
Re: hardening for binaries/libraries packages



On 10/01/13 18:02, Nick Andrik wrote:
> I'm trying to work with a source package that builds packages that
> includes both binaries and dynamic libraries.
> My question is on how to enable hardening in both of them, but PIE
> support only in the binary (since libraries use PIC anyway).

Does your library use GNU libtool? If it does, you can just throw in all
of the "hardening" CFLAGS and LDFLAGS, including -fPIE, and it will Do
The Right Thing. libtool knows about the distinction between static
libraries, shared libraries and executables, and between -fPIE and
-fPIC, and will replace -fPIE with whatever is right for the object. See
<https://bugs.freedesktop.org/show_bug.cgi?id=16621#c9> for some
examples from a real build log.

If it doesn't use libtool, you have discovered the sort of thing that
led to libtool being written in the first place :-) The easiest way
might be to set separate sets of variables for shared libraries, static
libraries (if you have them) and executables, and patch upstream's build
system to follow what it says in those; or upstream's build system might
well already have suitable variables that it uses to pass -shared, -fPIC
and so on, which you might be able to override on the make command line:
"${DEB_MAKE_INVOKE} libfoo_ldflags='-shared -fPIC $(call
nopie,LDFLAGS)'" or something.

If it doesn't use libtool and you don't want to patch upstream's build
system, you will have to do something like what you quoted. I would
recommend dh-style rules over cdbs for situations like this: it's just
as short, and much, much clearer what's going on.

Or, if your package doesn't do anything particularly strange, you might
even be able to get away with setting CXX="libtool --mode=compile g++"
and LD="libtool --mode=link g++" :-)

Note that if this change targets wheezy, you should not convert from
cdbs to dh7 - but this sort of change seems too intrusive at this stage
of the freeze anyway, and doubly so if you have to do something this
non-obvious.

    S
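The "separate sets of variables" approach from the reply above, written out as an added example (not part of the original mail): a dh-style debian/rules that takes the full hardening flags from dpkg-buildflags for the executable and the same set minus PIE for the shared library. The variable names BIN_CFLAGS, BIN_LDFLAGS, LIB_CFLAGS and LIB_LDFLAGS, and the assumption that upstream's Makefile honours them, are hypothetical; dpkg-buildflags and its DEB_BUILD_MAINT_OPTIONS=hardening=... syntax are real.

```make
#!/usr/bin/make -f
# Added example debian/rules, not from the original thread.
# Assumes upstream's Makefile uses BIN_CFLAGS/BIN_LDFLAGS for the
# executable and LIB_CFLAGS/LIB_LDFLAGS for libfoo.so (hypothetical names).

# Executable: every hardening feature, including -fPIE/-pie.
BIN_OPTS := DEB_BUILD_MAINT_OPTIONS=hardening=+all
BIN_CFLAGS  := $(shell $(BIN_OPTS) dpkg-buildflags --get CPPFLAGS) \
               $(shell $(BIN_OPTS) dpkg-buildflags --get CFLAGS)
BIN_LDFLAGS := $(shell $(BIN_OPTS) dpkg-buildflags --get LDFLAGS)

# Shared library: same hardening features with PIE switched off,
# since a shared object is built with -fPIC and linked with -shared.
LIB_OPTS := DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
LIB_CFLAGS  := $(shell $(LIB_OPTS) dpkg-buildflags --get CPPFLAGS) \
               $(shell $(LIB_OPTS) dpkg-buildflags --get CFLAGS) -fPIC
LIB_LDFLAGS := $(shell $(LIB_OPTS) dpkg-buildflags --get LDFLAGS) -shared

%:
	dh $@

# Hand both flag sets to upstream's make on the command line, which
# overrides whatever defaults its Makefile assigns to those variables.
override_dh_auto_build:
	dh_auto_build -- \
	    BIN_CFLAGS='$(BIN_CFLAGS)' BIN_LDFLAGS='$(BIN_LDFLAGS)' \
	    LIB_CFLAGS='$(LIB_CFLAGS)' LIB_LDFLAGS='$(LIB_LDFLAGS)'
```

After the build, hardening-check (from the hardening-includes package) run on the installed binary and on libfoo.so shows which features each object actually ended up with, which is the quickest way to confirm that PIE landed only on the executable.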
