# PIE.
my $use_pie = $flags->get_feature('hardening', 'pie');
my %hardening_builtins = $flags->get_builtins('hardening');
if (defined $use_pie && $use_pie && ! $hardening_builtins{pie}) {
my $flag = "-specs=$Dpkg::DATADIR/pie-compile.specs";
$flags->append($_, $flag) foreach @compile_flags;
$flags->append('LDFLAGS', "-specs=$Dpkg::DATADIR/pie-link.specs");
} elsif (defined $use_pie && ! $use_pie && $hardening_builtins{pie}) {
my $flag = "-specs=$Dpkg::DATADIR/no-pie-compile.specs";
$flags->append($_, $flag) foreach @compile_flags;
$flags->append('LDFLAGS', "-specs=$Dpkg::DATADIR/no-pie-link.specs");
}
# Stack protector.
if ($flags->use_feature('hardening', 'stackprotectorstrong')) {
my $flag = '-fstack-protector-strong';
$flags->append($_, $flag) foreach @compile_flags;
} elsif ($flags->use_feature('hardening', 'stackprotector')) {
my $flag = '-fstack-protector --param=ssp-buffer-size=4';
$flags->append($_, $flag) foreach @compile_flags;
}
# Stack clash.
if ($flags->use_feature('hardening', 'stackclash')) {
my $flag = '-fstack-clash-protection';
$flags->append($_, $flag) foreach @compile_flags;
}
# Fortify Source.
if ($flags->use_feature('hardening', 'fortify')) {
my $fortify_level = $flags->get_option_value('fortify-level');
$flags->append('CPPFLAGS', "-D_FORTIFY_SOURCE=$fortify_level");
}
# Format Security.
if ($flags->use_feature('hardening', 'format')) {
my $flag = '-Wformat -Werror=format-security';
$flags->append('CFLAGS', $flag);
$flags->append('CXXFLAGS', $flag);
$flags->append('OBJCFLAGS', $flag);
$flags->append('OBJCXXFLAGS', $flag);
}
# Read-only Relocations.
if ($flags->use_feature('hardening', 'relro')) {
$flags->append('LDFLAGS', '-Wl,-z,relro');
}
# Bindnow.
if ($flags->use_feature('hardening', 'bindnow')) {
$flags->append('LDFLAGS', '-Wl,-z,now');
}
# Branch protection.
if ($flags->use_feature('hardening', 'branch')) {
my $cpu = $flags->get_option_value('hardening-branch-cpu');
my $flag;
if ($cpu eq 'arm64') {
$flag = '-mbranch-protection=standard';
} elsif ($cpu eq 'amd64') {
# TODO: On GNU/Linux, CET is currently only partially supported
# for the "-fcf-protection" option values:
#
# - For "return", the current version of glibc in Debian does
# not enable support for it. See #1114518.
#
# - For "branch", the compiler injects the ENDBR instructions in
# the function prologues, but the Linux kernel does not currently
# have support to enable IBT support for user-space. And there
# are proposals that could end up changing its ABI.
#
# We leave the current option value with the implicit "full", as
# there is still interest (as of 2025-09) to implement support on
# Linux to enable IBT for user-space, and then it would only need
# a new Linux kernel and a glibc to enable the support. If this
# does not change in a couple of years, we can revisit whether to
# switch to "return".
$flag = '-fcf-protection';
}
# The following should always be true on Debian, but it might not
# be on derivatives.
if (defined $flag) {
$flags->append($_, $flag) foreach @compile_flags;
}
}
# XXX: Handle *_FOR_BUILD flags here until we can properly initialize them.
require Dpkg::Arch;
my $host_arch = Dpkg::Arch::get_host_arch();
my $build_arch = Dpkg::Arch::get_build_arch();
if ($host_arch eq $build_arch) {
foreach my $flag ($flags->list()) {
next if $flag =~ m/_FOR_BUILD$/;
my $value = $flags->get($flag);
$flags->append($flag . '_FOR_BUILD', $value);
}
} else {
$flags->append($_ . '_FOR_BUILD', $default_flags) foreach @compile_flags;
$flags->append('DFLAGS_FOR_BUILD', $default_d_flags);
}
}
sub _build_tainted_by {
my $self = shift;
my %tainted;
require File::Find;
my %usr_local_types = (
configs => [ qw(etc) ],
includes => [ qw(include) ],
programs => [ qw(bin sbin) ],
libraries => [ qw(lib) ],
);
foreach my $type (keys %usr_local_types) {
my $scan_tainted = {
wanted => sub { $tainted{"usr-local-has-$type"} = 1 if -f },
no_chdir => 1,
};
my @dirs_taintable = grep {