Re: Passing LDFLAGS to Apache modules for hardened build flags
On Mon, Apr 09, 2012 at 10:15:23PM +0200, Arno Töll wrote:
> Hi Moritz,
>
> On 08.04.2012 22:10, Moritz Muehlenhoff wrote:
> > Hi,
> > I'm working on hardened build flags for Squeeze and I'm looking into
> > how to pass hardened build flags to Apache modules.
>
> Perhaps we should add hardening flags to config_vars.mk which is where
> apxs gets defaults from. However, sadly both apr-config and apxs
> completely apparently ignore any override.
>
> We should address that for Wheezy but we probably need to patch
> upstream's apxs to achieve that. I can see how there are use cases to
> override linking flags at build time.
>
> > The CFLAGS stuff is handled correctly. However for LDFLAGS, this
> > results in the following error:
>
> Yes. If you look at the apxs source, you will see:
>
> # create link command
> ...
> my $apr_ldflags=`$apr_config --ldflags`;
> chomp($apr_ldflags);
> $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
> ...
> push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC -o $dso_file $opt $lo");
>
> i.e. it reads linking flags from apr-config only, no way to override
> that, it does not even use shell override. You can override PREFIX,
> TARGET, SYSCONFDIR, CFLAGS, INCLUDEDIR, CC, LIBEXECDIR and SBINDIR only.
I see. I got this impression from the apxs manpage, which indicates it should
work out:
Query Options
-q Performs a query for apxs's knowledge about certain settings. The query parameters can be one or more of the following strings: CC, CFLAGS, CFLAGS_SHLIB, INCLUDEDIR, LD_SHLIB, LDFLAGS_SHLIB, LIBEXECDIR, LIBS_SHLIB, SBINDIR, SYSCONFDIR, TARGET.
Use this for manually determining settings. For instance use INC=-I`apxs -q INCLUDEDIR` inside your own Makefiles if you need manual access to Apache's C header files.
> I consider that a bug and I will see to patch that for the upcoming 2.4
> package. This does not help you for Squeeze though.
This is not for Squeeze, all the hardening efforts are targeted at Wheezy
and beyond.
> Generally speaking I am not sure whether it makes sense to inject
> hardening flags per package individually. Maybe we should tweak apxs to
> use hardening flags by default instead. What do you think?
> We build Apache with hardening flags already, it wouldn't be much of a
> problem to provide the very same hardening flags used for the Apache
> package to modules built with apxs later.
>
> The only problem is that apxs makes it difficult to remove a flag from
> the defaults once provided as a default. Thus we should make sure they
> do not cause any problem to any module.
I can rebuild the Apache modules in the archive with test builds if that
helps.
Cheers,
Moritz
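Added example, not part of this thread or of the apxs/Debian sources: since apxs takes its link flags from apr-config only, the practical check after a test rebuild is to inspect the produced module and confirm whether link-time hardening (RELRO, BIND_NOW, non-executable stack) actually reached the .so. This POSIX sh script assumes binutils' readelf is installed; the readelf output embedded below is constructed sample text, not captured from a real build, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: report link-time hardening of a shared object from readelf
# output. Assumes binutils readelf. The parser takes the readelf text as
# arguments so it can be run on constructed samples as well as real files.

# hardening_from_readelf PHDRS DYN
#   PHDRS: text of `readelf -lW FILE`, DYN: text of `readelf -dW FILE`.
#   Prints "relro=<none|partial|full> stack=<exec|noexec|unknown>".
hardening_from_readelf() {
    hfr_phdrs=$1
    hfr_dyn=$2
    hfr_relro=none
    hfr_stack=unknown
    # A GNU_RELRO segment means partial RELRO; BIND_NOW in the dynamic
    # section (FLAGS or FLAGS_1 entry) upgrades it to full RELRO.
    if printf '%s\n' "$hfr_phdrs" | grep -q 'GNU_RELRO'; then
        hfr_relro=partial
        if printf '%s\n' "$hfr_dyn" | grep -Eq '\(FLAGS(_1)?\).*(BIND_NOW|NOW)'; then
            hfr_relro=full
        fi
    fi
    # GNU_STACK with RWE means an executable stack was requested.
    if printf '%s\n' "$hfr_phdrs" | grep -q 'GNU_STACK.*RWE'; then
        hfr_stack=exec
    elif printf '%s\n' "$hfr_phdrs" | grep -q 'GNU_STACK'; then
        hfr_stack=noexec
    fi
    echo "relro=$hfr_relro stack=$hfr_stack"
}

# check_module FILE: run readelf on a real module (e.g. mod_foo.so) and report.
check_module() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    hardening_from_readelf "$(readelf -lW "$1")" "$(readelf -dW "$1")"
}

# Constructed readelf-style samples (not from a real build).
SAMPLE_PHDRS_HARDENED='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x00c000 0x00c000 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x00bd00 0x000000000020bd00 0x000000000020bd00 0x000300 0x000300 R   0x1'
SAMPLE_DYN_HARDENED='Dynamic section at offset 0xbd00 contains 3 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'
SAMPLE_PHDRS_PLAIN='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x00c000 0x00c000 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_DYN_PLAIN='Dynamic section at offset 0xbd00 contains 1 entry:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Demonstrate on the samples; pass a module path to inspect a real file.
hardening_from_readelf "$SAMPLE_PHDRS_HARDENED" "$SAMPLE_DYN_HARDENED"
hardening_from_readelf "$SAMPLE_PHDRS_PLAIN" "$SAMPLE_DYN_PLAIN"
if [ $# -gt 0 ]; then check_module "$1"; fi
```

Run it as `sh check_hardening.sh /usr/lib/apache2/modules/mod_foo.so` (path is a placeholder) after a test rebuild; a module linked with `-Wl,-z,relro -Wl,-z,now` reports `relro=full`, while one where apxs dropped the flags reports `relro=none` despite the package's LDFLAGS.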