[arch-commits] Commit in hardening-wrapper/trunk (3 files)
Daniel Micay
thestinger at archlinux.org
Sun Aug 3 15:56:10 UTC 2014
Date: Sunday, August 3, 2014 @ 17:56:10
Author: thestinger
Revision: 116793
upgpkg: hardening-wrapper 5-1
Added:
hardening-wrapper/trunk/ld-wrapper.sh
Modified:
hardening-wrapper/trunk/PKGBUILD
hardening-wrapper/trunk/cc-wrapper.sh
---------------+
PKGBUILD | 13 ++++++++++---
cc-wrapper.sh | 23 +++--------------------
ld-wrapper.sh | 33 +++++++++++++++++++++++++++++++++
3 files changed, 46 insertions(+), 23 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-08-03 15:37:09 UTC (rev 116792)
+++ PKGBUILD 2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,6 +1,6 @@
# Maintainer: Daniel Micay <danielmicay at gmail.com>
pkgname=hardening-wrapper
-pkgver=4
+pkgver=5
pkgrel=1
pkgdesc='Wrapper script for building hardened executables by default'
arch=(i686 x86_64)
@@ -8,8 +8,10 @@
license=('GPL')
depends=(bash)
backup=(etc/hardening-wrapper.conf)
-source=(cc-wrapper.sh path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
-sha1sums=('68dcca1219f56d8578158e18db8f1a39bab46807'
+source=(cc-wrapper.sh ld-wrapper.sh path.sh
+ hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
+sha1sums=('996ceb802ace34ad0fbd253edc20bd1376cfe4bc'
+ 'cbccd615be70f9f287b0c8a17ad450462bb46eba'
'1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc'
'4d7a8f4818c531ce7002e860e0654b42b6147037'
'50db33c08439393b673c23d542e274beef44fbdd')
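Review bot: The new `ld-wrapper.sh` source is pinned in `sha1sums`, and SHA-1 no longer offers collision resistance. Since the array is being rewritten in this hunk anyway, I would switch all five entries to `sha256sums=(...)`, which makepkg also supports. The sources look like local files shipped next to the PKGBUILD, so the practical exposure is probably small, but the stronger digest costs nothing.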
@@ -28,4 +30,9 @@
ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+
+ install -m755 ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.bfd"
+ ln -s ../ld-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/ld.gold"
}
Modified: cc-wrapper.sh
===================================================================
--- cc-wrapper.sh 2014-08-03 15:37:09 UTC (rev 116792)
+++ cc-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793)
@@ -1,17 +1,13 @@
#!/bin/bash
-set -o nounset
-
declare -A default
while IFS== read key value; do
default["$key"]="$value"
done < /etc/hardening-wrapper.conf
-force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
-force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
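Review bot: Dropping `set -o nounset` at the top of cc-wrapper.sh removes the script's guard against a misspelled variable silently expanding to an empty string. Every expansion visible in this hunk already carries a `:-` default, so I would keep the option unless a line outside the hunk needs it off. If it does, say why in a comment, e.g. `# nounset is off because <reason>`. While this block is being touched, `while IFS== read -r key value; do` would also stop `read` from interpreting backslashes in /etc/hardening-wrapper.conf.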
@@ -20,7 +16,6 @@
exit 1
}
-linking=1
optimizing=0
for opt; do
@@ -33,7 +28,7 @@
force_fPIE=0
;;
-c)
- linking=0
+ force_pie=0
;;
-nostdlib|-ffreestanding)
force_stack_protector=0
@@ -50,14 +45,8 @@
esac
done
-arguments=()
+arguments=(-B/usr/lib/hardening-wrapper/bin)
-case "$force_bindnow" in
- 0) ;;
- 1) (( linking )) && arguments+=(-Wl,-z,now) ;;
- *) error 'invalid value for HARDENING_BINDNOW' ;;
-esac
-
case "$force_fPIE" in
0) ;;
1) arguments+=(-fPIE) ;;
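Review bot: With the `HARDENING_BINDNOW` case removed here (and `HARDENING_RELRO` in the `@@ -72,16 +61,10 @@` hunk), `-z now` and `-z relro` reach the link only if the driver resolves its linker through `-B/usr/lib/hardening-wrapper/bin`. A build that selects a linker with no symlink in that directory, or calls the linker by absolute path, would presumably get neither flag with nothing reporting it; that is inferred, since the rest of the wrapper is outside the hunk. I would document the dependency above the assignment: `# relro/bindnow are added by ld-wrapper.sh, found via -B; linkers not symlinked in that directory bypass them.` The directory also becomes a search prefix for the compiler driver, so it has to stay writable by root only.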
@@ -72,16 +61,10 @@
case "$force_pie" in
0) ;;
- 1) (( linking )) && arguments+=(-pie) ;;
+ 1) arguments+=(-pie) ;;
*) error 'invalid value for HARDENING_PIE' ;;
esac
-case "$force_relro" in
- 0) ;;
- 1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
- *) error 'invalid value for HARDENING_RELRO' ;;
-esac
-
case "$force_stack_check" in
0) ;;
1) arguments+=(-fstack-check) ;;
Added: ld-wrapper.sh
===================================================================
--- ld-wrapper.sh (rev 0)
+++ ld-wrapper.sh 2014-08-03 15:56:10 UTC (rev 116793)
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+declare -A default
+while IFS== read key value; do
+ default["$key"]="$value"
+done < /etc/hardening-wrapper.conf
+
+force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
+force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) arguments+=(-z now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) arguments+=(-z relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+ unwrapped="$binary"
+ break
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
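Review bot: `error` is called in the `*)` arm of both case statements, but ld-wrapper.sh never defines it, so an invalid HARDENING_BINDNOW or HARDENING_RELRO prints "command not found" and the script goes on to exec the linker without the flag; the check fails open. `arguments` is also never initialised, and `unwrapped=false` turns a missing real linker into a silent exit status 1. The string comparison `"$binary" != "$0"` would let the wrapper exec itself if PATH names its directory with a different spelling, such as a trailing slash or a relative entry. The fence below defines `error`, initialises the array, compares files with `-ef`, and reports a missing linker; the message wording is mine, because cc-wrapper.sh's `error` body is outside the visible hunks.

```bash
# … unchanged: shebang …
error() {
    printf '%s: %s\n' "${0##*/}" "$1" >&2
    exit 1
}

arguments=()
# … unchanged: config parsing and the HARDENING_BINDNOW / HARDENING_RELRO cases …

unwrapped=
IFS=: read -ra path <<< "$PATH"
for p in "${path[@]}"; do
    binary="$p/${0##*/}"
    # -ef compares the files themselves, so another spelling of this wrapper's path is skipped too
    if [[ -f "$binary" && -x "$binary" && ! "$binary" -ef "$0" ]]; then
        unwrapped="$binary"
        break
    fi
done

[[ -n "$unwrapped" ]] || error "no unwrapped ${0##*/} found in PATH"
exec "$unwrapped" "${arguments[@]}" "$@"
```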