author | Colin Watson <cjwatson@ubuntu.com> | 2010-05-20 14:18:14 +0100 |
---|---|---|
committer | Raphaƫl Hertzog <hertzog@debian.org> | 2010-05-21 08:21:48 +0200 |
commit | ff75458da0141bb08a5e928037d3e78d3e3382d7 (patch) | |
tree | dce7aa7d5a3ab275b170df0b90b9bb20b6fed0c6 /scripts/Dpkg | |
parent | a69db9e0fb18fe30b5c7910047cacee555345fde (diff) | |
download | dpkg-ff75458da0141bb08a5e928037d3e78d3e3382d7.tar.gz |
Dpkg::Vendor::Ubuntu: Handle hardening in DEB_BUILD_OPTIONS
Handle hardening-wrapper options via DEB_BUILD_OPTIONS. Originally
contributed by Kees Cook. This is Ubuntu-specific for now, pending
agreement on a better interface; see #489771 for background.
Diffstat (limited to 'scripts/Dpkg')
-rw-r--r-- | scripts/Dpkg/Vendor/Ubuntu.pm | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index fa4b7d0aa..d9ff1b8f4 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -27,6 +27,7 @@ our $VERSION = "0.01";
 use Dpkg::ErrorHandling;
 use Dpkg::Gettext;
 use Dpkg::Control::Types;
+use Dpkg::BuildOptions;
 use base 'Dpkg::Vendor::Debian';
@@ -95,6 +96,44 @@ sub run_hook {
 # Per https://wiki.ubuntu.com/DistCompilerFlags
 $flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor');
+ # Allow control of hardening-wrapper via dpkg-buildpackage DEB_BUILD_OPTIONS
+ my $build_opts = Dpkg::BuildOptions->new();
+ my $hardening;
+ if ($build_opts->has("hardening")) {
+ $hardening = $build_opts->get("hardening");
+ $hardening = 1 unless defined $hardening;
+ }
+ if ($build_opts->has("nohardening")) {
+ $hardening = 0;
+ }
+ if (defined $hardening) {
+ my $flag = 'DEB_BUILD_HARDENING';
+ if ($hardening ne "0") {
+ if (! -x '/usr/bin/hardened-cc') {
+ syserr(_g("'hardening' flag found but 'hardening-wrapper' not installed"));
+ }
+ if ($hardening ne "1") {
+ my @options = split(/,\s*/, $hardening);
+ $hardening = 1;
+
+ my @hardopts = ('format', 'fortify', 'stackprotector',
+ 'pie', 'relro');
+ foreach my $item (@hardopts) {
+ my $upitem = uc($item);
+ foreach my $option (@options) {
+ if ($option =~ /^(no)?$item$/) {
+ $flags->set($flag.'_'.$upitem, not defined $1 or $1 eq "", 'env');
+ }
+ }
+ }
+ }
+ }
+ if (defined $ENV{$flag}) {
+ info(_g("overriding %s in environment: %s"), $flag, $hardening);
+ }
+ $flags->set($flag, $hardening, 'env');
+ }
+
 } else {
 return $self->SUPER::run_hook($hook, @params);
 } |
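Review bot: In the second hunk, the per-feature call `$flags->set($flag.'_'.$upitem, not defined $1 or $1 eq "", 'env');` does not pass the three arguments it appears to. `not` and `or` bind more loosely than the comma, so Perl groups the list as `($name, not defined $1) or ($1 eq "", 'env')`. The `DEB_BUILD_HARDENING_<FEATURE>` name then never reaches `set`, so a request such as `hardening=nopie` would most likely not change the hardening state the build runs with. Use a high-precedence form with 0/1 values like those `DEB_BUILD_HARDENING` itself gets: `$flags->set($flag.'_'.$upitem, (defined $1 ? 0 : 1), 'env');`. Separately, the missing-wrapper check calls `syserr`, which (assuming the usual Dpkg::ErrorHandling behaviour) appends `$!` to a message that is not about a failed system call, so `error(...)` would read better. The body of `run_hook` starts and ends outside this hunk.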