_hardened_build not affecting libtool-compiled libraries

Richard W.M. Jones rjones at redhat.com
Mon Jun 24 18:46:09 UTC 2013

Here's the problem (found by Björn Esser):


and then later on:


So it seems as if _hardened_build for some reason doesn't work for
libtool-compiled libraries.  It does look as if the correct CFLAGS and
LDFLAGS are getting to the build.  See for example:


but the plugins from that build are not hardened fully:

  $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
   Position Independent Executable: no, regular shared library (ignored)
   Stack protected: no, not found!
   Fortify Source functions: no, only unprotected functions found!
   Read-only relocations: yes
   Immediate binding: yes

Also we had to add an LDFLAGS hack into the %build section to even get
this far.

Any ideas?  Is this a bug or how it should be?


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
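
An added example, not part of the original message and not hardening-check's own code: a shell function that approximates how the "Stack protected" and "Fortify Source functions" results shown above are inferred from a library's undefined dynamic symbols. The `FORTIFIABLE` list is a short, non-exhaustive assumption, and the sample symbol table is constructed.

```shell
#!/bin/sh
# Reads `nm -D --undefined-only` style lines on stdin and reports whether the
# object references the stack-protector and fortified libc entry points.

# Assumption: a few libc functions that gain __*_chk variants under
# -D_FORTIFY_SOURCE=2. This is not the full list.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf vsprintf vsnprintf gets fgets"

# Constructed sample: the imports a non-hardened plugin might show.
sample_symbols() {
    cat <<'EOF'
                 w __cxa_finalize@GLIBC_2.2.5
                 U free@GLIBC_2.2.5
                 U malloc@GLIBC_2.2.5
                 U memcpy@GLIBC_2.14
                 U strcpy@GLIBC_2.2.5
EOF
}

classify_symbols() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) fort[a[i]] = 1 }
        {
            sym = $NF              # symbol name is the last field
            sub(/@.*/, "", sym)    # drop the version suffix, e.g. @GLIBC_2.14
            if (sym == "__stack_chk_fail") ssp = 1   # emitted by -fstack-protector
            else if (sym ~ /^__.*_chk$/)   prot++    # fortified call
            else if (sym in fort)          unprot++  # plain call with a _chk twin
        }
        END {
            printf "stack_protector=%s\n", (ssp ? "yes" : "no")
            if (prot && unprot) f = "partial"
            else if (prot)      f = "yes"
            else if (unprot)    f = "no"
            else                f = "unknown"
            printf "fortify=%s protected=%d unprotected=%d\n", f, prot, unprot
        }'
}

# With a path argument, inspect that object; otherwise use the sample.
if [ -n "${1:-}" ]; then
    nm -D --undefined-only "$1" | classify_symbols
else
    sample_symbols | classify_symbols
fi
```

The verdict rests only on symbol references, so a library with no character arrays on the stack, or whose libc calls are proven safe at compile time, reports "no" even when the hardening flags reached the compiler. Checking the compile lines in the build log is the way to tell the two cases apart.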
