Re: Hardening Flags for sg3-utils

To: Ritesh Raj Sarraf <rrs@debian.org>
Cc: debian-devel@lists.debian.org, Jonathan McDowell <noodles@earth.li>
Subject: Re: Hardening Flags for sg3-utils
From: Nick Andrik <nick.andrik@gmail.com>
Date: Tue, 25 Jun 2013 18:17:45 +0200
Message-id: <[🔎] CANn5kOtV8sfoMaEF34Tai_fHpC4dN0Tan_W18bsthoxPQZKo-w@mail.gmail.com>
In-reply-to: <[🔎] 51C9C0F9.70004@debian.org>
References: <[🔎] 51C9C0F9.70004@debian.org>

Would it be that you need this?

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

--
=Do-
N.AND


2013/6/25 Ritesh Raj Sarraf <rrs@debian.org>:
> Hi,
>
> Following the Hardening wiki, I have build-dep the hardening-includes
> package and enabled the hardening flags as follows :
>
> rrs@zan:/var/tmp/sg3-utils (build)$ cat debian/rules
> #!/usr/bin/make -f
> # debian/rules file for the sg3-utils package
>
> # This has to be exported to make some magic below work.
> export DH_OPTIONS
>
> include /usr/share/hardening-includes/hardening.make
>
> CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
> CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
> CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
> LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
>
>
> But still, the hardening-check tool reports this:
>
> rrs@zan:/var/tmp/Debian-Build/Result$ hardening-check /usr/bin/sg_inq
> /usr/bin/sg_inq:
>  Position Independent Executable: no, normal executable!
>  Stack protected: no, not found!
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: no, not found!
>  Immediate binding: no, not found!
>
> any suggestion on what could have gone wrong?
>
>
> Looking at the build log, I don't see the hardening flags being honored:
>
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c
> sg_pt_linux.c -o sg_pt_linux.o >/dev/null 2>&1
> /bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
> -I..    -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall
> -W -g -O2 -c -o sg_io_linux.lo sg_io_linux.c
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c
> sg_io_linux.c  -fPIC -DPIC -o .libs/sg_io_linux.o
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c
> sg_io_linux.c -o sg_io_linux.o >/dev/null 2>&1
>
>
>
> If I bump the debhelper version to > 9, I do see the correct build flags.
>
> --
> Given the large number of mailing lists I follow, I request you to CC me
> in replies for quicker response
>
>

Reply to:

Follow-Ups:
- Re: Hardening Flags for sg3-utils
  - From: Nick Andrik <nick.andrik@gmail.com>
- Re: Hardening Flags for sg3-utils
  - From: Ritesh Raj Sarraf <rrs@debian.org>

References:
- Hardening Flags for sg3-utils
  - From: Ritesh Raj Sarraf <rrs@debian.org>

Prev by Date: Hardening Flags for sg3-utils
Next by Date: Re: Hardening Flags for sg3-utils
Previous by thread: Hardening Flags for sg3-utils
Next by thread: Re: Hardening Flags for sg3-utils
Index(es):
- Date
- Thread