
Re: Passing LDFLAGS to Apache modules for hardened build flags



Hi Moritz,

On 08.04.2012 22:10, Moritz Muehlenhoff wrote:
> Hi,
> I'm working on hardened build flags for Squeeze and I'm looking into
> how to pass hardened build flags to Apache modules. 

Perhaps we should add hardening flags to config_vars.mk which is where
apxs gets defaults from. However, sadly both apr-config and apxs
apparently completely ignore any override.

We should address that for Wheezy but we probably need to patch
upstream's apxs to achieve that. I can see how there are use cases to
override linking flags at build time.

> The CFLAGS stuff is handled correctly. However for LDFLAGS, this
> results in the following error:

Yes. If you look at the apxs source, you will see:

    #   create link command
...
        my $apr_ldflags=`$apr_config --ldflags`;
        chomp($apr_ldflags);
        $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
...
    push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC -o $dso_file $opt $lo");

i.e. it reads linking flags from apr-config only, no way to override
that, it does not even use shell override. You can override PREFIX,
TARGET, SYSCONFDIR, CFLAGS, INCLUDEDIR, CC, LIBEXECDIR and SBINDIR only.
I consider that a bug and I will see to patching that for the upcoming 2.4
package. This does not help you for Squeeze though.

Generally speaking I am not sure whether it makes sense to inject
hardening flags per package individually. Maybe we should tweak apxs to
use hardening flags by default instead. What do you think?
We build Apache with hardening flags already, it wouldn't be much of a
problem to provide the very same hardening flags used for the Apache
package to modules built with apxs later.

The only problem is that apxs makes it difficult to remove a flag from
the defaults once provided as a default. Thus we should make sure they
do not cause any problem to any module.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
