From c1986ecb6fc68427db7579d409929939117e45ff Mon Sep 17 00:00:00 2001 From: Theodore Ts'o Date: Wed, 13 Jun 2012 15:29:13 -0400 Subject: [PATCH] Fix blhc (Build Log Hardening Check) warnings The Build Log Hardening Check is a debian tool which scans the output of a package build making sure that the security hardening flags are used when compiling and linking all of the binaries in a package. For the most part we were passing CFLAGS, CPPFLAGS, and LDFLAGS down to the compiler and link commands, but there were one or two exceptions. In addition, there were a few places in "make install" where the V=1 option was not being honored, which triggered blhc warnings since it couldn't analyze those commands. The e2fsck.static was the only binary that was not getting built and packaged with the hardening flags, but I've fixed all of the blhc warnings so in the future it will be obvious if we regress. Signed-off-by: "Theodore Ts'o" --- MCONFIG.in | 4 ++++ configure | 7 ++++++- configure.in | 6 +++++- debian/rules | 31 ++++++++++++++++++------------- e2fsck/Makefile.in | 14 +++++++------- lib/ext2fs/Makefile.in | 2 +- lib/uuid/Makefile.in | 4 ++-- misc/Makefile.in | 32 ++++++++++++++++---------------- 8 files changed, 59 insertions(+), 41 deletions(-) diff --git a/MCONFIG.in b/MCONFIG.in index 0c74522..fa2b03e 100644 --- a/MCONFIG.in +++ b/MCONFIG.in @@ -35,15 +35,19 @@ datadir = @datadir@ @ifGNUmake@ V = @ifGNUmake@ ifeq ($(strip $(V)),) @ifGNUmake@ # E = @echo +@ifGNUmake@ # ES = echo @ifGNUmake@ # Q = @ @ifGNUmake@ E = @E@ +@ifGNUmake@ ES = @ES@ @ifGNUmake@ Q = @Q@ @ifGNUmake@ else @ifGNUmake@ E = @\# +@ifGNUmake@ ES = \# @ifGNUmake@ Q = @ifGNUmake@ endif @ifNotGNUmake@ E = @E@ +@ifNotGNUmake@ ES = @ES@ @ifNotGNUmake@ Q = @Q@ CC = @CC@ diff --git a/configure b/configure index b741112..732119e 100755 --- a/configure +++ b/configure @@ -713,6 +713,7 @@ BSDLIB_CMT ELF_CMT HTREE_CMT Q +ES E LINK_BUILD_FLAGS SYMLINK_RELATIVE 
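Review bot: The new `ES` variable in the MCONFIG.in hunk has no comment saying how it differs from `E`, and the difference is easy to get wrong. From the values here, `E` carries a leading `@` and is meant to start a recipe line, while `ES` is bare (`echo`, or `#` when V is set) for use inside a shell loop that `$(Q)` already prefixes. When V is set, `ES` turns the rest of its physical line into a shell comment, so any command written after it on the same line would silently not run. I would add above the definitions something like `# ES: echo for use inside shell compound commands; keep it alone on its line, since V=1 expands it to '#'`.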
@@ -4434,11 +4435,13 @@ then { $as_echo "$as_me:${as_lineno-$LINENO}: result: Disabling verbose make commands" >&5 $as_echo "Disabling verbose make commands" >&6; } E=@echo + ES=echo Q=@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: Enabling verbose make commands" >&5 $as_echo "Enabling verbose make commands" >&6; } E=@\\# + ES=\\# Q= fi @@ -4446,12 +4449,14 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: Disabling verbose make commands" >&5 $as_echo "Disabling verbose make commands" >&6; } E=@echo +ES=echo Q=@ fi + # Check whether --enable-compression was given. if test "${enable_compression+set}" = set; then : enableval=$enable_compression; if test "$enableval" = "no" @@ -11304,7 +11309,7 @@ if test "$USE_INCLUDED_LIBINTL" = "yes" ; then fi if test $cross_compiling = no; then - BUILD_CFLAGS="$CFLAGS" + BUILD_CFLAGS="$CFLAGS $CPPFLAGS" BUILD_LDFLAGS="$LDFLAGS" else BUILD_CFLAGS= diff --git a/configure.in b/configure.in index aa4c777..7373e8e 100644 --- a/configure.in +++ b/configure.in @@ -212,18 +212,22 @@ if test "$enableval" = "no" then AC_MSG_RESULT([Disabling verbose make commands]) E=@echo + ES=echo Q=@ else AC_MSG_RESULT([Enabling verbose make commands]) E=@\\# + ES=\\# Q= fi , AC_MSG_RESULT([Disabling verbose make commands]) E=@echo +ES=echo Q=@ ) AC_SUBST(E) +AC_SUBST(ES) AC_SUBST(Q) dnl dnl handle --enable-compression @@ -1230,7 +1234,7 @@ dnl dnl Build CFLAGS dnl if test $cross_compiling = no; then - BUILD_CFLAGS="$CFLAGS" + BUILD_CFLAGS="$CFLAGS $CPPFLAGS" BUILD_LDFLAGS="$LDFLAGS" else BUILD_CFLAGS= diff --git a/debian/rules b/debian/rules index 1f6e7b4..cf8e070 100755 --- a/debian/rules +++ b/debian/rules 
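Review bot: In the configure.in "Build CFLAGS" hunk only the native branch of `if test $cross_compiling = no` gains `$CPPFLAGS`; the `else` branch visible at the end of the hunk still sets `BUILD_CFLAGS=` empty. When cross compiling, the build-time helpers that this patch compiles with `$(BUILD_CC) $(BUILD_CFLAGS) $(BUILD_LDFLAGS)` (gen_crc32table, gen_crc32ctable) therefore get no hardening flags, and their compile lines will presumably still be reported by blhc. That is probably intentional, since host flags may not be valid for the build compiler, but it should be stated so the warnings are not mistaken for a regression, e.g. `dnl When cross compiling, host CFLAGS/CPPFLAGS/LDFLAGS may not suit BUILD_CC, so helpers are built without them.` The rest of the else branch is outside the hunk, and the same change is mirrored in the generated `configure`.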
@@ -258,9 +258,11 @@ endif ifneq ($(ismips),) mkdir -p ${mipsbuilddir} ${mipsbuilddir64} cd ${mipsbuilddir} && AWK=/usr/bin/awk \ - ${topdir}/configure ${MIPS_NOPIC_CONF_FLAGS} CFLAGS="${CFLAGS}" + ${topdir}/configure ${MIPS_NOPIC_CONF_FLAGS} \ + CFLAGS="${CFLAGS}" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" cd ${mipsbuilddir64} && AWK=/usr/bin/awk \ - ${topdir}/configure ${MIPS_NOPIC_CONF_FLAGS} CFLAGS="${CFLAGS}" + ${topdir}/configure ${MIPS_NOPIC_CONF_FLAGS} \ + CFLAGS="${CFLAGS}" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" endif mkdir -p ${STAMPSDIR} @@ -293,11 +295,13 @@ ifeq ($(DEB_BUILD_ARCH),$(DEB_HOST_ARCH)) if type diet > /dev/null 2>&1 ; then \ cd ${staticbuilddir} && AWK=/usr/bin/awk \ ${topdir}/configure ${STATIC_CONF_FLAGS} \ - ${WITH_DIET_LIBC} CFLAGS="${CFLAGS}"; \ + ${WITH_DIET_LIBC} CFLAGS="${CFLAGS}" \ + CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)"; \ else \ cd ${staticbuilddir} && AWK=/usr/bin/awk \ ${topdir}/configure ${STATIC_CONF_FLAGS} \ - CFLAGS="${CFLAGS}"; \ + CFLAGS="${CFLAGS}" CPPFLAGS="$(CPPFLAGS)" \ + LDFLAGS="$(LDFLAGS)"; \ fi else cd ${staticbuilddir} && AWK=/usr/bin/awk CC="${DEB_HOST_GNU_TYPE}-gcc" \ @@ -342,6 +346,7 @@ ${BUILDBFSTAMP}: ${CFGBFSTAMP} $(MAKE) -C ${bfbuilddir} V=1 libs $(MAKE) -C ${bfbuilddir}/e2fsck V=1 all $(MAKE) -C ${bfbuilddir}/misc V=1 all + $(MAKE) -C ${bfbuilddir}/resize V=1 all touch ${BUILDBFSTAMP} build-static: ${BUILDSTATICSTAMP} 
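Review bot: The cross-build branch of the static configure step (the `else` that starts with `CC="${DEB_HOST_GNU_TYPE}-gcc"` at the end of the second debian/rules hunk) is not touched, and its remaining arguments are outside the hunk, so it is not visible whether `CPPFLAGS` and `LDFLAGS` reach e2fsck.static when `DEB_BUILD_ARCH` differs from `DEB_HOST_ARCH`. If that branch passes only `CFLAGS`, the one binary the commit message calls out would still be built without the hardening flags on cross builds, and it should get the same `CPPFLAGS=... LDFLAGS=...` arguments. As a style point, the added arguments here and in the mips hunk mix `$(CPPFLAGS)` with the file's `${CFLAGS}` brace form; `CPPFLAGS="${CPPFLAGS}" LDFLAGS="${LDFLAGS}"` would match the surrounding lines.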
@@ -354,9 +359,9 @@ ${BUILDSTATICSTAMP}: ${CFGSTATICSTAMP} clean: dh_testdir rm -rf ${STAMPSDIR} - [ ! -f ${stdbuilddir}/Makefile ] || $(MAKE) -C ${stdbuilddir} distclean - [ ! -f ${bfbuilddir}/Makefile ] || $(MAKE) -C ${bfbuilddir} distclean - [ ! -f ${staticbuilddir}/Makefile ] || $(MAKE) -C ${staticbuilddir} distclean + [ ! -f ${stdbuilddir}/Makefile ] || $(MAKE) -C ${stdbuilddir} V=1 distclean + [ ! -f ${bfbuilddir}/Makefile ] || $(MAKE) -C ${bfbuilddir} V=1 distclean + [ ! -f ${staticbuilddir}/Makefile ] || $(MAKE) -C ${staticbuilddir} V=1 distclean rm -rf ${stdbuilddir} ${bfbuilddir} ${staticbuilddir} ${mipsbuilddir} ${mipsbuilddir64} rm -f debian/*.substvars dh_clean @@ -378,10 +383,10 @@ install-std: build dh_installdirs mkdir -p ${tmpdir}/sbin - $(MAKE) -C ${stdbuilddir} install DESTDIR=${tmpdir} \ + $(MAKE) -C ${stdbuilddir} V=1 install DESTDIR=${tmpdir} \ INSTALL_PROGRAM="${INSTALL_PROGRAM}" LDCONFIG=true # static libs and .h files - $(MAKE) -C ${stdbuilddir} install-libs DESTDIR=${tmpdir} LDCONFIG=true + $(MAKE) -C ${stdbuilddir} V=1 install-libs DESTDIR=${tmpdir} LDCONFIG=true # statically-linked fsck ${INSTALL_PROGRAM} $(E2FSCK_STATIC) ${tmpdir}/sbin 
@@ -410,13 +415,13 @@ install-udeb: build dh_testdir dh_testroot - $(MAKE) -C ${bfbuilddir} install-shlibs-libs-recursive DESTDIR=${udebdir} \ + $(MAKE) -C ${bfbuilddir} V=1 install-shlibs-libs-recursive DESTDIR=${udebdir} \ INSTALL_PROGRAM="${INSTALL_PROGRAM}" LDCONFIG=true - $(MAKE) -C ${bfbuilddir}/e2fsck install DESTDIR=${udebdir} \ + $(MAKE) -C ${bfbuilddir}/e2fsck V=1 install DESTDIR=${udebdir} \ INSTALL_PROGRAM="${INSTALL_PROGRAM}" LDCONFIG=true - $(MAKE) -C ${bfbuilddir}/misc install DESTDIR=${udebdir} \ + $(MAKE) -C ${bfbuilddir}/misc V=1 install DESTDIR=${udebdir} \ INSTALL_PROGRAM="${INSTALL_PROGRAM}" LDCONFIG=true - $(MAKE) -C ${bfbuilddir}/resize install DESTDIR=${udebdir} \ + $(MAKE) -C ${bfbuilddir}/resize V=1 install DESTDIR=${udebdir} \ INSTALL_PROGRAM="${INSTALL_PROGRAM}" LDCONFIG=true rm -rf ${udebdir}/usr diff --git a/e2fsck/Makefile.in b/e2fsck/Makefile.in index c51bfdb..a52bbe1 100644 --- a/e2fsck/Makefile.in +++ b/e2fsck/Makefile.in @@ -136,7 +136,7 @@ e2fsck.profiled: $(PROFILED_OBJS) $(PROFILED_DEPLIBS) gen_crc32table: $(srcdir)/gen_crc32table.c $(E) " CC $@" - $(Q) $(BUILD_CC) $(BUILD_CFLAGS) -o gen_crc32table \ + $(Q) $(BUILD_CC) $(BUILD_CFLAGS) $(BUILD_LDFLAGS) -o gen_crc32table \ $(srcdir)/gen_crc32table.c crc32table.h: gen_crc32table @@ -216,11 +216,11 @@ installdirs: install: $(PROGS) $(MANPAGES) $(FMANPAGES) installdirs $(Q) for i in $(PROGS); do \ - echo " INSTALL $(root_sbindir)/$$i"; \ + $(ES) " INSTALL $(root_sbindir)/$$i"; \ $(INSTALL_PROGRAM) $$i $(DESTDIR)$(root_sbindir)/$$i; \ done $(Q) for i in ext2 ext3 ext4 ext4dev; do \ - echo " LINK $(root_sbindir)/fsck.$$i"; \ + $(ES) " LINK $(root_sbindir)/fsck.$$i"; \ (cd $(DESTDIR)$(root_sbindir); \ $(LN) $(LINK_INSTALL_FLAGS) e2fsck fsck.$$i); \ done 
@@ -228,25 +228,25 @@ install: $(PROGS) $(MANPAGES) $(FMANPAGES) installdirs for j in $(COMPRESS_EXT); do \ $(RM) -f $(DESTDIR)$(man8dir)/$$i.$$j; \ done; \ - echo " INSTALL_DATA $(man8dir)/$$i"; \ + $(ES) " INSTALL_DATA $(man8dir)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(man8dir)/$$i; \ done $(Q) for i in $(FMANPAGES); do \ for j in $(COMPRESS_EXT); do \ $(RM) -f $(DESTDIR)$(man5dir)/$$i.$$j; \ done; \ - echo " INSTALL_DATA $(man5dir)/$$i"; \ + $(ES) " INSTALL_DATA $(man5dir)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(man5dir)/$$i; \ done $(Q) for i in ext2 ext3 ext4 ext4dev; do \ - echo " LINK $(man8dir)/fsck.$$i.8"; \ + $(ES) " LINK $(man8dir)/fsck.$$i.8"; \ (cd $(DESTDIR)$(man8dir); \ $(LN) $(LINK_INSTALL_FLAGS) e2fsck.8 fsck.$$i.8); \ done install-strip: install $(Q) for i in $(PROGS); do \ - echo " STRIP $(root_sbindir)/$$i"; \ + $(ES) " STRIP $(root_sbindir)/$$i"; \ $(STRIP) $(DESTDIR)$(root_sbindir)/$$i; \ done diff --git a/lib/ext2fs/Makefile.in b/lib/ext2fs/Makefile.in index f9200fa..0d9ac21 100644 --- a/lib/ext2fs/Makefile.in +++ b/lib/ext2fs/Makefile.in @@ -463,7 +463,7 @@ $(OBJS): subdirs gen_crc32ctable: $(srcdir)/gen_crc32ctable.c $(E) " CC $@" - $(Q) $(BUILD_CC) $(BUILD_CFLAGS) -o gen_crc32ctable \ + $(Q) $(BUILD_CC) $(BUILD_CFLAGS) $(BUILD_LDFLAGS) -o gen_crc32ctable \ $(srcdir)/gen_crc32ctable.c crc32c_table.h: gen_crc32ctable diff --git a/lib/uuid/Makefile.in b/lib/uuid/Makefile.in index caa13f7..7329467 100644 --- a/lib/uuid/Makefile.in +++ b/lib/uuid/Makefile.in @@ -86,8 +86,8 @@ tst_uuid: tst_uuid.o $(DEPSTATIC_LIBUUID) uuid_time: $(srcdir)/uuid_time.c $(DEPLIBUUID) $(E) " LD $@" - $(Q) $(CC) $(ALL_CFLAGS) -DDEBUG -o uuid_time $(srcdir)/uuid_time.c \ - $(LIBUUID) + $(Q) $(CC) $(ALL_CFLAGS) $(LDFLAGS) -DDEBUG -o uuid_time \ + $(srcdir)/uuid_time.c $(LIBUUID) uuid.3: $(DEP_SUBSTITUTE) $(srcdir)/uuid.3.in $(E) " SUBST $@" diff --git a/misc/Makefile.in b/misc/Makefile.in index cc0b939..0692126 100644 --- a/misc/Makefile.in +++ b/misc/Makefile.in 
@@ -410,7 +410,7 @@ blkid.1: $(DEP_SUBSTITUTE) $(srcdir)/blkid.1.in $(Q) $(SUBSTITUTE_UPTIME) $(srcdir)/blkid.1.in blkid.1 e2freefrag.8: $(DEP_SUBSTITUTE) $(srcdir)/e2freefrag.8.in - @echo " SUBST $@" + $(E) " SUBST $@" @$(SUBSTITUTE_UPTIME) $(srcdir)/e2freefrag.8.in e2freefrag.8 filefrag.8: $(DEP_SUBSTITUTE) $(srcdir)/filefrag.8.in 
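Review bot: The second recipe line of the e2freefrag.8 rule still hard-codes `@` (`@$(SUBSTITUTE_UPTIME) $(srcdir)/e2freefrag.8.in e2freefrag.8`), so the substitution command stays hidden under V=1 even though the echo line now honours it. The blkid.1 rule shown as context just above uses `$(Q) $(SUBSTITUTE_UPTIME) ...`, and this rule should match it: `$(Q) $(SUBSTITUTE_UPTIME) $(srcdir)/e2freefrag.8.in e2freefrag.8`.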
@@ -427,44 +427,44 @@ installdirs: install: all $(SMANPAGES) $(UMANPAGES) installdirs $(Q) for i in $(SPROGS); do \ - echo " INSTALL $(root_sbindir)/$$i"; \ + $(ES) " INSTALL $(root_sbindir)/$$i"; \ $(INSTALL_PROGRAM) $$i $(DESTDIR)$(root_sbindir)/$$i; \ done $(Q) for i in $(USPROGS); do \ - echo " INSTALL $(sbindir)/$$i"; \ + $(ES) " INSTALL $(sbindir)/$$i"; \ $(INSTALL_PROGRAM) $$i $(DESTDIR)$(sbindir)/$$i; \ done $(Q) for i in ext2 ext3 ext4 ext4dev; do \ - echo " LINK $(root_sbindir)/mkfs.$$i"; \ + $(ES) " LINK $(root_sbindir)/mkfs.$$i"; \ (cd $(DESTDIR)$(root_sbindir); \ $(LN) $(LINK_INSTALL_FLAGS) mke2fs mkfs.$$i); \ done $(Q) (cd $(DESTDIR)$(root_sbindir); \ $(LN) $(LINK_INSTALL_FLAGS) tune2fs e2label) $(Q) if test -n "$(FINDFS_LINK)"; then \ - echo " LINK $(root_sbindir)/findfs"; \ + $(ES) " LINK $(root_sbindir)/findfs"; \ (cd $(DESTDIR)$(root_sbindir); \ $(LN) $(LINK_INSTALL_FLAGS) tune2fs $(FINDFS_LINK)); \ fi $(Q) for i in $(UPROGS); do \ - echo " INSTALL $(bindir)/$$i"; \ + $(ES) " INSTALL $(bindir)/$$i"; \ $(INSTALL_PROGRAM) $$i $(DESTDIR)$(bindir)/$$i; \ done $(Q) for i in $(LPROGS); do \ - echo " INSTALL $(libdir)/$$i"; \ + $(ES) " INSTALL $(libdir)/$$i"; \ $(INSTALL_PROGRAM) $$i $(DESTDIR)$(libdir)/$$i; \ done $(Q) for i in $(SMANPAGES); do \ for j in $(COMPRESS_EXT); do \ $(RM) -f $(DESTDIR)$(man8dir)/$$i.$$j; \ done; \ - echo " INSTALL_DATA $(man8dir)/$$i"; \ + $(ES) " INSTALL_DATA $(man8dir)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(man8dir)/$$i; \ done $(Q) $(RM) -f $(DESTDIR)$(man8dir)/mkfs.ext2.8.gz \ $(DESTDIR)$(man8dir)/mkfs.ext3.8.gz $(Q) for i in ext2 ext3 ext4 ext4dev; do \ - echo " LINK mkfs.$$i.8"; \ + $(ES) " LINK mkfs.$$i.8"; \ (cd $(DESTDIR)$(man8dir); \ $(LN) $(LINK_INSTALL_FLAGS) mke2fs.8 mkfs.$$i.8); \ done 
@@ -472,14 +472,14 @@ install: all $(SMANPAGES) $(UMANPAGES) installdirs for j in $(COMPRESS_EXT); do \ $(RM) -f $(DESTDIR)$(man1dir)/$$i.$$j; \ done; \ - echo " INSTALL_DATA $(man1dir)/$$i"; \ + $(ES) " INSTALL_DATA $(man1dir)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(man1dir)/$$i; \ done $(Q) for i in $(FMANPAGES); do \ for j in $(COMPRESS_EXT); do \ $(RM) -f $(DESTDIR)$(man5dir)/$$i.$$j; \ done; \ - echo " INSTALL_DATA $(man5dir)/$$i"; \ + $(ES) " INSTALL_DATA $(man5dir)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(man5dir)/$$i; \ done $(Q) if test -f $(DESTDIR)$(root_sysconfdir)/mke2fs.conf; then \ @@ -488,13 +488,13 @@ install: all $(SMANPAGES) $(UMANPAGES) installdirs true; \ else \ if grep -q ext4dev $(DESTDIR)$(root_sysconfdir)/mke2fs.conf ; then \ - echo " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf.e2fsprogs-new"; \ + $(ES) " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf.e2fsprogs-new"; \ $(INSTALL_DATA) mke2fs.conf \ $(DESTDIR)$(root_sysconfdir)/mke2fs.conf.e2fsprogs-new; \ echo "Warning: installing mke2fs.conf in $(DESTDIR)$(root_sysconfdir)/mke2fs.conf.e2fsprogs-new"; \ echo "Check to see if you need to update your $(root_sysconfdir)/mke2fs.conf"; \ else \ - echo " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf"; \ + $(ES) " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf"; \ mv $(DESTDIR)$(root_sysconfdir)/mke2fs.conf \ $(DESTDIR)$(root_sysconfdir)/mke2fs.conf.e2fsprogs-old; \ $(INSTALL_DATA) mke2fs.conf \ 
@@ -506,18 +506,18 @@ install: all $(SMANPAGES) $(UMANPAGES) installdirs echo " "; \ fi; \ else \ - echo " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf"; \ + $(ES) " INSTALL_DATA $(root_sysconfdir)/mke2fs.conf"; \ $(INSTALL_DATA) mke2fs.conf \ $(DESTDIR)$(root_sysconfdir)/mke2fs.conf; \ fi install-strip: install $(Q) for i in $(SPROGS); do \ - echo " STRIP $(root_sbindir)/$$i"; \ + $(E) " STRIP $(root_sbindir)/$$i"; \ $(STRIP) $(DESTDIR)$(root_sbindir)/$$i; \ done $(Q) for i in $(USPROGS); do \ - echo " STRIP $(sbindir)/$$i"; \ + $(E) " STRIP $(sbindir)/$$i"; \ $(STRIP) $(DESTDIR)$(sbindir)/$$i; \ done -- 1.8.3.1
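Review bot: The two `install-strip` loops in misc/Makefile.in use `$(E)` inside a shell `for` body, where every other loop in this patch (including e2fsck's `install-strip`) uses `$(ES)`. Per the MCONFIG.in hunk, `E` expands to `@echo` (or `@#` when V is set), and make does not strip an `@` that appears in the middle of a shell command, so the shell will try to run a command literally named `@echo` and report it as not found for every program; the `$(STRIP)` line presumably still runs afterwards. The two lines should read `$(ES) " STRIP $(root_sbindir)/$$i"; \` and `$(ES) " STRIP $(sbindir)/$$i"; \`. The `install-strip` rule may continue past the end of the hunk.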