Hi Moritz,

On 08.04.2012 22:10, Moritz Muehlenhoff wrote:
> Hi,
> I'm working on hardened build flags for Squeeze and I'm looking into
> how to pass hardened build flags to Apache modules.

Perhaps we should add hardening flags to config_vars.mk which is where
apxs gets defaults from. However, sadly both apr-config and apxs
apparently completely ignore any override. We should address that for
Wheezy but we probably need to patch upstream's apxs to achieve that. I
can see how there are use cases to override linking flags at build time.

> The CFLAGS stuff is handled correctly. However for LDFLAGS, this
> results in the following error:

Yes. If you look at the apxs source, you will see:

    # create link command
    ...
    my $apr_ldflags=`$apr_config --ldflags`;
    chomp($apr_ldflags);
    $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
    ...
    push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC -o $dso_file $opt $lo");

i.e. it reads linking flags from apr-config only, no way to override
that, it does not even use shell override. You can override PREFIX,
TARGET, SYSCONFDIR, CFLAGS, INCLUDEDIR, CC, LIBEXECDIR and SBINDIR only.

I consider that a bug and I will see to patch that for the upcoming 2.4
package. This does not help you for Squeeze though.

Generally speaking I am not sure whether it makes sense to inject
hardening flags per package individually. Maybe we should tweak apxs to
use hardening flags by default instead. What do you think? We build
Apache with hardening flags already, it wouldn't be much of a problem to
provide the very same hardening flags used for the Apache package to
modules built with apxs later.

The only problem is that apxs makes it difficult to remove a flag from
the defaults once provided as a default. Thus we should make sure they
do not cause any problem to any module.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
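Added example, not part of the original message and not apxs code: because the link command above takes its flags from apr-config only, a module can end up linked without the hardening LDFLAGS even when CFLAGS were applied, so it is worth checking the built .so. This sketch assumes the hardening link flags in question are `-z relro` and optionally `-z now` (the message does not name them) and classifies `readelf -lW` / `readelf -dW` output; the sample excerpts are constructed.

```python
import re
import subprocess
import sys

# Constructed readelf excerpts for illustration (not from a real module).
HEADERS_RELRO = """\
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000a5c 0x000a5c R E 0x200000
  GNU_RELRO      0x000e10 0x0000000000200e10 0x0000000000200e10 0x0001f0 0x0001f0 R   0x1
"""
HEADERS_PLAIN = """\
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000a5c 0x000a5c R E 0x200000
"""
DYNAMIC_LAZY = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
DYNAMIC_NOW = DYNAMIC_LAZY + """\
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
"""


def relro_level(program_headers, dynamic_section):
    """Return 'none', 'partial' or 'full' from readelf -lW / -dW text."""
    has_relro = re.search(r"^\s*GNU_RELRO\b", program_headers, re.M) is not None
    bind_now = False
    for line in dynamic_section.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+\s+\((\w+)\)\s*(.*)", line)
        if not m:
            continue
        tag, value = m.groups()
        words = value.replace("Flags:", "").split()
        if tag == "BIND_NOW" or (tag == "FLAGS" and "BIND_NOW" in words) \
                or (tag == "FLAGS_1" and "NOW" in words):
            bind_now = True
    if not has_relro:
        return "none"  # linked without -z relro
    return "full" if bind_now else "partial"


def check_module(path):
    """Run readelf on a built module and classify it."""
    def run(opt):
        return subprocess.run(["readelf", opt, path], check=True,
                              capture_output=True, text=True).stdout
    return relro_level(run("-lW"), run("-dW"))


if __name__ == "__main__":
    for so in sys.argv[1:]:
        print(so, check_module(so))
```

Run it against the module files a package installs; a result of `none` means the hardening link flags did not reach the link step.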