1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
#!/usr/bin/make -f
# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)
include hardening.make
DEFAULT_PIE:=$(DEB_BUILD_HARDENING_PIE)
DEFAULT_STACKPROT:=$(DEB_BUILD_HARDENING_STACKPROTECTOR)
build: build-stamp test
build-stamp:
# Building
dh_testdir
mkdir -p build-tree
install hardened-cc hardened-ld build-tree
# Set defaults, based on OS and CPU
perl -pi -e 's/ #OS#/ '"$(DEB_HOST_ARCH_OS)"'/; s/ #CPU#/ '"$(DEB_HOST_ARCH_CPU)"'/;' build-tree/hardened-cc build-tree/hardened-ld
perl -pi -e "s/default{'DEB_BUILD_HARDENING_PIE'}=1;/default{'DEB_BUILD_HARDENING_PIE'}=$(DEFAULT_PIE);/;" build-tree/hardened-cc build-tree/hardened-ld
perl -pi -e "s/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=1;/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=$(DEFAULT_STACKPROT);/;" build-tree/hardened-cc build-tree/hardened-ld
# Duplicate cc wrapper to c++
cp build-tree/hardened-cc build-tree/hardened-c++
perl -pi -e 's/hardened-cc/hardened-c++/g; s|/usr/bin/cc|/usr/bin/c++|g;' build-tree/hardened-c++
# Set up man pages
ln -sf hardened-cc.1 hardening-wrapper.1
cp hardened-cc.1 hardened-c++.1
perl -pi -e 's/hardened-cc/hardened-c++/g; s/gcc/g++/g;' hardened-c++.1
pod2man hardening-check > hardening-check.1
# Done building
touch build-stamp
clean:
dh_testdir
dh_testroot
rm -f build-stamp test-stamp
rm -rf build-tree
rm -f hardened-c++.1 hardening-wrapper.1 hardening-check.1
dh_clean
test: build-stamp test-stamp
test-stamp:
(cd tests; make check)
# Done testing
touch test-stamp
install: build
dh_testdir
dh_testroot
dh_clean -k
dh_installdirs usr/bin
dh_installdirs -phardening-wrapper -A usr/share/lintian/overrides
install -m644 debian/lintian.overrides debian/hardening-wrapper/usr/share/lintian/overrides/hardening-wrapper
install build-tree/hardened-cc build-tree/hardened-c++ build-tree/hardened-ld debian/hardening-wrapper/usr/bin
# programatically build links (change debian/h-w.{preinst,postrm} too)
for ver in 4.1 4.2 4.3 4.4 4.5; do dh_link -phardening-wrapper \
usr/bin/hardened-cc usr/bin/gcc-$$ver \
usr/bin/hardened-c++ usr/bin/g++-$$ver \
;\
done
dh_link -phardening-wrapper usr/bin/hardened-ld usr/bin/ld.bfd
dh_link -phardening-wrapper usr/bin/hardened-ld usr/bin/ld.gold
install -m644 -D hardening.make debian/hardening-includes/usr/share/hardening-includes/hardening.make
install -m755 -D hardening-check debian/hardening-includes/usr/bin/hardening-check
# Build architecture-dependent files here.
binary-arch: build install
# dh_testversion -a
dh_perl -a
dh_testdir -a
dh_testroot -a
dh_installdocs -a AUTHORS TODO
dh_installexamples -a
dh_installmenu -a
# dh_installinit -a
dh_installcron -a
dh_installman -a
# dh_undocumented -a
dh_installchangelogs -a
dh_strip -a
dh_compress -a
dh_fixperms -a
dh_installdeb -a
dh_shlibdeps -a
dh_gencontrol -a
# dh_makeshlibs -a
dh_md5sums -a
dh_builddeb -a
# Build architecture-independent files here.
binary-indep: build install
dh_testdir -i
dh_testroot -i
dh_installchangelogs -i
dh_installdocs -i
dh_installexamples -i
# dh_installmenu -i
# dh_installdebconf -i
# dh_installlogrotate -i
# dh_installemacsen -i
# dh_installcatalogs -i
# dh_installpam -i
# dh_installmime -i
# dh_installinit -i
# dh_installcron -i
# dh_installinfo -i
# dh_installwm -i
# dh_installudev -i
# dh_lintian -i
# dh_bugfiles -i
# dh_undocumented -i
dh_installman -i
dh_link -i
dh_compress -i
dh_fixperms -i
# dh_perl -i
dh_installdeb -i
dh_gencontrol -i
dh_md5sums -i
dh_builddeb -i
source diff:
@echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary test
|
