[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Hardening Flags for sg3-utils


Following the Hardening wiki, I have build-dep the hardening-includes
package and enabled the hardening flags as follows :

rrs@zan:/var/tmp/sg3-utils (build)$ cat debian/rules
#!/usr/bin/make -f
# debian/rules file for the sg3-utils package

# This has to be exported to make some magic below work.

include /usr/share/hardening-includes/hardening.make

CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)

But still, the hardening-check tool reports this:

rrs@zan:/var/tmp/Debian-Build/Result$ hardening-check /usr/bin/sg_inq
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

any suggestion on what could have gone wrong?

Looking at the build log, I don't see the hardening flags being honored:

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
sg_pt_linux.c -o sg_pt_linux.o >/dev/null 2>&1
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I..    -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall
-W -g -O2 -c -o sg_io_linux.lo sg_io_linux.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
sg_io_linux.c  -fPIC -DPIC -o .libs/sg_io_linux.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I ../include
sg_io_linux.c -o sg_io_linux.o >/dev/null 2>&1

If I bump the debhelper version to > 9, I do see the correct build flags.

Given the large number of mailing lists I follow, I request you to CC me
in replies for quicker response

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: