[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Hardening powder

Hi folks,
I'm adopting and repacking Powder as per bug #691835. In addition to modernising the package I'm attempt to harden it. The package uses a custom shell script to build which I fork out of the rules file. No matter what I do though I can't fully harden it with the best I can get being this; 

./powder:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
PIE and Immediate binding I just can't seem to do. During compilation I can see the following in the final executable so it looks like the correct args are being passed.
g++ -static-libgcc -L. -o powder linuxmain.o ../sdl/hamfake.o ../../action.o ../../assert.o ../../ai.o ../../artifact.o ../../bmp.o ../../build.o ../../buf.o ../../control.o ../../creature.o ../../dpdf_table.o ../../encyc_support.o ../../gfxengine.o ../../grammar.o ../../hiscore.o ../../input.o ../../intrinsic.o ../../item.o ../../map.o ../../mobref.o ../../msg.o ../../name.o ../../piety.o ../../rand.o ../../signpost.o ../../smokestack.o ../../speed.o ../../sramstream.o ../../stylus.o ../../victory.o ../../encyclopedia.o ../../glbdef.o ../../credits.o ../../license.o ../../gfx/all_bitmaps.o ../../rooms/allrooms.o `sdl-config --libs` -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro 

But!

powder-117$ readelf -d powder | grep BIND
mongrol@square:~/dev/debian/powder/powder-117$

powder-117$ file powder
powder: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x25f4efae0013b9cc33df06718f7f262f160eb887, not stripped 

Here's my rules file;

#!/usr/bin/make -f
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) $(CPPFLAGS)
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)

%:
	dh $@

override_dh_auto_build:
	dh_testdir
	echo "export LDFLAGS="$LDFLAGS /
	echo "export CXXFLAGS="$CXXFLAGS /
	bash -ex ./buildall.sh	

clean:
	dh_testdir
	dh_testroot
	rm -f *.o */*.o */*/*.o rooms/*.cpp rooms/allrooms.h gfx/*.c gfx/*/*.c
	rm -f license.cpp glbdef.cpp glbdef.h encyclopedia.cpp encyclopedia.h
	rm -f credits.cpp gfx/akoi3x/sprite16_3x.bmp
rm -f powder port/linux/powder support/bmp2c/bmp2c support/encyclopedia2c/encyclopedia2c support/enummaker/enummaker support/map2c/map2c support/tile2c/tile2c support/txt2c/txt2c port/linux/libstdc++.a 
	dh_clean
Reply to: