
Re: [hardening-discuss] Linker fails on i386 and amd64 with hardening options



Hi Jörg,

On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> I've enabled hardening support for slrn.

Ah!  I see the problem now.  You're doing a separate debian/rules thing,
instead of using hardening-wrapper and DEB_BUILD_HARDENING=1.

You have:

ifeq (,$(findstring nohardening,$(DEB_BUILD_OPTIONS)))
    # http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html
    CFLAGS += -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra
    LDFLAGS += -Wl,-zrelro,-pie
    ifeq  (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
        CFLAGS += -D_FORTIFY_SOURCE=2
    endif
endif

This won't work for reasons I mentioned in the prior email.  I would
recommend using hardening-wrapper directly[1].  If, however, you want to do
it piece-meal, you will need multiple arch-specific tests for PIE and
stack-protector (see hardening-wrapper source[2]), and you will need to
pass "-fPIE" only to objects going into the final executable (-fPIC as
usual for libraries), as well as "-pie" for the final gcc link of the
executable.  hardening-wrapper currently handles all these cases.

You don't need a special case for noopt, since FORTIFY_SOURCE will be
silently ignored if -O is less than 2.

-Kees


[1] http://wiki.debian.org/Hardening
    add hardening-wrapper to debian/control Build-Deps
    add "export DEB_BUILD_HARDENING=1" to debian/rules
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/debian/rules?op=file&rev=0&sc=0

-- 
Kees Cook                                            @outflux.net
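As an added example (not code from this thread, from slrn or from hardening-wrapper), here is a post-build check for the link-level flags discussed above: it parses an ELF64 binary directly and reports whether the output really is a PIE (-fPIE objects plus a -pie final link give e_type ET_DYN) and whether RELRO landed (-Wl,-z,relro produces a PT_GNU_RELRO segment). It also distinguishes partial from full RELRO: the -Wl,-zrelro in the debian/rules fragment above yields partial RELRO only; full RELRO additionally needs -z now, which shows up as DT_BIND_NOW or DF_BIND_NOW in the dynamic section. The function and constant names are mine; build_sample_elf() produces constructed minimal images for offline testing and is not compiler output. -fstack-protector and _FORTIFY_SOURCE are not checked here, since they need the dynamic symbol table (look for __stack_chk_fail and __*_chk references with readelf -s or nm -D).

```python
"""Added post-build check (not from the thread or hardening-wrapper): parse an
ELF64 binary directly and report whether the link-level hardening discussed
above actually landed in the output: PIE (-fPIE objects + -pie link, e_type ==
ET_DYN) and RELRO (-Wl,-z,relro -> PT_GNU_RELRO), plus whether RELRO is "full"
(-z now -> DT_BIND_NOW / DF_BIND_NOW). Stack-protector and FORTIFY checks need
the dynamic symbol table (__stack_chk_fail, __*_chk) and are left to readelf/nm.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3                    # PIE binaries are ET_DYN, like .so files
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552  # PT_GNU_RELRO only exists with -z relro
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8


def _program_headers(data, endian):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    e_phoff, = struct.unpack_from(endian + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    for i in range(e_phnum):
        fields = struct.unpack_from(endian + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz, _memsz, _align = fields
        yield p_type, p_offset, p_filesz


def _dynamic_entries(data, endian, offset, size):
    """Yield (d_tag, d_val) from a PT_DYNAMIC segment up to the DT_NULL terminator."""
    for pos in range(offset, offset + size, 16):
        d_tag, d_val = struct.unpack_from(endian + "qQ", data, pos)
        if d_tag == DT_NULL:
            break
        yield d_tag, d_val


def check_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for ELF64 bytes."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(endian + "H", data, 16)
    relro = bind_now = False
    for p_type, p_offset, p_filesz in _program_headers(data, endian):
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            for d_tag, d_val in _dynamic_entries(data, endian, p_offset, p_filesz):
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,
        "relro": "full" if relro and bind_now else ("partial" if relro else "none"),
    }


def build_sample_elf(e_type, with_relro=False, bind_now=False):
    """Constructed minimal ELF64 image (header, program headers, dynamic section)
    for offline testing of check_hardening(); it is not compiler output and will
    not run, it only carries the fields the check looks at."""
    dynamic = b""
    if bind_now:
        dynamic += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    p_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if with_relro else [])
    phoff = 64
    dyn_off = phoff + 56 * len(p_types)
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9     # 64-bit, LE, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0,
                                 64, 56, len(p_types), 64, 0, 0)  # e_machine 62 = x86-64
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 6,
                    dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                    len(dynamic) if t == PT_DYNAMIC else 0, 0, 8)
        for t in p_types)
    return header + phdrs + dynamic


if __name__ == "__main__":
    # Usage: python3 check_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```

Run it against the installed binary after a build; a package that only got -fPIC and no -pie on the final link reports pie False even though every object was compiled position-independent, which is exactly the piece-meal mistake the reply warns about.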