Re: Powder hardening: was re: Request Package Review
On 31/03/13 14:09, Steven Hamilton wrote:
> Hi folks, I've been working on the Powder package with intention to
> adopt. I'm doing the hardening bit, where the previous package was
> never hardened.
>
> I've updated the rules file to be more dh(1) like so;
>
> #!/usr/bin/make -f
> # Uncomment this to turn on verbose mode.
> #export DH_VERBOSE=1
>
> %:
> 	dh $@
>
> override_dh_auto_build:
> 	dh_testdir
> 	bash -ex ./buildall.sh
>
> clean:
> 	dh_testdir
> 	dh_testroot
> 	rm -f *.o */*.o */*/*.o rooms/*.cpp rooms/allrooms.h gfx/*.c gfx/*/*.c
> 	rm -f license.cpp glbdef.cpp glbdef.h encyclopedia.cpp encyclopedia.h
> 	rm -f credits.cpp gfx/akoi3x/sprite16_3x.bmp
> 	rm -f powder port/linux/powder support/bmp2c/bmp2c support/encyclopedia2c/encyclopedia2c support/enummaker/enummaker support/map2c/map2c support/tile2c/tile2c support/txt2c/txt2c port/linux/libstdc++.a
> 	dh_clean
>
>
> As you can see the build is performed by a script that comes with
> the source. The script supports multiple platforms (GBA, Windows
> etc.). How do I pass hardening CXXFLAGS into it though? If I export
> in the rules file they don't transfer to the script. Should I patch
> the script to include the flags or is there a way to pass them
> from rules? Here's a snippet from the start of the script where it
> catches CXXFLAGS. The makefile under the ports/linux folder catches
> LDFLAGS ok.
>
> #!/bin/bash
>
> if [ -z "$CXXFLAGS" ]; then
>     export CXXFLAGS=-O3
> fi
>
> ....then off to build.
>
and in true internet fashion I figured it out 2 mins after I mailed
out. I've done this and it seems to work. If commands are sent out in
the same line they enter the same shell.
override_dh_auto_build:
	dh_testdir
	# one logical recipe line: export and build share a single shell
	export LDFLAGS="$(LDFLAGS)"; \
	export CXXFLAGS="$(CXXFLAGS)"; \
	bash -ex ./buildall.sh
I now have the following result;
powder:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Not quite sure how to get those last yet but ignore me for now. :)
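As an added illustration (not code from the thread or the Powder package), the script below reproduces the behaviour discussed above: it writes a constructed stand-in for the top of buildall.sh, then runs it once the way make runs separate recipe lines (each in its own shell, so the export is lost and the script falls back to -O3) and once with export and build chained into one shell. The hardening flag string is a constructed sample, not output from dpkg-buildflags.

```shell
#!/bin/sh
# Constructed stand-in for the start of buildall.sh quoted in the thread:
# keep CXXFLAGS from the environment, fall back to -O3 only when unset,
# then print what the compiler would actually receive.
write_fake_buildall() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -z "$CXXFLAGS" ]; then
    export CXXFLAGS=-O3
fi
printf '%s' "$CXXFLAGS"
EOF
}

# Sample hardening flags in the shape dpkg-buildflags emits
# (constructed value for this example).
HARDENING_CXXFLAGS='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

# make starts a fresh "$(SHELL) -c" for every recipe line unless the lines
# are joined with a trailing backslash. This mimics the failing rules file:
# the export lands in one shell and the build script starts in another,
# so the script sees an empty CXXFLAGS and falls back to -O3.
run_per_line() {
    script=$(mktemp) && write_fake_buildall "$script"
    env -u CXXFLAGS sh -c "export CXXFLAGS='$HARDENING_CXXFLAGS'"
    env -u CXXFLAGS sh "$script"
    rm -f "$script"
}

# The fix from the thread: export and build on one logical recipe line,
# so the build script is a child of the shell that did the export.
run_one_shell() {
    script=$(mktemp) && write_fake_buildall "$script"
    env -u CXXFLAGS sh -c "export CXXFLAGS='$HARDENING_CXXFLAGS'; sh '$script'"
    rm -f "$script"
}
```

The two checks still reported as missing (PIE and immediate binding) correspond to the pie and bindnow hardening features, which dpkg-buildflags only adds when debian/rules sets `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`.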