Re: Seeking hardening flag / blhc expoert
Otto Kekäläinen <otto@debian.org> wrote:
> I've read this section many times over but I don't get it. A
> workaround is presented but since we are on a new debhelper it is
> advised not to be used. It suggests using
> /usr/share/dpkg/buildflags.mk but since we already call default.mk the
> buildflags.mk should be included. There are some variables set, but
> since the cmake command does not include them, changes in them does
> not have an effect. There is no explanation about that flags do what
> and which are the relevant ones, so blindly just defining everything
> does not seem like a savvy solution.
CMake is a bit "special" in that regard. To get the right hardening
flags to work for some parts of Bacula, we had to include the following
patch to kind-of brute force the flags:
https://salsa.debian.org/bacula-team/bacula/blob/master/debian/patches/debian/enable-hardening-for-qmake
,----
| --- a/src/qt-console/bat.pro.in
| +++ b/src/qt-console/bat.pro.in
| @@ -187,3 +187,9 @@
| QMAKE_EXTRA_TARGETS += depend
|
| TRANSLATIONS += ts/bat_fr.ts ts/bat_de.ts
| +
| +### See https://wiki.debian.org/Hardening#Notes_for_packages_using_QMake
| +QMAKE_CPPFLAGS *= $(shell dpkg-buildflags --get CPPFLAGS)
| +QMAKE_CFLAGS *= $(shell "dpkg-buildflags --get CFLAGS; dpkg-buildflags --get CPPFLAGS")
| +QMAKE_CXXFLAGS *= $(shell "dpkg-buildflags --get CXXFLAGS; dpkg-buildflags --get CPPFLAGS")
| +QMAKE_LFLAGS *= $(shell dpkg-buildflags --get LDFLAGS)
`----[...]
The rules file
https://salsa.debian.org/bacula-team/bacula/blob/master/debian/rules
just contains the usual:
,----
| # enable bindnow
| # https://wiki.debian.org/HardeningWalkthrough
| export DEB_BUILD_MAINT_OPTIONS = hardening=+all
|
| # avoid unnecessary linking
| # https://wiki.debian.org/HardeningWalkthrough
| export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
`----
Maybe this gives you a hint at what to do and where.
S!
--
Sigmentation fault. Core dumped.
Reply to: