
Re: Passing LDFLAGS to Apache modules for hardened build flags



On Mon, Apr 09, 2012 at 10:15:23PM +0200, Arno Töll wrote:
> Hi Moritz,
> 
> On 08.04.2012 22:10, Moritz Muehlenhoff wrote:
> > Hi,
> > I'm working on hardened build flags for Squeeze and I'm looking into
> > how to pass hardened build flags to Apache modules. 
> 
> Perhaps we should add hardening flags to config_vars.mk which is where
> apxs gets defaults from. However, sadly both apr-config and apxs
> completely apparently ignore any override.
> 
> We should address that for Wheezy but we probably need to patch
> upstream's apxs to achieve that. I can see how there are use cases to
> override linking flags at build time.
> 
> > The CFLAGS stuff is handled correctly. However for LDFLAGS, this
> > results in the following error:
> 
> Yes. If you look at the apxs source, you will see:
> 
>     #   create link command
> ...
>         my $apr_ldflags=`$apr_config --ldflags`;
>         chomp($apr_ldflags);
>         $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
> ...
>     push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC -o $dso_file $opt $lo");
> 
> i.e. it reads linking flags from apr-config only, no way to override
> that, it does not even use shell override. You can override PREFIX,
> TARGET, SYSCONFDIR, CFLAGS, INCLUDEDIR, CC, LIBEXECDIR and SBINDIR only.

I see. I got this impression from the apxs manpage, which indicates it should
work out:

Query Options
   -q     Performs a query for apxs's knowledge about certain settings.
          The query parameters can be one or more of the following
          strings: CC, CFLAGS, CFLAGS_SHLIB, INCLUDEDIR, LD_SHLIB,
          LDFLAGS_SHLIB, LIBEXECDIR, LIBS_SHLIB, SBINDIR, SYSCONFDIR,
          TARGET.

          Use this for manually determining settings. For instance use
          INC=-I`apxs -q INCLUDEDIR` inside your own Makefiles if you
          need manual access to Apache's C header files.

> I consider that a bug and I will see to patch that for the upcoming 2.4
> package. This does not help you for Squeeze though.

This is not for Squeeze, all the hardening efforts are targeted at Wheezy
and beyond.
 
> Generally speaking I am not sure whether it makes sense to inject
> hardening flags per package individually. Maybe we should tweak apxs to
> use hardening flags by default instead. What do you think?
> We build Apache with hardening flags already, it wouldn't be much of a
> problem to provide the very same hardening flags used for the Apache
> package to modules built with apxs later.
>

> The only problem is that apxs makes it difficult to remove a flag from
> the defaults once provided as a default. Thus we should make sure they
> do not cause any problem to any module.

I can rebuild the Apache modules in the archive with test builds if that
helps.

Cheers,
        Moritz
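The thread's practical concern is that a module built through apxs may silently end up linked without the hardening LDFLAGS, because apxs takes its link flags from `apr-config --ldflags` alone. The following is an added example, not code from the thread or from the Apache or Debian projects: a small POSIX shell check that inspects a libtool/apxs link command line (for instance captured from a verbose module build) and reports whether the Debian hardening LDFLAGS `-Wl,-z,relro` and `-Wl,-z,now` are present. The two link command lines are constructed samples that mimic the `push(@cmds, ...)` line quoted above; the module name `mod_example` and the paths in them are invented for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): check whether an apxs/libtool
# link command carries the Debian hardening LDFLAGS (RELRO and BIND_NOW).
# Both `-Wl,-z,relro -Wl,-z,now` and the combined `-Wl,-z,relro,-z,now` form
# are recognised, as is the raw ld form `-z relro` / `-z now`.

# Constructed sample: the link step as apxs emits it when it only appends
# `apr-config --ldflags` and the caller's LDFLAGS are ignored.
SAMPLE_UNHARDENED='/usr/bin/libtool --mode=link --tag=disable-static gcc -o mod_example.la -rpath /usr/lib/apache2/modules -module -avoid-version -L/usr/lib -lapr-1 mod_example.lo'

# Constructed sample: the same link step with the hardening flags present.
SAMPLE_HARDENED='/usr/bin/libtool --mode=link --tag=disable-static gcc -o mod_example.la -rpath /usr/lib/apache2/modules -module -avoid-version -Wl,-z,relro -Wl,-z,now -L/usr/lib -lapr-1 mod_example.lo'

# Print the space-separated names of the hardening flags missing from $1
# ("relro", "now", both, or nothing when the command is fully hardened).
missing_hardening_ldflags() {
    _cmd=$1
    _missing=""
    case "$_cmd" in
        *-z,relro*|*"-z relro"*) ;;          # -Wl,-z,relro or ld's -z relro
        *) _missing="$_missing relro" ;;
    esac
    case "$_cmd" in
        *-z,now*|*"-z now"*) ;;              # -Wl,-z,now or ld's -z now
        *) _missing="$_missing now" ;;
    esac
    printf '%s' "${_missing# }"
}

# Human-readable wrapper: exit status 0 when fully hardened, 1 otherwise.
check_hardening_ldflags() {
    _m=$(missing_hardening_ldflags "$1")
    if [ -z "$_m" ]; then
        echo "ok: relro and bindnow present in link command"
        return 0
    fi
    echo "missing hardening LDFLAGS: $_m"
    return 1
}

# Stand-alone demonstration on the two constructed samples.
check_hardening_ldflags "$SAMPLE_UNHARDENED" || :
check_hardening_ldflags "$SAMPLE_HARDENED" || :
```

This only inspects the command line; the authoritative check is on the produced object, where `readelf -l mod_example.so` should show a `GNU_RELRO` segment and `readelf -d mod_example.so` a `BIND_NOW` flag. A later `-z lazy` on the same command line would undo `-z now`, which this string match does not detect, so treat a clean result here as a hint, and the readelf output as the verdict.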