From 857201b76b03845c282f393e47ef76a5b6835d10 Mon Sep 17 00:00:00 2001 From: Shinwell Hu Date: Mon, 19 Jul 2021 13:44:59 +0000 Subject: [PATCH] reorg everything --- gcc_secure.spec | 178 ++++++++--------------------------- openeuler_c++_secure_wrapper | 28 ++++++ openeuler_g++_secure_wrapper | 32 +++++++ openeuler_gcc_secure.opt.fs | 1 + openeuler_gcc_secure.opt.ld | 1 + openeuler_gcc_secure.opt.pie | 1 + openeuler_gcc_secure_wrapper | 38 ++++++++ 7 files changed, 139 insertions(+), 140 deletions(-) create mode 100755 openeuler_c++_secure_wrapper create mode 100755 openeuler_g++_secure_wrapper create mode 100644 openeuler_gcc_secure.opt.fs create mode 100644 openeuler_gcc_secure.opt.ld create mode 100644 openeuler_gcc_secure.opt.pie create mode 100755 openeuler_gcc_secure_wrapper diff --git a/gcc_secure.spec b/gcc_secure.spec index d476c27..608911f 100644 --- a/gcc_secure.spec +++ b/gcc_secure.spec 
@@ -1,169 +1,64 @@ Name: gcc_secure -Summary: Build with gcov +Summary: Enforcing secure compile options for abuild License: GPL -Group: System/Management -Version: 1.0 -Release: 0.8 +Group: Development/Tools +Version: 2.0 +Release: 1 BuildRoot: %{_tmppath}/%{name}-%{version} -#Source: %{name}-%{version}.tar.bz2 +BuildArch: noarch + +Source0: openeuler_gcc_secure_wrapper +Source1: openeuler_g++_secure_wrapper +Source2: openeuler_c++_secure_wrapper +Source3: openeuler_gcc_secure.opt.fs +Source4: openeuler_gcc_secure.opt.pie +Source5: openeuler_gcc_secure.opt.ld BuildRequires: util-linux coreutils -BuildRequires: -custom_build_tool-nocheck -BuildRequires: -obs-env -BuildRequires: -gcc_secure -BuildRequires: -custom_build_tool-sign -BuildRequires: -bep-env +#BuildRequires: -custom_build_tool-nocheck +#BuildRequires: -obs-env +#BuildRequires: -gcc_secure +#BuildRequires: -custom_build_tool-sign +#BuildRequires: -bep-env -Requires: util-linux rpm grep binutils gcc coreutils rpm-build +Requires: util-linux rpm grep binutils gcc coreutils rpm-build chkconfig #expect grep sudo kernel-default kernel-default-base openssh %description -Build with gcov +Enforcing secure compile options for abuild %prep #%setup -cT %install -mkdir -p %{buildroot}/opt/needgcov +mkdir -p %{buildroot}/usr/bin/ +install -m755 %{SOURCE0} %{buildroot}/usr/bin/ +install -m755 %{SOURCE1} %{buildroot}/usr/bin/ +install -m755 %{SOURCE2} %{buildroot}/usr/bin/ +mkdir -p %{buildroot}/usr/share/gcc_secure +install -m644 %{SOURCE3} %{buildroot}/usr/share/gcc_secure +install -m644 %{SOURCE4} %{buildroot}/usr/share/gcc_secure +install -m644 %{SOURCE5} %{buildroot}/usr/share/gcc_secure %pre %post -echo -e '*cc1_options:\n+ %{!D__KERNEL__:%{!nostdlib:%{!nodefaultlibs:%{!fno-stack-protector:%{!fstack-protector-all:-fstack-protector-strong}}}}}' >/tmp/gcc-specs-fs-cc1 - -echo -e '*cc1_options:\n+ 
%{!r:%{!D__KERNEL__:%{!pie:%{!fpic:%{!fPIC:%{!fpie:%{!fPIE:%{!fno-pic:%{!fno-PIC:%{!fno-pie:%{!fno-PIE:%{!shared:%{!static:%{!nostdlib:%{!nostartfiles:-fPIE}}}}}}}}}}}}}}}' >/tmp/gcc-specs-pie-cc1 - -echo -e '*self_spec:\n+ %{!D__KERNEL__:%{!pie:%{!A:%{!fno-pie:%{!fno-PIE:%{!fno-pic:%{!fno-PIC:%{!shared:%{!static:%{!r:%{!nostdlib:%{!nostartfiles:-pie}}}}}}}}}}}}' >/tmp/gcc-specs-pie-ld - -old_gcc=/usr/bin/gcc -mv $old_gcc $old_gcc"_old" -cat < $old_gcc -#!/bin/sh -gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\` -if ! cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then - sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -fsigned-char' - fs_opt='' - - if [[ "\$@" =~ "-O0" ]]; then - #openjdk set O0 can not use FS - sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\` - fi - - if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then - configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure - else - configfile=/root/rpmbuild/SOURCES/config_for_secure - fi - - if [ -f \$configfile ]; then - rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\` - sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\` - fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\` - fi - - if [[ x\$rpm_name = "xnumactl" ]] && [[ "\$@" =~ "-march=x86-64" ]];then - #numactl i686 use asm can't add -fPIC - sec_opt=\`echo \$sec_opt | sed 's/-fPIC / /'\` - fi - - if [[ x\$rpm_name = "xglibc" ]] || [[ x\$rpm_name = "xcompat-glibc" ]];then - #glibc supply fs define, can not add fs for glibc self - /usr/bin/gcc_old \$sec_opt "\$@" \$fs_opt --specs=/tmp/gcc-specs-pie-cc1 --specs=/tmp/gcc-specs-pie-ld - else - /usr/bin/gcc_old \$sec_opt "\$@" \$fs_opt --specs=/tmp/gcc-specs-pie-cc1 --specs=/tmp/gcc-specs-pie-ld --specs=/tmp/gcc-specs-fs-cc1 - fi - -else - $old_gcc"_old" "\$@" -fi -END1 -chmod 755 $old_gcc $old_gcc"_old" - -old_gplus=/usr/bin/g++ -if [ -f $old_gplus ]; then -mv $old_gplus 
$old_gplus"_old" -cat < $old_gplus -#!/bin/sh -gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\` -if ! cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then - sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines' - fs_opt='' - - if [[ "\$@" =~ "-O0" ]]; then - #openjdk set O0 can not use FS - sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\` - fi - - if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then - configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure_g++ - else - configfile=/root/rpmbuild/SOURCES/config_for_secure_g++ - fi - - if [ -f \$configfile ]; then - rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\` - sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\` - fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\` - fi - - if [[ x"\$@" = "x-v" ]];then - #libtool use g++ -v for test compile env,if add Wl opt, it will make g++ -v fail - $old_gplus"_old" "\$@" - else - /usr/bin/g++_old \$sec_opt "\$@" \$fs_opt --specs=/tmp/gcc-specs-pie-cc1 --specs=/tmp/gcc-specs-pie-ld --specs=/tmp/gcc-specs-fs-cc1 - fi -else - $old_gplus"_old" "\$@" -fi -END1 -chmod 755 $old_gplus $old_gplus"_old" -fi - -old_cpp=/usr/bin/c++ -if [ -f $old_cpp ]; then -mv $old_cpp $old_cpp"_old" -cat < $old_cpp -#!/bin/sh -gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\` -if ! 
cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then - sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines' - fs_opt='' - - if [[ "\$@" =~ "-O0" ]]; then - #openjdk set O0 can not use FS - sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\` - fi - - if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then - configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure_c++ - else - configfile=/root/rpmbuild/SOURCES/config_for_secure_c++ - fi - - if [ -f \$configfile ]; then - rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\` - sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\` - fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\` - fi - - /usr/bin/c++_old \$sec_opt "\$@" \$fs_opt --specs=/tmp/gcc-specs-pie-cc1 --specs=/tmp/gcc-specs-pie-ld --specs=/tmp/gcc-specs-fs-cc1 - -else - $old_cpp"_old" "\$@" -fi -END1 -chmod 755 $old_cpp $old_cpp"_old" -fi +/usr/sbin/alternatives --install /usr/bin/gcc gcc /usr/bin/openeuler_gcc_secure_wrapper 1 +/usr/sbin/alternatives --install /usr/bin/g++ g++ /usr/bin/openeuler_g++_secure_wrapper 1 +/usr/sbin/alternatives --install /usr/bin/c++ c++ /usr/bin/openeuler_c++_secure_wrapper 1 %preun %postun +/usr/sbin/alternatives --remove gcc /usr/bin/openeuler_gcc_secure_wrapper +/usr/sbin/alternatives --remove g++ /usr/bin/openeuler_g++_secure_wrapper +/usr/sbin/alternatives --remove c++ /usr/bin/openeuler_c++_secure_wrapper %files %defattr(-,root,root) -%dir /opt/needgcov - +/usr/bin/* +/usr/share/gcc_secure/ %clean @@ -172,6 +67,9 @@ rm -rf %{_tmppath}/%{name}-%{version} rm -rf $RPM_BUILD_DIR/%{name}-%{version} %changelog +* Mon Jul 19 2021 Shinwell Hu - 2.0 +- Re-org gcc_secure + * Mon Jul 12 2021 shenyangyang - 1.0-0.8 - Type:enhancement - ID:NA diff --git a/openeuler_c++_secure_wrapper b/openeuler_c++_secure_wrapper new file mode 100755 index 0000000..40298b4 --- /dev/null +++ b/openeuler_c++_secure_wrapper 
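Review bot: `%postun` runs `alternatives --remove` for gcc, g++ and c++ unconditionally, so on an upgrade it executes after the new version's `%post` and strips the alternative that was just registered; guard it with `if [ $1 -eq 0 ]; then … fi` so only a real erase removes the links. The three wrappers installed here dispatch to `/usr/bin/gcc_normal`, `/usr/bin/g++_normal` and `/usr/bin/c++_normal`, but nothing in this commit creates those names, while `alternatives --install /usr/bin/gcc gcc …` points `/usr/bin/gcc` at the wrapper. Unless the compiler package ships the `_normal` binaries, every compile after `%post` ends in the wrapper with no real compiler behind it; if another package does provide them, a `Requires:` on it would make that dependency explicit.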
@@ -0,0 +1,28 @@
+#!/bin/sh
+gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\`
+if ! cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then
+ sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines'
+ fs_opt=''
+
+ if [[ "\$@" =~ "-O0" ]]; then
+ #openjdk set O0 can not use FS
+ sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\`
+ fi
+
+ if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then
+ configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure_c++
+ else
+ configfile=/root/rpmbuild/SOURCES/config_for_secure_c++
+ fi
+
+ if [ -f \$configfile ]; then
+ rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\`
+ sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\`
+ fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\`
+ fi
+
+ /usr/bin/c++_normal \$sec_opt "\$@" \$fs_opt --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.pie --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.ld --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.fs
+
+else
+ /usr/bin/c++_normal "\$@"
+fi
diff --git a/openeuler_g++_secure_wrapper b/openeuler_g++_secure_wrapper
new file mode 100755
index 0000000..fb2cd01
--- /dev/null
+++ b/openeuler_g++_secure_wrapper
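Review bot: The backslash escapes from the old heredoc survived the move into a standalone file, so in `` gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\` `` the variable receives the literal text rather than the command's output, `\$configfile`, `\$sec_opt` and `\$fs_opt` are literal strings, and `"\$@"` hands the compiler the two-character argument `$@` instead of the caller's arguments, so the wrapper cannot compile anything as written. Drop every backslash before `` ` `` and `$`, e.g. `` gcc_secure_exclude=`rpm --eval %{gcc_secure_exclude}` `` and `/usr/bin/c++_normal "$@"`; with the backslashes gone `rpm --eval` still expands the macro at run time, so nothing else changes. openeuler_g++_secure_wrapper and openeuler_gcc_secure_wrapper carry the same escapes. Separately, `#!/bin/sh` together with `[[ … =~ … ]]` and `&>/dev/null` only works where sh happens to be bash; `#!/bin/bash` states the real requirement.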
@@ -0,0 +1,32 @@
+#!/bin/sh
+gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\`
+if ! cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then
+ sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines'
+ fs_opt=''
+
+ if [[ "\$@" =~ "-O0" ]]; then
+ #openjdk set O0 can not use FS
+ sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\`
+ fi
+
+ if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then
+ configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure_g++
+ else
+ configfile=/root/rpmbuild/SOURCES/config_for_secure_g++
+ fi
+
+ if [ -f \$configfile ]; then
+ rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\`
+ sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\`
+ fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\`
+ fi
+
+ if [[ x"\$@" = "x-v" ]];then
+ #libtool use g++ -v for test compile env,if add Wl opt, it will make g++ -v fail
+ /usr/bin/g++_normal "\$@"
+ else
+ /usr/bin/g++_normal \$sec_opt "\$@" \$fs_opt --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.pie --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.ld --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.fs
+ fi
+else
+ /usr/bin/g++_normal "\$@"
+fi
diff --git a/openeuler_gcc_secure.opt.fs b/openeuler_gcc_secure.opt.fs
new file mode 100644
index 0000000..b1e1653
--- /dev/null
+++ b/openeuler_gcc_secure.opt.fs
@@ -0,0 +1 @@
+*cc1_options:\n+ %{!D__KERNEL__:%{!nostdlib:%{!nodefaultlibs:%{!fno-stack-protector:%{!fstack-protector-all:-fstack-protector-strong}}}}}
diff --git a/openeuler_gcc_secure.opt.ld b/openeuler_gcc_secure.opt.ld
new file mode 100644
index 0000000..6732818
--- /dev/null
+++ b/openeuler_gcc_secure.opt.ld
@@ -0,0 +1 @@
+*self_spec:\n+ %{!D__KERNEL__:%{!pie:%{!A:%{!fno-pie:%{!fno-PIE:%{!fno-pic:%{!fno-PIC:%{!shared:%{!static:%{!r:%{!nostdlib:%{!nostartfiles:-pie}}}}}}}}}}}}
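Review bot: The `if [ -f \$configfile ]` block lets a file in the package's own SOURCES directory replace `sec_opt` and `fs_opt` wholesale, and an existing config file that simply lacks a `sec_opt:` line empties `sec_opt` and drops every hardening flag, with nothing in the build log to show that the defaults were not used. A check that the value is non-empty before accepting it, plus a one-line notice to stderr when the override is taken, e.g. `echo "gcc_secure: using sec_opt/fs_opt from $configfile" >&2`, keeps that decision visible and auditable. `rpm_name` is read here but never consulted in this wrapper; only the gcc wrapper uses it. Both points apply equally to openeuler_c++_secure_wrapper.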
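Review bot: The file's only line is `*cc1_options:\n+ %{…}` with a literal backslash-n: that `\n` was an `echo -e` escape in the old `%post`, and as a plain file it is now two characters in the installed spec, so the `*cc1_options:` header and the `+ …` append body no longer sit on separate lines the way GCC's `--specs` reader expects them. Write the file as two real lines, `*cc1_options:` followed by `+ %{!D__KERNEL__:%{!nostdlib:%{!nodefaultlibs:%{!fno-stack-protector:%{!fstack-protector-all:-fstack-protector-strong}}}}}`. openeuler_gcc_secure.opt.ld and openeuler_gcc_secure.opt.pie carry the same literal `\n`. Compiling a trivial source file with `-v --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.fs` and checking that `-fstack-protector-strong` appears on the cc1 command line would confirm the fix.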
diff --git a/openeuler_gcc_secure.opt.pie b/openeuler_gcc_secure.opt.pie
new file mode 100644
index 0000000..2fdf7dd
--- /dev/null
+++ b/openeuler_gcc_secure.opt.pie
@@ -0,0 +1 @@
+*cc1_options:\n+ %{!r:%{!D__KERNEL__:%{!pie:%{!fpic:%{!fPIC:%{!fpie:%{!fPIE:%{!fno-pic:%{!fno-PIC:%{!fno-pie:%{!fno-PIE:%{!shared:%{!static:%{!nostdlib:%{!nostartfiles:-fPIE}}}}}}}}}}}}}}}'
diff --git a/openeuler_gcc_secure_wrapper b/openeuler_gcc_secure_wrapper
new file mode 100755
index 0000000..f7327f1
--- /dev/null
+++ b/openeuler_gcc_secure_wrapper
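Review bot: The line ends in a stray `'` after the closing braces, `-fPIE}}}}}}}}}}}}}}}'`, left over from the closing quote of the old `echo -e '…'` command, and it is now part of the spec text GCC will parse as the `-fPIE` option. Remove the trailing quote so the line ends with the last `}`.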
@@ -0,0 +1,38 @@
+#!/bin/sh
+gcc_secure_exclude=\`rpm --eval %{gcc_secure_exclude}\`
+if ! cat /.build.command | egrep "\$gcc_secure_exclude" &>/dev/null; then
+ sec_opt='-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -fsigned-char'
+ fs_opt=''
+
+ if [[ "\$@" =~ "-O0" ]]; then
+ #openjdk set O0 can not use FS
+ sec_opt=\`echo \$sec_opt | sed 's/ -D_FORTIFY_SOURCE=2 -O2 / /'\`
+ fi
+
+ if [ -d '/home/abuild/rpmbuild/SOURCES' ]; then
+ configfile=/home/abuild/rpmbuild/SOURCES/config_for_secure
+ else
+ configfile=/root/rpmbuild/SOURCES/config_for_secure
+ fi
+
+ if [ -f \$configfile ]; then
+ rpm_name=\`cat \$configfile| grep rpm_name| awk -F: '{print \$NF}'\`
+ sec_opt=\`cat \$configfile| grep sec_opt| awk -F: '{print \$NF}'\`
+ fs_opt=\`cat \$configfile| grep fs_opt| awk -F: '{print \$NF}'\`
+ fi
+
+ if [[ x\$rpm_name = "xnumactl" ]] && [[ "\$@" =~ "-march=x86-64" ]];then
+ #numactl i686 use asm can't add -fPIC
+ sec_opt=\`echo \$sec_opt | sed 's/-fPIC / /'\`
+ fi
+
+ if [[ x\$rpm_name = "xglibc" ]] || [[ x\$rpm_name = "xcompat-glibc" ]];then
+ #glibc supply fs define, can not add fs for glibc self
+ /usr/bin/gcc_normal \$sec_opt "\$@" \$fs_opt --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.pie --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.ld
+ else
+ /usr/bin/gcc_normal \$sec_opt "\$@" \$fs_opt --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.pie --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.ld --specs=/usr/share/gcc_secure/openeuler_gcc_secure.opt.fs
+ fi
+
+else
+ /usr/bin/gcc_normal "\$@"
+fi
-- Gitee
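Review bot: The `-O0` check that strips `-D_FORTIFY_SOURCE=2 -O2` from `sec_opt` runs before the `if [ -f \$configfile ]` block, so when a package supplies its own `sec_opt` in `config_for_secure` the replacement is passed through untouched and the exemption the `#openjdk set O0` comment describes never applies to it; move the `-O0` test below the config-file block, or re-apply the strip after it. The same ordering is in openeuler_g++_secure_wrapper and openeuler_c++_secure_wrapper. Only this wrapper adds `-fsigned-char` to the default list while the g++ and c++ wrappers do not, so C and C++ objects of one package can disagree on the signedness of plain `char` on targets where it is unsigned by default; if that is deliberate a comment saying why would help, otherwise the three lists should match.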