DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds

To: debian-devel@lists.debian.org
Subject: DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds
From: Theodore Ts'o <tytso@mit.edu>
Date: Sat, 21 May 2016 13:32:19 -0400
Message-id: <[🔎] 20160521173219.GA10399@thunk.org>

If the pie hardening option is enabled, then dpkg-buildflags --get
LDFLAGS emits:

	-fPIE -pie -Wl,-z,relro

According to the dpkg-buildflags man page:

       LDFLAGS
              Options passed to  the  compiler  when  linking  executables  or
              shared objects

Unfortunate the linker will blow up if -fPIE is specified:

(cd elfshared; gcc --shared -o libcom_err.so.2.1 \
	-L../../../lib -fPIE -pie -Wl,-z,relro \
	-Wl,-soname,libcom_err.so.2 error_message.o et_name.o init_et.o com_err.o com_right.o -lpthread)
/usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/Scrt1.o: In function `_start':
(.text+0x20): undefined reference to `main'
collect2: error: ld returned 1 exit status

Should I file a bug against dpkg-buildflags?  Or the
hardening-includes package?  What is the suggested workaround if you
have a package that has both executables and shared libraries, and you
want to enable pie hardening for the executables?

Thanks,

					- Ted

Reply to:

Follow-Ups:
- Re: DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds
  - From: Andrey Rahmatullin <wrar@debian.org>
- Re: DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds
  - From: Christian Kastner <ckk@debian.org>
- Re: DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: Empty Contents and Packages files in http://deb.debian.org/debian-debug?
Next by Date: tools to share binary attachments
Previous by thread: Bug#824919: ITP: eja -- a micro web server for static and dynamic Lua generated content
Next by thread: Re: DEB_BUILD_MAINT_OPTIONS=hardening=+pie breaks shared library builds
Index(es):
- Date
- Thread