Hi,

Following the Hardening wiki, I have build-dep the hardening-includes package and enabled the hardening flags as follows:

rrs@zan:/var/tmp/sg3-utils (build)$ cat debian/rules
#!/usr/bin/make -f
# debian/rules file for the sg3-utils package

# This has to be exported to make some magic below work.
export DH_OPTIONS

include /usr/share/hardening-includes/hardening.make

CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)

But still, the hardening-check tool reports this:

rrs@zan:/var/tmp/Debian-Build/Result$ hardening-check /usr/bin/sg_inq
/usr/bin/sg_inq:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Any suggestion on what could have gone wrong?

Looking at the build log, I don't see the hardening flags being honored:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c sg_pt_linux.c -o sg_pt_linux.o >/dev/null 2>&1
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c -o sg_io_linux.lo sg_io_linux.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c sg_io_linux.c -fPIC -DPIC -o .libs/sg_io_linux.o
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c sg_io_linux.c -o sg_io_linux.o >/dev/null 2>&1

If I bump the debhelper version to > 9, I do see the correct build flags.

-- 
Given the large number of mailing lists I follow, I request you to CC me in replies for quicker response
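The build-log check described in the message can be scripted; the following is an added example, not part of the original post or of the hardening-includes package. The function names, the property labels and the flag patterns (the usual GCC/ld options behind each hardening-check property) are assumptions of this example, and the second sample log is constructed.

```shell
#!/bin/sh
# Added example: list the hardening properties for which no gcc invocation
# in a build log (read from stdin) carries the corresponding flag.

missing_hardening_flags() {
    # Keep only the lines that invoke gcc; an empty result is not an error.
    gcc_lines=$(grep -E '(^|[ :])gcc ' || true)
    # Pairs of: property label, extended regex for the flag (assumed mapping).
    set -- \
        'pie'             '(^| )-(fPIE|fpie|pie)( |$)' \
        'stack-protector' '(^| )-fstack-protector' \
        'fortify-source'  '(^| )-D_FORTIFY_SOURCE=[12]' \
        'relro'           '-Wl,(.*,)?-z,relro' \
        'bindnow'         '-Wl,(.*,)?-z,now'
    while [ $# -ge 2 ]; do
        printf '%s\n' "$gcc_lines" | grep -E -- "$2" >/dev/null \
            || printf '%s\n' "$1"
        shift 2
    done
}

page_log() {  # two compile lines copied from the build log in the message
cat <<'EOF'
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c sg_io_linux.c -fPIC -DPIC -o .libs/sg_io_linux.o
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c sg_io_linux.c -o sg_io_linux.o >/dev/null 2>&1
EOF
}

hardened_log() {  # constructed sample: a compile and a link line with the flags
cat <<'EOF'
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -fPIE -c sg_inq.c -o sg_inq.o
gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o sg_inq sg_inq.o
EOF
}

echo "Missing in the log from the message:"
page_log | missing_hardening_flags
echo "Missing in the constructed hardened log:"
hardened_log | missing_hardening_flags
```

Note that `-fPIC -DPIC` on the libtool shared-object line does not count as PIE, which is why the first log still reports all five properties as missing.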