[arch-commits] Commit in (6 files)
Daniel Micay
thestinger at archlinux.org
Tue Jul 22 23:04:54 UTC 2014
Date: Wednesday, July 23, 2014 @ 01:04:53
Author: thestinger
Revision: 116122
add hardening-wrapper script
Added:
hardening-wrapper/
hardening-wrapper/repos/
hardening-wrapper/trunk/
hardening-wrapper/trunk/PKGBUILD
hardening-wrapper/trunk/cc-wrapper.sh
hardening-wrapper/trunk/path.sh
---------------+
PKGBUILD | 26 +++++++++++++++
cc-wrapper.sh | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
path.sh | 1
3 files changed, 123 insertions(+)
Added: hardening-wrapper/trunk/PKGBUILD
===================================================================
--- hardening-wrapper/trunk/PKGBUILD (rev 0)
+++ hardening-wrapper/trunk/PKGBUILD 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1,26 @@
+# Maintainer: Daniel Micay <danielmicay at gmail.com>
+pkgname=hardening-wrapper
+pkgver=1
+pkgrel=1
+pkgdesc='Wrapper script for building hardened executables by default'
+arch=(any)
+url='https://archlinux.org/'
+license=('GPL')
+depends=(bash)
+source=(cc-wrapper.sh path.sh)
+sha1sums=('99d2a33b30790c51e7ea4340dc85368ae65cbdd1'
+ '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc')
+
+package() {
+ mkdir -p "$pkgdir/usr/lib/hardening-wrapper/bin"
+ install -m644 path.sh "$pkgdir/usr/lib/hardening-wrapper/path.sh"
+ install -m755 cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c89"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c99"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/cc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+}
Added: hardening-wrapper/trunk/cc-wrapper.sh
===================================================================
--- hardening-wrapper/trunk/cc-wrapper.sh (rev 0)
+++ hardening-wrapper/trunk/cc-wrapper.sh 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -o nounset
+
+force_bindnow="${HARDENING_BINDNOW:-1}"
+force_fPIE="${HARDENING_PIE:-1}"
+force_fortify="${HARDENING_FORTIFY:-2}"
+force_pie="${HARDENING_PIE:-1}"
+force_relro="${HARDENING_RELRO:-1}"
+force_stack_protector="${HARDENING_STACK_PROTECTOR:-2}"
+
+error() {
+ echo "$1"
+ exit 1
+}
+
+linking=1
+optimizing=0
+
+for opt; do
+ case "$opt" in
+ -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
+ force_fPIE=0
+ force_pie=0
+ ;;
+ -fPIC|-fpic|-fPIE|-fpie)
+ force_fPIE=0
+ ;;
+ -c)
+ linking=0
+ ;;
+ -nostdlib|-ffreestanding)
+ force_stack_protector=0
+ ;;
+ -D_FORTIFY_SOURCE*)
+ force_fortify=0
+ ;;
+ -O0)
+ optimizing=0
+ ;;
+ -O*)
+ optimizing=1
+ ;;
+ esac
+done
+
+arguments=()
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_fPIE" in
+ 0) ;;
+ 1) arguments+=(-fPIE) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_fortify" in
+ 0) ;;
+ 1|2) (( optimizing )) && arguments+=(-D_FORTIFY_SOURCE=$force_fortify) ;;
+ *) error 'invalid value for HARDENING_FORTIFY' ;;
+esac
+
+case "$force_pie" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-pie) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+case "$force_stack_protector" in
+ 0) ;;
+ 1) arguments+=(-fstack-protector) ;;
+ 2) arguments+=(-fstack-protector-strong) ;;
+ 3) arguments+=(-fstack-protector-all) ;;
+ *) error 'invalid value for HARDENING_STACK_PROTECTOR' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+ unwrapped="$binary"
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
Property changes on: hardening-wrapper/trunk/cc-wrapper.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: hardening-wrapper/trunk/path.sh
===================================================================
--- hardening-wrapper/trunk/path.sh (rev 0)
+++ hardening-wrapper/trunk/path.sh 2014-07-22 23:04:53 UTC (rev 116122)
@@ -0,0 +1 @@
+export PATH="/usr/lib/hardening-wrapper/bin:$PATH"
More information about the arch-commits
mailing list