_hardened_build not affecting libtool-compiled libraries
Richard W.M. Jones
rjones at redhat.com
Mon Jun 24 18:46:09 UTC 2013
Here's the problem (found by Björn Esser):
https://bugzilla.redhat.com/show_bug.cgi?id=977446#c10
and then later on:
https://bugzilla.redhat.com/show_bug.cgi?id=977446#c14
So it seems as if _hardened_build for some reason doesn't work for
libtool-compiled libraries. It does look as if the correct CFLAGS and
LDFLAGS are getting to the build. See for example:
http://koji.fedoraproject.org/koji/buildinfo?buildID=429062
http://kojipkgs.fedoraproject.org//packages/nbdkit/1.0.0/4.fc20/data/logs/x86_64/build.log
but the plugins from that build are not hardened fully:
  $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
  ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
   Position Independent Executable: no, regular shared library (ignored)
   Stack protected: no, not found!
   Fortify Source functions: no, only unprotected functions found!
   Read-only relocations: yes
   Immediate binding: yes
Also we had to add an LDFLAGS hack into the %build section to even get
this far.
Any ideas? Is this a bug or how it should be?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
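
Added example (not part of the original message and not hardening-check's own code): a simplified check that derives "Stack protected" and "Fortify Source functions" style verdicts from the imported symbols of a shared object, which helps separate "flags never reached the compiler" from "nothing in this object needed protecting". It assumes the verdicts are based on undefined symbols as listed by `readelf --dyn-syms`; the two symbol tables, the plugin_init name and the FORTIFIABLE subset are constructed for illustration.

```python
import re

# Constructed sample: trimmed `readelf --dyn-syms` output for two hypothetical
# plugins, one built without and one built with the hardening CFLAGS.
UNHARDENED = """\
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sprintf@GLIBC_2.2.5 (2)
     3: 0000000000000700    42 FUNC    GLOBAL DEFAULT   11 plugin_init
"""
HARDENED = """\
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     4: 0000000000000700    42 FUNC    GLOBAL DEFAULT   11 plugin_init
"""

# Illustrative subset of libc functions that have _FORTIFY_SOURCE variants.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strcat", "sprintf", "snprintf", "read"}

def undefined_symbols(readelf_text):
    """Return names of undefined (imported) symbols, version suffix stripped."""
    names = set()
    for line in readelf_text.splitlines():
        fields = line.split()
        # Columns: Num Value Size Type Bind Vis Ndx Name [version index]
        if len(fields) >= 8 and fields[0].rstrip(":").isdigit() and fields[6] == "UND":
            names.add(fields[7].split("@")[0])
    return names

def check(readelf_text):
    """Classify stack-protector and fortify status from imported symbols."""
    syms = undefined_symbols(readelf_text)
    # Fortified calls are imported as __<name>_chk; __stack_chk_fail does not match.
    protected = {s for s in syms if re.fullmatch(r"__\w+_chk", s)}
    unprotected = syms & FORTIFIABLE
    if protected:
        fortify = "yes"
    elif unprotected:
        fortify = "no, only unprotected functions found"
    else:
        # Nothing fortifiable is imported, so the symbols cannot prove either way.
        fortify = "unknown, no fortifiable functions imported"
    return {"stack_protected": "__stack_chk_fail" in syms, "fortify": fortify}
```

A "no" from a symbol-based check only shows that no protected call was emitted; comparing against the compile lines in the build log is still needed to tell whether the flags were dropped.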