Re: Powder hardening: was re: Request Package Review

On 31/03/13 14:09, Steven Hamilton wrote:
> Hi folks, I've been working on the Powder package with the intention
> to adopt. I'm doing the hardening bit, where the previous package was
> never hardened.
> I've updated the rules file to be more dh(1) like so;
>
> #!/usr/bin/make -f
> # Uncomment this to turn on verbose mode.
> #export DH_VERBOSE=1
>
> %:
> 	dh $@
>
> override_dh_auto_build:
> 	dh_testdir
> 	bash -ex ./buildall.sh
>
> clean:
> 	dh_testdir
> 	dh_testroot
> 	rm -f *.o */*.o */*/*.o rooms/*.cpp rooms/allrooms.h gfx/*.c gfx/*/*.c
> 	rm -f license.cpp glbdef.cpp glbdef.h encyclopedia.cpp encyclopedia.h
> 	rm -f credits.cpp gfx/akoi3x/sprite16_3x.bmp
> 	rm -f powder port/linux/powder \
> 		support/bmp2c/bmp2c support/encyclopedia2c/encyclopedia2c \
> 		support/enummaker/enummaker support/map2c/map2c \
> 		support/tile2c/tile2c support/txt2c/txt2c port/linux/libstdc++.a
> 	dh_clean
>
> As you can see the build is performed by a script that comes with
> the source. The script supports multiple platforms (GBA, Windows
> etc). How do I pass hardening CXXFLAGS into it though? If I export
> in the rules file they don't transfer to the script. Should I patch
> the script to include the flags or is there a way to pass them
> from rules? Here's a snippet from the start of the script where it
> catches CXXFLAGS. The makefile under the ports/linux folder catches
>
> #!/bin/bash
> if [ -z "$CXXFLAGS" ]; then
>     export CXXFLAGS=-O3
> fi
>
> ....then off to build.

And in true internet fashion I figured it out 2 mins after I mailed
out. I've done this and it seems to work. If commands are sent out in
the same line they enter the same shell.

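	# One logical recipe line (";" plus "\" continuation), so the exports
	# and the build script run in the same shell.
	export LDFLAGS="$(LDFLAGS)"; \
	export CXXFLAGS="$(CXXFLAGS)"; \
	bash -ex ./buildall.sh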

I now have the following result;

 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Not quite sure how to get those last yet but ignore me for now. :)
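
An added example, not part of the original message or the Powder package: one debian/rules layout that hands the dpkg-buildflags hardening flags to buildall.sh, including the PIE and immediate-binding options reported as missing above. It assumes the script and the makefile it calls honour CXXFLAGS and LDFLAGS from the environment.

```make
#!/usr/bin/make -f
# Added example: not the Powder package's actual debian/rules.

# Ask dpkg-buildflags for the two features reported as missing:
#   pie     -> "Position Independent Executable"
#   bindnow -> "Immediate binding" (-Wl,-z,now)
# hardening=+all would request every available feature instead.
export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow

# Export CFLAGS, CPPFLAGS, CXXFLAGS, LDFLAGS, ... into the environment of
# every recipe line, so no per-line "export" chaining is needed.
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

%:
	dh $@

# Assumption: buildall.sh keeps a CXXFLAGS that is already set (as its
# '-z "$CXXFLAGS"' test suggests) and the makefile it calls uses LDFLAGS
# when linking.
override_dh_auto_build:
	bash -ex ./buildall.sh
```

PIE needs -fPIE at compile time and -pie at link time, so both CXXFLAGS and LDFLAGS have to reach the compiler and linker invocations; re-running hardening-check on the built binary confirms whether they did.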