Diffstat (limited to 'community/hardening-wrapper')
-rw-r--r-- | community/hardening-wrapper/PKGBUILD | 31 | ||||
-rwxr-xr-x | community/hardening-wrapper/cc-wrapper.sh | 106 | ||||
-rw-r--r-- | community/hardening-wrapper/hardening-wrapper-i686.conf | 6 | ||||
-rw-r--r-- | community/hardening-wrapper/hardening-wrapper-x86_64.conf | 6 | ||||
-rw-r--r-- | community/hardening-wrapper/path.sh | 1 |
5 files changed, 150 insertions, 0 deletions
diff --git a/community/hardening-wrapper/PKGBUILD b/community/hardening-wrapper/PKGBUILD
new file mode 100644
index 000000000..a05316b84
--- /dev/null
+++ b/community/hardening-wrapper/PKGBUILD
@@ -0,0 +1,31 @@
+# Maintainer: Daniel Micay <danielmicay@gmail.com>
+pkgname=hardening-wrapper
+pkgver=3
+pkgrel=4
+pkgdesc='Wrapper script for building hardened executables by default'
+arch=(i686 x86_64)
+url='https://archlinux.org/'
+license=('GPL')
+depends=(bash)
+backup=(etc/hardening-wrapper.conf)
+source=(cc-wrapper.sh path.sh hardening-wrapper-i686.conf hardening-wrapper-x86_64.conf)
+sha1sums=('edddffd8d8bf6c4b57d7a8fa32b65e29020c2a3c'
+ '1e5f6d9931f01b26bb4b6fbb839e21d34d534cdc'
+ '658aed4d1039393f0ba08152c1320fca04ce1315'
+ 'ff104a6624ce898010f277fe22e6f964aeb34300')
+
+package() {
+ install -Dm644 hardening-wrapper-${CARCH}.conf "$pkgdir/etc/hardening-wrapper.conf"
+ install -Dm644 path.sh "$pkgdir/etc/profile.d/hardening-wrapper.sh"
+
+ mkdir -p "$pkgdir/usr/lib/hardening-wrapper/bin"
+ install -m755 cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c89"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c99"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/cc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/c++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/clang++"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/gcc"
+ ln -s ../cc-wrapper.sh "$pkgdir/usr/lib/hardening-wrapper/bin/g++"
+}
diff --git a/community/hardening-wrapper/cc-wrapper.sh b/community/hardening-wrapper/cc-wrapper.sh
new file mode 100755
index 000000000..4f16bd062
--- /dev/null
+++ b/community/hardening-wrapper/cc-wrapper.sh
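Review bot: `sha1sums=(…)` pins the four shipped source files with SHA-1 only; makepkg also accepts `sha256sums=(…)`, and since the files live beside the PKGBUILD regenerating the digests costs nothing, so a stronger hash is a cheap upgrade. Separately, `hardening-wrapper-${CARCH}.conf` in the first `install` line is the only unquoted expansion in `package()`; `"hardening-wrapper-${CARCH}.conf"` keeps it consistent with the quoted `$pkgdir` paths on the same lines.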
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+set -o nounset
+
+declare -A default="($(< /etc/hardening-wrapper.conf))"
+
+force_bindnow="${HARDENING_BINDNOW:-"${default[HARDENING_BINDNOW]:-1}"}"
+force_fPIE="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
+force_fortify="${HARDENING_FORTIFY:-"${default[HARDENING_FORTIFY]:-2}"}"
+force_pie="${HARDENING_PIE:-"${default[HARDENING_PIE]:-1}"}"
+force_relro="${HARDENING_RELRO:-"${default[HARDENING_RELRO]:-1}"}"
+force_stack_check="${HARDENING_STACK_CHECK:-"${default[HARDENING_STACK_CHECK]:-0}"}"
+force_stack_protector="${HARDENING_STACK_PROTECTOR:-${default[HARDENING_STACK_PROTECTOR]:-2}}"
+
+error() {
+ echo "$1" >&2
+ exit 1
+}
+
+linking=1
+optimizing=0
+
+for opt; do
+ case "$opt" in
+ -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
+ force_fPIE=0
+ force_pie=0
+ ;;
+ -fPIC|-fpic|-fPIE|-fpie)
+ force_fPIE=0
+ ;;
+ -c)
+ linking=0
+ ;;
+ -nostdlib|-ffreestanding)
+ force_stack_protector=0
+ ;;
+ -D_FORTIFY_SOURCE*)
+ force_fortify=0
+ ;;
+ -O0)
+ optimizing=0
+ ;;
+ -O*)
+ optimizing=1
+ ;;
+ esac
+done
+
+arguments=()
+
+case "$force_bindnow" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,now) ;;
+ *) error 'invalid value for HARDENING_BINDNOW' ;;
+esac
+
+case "$force_fPIE" in
+ 0) ;;
+ 1) arguments+=(-fPIE) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_fortify" in
+ 0) ;;
+ 1|2) (( optimizing )) && arguments+=(-D_FORTIFY_SOURCE=$force_fortify) ;;
+ *) error 'invalid value for HARDENING_FORTIFY' ;;
+esac
+
+case "$force_pie" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-pie) ;;
+ *) error 'invalid value for HARDENING_PIE' ;;
+esac
+
+case "$force_relro" in
+ 0) ;;
+ 1) (( linking )) && arguments+=(-Wl,-z,relro) ;;
+ *) error 'invalid value for HARDENING_RELRO' ;;
+esac
+
+case "$force_stack_check" in
+ 0) ;;
+ 1) arguments+=(-fstack-check) ;;
+ *) error 'invalid value for HARDENING_STACK_CHECK' ;;
+esac
+
+case "$force_stack_protector" in
+ 0) ;;
+ 1) arguments+=(-fstack-protector) ;;
+ 2) arguments+=(-fstack-protector-strong) ;;
+ 3) arguments+=(-fstack-protector-all) ;;
+ *) error 'invalid value for HARDENING_STACK_PROTECTOR' ;;
+esac
+
+unwrapped=false
+IFS=: read -ra path <<< "$PATH";
+for p in "${path[@]}"; do
+ binary="$p/${0##*/}"
+ if [[ "$binary" != "$0" && -x "$binary" ]]; then
+ unwrapped="$binary"
+ break
+ fi
+done
+
+exec "$unwrapped" "${arguments[@]}" "$@"
diff --git a/community/hardening-wrapper/hardening-wrapper-i686.conf b/community/hardening-wrapper/hardening-wrapper-i686.conf
new file mode 100644
index 000000000..ec1ae26c9
--- /dev/null
+++ b/community/hardening-wrapper/hardening-wrapper-i686.conf
@@ -0,0 +1,6 @@
+[HARDENING_BINDNOW]=0
+[HARDENING_PIE]=0
+[HARDENING_FORTIFY]=2
+[HARDENING_RELRO]=1
+[HARDENING_STACK_CHECK]=0
+[HARDENING_STACK_PROTECTOR]=2
diff --git a/community/hardening-wrapper/hardening-wrapper-x86_64.conf b/community/hardening-wrapper/hardening-wrapper-x86_64.conf
new file mode 100644
index 000000000..2ced2364f
--- /dev/null
+++ b/community/hardening-wrapper/hardening-wrapper-x86_64.conf
@@ -0,0 +1,6 @@
+[HARDENING_BINDNOW]=0
+[HARDENING_PIE]=1
+[HARDENING_FORTIFY]=2
+[HARDENING_RELRO]=1
+[HARDENING_STACK_CHECK]=0
+[HARDENING_STACK_PROTECTOR]=2
diff --git a/community/hardening-wrapper/path.sh b/community/hardening-wrapper/path.sh
new file mode 100644
index 000000000..640ab758c
--- /dev/null
+++ b/community/hardening-wrapper/path.sh
@@ -0,0 +1 @@
+export PATH="/usr/lib/hardening-wrapper/bin:$PATH" |
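Review bot: `-nostdlib` never reaches the `-nostdlib|-ffreestanding)` arm, because the first arm of `case "$opt"` already lists `-nostdlib` and bash runs only the first matching arm, so a `-nostdlib` build still gets `-fstack-protector-strong` prepended and may fail to link for lack of `__stack_chk_fail`; give it its own arm, `-nostdlib) force_fPIE=0; force_pie=0; force_stack_protector=0 ;;`, and drop it from the other two patterns. The PATH walk also starts from `unwrapped=false`, so when no other executable of that name exists the script silently `exec`s `false` with the compiler arguments and the build fails with no diagnostic; replace the fallback with `error "no unwrapped ${0##*/} found in PATH"`. The skip test `"$binary" != "$0"` is a string comparison, so a PATH entry spelled differently from `$0` (trailing slash, relative path, symlinked directory) lets the wrapper exec itself in a loop; `[[ ! "$binary" -ef "$0" && -x "$binary" ]]` compares the files instead. Finally, `declare -A default="($(< /etc/hardening-wrapper.conf))"` has bash parse the config as a compound assignment, so any `$(…)` in that file is executed at every compiler invocation — fine while it stays root-owned, but worth the comment `# NOTE: the config is evaluated as bash array syntax; it must stay root-writable only`.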
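Review bot: `[HARDENING_BINDNOW]=0` next to `[HARDENING_RELRO]=1` makes the x86_64 default partial RELRO only: cc-wrapper.sh maps RELRO to `-Wl,-z,relro` and BINDNOW to `-Wl,-z,now`, and without the latter the GOT is still written lazily after startup, so GOT-overwrite stays available to an attacker who gets a write primitive. If keeping lazy binding for startup time is deliberate, a comment stating that would help the next maintainer; otherwise `[HARDENING_BINDNOW]=1` — the script's own built-in default, which this file overrides — gives full RELRO. The i686 file makes the same choice.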