via DEB_BUILD_OPTIONS. Originally
contributed by Kees Cook. This is Ubuntu-specific for now, pending
agreement on a better interface; see #489771 for background.
---
scripts/Dpkg/Vendor/Ubuntu.pm | 39 +++++++++++++++++++++++++++++++++++++++
1 files changed, 39 insertions(+), 0 deletions(-)
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index fa4b7d0..d9ff1b8 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -27,6 +27,7 @@ our $VERSION = "0.01";
use Dpkg::ErrorHandling;
use Dpkg::Gettext;
use Dpkg::Control::Types;
+use Dpkg::BuildOptions;
use base 'Dpkg::Vendor::Debian';
@@ -95,6 +96,44 @@ sub run_hook {
# Per https://wiki.ubuntu.com/DistCompilerFlags
$flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor');
+ # Allow control of hardening-wrapper via dpkg-buildpackage DEB_BUILD_OPTIONS
+ my $build_opts = Dpkg::BuildOptions->new();
+ my $hardening;
+ if ($build_opts->has("hardening")) {
+ $hardening = $build_opts->get("hardening");
+ $hardening = 1 unless defined $hardening;
+ }
+ if ($build_opts->has("nohardening")) {
+ $hardening = 0;
+ }
+ if (defined $hardening) {
+ my $flag = 'DEB_BUILD_HARDENING';
+ if ($hardening ne "0") {
+ if (! -x '/usr/bin/hardened-cc') {
+ syserr(_g("'hardening' flag found but 'hardening-wrapper' not installed"));
+ }
+ if ($hardening ne "1") {
+ my @options = split(/,\s*/, $hardening);
+ $hardening = 1;
+
+ my @hardopts = ('format', 'fortify', 'stackprotector',
+ 'pie', 'relro');
+ foreach my $item (@hardopts) {
+ my $upitem = uc($item);
+ foreach my $option (@options) {
+ if ($option =~ /^(no)?$item$/) {
+ $flags->set($flag.'_'.$upitem, not defined $1 or $1 eq "", 'env');
+ }
+ }
+ }
+ }
+ }
+ if (defined $ENV{$flag}) {
+ info(_g("overriding %s in environment: %s"), $flag, $hardening);
+ }
+ $flags->set($flag, $hardening, 'env');
+ }
+
} else {
return $self->SUPER::run_hook($hook, @params);
}
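Review bot: The `$flags->set($flag.'_'.$upitem, not defined $1 or $1 eq "", 'env')` line inside the inner `foreach my $option` loop does not pass the arguments it looks like it passes: `not` and `or` both bind more loosely than the comma, so I read the argument list as `($flag.'_'.$upitem, not defined $1) or ($1 eq "", 'env')` — with no `no` prefix the method gets the single argument `1`, and with a `no` prefix it gets `("", 'env')`, so no `DEB_BUILD_HARDENING_<ITEM>` variable is ever set and the `'env'` source is dropped. The practical effect is that a per-feature request such as `hardening=nostackprotector` is silently ignored while `DEB_BUILD_HARDENING=1` is still exported, so the maintainer's selection never reaches hardening-wrapper. Computing the value first sidesteps the precedence trap: `my $enabled = defined $1 ? 0 : 1;` followed by `$flags->set($flag.'_'.$upitem, $enabled, 'env');`. A secondary point: `syserr` appends `$!`, which after the failed `-x` test is only the stat error for the hard-coded wrapper path, so `error(...)` from Dpkg::ErrorHandling would give a cleaner message there; note also that the enclosing `run_hook` sub starts before the hunk and its closing brace is not in view.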
--
1.7.1