_hardened_build not affecting libtool-compiled libraries
Reindl Harald
h.reindl at thelounge.net
Mon Jun 24 19:55:17 UTC 2013
On 24.06.2013 21:47, Richard W.M. Jones wrote:
>> $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so
>> ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
>> Position Independent Executable: no, regular shared library (ignored)
>> Stack protected: yes
>> Fortify Source functions: yes (some protected functions found)
>> Read-only relocations: yes
>> Immediate binding: yes
>
> Note there is still a problem that an LDFLAGS hack was needed in the
> spec file, otherwise libtool (or something) eats the hardening LDFLAGS

IMHO the hardening macro should always step in directly before
%configure because it also does not work with rpmrc not importing
the distribution defaults (for good reasons)

[builduser@buildserver64:~]$ cat /home/builduser/.rpmrc
optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe
-fstack-protector --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions

that is why I switched on my private build-environments to manually
set all the FLAGS and avoid the hardening-macro altogether

[builduser@buildserver64:~]$ cat /rpmbuild/SPECS/dovecot.spec | grep FLAGS
export CFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CXXFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export FFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CPPFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
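
The thread is about linker hardening flags being dropped between the spec file and the final link. The following is an added example, not part of the original message or of any Fedora tooling: a post-build check that reads `readelf` output to confirm that `-Wl,-z,relro` and `-Wl,-z,now` (the "Read-only relocations" and "Immediate binding" lines of `hardening-check`) actually reached a linked object. The function names and the sample `readelf` excerpts are constructed for illustration.

```sh
#!/bin/sh
# Verify that -Wl,-z,relro and -Wl,-z,now reached a linked object, using
# readelf (binutils). Usage: sh check-relro.sh FILE...  (no args: run demo)

# -z relro leaves a GNU_RELRO program header. stdin: `readelf -lW FILE`
has_relro() {
    grep -Eq '^[[:space:]]*GNU_RELRO[[:space:]]'
}

# -z now leaves DT_BIND_NOW, BIND_NOW in DT_FLAGS, or NOW in DT_FLAGS_1.
# stdin: `readelf -dW FILE`
has_bind_now() {
    grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'
}

# $1: program-header dump, $2: dynamic-section dump -> none | partial | full
relro_level() {
    if ! printf '%s\n' "$1" | has_relro; then
        echo none
    elif printf '%s\n' "$2" | has_bind_now; then
        echo full
    else
        echo partial
    fi
}

# Report each file; return non-zero if any is not fully hardened.
check_objects() {
    rc=0
    for f in "$@"; do
        level=$(relro_level "$(readelf -lW "$f")" "$(readelf -dW "$f")")
        printf '%s: relro=%s\n' "$f" "$level"
        [ "$level" = full ] || rc=1
    done
    return "$rc"
}

# Constructed readelf excerpts (not from a real build) for the demo.
PHDR_RELRO='  GNU_STACK      0x000000 0x0 0x0 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002d90 0x202d90 0x202d90 0x000270 0x000270 R   0x1'
PHDR_PLAIN='  GNU_STACK      0x000000 0x0 0x0 0x000000 0x000000 RW  0x10'
DYN_NOW=' 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'
DYN_LAZY=' 0x0000000000000003 (PLTGOT)             0x203000'
if [ "$#" -gt 0 ]; then
    check_objects "$@"
else
    echo "flags kept:  $(relro_level "$PHDR_RELRO" "$DYN_NOW")"
    echo "-z now lost: $(relro_level "$PHDR_RELRO" "$DYN_LAZY")"
    echo "both lost:   $(relro_level "$PHDR_PLAIN" "$DYN_LAZY")"
fi
```

Run against the files in the build root (for instance from `%check`), a non-zero exit status flags any object whose link step lost one of the two flags.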