
hardening for binaries/libraries packages



I'm trying to work with a source package that builds packages that
include both binaries and dynamic libraries.
My question is on how to enable hardening in both of them, but PIE
support only in the binary (since libraries use PIC anyway).

My solution so far is something like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Turn on every hardening feature dpkg-buildflags knows about (this
# includes the PIE flags in the default CXXFLAGS/LDFLAGS)
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
include /usr/share/dpkg/buildflags.mk

include /usr/share/cdbs/1/class/makefile.mk
include /usr/share/cdbs/1/rules/debhelper.mk

# Make sure the library is built without PIE support (it already uses PIC
# since it is shared library): re-query dpkg-buildflags with "-pie" appended
# to the maintainer options, so $(call nopie,CXXFLAGS) returns the hardened
# flags minus -fPIE and $(call nopie,LDFLAGS) returns them minus -pie.
nopie = $(shell DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS),-pie \
	dpkg-buildflags --get $(1))

build/libunrar0:: CXXFLAGS := -fPIC $(call nopie,CXXFLAGS)
build/libunrar0:: LDFLAGS  := -fPIC $(call nopie,LDFLAGS) \
	-Wl,-soname,libunrar.so.0
build/libunrar0::
	$(DEB_MAKE_INVOKE) lib
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This solution has the minor side-effect of requiring a "dpkg-dev (>=
1.16.1~)" build-dep since it uses dpkg-buildflags for the hardening
options.
Is there another more compact way to achieve this?


Thanks,
Nick

--
=Do-
N.AND
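After a rules file like the one above has been applied, the result worth checking is the ELF output itself: the unrar binary should be a PIE and libunrar.so.0 a plain shared object (GNU ld refuses to link with both -shared and -pie, which is why the library's LDFLAGS must not carry -pie). `readelf -h` reports "Type: DYN" for both a PIE and a shared library, so e_type alone does not distinguish them; a dynamic PIE carries a PT_INTERP segment and recent toolchains also set DF_1_PIE in DT_FLAGS_1 (which is how a static-pie with no interpreter is recognised). The checker below is an added example, not code from this post or from the unrar/libunrar packaging, and is what `hardening-check` from devscripts does for its PIE test. The script name check_pie.py and the SAMPLE_* images are constructed for the example; the samples are minimal hand-built ELF64 headers, not real build output.

```python
#!/usr/bin/env python3
"""Classify ELF images as non-PIE executable, PIE executable or shared library.

Both a PIE and a shared object have e_type == ET_DYN, so e_type alone cannot
tell them apart.  A PIE carries a PT_INTERP segment (dynamic PIE) or has
DF_1_PIE set in its DT_FLAGS_1 entry (static-pie); a shared library has neither.
"""
import struct
import sys

# Constants from <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_FLAGS_1 = 0, 0x6FFFFFFB
DF_1_PIE = 0x08000000


def classify_elf(data: bytes) -> str:
    """Return 'exec' (ET_EXEC, not PIE), 'pie', 'shlib' or 'other'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                            # ELFCLASS64
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt, off_idx, size_idx = end + "IIQQQQQQ", end + "qQ", 2, 5
    elif ei_class == 1:                          # ELFCLASS32
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt, off_idx, size_idx = end + "IIIIIIII", end + "iI", 1, 4
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    has_interp = pie_flag = False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            has_interp = True
        elif ph[0] == PT_DYNAMIC:
            # Walk the dynamic section for DT_FLAGS_1 / DF_1_PIE (static-pie
            # binaries have no PT_INTERP but do carry this flag).
            p_offset, p_filesz = ph[off_idx], ph[size_idx]
            step = struct.calcsize(dyn_fmt)
            for off in range(p_offset, p_offset + p_filesz, step):
                d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_FLAGS_1 and d_val & DF_1_PIE:
                    pie_flag = True

    if e_type == ET_EXEC:
        return "exec"
    if e_type == ET_DYN:
        return "pie" if (has_interp or pie_flag) else "shlib"
    return "other"


def make_elf64(e_type, phdr_types, dyn_entries=()):
    """Build a minimal little-endian ELF64 image for testing: header, program
    headers, and a dynamic section holding dyn_entries (tag, value) pairs.
    Constructed sample data only; the result is not loadable."""
    phnum = len(phdr_types)
    dyn_off = 64 + 56 * phnum
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x1000,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b""
    for t in phdr_types:
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, 6, off, off, off, size, size, 8)
    return ehdr + phdrs + dyn


# Constructed samples standing in for a built PIE binary, a static-pie, the
# shared library, and a binary built without PIE.
SAMPLE_PIE = make_elf64(ET_DYN, [PT_INTERP, PT_LOAD, PT_DYNAMIC], [(DT_FLAGS_1, DF_1_PIE)])
SAMPLE_STATIC_PIE = make_elf64(ET_DYN, [PT_LOAD, PT_DYNAMIC], [(DT_FLAGS_1, DF_1_PIE)])
SAMPLE_SHLIB = make_elf64(ET_DYN, [PT_LOAD, PT_DYNAMIC])
SAMPLE_EXEC = make_elf64(ET_EXEC, [PT_INTERP, PT_LOAD, PT_DYNAMIC])


def main(argv):
    """Usage: check_pie.py FILE...  Exit 1 if any file is a non-PIE executable."""
    status = 0
    for path in argv[1:]:
        with open(path, "rb") as f:
            kind = classify_elf(f.read())
        print("%-6s %s" % (kind, path))
        if kind == "exec":
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the built objects, e.g. `python3 check_pie.py debian/unrar/usr/bin/unrar debian/libunrar0/usr/lib/libunrar.so.0` (paths assumed for illustration): the binary should print "pie" and the library "shlib"; an "exec" line means -fPIE/-pie did not reach that link. This only covers the PIE part of the hardening set; relro, bindnow, stack protector and fortify are what `hardening-check` inspects in addition.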

