3 files changed, 116 insertions, 12 deletions
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 2d07794..fcf5b1e 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -79,7 +79,7 @@ sub run_hook {
 	}
     } elsif ($hook eq 'update-buildflags') {
         $self->set_build_features(@params);
-        $self->_add_build_flags(@params);
+        $self->add_build_flags(@params);
     } elsif ($hook eq 'builtin-system-build-paths') {
         return qw(/build/);
     } elsif ($hook eq 'build-tainted-by') {
@@ -113,7 +113,8 @@ sub set_build_features {
             # XXX: This is set to undef so that we can handle the alias from
             # the future feature area.
             lfs => undef,
-            time64 => 0,
+            # XXX: This is set to undef to handle mask on the default setting.
+            time64 => undef,
         },
         qa => {
             bug => 0,
@@ -270,9 +271,36 @@ sub set_build_features {
 
     ## Area: abi
 
+    if (any { $arch eq $_ } qw(hurd-i386 kfreebsd-i386)) {
+        # Mask time64 on hurd-i386 and kfreebsd-i386, as their kernel lacks
+        # support for that arch and it will not be implemented.
+        $use_feature{abi}{time64} = 0;
+    } elsif (not defined $use_feature{abi}{time64}) {
+        # If the user has not requested a specific setting, by default only
+        # enable time64 everywhere except for i386, where we preserve it for
+        # binary backwards compatibility.
+        if ($arch eq 'i386') {
+            $use_feature{abi}{time64} = 0;
+        } else {
+            $use_feature{abi}{time64} = 1;
+        }
+    }
+
+    # In Debian gcc enables time64 (and lfs) for the following architectures
+    # by injecting pre-processor flags, though the libc ABI has not changed.
+    if (any { $arch eq $_ } qw(armel armhf hppa m68k mips mipsel powerpc sh4)) {
+        $flags->set_option_value('cc-abi-time64', 1);
+    } else {
+        $flags->set_option_value('cc-abi-time64', 0);
+    }
+
     if ($use_feature{abi}{time64} && ! $builtin_feature{abi}{time64}) {
         # On glibc 64-bit time_t support requires LFS.
         $use_feature{abi}{lfs} = 1 if $libc eq 'gnu';
+
+        # Require -Werror=implicit-function-declaration, to avoid linking
+        # against the wrong symbol.
+        $use_feature{qa}{'bug-implicit-func'} = 1;
     }
 
     # XXX: Handle lfs alias from future abi feature area.
@@ -392,7 +420,7 @@ sub set_build_features {
     }
 }
 
-sub _add_build_flags {
+sub add_build_flags {
     my ($self, $flags) = @_;
 
     ## Global default flags
@@ -425,13 +453,22 @@ sub _add_build_flags {
     ## Area: abi
 
     my %abi_builtins = $flags->get_builtins('abi');
+    my $cc_abi_time64 = $flags->get_option_value('cc-abi-time64');
+
     if ($flags->use_feature('abi', 'lfs') && ! $abi_builtins{lfs}) {
         $flags->append('CPPFLAGS',
                        '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64');
+    } elsif (! $flags->use_feature('abi', 'lfs') &&
+             ! $abi_builtins{lfs} && $cc_abi_time64) {
+        $flags->append('CPPFLAGS',
+                       '-U_LARGEFILE_SOURCE -U_FILE_OFFSET_BITS');
     }
 
     if ($flags->use_feature('abi', 'time64') && ! $abi_builtins{time64}) {
         $flags->append('CPPFLAGS', '-D_TIME_BITS=64');
+    } elsif (! $flags->use_feature('abi', 'time64') &&
+             ! $abi_builtins{time64} && $cc_abi_time64) {
+        $flags->append('CPPFLAGS', '-U_TIME_BITS');
     }
 
     ## Area: qa
@@ -586,7 +623,11 @@ sub _add_build_flags {
         } elsif ($cpu eq 'amd64') {
             $flag = '-fcf-protection';
         }
-        $flags->append($_, $flag) foreach @compile_flags;
+        # The following should always be true on Debian, but it might not
+        # be on derivatives.
+        if (defined $flag) {
+            $flags->append($_, $flag) foreach @compile_flags;
+        }
     }
 }
 
diff --git a/scripts/Dpkg/Vendor/Default.pm b/scripts/Dpkg/Vendor/Default.pm
index fc0e6be..934953f 100644
--- a/scripts/Dpkg/Vendor/Default.pm
+++ b/scripts/Dpkg/Vendor/Default.pm
@@ -218,6 +218,19 @@ sub set_build_features {
     return;
 }
 
+=item $vendor->add_build_flags($flags)
+
+Adds the vendor build flags to the compiler flag variables based on the
+vendor defaults and previously set build features.
+
+=cut
+
+sub add_build_flags {
+    my ($self, $flags) = @_;
+
+    return;
+}
+
 =back
 
 =head1 CHANGES
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index b50da37..f907fa9 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -95,14 +95,6 @@ sub run_hook {
         if (scalar(@$bugs)) {
             $fields->{'Launchpad-Bugs-Fixed'} = join(' ', @$bugs);
         }
-    } elsif ($hook eq 'update-buildflags') {
-	my $flags = shift @params;
-
-        # Run the Debian hook to add hardening flags
-        $self->SUPER::run_hook($hook, $flags);
-
-	# Per https://wiki.ubuntu.com/DistCompilerFlags
-        $flags->prepend('LDFLAGS', '-Wl,-Bsymbolic-functions');
     } else {
         return $self->SUPER::run_hook($hook, @params);
     }
@@ -137,6 +129,64 @@ sub set_build_features {
     $flags->set_option_value('fortify-level', 3);
 }
 
+sub add_build_flags {
+    my ($self, $flags) = @_;
+
+    my @compile_flags = qw(
+        CFLAGS
+        CXXFLAGS
+        OBJCFLAGS
+        OBJCXXFLAGS
+        FFLAGS
+        FCFLAGS
+    );
+
+    $self->SUPER::add_build_flags($flags);
+
+    # Per https://wiki.ubuntu.com/DistCompilerFlags
+    $flags->prepend('LDFLAGS', '-Wl,-Bsymbolic-functions');
+
+    # In Ubuntu these flags are set by the compiler, so when disabling the
+    # features we need to pass appropriate flags to disable them.
+    if (!$flags->use_feature('hardening', 'stackprotectorstrong') &&
+        !$flags->use_feature('hardening', 'stackprotector')) {
+        my $flag = '-fno-stack-protector';
+        $flags->append($_, $flag) foreach @compile_flags;
+    }
+
+    if (!$flags->use_feature('hardening', 'stackclash')) {
+        my $flag = '-fno-stack-clash-protection';
+        $flags->append($_, $flag) foreach @compile_flags;
+    }
+
+    if (!$flags->use_feature('hardening', 'fortify')) {
+        $flags->append('CPPFLAGS', '-D_FORTIFY_SOURCE=0');
+    }
+
+    if (!$flags->use_feature('hardening', 'format')) {
+        my $flag = '-Wno-format -Wno-error=format-security';
+        $flags->append('CFLAGS', $flag);
+        $flags->append('CXXFLAGS', $flag);
+        $flags->append('OBJCFLAGS', $flag);
+        $flags->append('OBJCXXFLAGS', $flag);
+     }
+
+     if (!$flags->use_feature('hardening', 'branch')) {
+        my $cpu = $flags->get_option_value('hardening-branch-cpu');
+        my $flag;
+        if ($cpu eq 'arm64') {
+            $flag = '-mbranch-protection=none';
+        } elsif ($cpu eq 'amd64') {
+            $flag = '-fno-cf-protection';
+        }
+        if (defined $flag) {
+            $flags->append($_, $flag) foreach @compile_flags;
+        }
+    }
+
+    return;
+}
+
 =head1 PUBLIC FUNCTIONS
 
 =over