1
0
Fork 0
mirror of https://github.com/pygos/build.git synced 2024-11-22 11:09:46 +01:00

Set hardening options for packages with custom build system

Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at>
This commit is contained in:
David Oberhollenzer 2018-10-14 18:47:20 +02:00
parent 7b0e1f182c
commit 69aa1d33e9
9 changed files with 50 additions and 9 deletions

View file

@ -12,7 +12,12 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
make CC=${TARGET}-gcc AR=${TARGET}-ar RANLIB=${TARGET}-ranlib -j $NUMJOBS libbz2.a bzip2 bzip2recover local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \
LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \
RANLIB=${TARGET}-ranlib -j $NUMJOBS libbz2.a bzip2 bzip2recover
} }
deploy() { deploy() {
@ -32,4 +37,4 @@ deploy() {
check_update() { check_update() {
return return
} }

View file

@ -12,6 +12,11 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \
make CC=${TARGET}-gcc PREFIX="/" BINDIR="/bin" -j $NUMJOBS make CC=${TARGET}-gcc PREFIX="/" BINDIR="/bin" -j $NUMJOBS
} }

View file

@ -13,7 +13,12 @@ build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config" cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config"
export PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
CFLAGS="-MMD -O2 $cflags" \
LDFLAGS="$ldflags" \
make CC=${TARGET}-gcc -C hostapd -j $NUMJOBS make CC=${TARGET}-gcc -C hostapd -j $NUMJOBS
} }

View file

@ -12,7 +12,12 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
make HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" CC="${TARGET}-gcc" SYSROOT="$TCDIR/$TARGET" local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \
HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \
CC="${TARGET}-gcc" SYSROOT="$TCDIR/$TARGET"
} }
deploy() { deploy() {
@ -27,4 +32,4 @@ check_update() {
curl --silent -L $URL | grep -o "iproute2-[0-9.]*tar.xz" | \ curl --silent -L $URL | grep -o "iproute2-[0-9.]*tar.xz" | \
sed 's/iproute2-//g' | sed 's/.tar.xz//g' | \ sed 's/iproute2-//g' | sed 's/.tar.xz//g' | \
verson_find_greatest "$VERSION" verson_find_greatest "$VERSION"
} }

View file

@ -12,7 +12,12 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
export PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \
PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
make CC="${TARGET}-gcc" PKG_CONFIG="${TARGET}-pkg-config" PREFIX= \ make CC="${TARGET}-gcc" PKG_CONFIG="${TARGET}-pkg-config" PREFIX= \
SBINDIR=/bin DESTDIR="$2" -j $NUMJOBS SBINDIR=/bin DESTDIR="$2" -j $NUMJOBS
} }

View file

@ -10,6 +10,10 @@ prepare() {
} }
build() { build() {
local cflags="-fPIE -fPIC -fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
CFLAGS="$cflags" LDFLAGS="$ldflags" \
CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET" CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET"
CROSS_COMPILE="${TARGET}-" make -j $NUMJOBS CROSS_COMPILE="${TARGET}-" make -j $NUMJOBS
} }

View file

@ -12,6 +12,9 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
./configure --prefix="" --sbin-path=/bin/nginx \ ./configure --prefix="" --sbin-path=/bin/nginx \
--modules-path=/lib/nginx \ --modules-path=/lib/nginx \
--conf-path=/etc/nginx/nginx.conf \ --conf-path=/etc/nginx/nginx.conf \
@ -23,6 +26,7 @@ build() {
--crossbuild=${TARGET} \ --crossbuild=${TARGET} \
--with-cc=${TCDIR}/bin/${TARGET}-gcc \ --with-cc=${TCDIR}/bin/${TARGET}-gcc \
--with-cpp=${TCDIR}/bin/${TARGET}-cpp \ --with-cpp=${TCDIR}/bin/${TARGET}-cpp \
--with-cc-opt="$cflags" --with-ld-opt="$ldflags" \
--with-poll_module --without-select_module \ --with-poll_module --without-select_module \
--with-threads --with-http_ssl_module \ --with-threads --with-http_ssl_module \
--with-http_sub_module --with-http_gunzip_module \ --with-http_sub_module --with-http_gunzip_module \

View file

@ -10,9 +10,13 @@ prepare() {
} }
build() { build() {
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
$1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \ $1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \
--openssldir=/etc/ssl --libdir=/lib \ --openssldir=/etc/ssl --libdir=/lib \
-DOPENSSL_NO_HEARTBEATS \ CFLAGS="-DOPENSSL_NO_HEARTBEATS $cflags" \
LDFLAGS="$ldflags" \
threads shared zlib-dynamic no-async $OPENSSL_TARGET threads shared zlib-dynamic no-async $OPENSSL_TARGET
make -j 1 make -j 1
@ -33,4 +37,4 @@ check_update() {
sed 's/>openssl-//g' | sed 's/.tar.gz<//g' | \ sed 's/>openssl-//g' | sed 's/.tar.gz<//g' | \
sed 's/\([[:lower:]]\)/.\1/g' | \ sed 's/\([[:lower:]]\)/.\1/g' | \
verson_find_greatest "$version" verson_find_greatest "$version"
} }

View file

@ -10,6 +10,10 @@ prepare() {
} }
build() { build() {
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
CFLAGS="$cflags" LDFLAGS="$ldflags" \
cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \ cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \
-DCMAKE_INSTALL_PREFIX="" "$1" -DCMAKE_INSTALL_PREFIX="" "$1"
@ -28,4 +32,4 @@ check_update() {
curl --silent -L "$URL" | grep -o "xz-[0-9.]*tar.xz" | \ curl --silent -L "$URL" | grep -o "xz-[0-9.]*tar.xz" | \
sed 's/zlib-//g' | sed 's/.tar.xz//g' | \ sed 's/zlib-//g' | sed 's/.tar.xz//g' | \
verson_find_greatest "$VERSION" verson_find_greatest "$VERSION"
} }