Initial commit

Author: PaulGrandperrin

build.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -xe
+
+mkdir -p sources
+cd sources
+apt source $1
+cd ..
+
+cowbuilder build --configfile pbuilderrc sources/*.dsc
+
+rm -rf sources
+

hooks/D65force-use-llvm-clang

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -xe
+
+apt-get install -y "${APTGETOPT[@]}" clang-8 lld-8 llvm-8-dev
+
+ln -sf /usr/bin/clang-8        /usr/bin/clang
+ln -sf /usr/bin/clang++-8      /usr/bin/clang++
+ln -sf /usr/bin/clang-cpp-8    /usr/bin/clang-cpp
+ln -sf /usr/bin/lld-8          /usr/bin/lld
+
+ln -sf /usr/bin/clang          /usr/bin/cc
+ln -sf /usr/bin/clang          /usr/bin/gcc
+ln -sf /usr/bin/clang          /usr/bin/x86_64-linux-gnu-gcc
+ln -sf /usr/bin/clang++        /usr/bin/c++
+ln -sf /usr/bin/clang++        /usr/bin/g++
+ln -sf /usr/bin/clang++        /usr/bin/x86_64-linux-gnu-g++
+ln -sf /usr/bin/clang-cpp      /usr/bin/cpp
+ln -sf /usr/bin/clang-cpp      /usr/bin/x86_64-linux-gnu-cpp
+
+ln -sf /usr/bin/lld            /usr/bin/ld
+ln -sf /usr/bin/lld            /usr/bin/x86_64-linux-gnu-ld
+
+ln -sf /usr/bin/llvm-ranlib-8  /usr/bin/ranlib
+ln -sf /usr/bin/llvm-objcopy-8 /usr/bin/objcopy
+ln -sf /usr/bin/llvm-objcopy-8 /usr/bin/strip
+ln -sf /usr/bin/llvm-nm-8      /usr/bin/nm
+ln -sf /usr/bin/llvm-objdump-8 /usr/bin/objdump
+ln -sf /usr/bin/llvm-as-8      /usr/bin/as
+
+exit 0

hooks/D80no-man-db-rebuild

@@ -0,0 +1,7 @@
+#!/bin/sh
+# Don't rebuild man-db
+
+echo "I: Preseed man-db/auto-update to false"
+debconf-set-selections <<EOF
+man-db man-db/auto-update boolean false
+EOF

init.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -xe
+
+. ./pbuilderrc
+mkdir -p $APTCACHE
+mkdir -p $BUILDPLACE
+mkdir -p $BASEPATH
+cowbuilder create --configfile pbuilderrc
+

pbuilderrc

@@ -0,0 +1,62 @@
+# pbuilder specific vars 
+DISTRIBUTION=buster
+BUILDRESULT=debs
+BUILDPLACE=builder/build
+BASEPATH=builder/base.cow 
+APTCACHE="$(pwd)/builder/aptcache"
+MIRRORSITE=http://deb.debian.org/debian/
+OTHERMIRROR="deb http://security.debian.org/ buster/updates main|deb http://deb.debian.org/debian buster-updates main|deb http://http.debian.net/debian buster-backports main"
+HOOKDIR=hooks
+EATMYDATA=yes
+DEBBUILDOPTS="--build=binary" # Builds the architecture specific binary packages
+EXTRAPACKAGES="clang-8 lld-8 llvm-8-dev"
+#APTCONFDIR=""
+#NO_COWDANCER_UPDATE=1 
+#DEBOOTSTRAPOPTS="" 
+
+# pbuilder undocumented vars...
+BIN_NMU=yes
+BINNMU_MESSAGE="rebuild with clang and hardening options"
+BINNMU_MAINTAINER="Paul Grandperrin <[email protected]>"
+BINNMU_VERSION="hardened1"
+#BINARY_ARCH=binary
+
+# dpkg-buildpackage specific vars
+#export DEB_VENDOR ?
+export DEB_BUILD_PROFILES="nocheck nodoc noudeb nobiarch"
+export DEB_BUILD_OPTIONS="nocheck nodoc hardening=+all"
+
+# Toolchain selection
+export CC=clang
+export CPP=clang-cpp
+export CXX=clang++
+export LD=lld
+
+# Toolchain flags
+FLAGS="$FLAGS -flto -fPIE -fPIC -pie"
+
+# Safe Stack
+FLAGS="$FLAGS -fsanitize=safe-stack"
+
+# CFI
+#FLAGS="$FLAGS -fvisibility=hidden" # if it fails, use default
+FLAGS="$FLAGS -fvisibility=default"
+FLAGS="$FLAGS -fsanitize=cfi-cast-strict"
+FLAGS="$FLAGS -fsanitize=cfi-derived-cast"
+FLAGS="$FLAGS -fsanitize=cfi-unrelated-cast"
+FLAGS="$FLAGS -fsanitize=cfi-nvcall"
+FLAGS="$FLAGS -fsanitize=cfi-vcall"
+FLAGS="$FLAGS -fsanitize=cfi-icall" # if it fails, try with -fsanitize-cfi-icall-generalize-pointers (incompat with cross-dso) and -fno-sanitize-cfi-canonical-jump-tables or replace with -fsanitize=function (slower, included in -fsanitize=undefined)
+FLAGS="$FLAGS -fsanitize=cfi-mfcall"
+
+# UBSAN
+FLAGS="$FLAGS -fsanitize-trap=integer"
+FLAGS="$FLAGS -fsanitize-trap=nullability"
+FLAGS="$FLAGS -fsanitize-trap=function"
+FLAGS="$FLAGS -fsanitize-trap=bounds"
+FLAGS="$FLAGS -fsanitize-trap=pointer-overflow"
+
+# customize dpkg-buildflags
+export DEB_CFLAGS_APPEND="$FLAGS"
+export DEB_CXXFLAGS_APPEND="$FLAGS"
+export DEB_LDFLAGS_APPEND="$FLAGS"