Re: Powder hardening: was re: Request Package Review

To: debian-devel-games@lists.debian.org
Subject: Re: Powder hardening: was re: Request Package Review
From: Steven Hamilton <oz@scorch.net>
Date: Sun, 31 Mar 2013 14:26:46 +1000
Message-id: <[🔎] 5157BB06.8020000@scorch.net>
In-reply-to: <[🔎] 5157B70D.8020002@scorch.net>
References: <[🔎] 513C5E51.5030905@scorch.net> <[🔎] 20130311102308.GA31390@debian> <[🔎] 5141A4E8.5080807@scorch.net> <[🔎] 20130314145505.GA12750@debian> <[🔎] 20130314231439.5268254e@sk2.org> <[🔎] 5157B70D.8020002@scorch.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 31/03/13 14:09, Steven Hamilton wrote:
> Hi folks, I've been working on the Powder package with intention to
> adopt. I'm doing the hardening bit, where the previous package was
> never hardened.
> 
> I've updated the rules file to be more dh(1) like so;
> 
> #!/usr/bin/make -f # Uncomment this to turn on verbose mode. 
> #export DH_VERBOSE=1
> 
> %: dh $@
> 
> override_dh_auto_build: dh_testdir bash -ex ./buildall.sh
> 
> clean: dh_testdir dh_testroot rm -f *.o */*.o */*/*.o rooms/*.cpp
> rooms/allrooms.h gfx/*.c gfx/*/*.c rm -f license.cpp glbdef.cpp
> glbdef.h encyclopedia.cpp encyclopedia.h rm -f credits.cpp
> gfx/akoi3x/sprite16_3x.bmp rm -f powder port/linux/powder
> support/bmp2c/bmp2c support/encyclopedia2c/encyclopedia2c
> support/enummaker/enummaker support/map2c/map2c
> support/tile2c/tile2c support/txt2c/txt2c port/linux/libstdc++.a 
> dh_clean
> 
> 
> As you can see the build is performed by a script that comes with
> the source. The script supports multiple platforms (GBA, Windows
> etc). How do I pass hardening CXXFLAGS into it though? If I export
> in the rules file they don't transfer to the script. Should I patch
> the script to include the flags or is there a way to do pass them
> from rule? Here's a snippet from the start of the script where is
> catchs CXXFLAGS. The makefile under the ports/linux folder catches
> LDFLAGS ok.
> 
> #!/bin/bash
> 
> if [ -z "$CXXFLAGS" ]; then export CXXFLAGS=-O3 fi
> 
> ....the off to build.
> 

and in true internet fashion I figured it out 2 mins after I mailed
out. I've done this and it seems to work. If commands are sent out in
the same line they enter the same shell.

override_dh_auto_build:
	dh_testdir
	echo "export LDFLAGS="$LDFLAGS /
	echo "export CXXFLAGS="$CXXFLAGS /
	bash -ex ./buildall.sh

I now have the following result;

powder:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Not quite sure how to get those last yet but ignore me for now. :)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAlFXuv4ACgkQunxZKpjzbPfp+gEAryLMnCNxyRRDJ5xEtn2LAe/s
p63SmgplvIiWUUAKxjMA/i5JSjcuwNax/W1NgXCMSV+yv8DYfNz8KGpMpIPa6Tyh
=C3UT
-----END PGP SIGNATURE-----

Reply to:

References:
- Request Package Review
  - From: Steven Hamilton <oz@scorch.net>
- Re: Request Package Review
  - From: Jon Dowland <jmtd@debian.org>
- Re: Request Package Review
  - From: Steven Hamilton <oz@scorch.net>
- Re: Request Package Review
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Request Package Review
  - From: Stephen Kitt <steve@sk2.org>
- Powder hardening: was re: Request Package Review
  - From: Steven Hamilton <oz@scorch.net>

Prev by Date: Powder hardening: was re: Request Package Review
Next by Date: Re: Powder hardening: was re: Request Package Review
Previous by thread: Powder hardening: was re: Request Package Review
Next by thread: Re: Powder hardening: was re: Request Package Review
Index(es):
- Date
- Thread