hardening for binaries/libraries packages
I'm trying to work with a source package that builds packages that
include both binaries and dynamic libraries.
My question is on how to enable hardening in both of them, but PIE
support only in the binary (since libraries use PIC anyway).
My solution so far is something like this:
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# Make sure the library is built without PIE support (it already uses PIC
# since it is shared library)
nopie = $(shell dpkg-buildflags --get $(1))
build/libunrar0:: CXXFLAGS := -fPIC $(call nopie,CXXFLAGS)
build/libunrar0:: LDFLAGS := -fPIC $(call nopie,LDFLAGS)
This solution has the minor side-effect of requiring "dpkg-dev (>=
1.16.1~)" build-dep since it uses dpkg-buildflags for the hardening.
Is there another more compact way to achieve this?
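The PIE-stripping step in the question above, written out as an added example (not code from the original post or from the libunrar packaging): a small POSIX sh helper that takes a flag string of the kind `dpkg-buildflags --get CXXFLAGS` / `LDFLAGS` prints with `hardening=+all`, drops only the PIE-specific options, and leaves every other hardening flag in place so the library can be built with `-fPIC` instead of `-fPIE`. The sample flag strings are constructed so the script runs offline; the exact output of dpkg-buildflags varies by version.

```sh
#!/bin/sh
# Added example, not part of the original post. Derives a no-PIE flag set from
# a dpkg-buildflags-style flag string so a shared library keeps every other
# hardening flag (stack protector, FORTIFY, relro, bindnow) but is compiled
# with -fPIC rather than -fPIE and linked without -pie.

# Constructed samples (assumption: representative of what
# `DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CXXFLAGS`
# and `--get LDFLAGS` print; real packaging would call dpkg-buildflags).
SAMPLE_CXXFLAGS='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIE -D_FORTIFY_SOURCE=2'
SAMPLE_LDFLAGS='-Wl,-z,relro -Wl,-z,now -fPIE -pie'

# strip_pie FLAGS
# Prints FLAGS with the PIE-only options removed: -fPIE/-fpie (compile),
# -pie (link) and the older -specs=.../pie-*.specs spellings some dpkg
# versions emit. Every other word is passed through unchanged.
strip_pie() {
    out=""
    for f in $1; do
        case "$f" in
            -fPIE|-fpie|-pie|-specs=*pie*.specs) ;;   # drop PIE-specific flags
            *) out="${out:+$out }$f" ;;               # keep everything else
        esac
    done
    printf '%s\n' "$out"
}

# lib_cxxflags FLAGS / lib_ldflags FLAGS
# Library variants: PIE stripped and -fPIC prepended, mirroring the
# per-target assignments for build/libunrar0 in the question.
lib_cxxflags() { printf -- '-fPIC %s\n' "$(strip_pie "$1")"; }
lib_ldflags()  { printf -- '-fPIC %s\n' "$(strip_pie "$1")"; }

# Stand-alone demonstration on the constructed samples.
echo "binary  CXXFLAGS: $SAMPLE_CXXFLAGS"
echo "library CXXFLAGS: $(lib_cxxflags "$SAMPLE_CXXFLAGS")"
echo "binary  LDFLAGS : $SAMPLE_LDFLAGS"
echo "library LDFLAGS : $(lib_ldflags "$SAMPLE_LDFLAGS")"
```

Two practical notes. dpkg-buildflags can produce the no-PIE set itself, so a filter like this is only needed if you want to avoid a second invocation: `DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie dpkg-buildflags --get CXXFLAGS` disables just the pie feature while keeping the rest of `+all`. Whatever route you take, check the result on the built files rather than trusting the flags: `hardening-check` from devscripts reports PIE per ELF file, and with `readelf -h` a PIE executable and a shared library both show `Type: DYN`, so the executable is told apart by having a `PT_INTERP` entry in `readelf -l` output.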