NAME

blhc - build log hardening check, checks build logs for missing hardening flags

SYNOPSIS

blhc [options] <dpkg-buildpackage build log file>..

DESCRIPTION

blhc is a small tool which checks build logs for missing hardening flags. It's licensed under the GPL 3 or later.

It's designed to check build logs generated by Debian's dpkg-buildpackage (or tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the official buildd build logs)) to help maintainers detect missing hardening flags in their packages.

Only gcc is detected as compiler at the moment. If other compilers support hardening flags as well, please report them.

If there's no output, no flags are missing and the build log is fine.

See README for details about performed checks, auto-detection and limitations.

FALSE POSITIVES

To suppress false positives you can embed the following string in the build log:

    blhc: ignore-line-regexp: REGEXP

All lines fully matching REGEXP (see --ignore-line for details) will be ignored. The string can be embedded multiple times to ignore different regexps.

Please use this feature sparingly so that missing flags are not overlooked. If you find false positives which affect more packages please report a bug.

To generate this string simply use echo in "debian/rules"; make sure to use @ to suppress the echo command itself as it could also trigger a false positive. If the build process takes a long time edit the ".build" file in place and tweak the ignore string until blhc --all --debian package.build no longer reports any false positives.

OPTIONS

--all: Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected.
--arch architecture: Set the specific architecture (e.g. amd64, armel, etc.), automatically disables hardening flags not available on this architecture. Is detected automatically if dpkg-buildpackage is used.
--bindnow: Force check for all +bindnow hardening flags. By default it's auto detected.
--buildd: Special mode for buildds when automatically parsing log files. The following changes are in effect:

Print tags instead of normal warnings, see "BUILDD TAGS" for a list of possible tags.
Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is detected).
Don't require Term::ANSIColor.
Return exit code 0, unless there was a error (-I, -W messages don't count as error).

--debian

Apply Debian-specific settings. At the moment this only disables checking for PIE which is automatically applied by Debian's GCC and no longer requires a compiler command line argument.

--color

Use colored (ANSI) output for warning messages.

--line-numbers

Display line numbers.

--ignore-arch arch

Ignore build logs from architectures matching arch. arch is a string.

Used to prevent false positives. This option can be specified multiple times.

--ignore-arch-flag arch:flag

Like --ignore-flag, but only ignore flag on arch.

--ignore-arch-line arch:line

Like --ignore-line, but only ignore line on arch.

--ignore-flag flag

Don't print an error when the specific flag is missing in a compiler line. flag is a string.

Used to prevent false positives. This option can be specified multiple times.

--ignore-line regex

Ignore lines matching the given Perl regex. regex is automatically anchored at the beginning and end of the line to prevent false negatives.

NOTE: Not the input lines are checked, but the lines which are displayed in warnings (which have line continuation resolved).

Used to prevent false positives. This option can be specified multiple times.

--pie

Force check for all +pie hardening flags. By default it's auto detected.

-h -? --help

Print available options.

--version

Print version number and license.

Auto detection for --pie and --bindnow only works if at least one command uses the required hardening flag (e.g. -fPIE). Then it's required for all other commands as well.

EXAMPLES

Normal usage, parse a single log file.

    blhc path/to/log/file

If there's no output, no flags are missing and the build log is fine.

Parse multiple log files. The exit code is ORed over all files.

    blhc path/to/directory/with/log/files/*

Don't treat missing "-g" as error:

    blhc --ignore-flag -g path/to/log/file

Don't treat missing "-pie" on kfreebsd-amd64 as error:

    blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

Ignore lines consisting exactly of "./script gcc file" which would cause a false positive.

    blhc --ignore-line '\./script gcc file' path/to/log/file

Ignore lines matching "./script gcc file" somewhere in the line.

    blhc --ignore-line '.*\./script gcc file.*' path/to/log/file

Use blhc with pbuilder.

    pbuilder path/to/package.dsc | tee path/log/file
    blhc path/to/file || echo flags missing

Assume this build log was created on a Debian system and thus don't warn about missing PIE flags if the current architecture injects them automatically (this is enabled in buildd mode per default). "--arch" is necessary if the build log contains no architecture information as written by dpkg-buildpackage.

    blhc --debian --all --arch=amd64 path/to/log/file

BUILDD TAGS

The following tags are used in --buildd mode. In braces the additional data which is displayed.

I-hardening-wrapper-used

The package uses hardening-wrapper which intercepts calls to gcc and adds hardening flags. The build log doesn't contain any hardening flags and thus can't be checked by blhc.

W-compiler-flags-hidden (summary of hidden lines)

Build log contains lines which hide the real compiler flags. For example:

    CC test-a.c
    CC test-b.c
    CC test-c.c
    LD test

Most of the time either "export V=1" or "export verbose=1" in debian/rules fixes builds with hidden compiler flags. Sometimes ".SILENT" in a Makefile must be removed. And as last resort the Makefile must be patched to remove the "@"s hiding the real compiler commands.

W-dpkg-buildflags-missing (summary of missing flags)

CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing.

I-invalid-cmake-used (version)

By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this patch was rejected by upstream and later reverted in Debian. Thus those two versions show correct usage of CPPFLAGS even if the package doesn't correctly handle them (for example by passing them to CFLAGS). To prevent false negatives just blacklist those two versions.

I-no-compiler-commands

No compiler commands were detected. Either the log contains none or they were not correctly detected by blhc (please report the bug in this case).

EXIT STATUS

The exit status is a "bit mask", each listed status is ORed when the error condition occurs to get the result.

0: Success.
1: No compiler commands were found.
2: Invalid arguments/options given to blhc.
4: Non verbose build.
8: Missing hardening flags.
16: Hardening wrapper detected, no tests performed.
32: Invalid CMake version used. See I-invalid-cmake-used under "BUILDD TAGS" for a detailed explanation.

AUTHOR

Simon Ruderich, <simon@ruderich.org>

Thanks to to Bernhard R. Link <brlink@debian.org> and Jaria Alto <jari.aalto@cante.net> for their valuable input and suggestions.

LICENSE AND COPYRIGHT

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.