_hardened_build not affecting libtool-compiled libraries

Reindl Harald h.reindl at thelounge.net
Mon Jun 24 19:55:17 UTC 2013



On 24.06.2013 21:47, Richard W.M. Jones wrote:
>> $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so 
>> ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
>>  Position Independent Executable: no, regular shared library (ignored)
>>  Stack protected: yes
>>  Fortify Source functions: yes (some protected functions found)
>>  Read-only relocations: yes
>>  Immediate binding: yes
> 
> Note there is still a problem that an LDFLAGS hack was needed in the
> spec file, otherwise libtool (or something) eats the hardening LDFLAGS

IMHO the hardening macro should always step in directly before
%configure because it also does not work with an rpmrc that does not
import the distribution defaults (for good reasons)

[builduser at buildserver64:~]$ cat /home/builduser/.rpmrc
optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe
-fstack-protector --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions

that is why I switched, on my private build environments, to setting
all the FLAGS manually and avoiding the hardening macro altogether

[builduser at buildserver64:~]$ cat /rpmbuild/SPECS/dovecot.spec | grep FLAGS
export CFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CXXFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export FFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CPPFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
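As an added illustration (not code from this thread, from nbdkit or from the dovecot package), the following Python script reimplements the linker-visible part of what hardening-check reports above: RELRO, immediate binding (BIND_NOW), PIE versus plain shared library, and the executable-stack bit. These are exactly the properties that disappear when libtool drops LDFLAGS such as `-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie`. Stack-protector and FORTIFY detection need a symbol-table scan and are deliberately out of scope. Both ELF images it checks are constructed in memory so the example runs offline; `inspect_elf64(open(path, "rb").read())` works on a real 64-bit little-endian object as well.

```python
"""Minimal ELF64 hardening inspector (added example, not from the thread).
Reads program headers and the dynamic section to answer the same
questions hardening-check asks about RELRO, BIND_NOW, PIE and the stack."""
import struct

# ELF constants as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000


def inspect_elf64(data: bytes) -> dict:
    """Return the hardening properties visible from ELF headers alone.
    PIE is judged the way older hardening-check does it: ET_DYN plus a
    PT_INTERP entry; an ET_DYN without an interpreter is a shared library."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF object")
    if data[5] != 1:
        raise ValueError("only little-endian objects are handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro, has_interp, dyn = False, False, None
    exec_stack = True  # no PT_GNU_STACK at all means the loader assumes an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    flags = flags1 = 0
    if dyn:
        off, size = dyn
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, "other"),
        "pie": e_type == ET_DYN and has_interp,
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,  # what -z relro -z now together buy you
        "exec_stack": exec_stack,
    }


def build_elf64(e_type: int, phdrs: list, dyn_entries: list) -> bytes:
    """Assemble a minimal ELF64 image (constructed test input, not a real
    binary): ELF header, program headers, then the dynamic entries."""
    ph_off = 64
    dyn_off = ph_off + 56 * (len(phdrs) + 1)  # +1 for the PT_DYNAMIC header itself
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = phdrs + [(PT_DYNAMIC, 6, dyn_off, len(dyn))]
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, EV_CURRENT
    hdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ph_off, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return hdr + body + dyn


# Constructed samples: a PIE linked with -pie -Wl,-z,now -Wl,-z,relro,-z,noexecstack,
# and a shared library where those LDFLAGS were lost on the way to the linker.
HARDENED_PIE = build_elf64(ET_DYN,
    [(PT_INTERP, 4, 0, 0), (PT_GNU_RELRO, 4, 0, 0), (PT_GNU_STACK, 6, 0, 0)],
    [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
UNHARDENED_LIB = build_elf64(ET_DYN, [], [])


def report(name: str, data: bytes) -> str:
    """Format the result in the spirit of hardening-check's output."""
    r = inspect_elf64(data)
    pie = "yes" if r["pie"] else "no, regular shared library" if r["type"] == "ET_DYN" else "no"
    return (f"{name}:\n Position Independent Executable: {pie}\n"
            f" Read-only relocations: {'yes' if r['relro'] else 'no'}\n"
            f" Immediate binding: {'yes' if r['bind_now'] else 'no'}\n"
            f" Executable stack: {'yes' if r['exec_stack'] else 'no'}")


if __name__ == "__main__":
    print(report("hardened-pie", HARDENED_PIE))
    print(report("unhardened-lib.so", UNHARDENED_LIB))
```

Running it on a freshly built plugin after `%configure` is a quick way to confirm whether the LDFLAGS actually reached the link step; if "Immediate binding" or "Read-only relocations" come back as "no" on a library that was supposedly built with the hardening flags, libtool has most likely filtered them, which is the situation the thread describes.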
