Re: Enabling hardening flags for HIP libraries

To: debian-ai@lists.debian.org
Subject: Re: Enabling hardening flags for HIP libraries
From: Christian Kastner <ckk@debian.org>
Date: Sat, 4 Mar 2023 10:44:48 +0100
Message-id: <[🔎] e0896759-7de1-d1c3-500a-ce205f326e50@debian.org>
In-reply-to: <[🔎] ae39d8ccf44f6f28a953b483e02c71c8f613af67.camel@debian.org>
References: <[🔎] 1661a76c-0845-4930-13be-b741ced72db4@slerp.xyz> <[🔎] ae39d8ccf44f6f28a953b483e02c71c8f613af67.camel@debian.org>

On 2023-03-04 05:31, M. Zhou wrote:
> The eventual result of hardening=xxx is additional CXXFLAGS/CPPFLAGS/LDFLAGS.
> You may lookup dpkg-buildflags(1) man page for details.
> 
> I did not manage to recall an elegant way to dump these flags, but you may
> copy the actual compiler flags from the man page and manually add them
> to {CXX,CPP,LD} flags as a temporary workaround.
> 
> Maybe someone else has a better idea.

src:libcap2 builds both executables and libraries, and hardening=+all
adding -fPIE to CFLAGS interfered with the library build, so I patched
upstream's Makefile [1] to filter out those flags where necessary.

The solution of using -X seems like the "correct" way to do it, but I'm
not sure how this could be implemented. Like Mo says above,
hardening=xxx just modifies a couple of standard variables.

[1] https://sources.debian.org/src/libcap2/1%3A2.66-3/debian/patches/Filter-out-PIE-flags-when-building-shared-objects.patch/

Best,
Christian

Reply to:

Follow-Ups:
- Re: Enabling hardening flags for HIP libraries
  - From: Cordell Bloor <cgmb-deb@slerp.xyz>

References:
- Enabling hardening flags for HIP libraries
  - From: Cordell Bloor <cgmb-deb@slerp.xyz>
- Re: Enabling hardening flags for HIP libraries
  - From: "M. Zhou" <lumin@debian.org>

Prev by Date: Re: ROCM host architectures
Next by Date: Re: Maintaining rocm-device-libs and rocm-comgr
Previous by thread: Re: Enabling hardening flags for HIP libraries
Next by thread: Re: Enabling hardening flags for HIP libraries
Index(es):
- Date
- Thread