On Thu, 08 Dec 2011, Kees Cook wrote:
> This patch adds that ability, and lets the environment correctly adjust it:
>
> $ dpkg-buildflags --features hardening
> -bindnow,+format,+fortify,-pie,+relro,+stackprotector
>
> $ DEB_HOST_ARCH=ia64 dpkg-buildflags --features hardening
> -bindnow,+format,+fortify,-pie,-relro,-stackprotector
This syntax is great for debian/rules because we want to be expressive in
a single line but it's really not great for standardized output.
I would suggest to follow the standard set for "update-alternatives
--query" and to use the well known RFC-2822 header block:
---
$ dpkg-buildflags --query-features hardening
Feature: bindnow
Enabled: no
Feature: format
Enabled: yes
[...]
---
> I'm obviously open to changing how this works, what the output looks
> like, etc. I'm just interested in the behavior to query expected
> hardening features.
The set of features is also adjusted by the maintainer in debian/rules and
this part can't easily be queried.
This limits the usefulness of this query feature.
> --- a/scripts/Dpkg/BuildFlags.pm
> +++ b/scripts/Dpkg/BuildFlags.pm
You're extending the API, please bump the minor number in $VERSION.
> +=item $bf->get_features($area)
> +
> +Return the list of features enabled for the given area.
> +
> +=cut
It's a hash reference that is returned. Keys are features identifiers and
values are booleans indicating whether the feature is enabled or not.
You might want to return a hash so that the caller can't modify the
content of $features.
> +sub get_features {
> + my ($self, $key) = @_;
> + return $self->{'features'}{$key};
> +}
> +
> =item $bf->get_origin($flag)
>
> Return the origin associated to the flag. It might be undef if the
> @@ -318,6 +330,18 @@ sub get_origin {
> return $self->{'origin'}{$key};
> }
>
> +=item $bf->features($area)
> +
> +Returns a list of enabled features for a given area. Currently the
> +only recognized area is "hardening".
> +
> +=cut
Bad description. The function returns true if the $area is known, and false
otherwise.
> +
> +sub features {
> + my ($self, $key) = @_;
> + return exists $self->{'features'}{$key};
> +}
> +
> =item $bf->has($option)
>
> Returns a boolean indicating whether the flags exists in the object.
> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> index e824d0e..8106c47 100644
> --- a/scripts/Dpkg/Vendor/Debian.pm
> +++ b/scripts/Dpkg/Vendor/Debian.pm
> @@ -122,6 +122,10 @@ sub add_hardening_flags {
> $flags->append("CFLAGS", "-fPIE");
> $flags->append("CXXFLAGS", "-fPIE");
> $flags->append("LDFLAGS", "-fPIE -pie");
> + $flags->{'features'}{'hardening'}{'pie'} = 1;
> + }
> + else {
> + $flags->{'features'}{'hardening'}{'pie'} = 0;
> }
$flags->{'features'}{'hardening'} is mostly the same than %use_feature,
please do not duplicate it but rather modify the code so that it works
that way:
1/ generate %use_feature by directly taking into account the architecture
specificities
2/ record %use_feature with a $flags->set_feature()
3/ do the various $flags->apppend() based on %use_feature (and there must
be no supplementary conditions left in the tests at this point, it's
solely "if ($use_feature{"foo"}) { $flags->append() }" since the
supplementary conditions have been taken into account in 1/ already)
> +} elsif ($action eq "features") {
> + if ($build_flags->features($param)) {
> + my $features = $build_flags->get_features($param);
> + my @report;
> + foreach my $feature (sort keys %{$features}) {
> + my $item = $feature;
> + if ($features->{$feature} == 1) {
> + $item = "+$item";
> + }
> + else {
> + $item = "-$item";
> + }
> + push(@report, $item);
> + }
> + print join(",", @report), "\n";
> + exit(0);
> + }
Please put the "else" on the same line than the preceding closing curly
braces.
if ($foo) {
...
} else {
...
}
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
