Control: tags -1 patch Hi Ritesh,
On 09/12/2016 08:18 PM, Ritesh Raj Sarraf wrote: > Control: tag -1 +help > > > Hello Balint, > > > On Mon, 2016-09-12 at 16:42 +0200, Balint Reczey wrote: >> During a rebuild of all packages in sid, your package failed to build on >> amd64 with patched GCC and dpkg. > >> The rebuild tested if packages are ready for a transition >> enabling PIE and bindnow for amd64. > > > I have tried enabling hardening flags before but that never helped. And I did > not look very deep into it. > > hardening=+all also modifies LDFLAGS which breaks the UML kernel build. > > So today, I tried with just the below, but lintian still complains. > > rrs@chutzpah:~/Community/Packaging/user-mode-linux (master)$ git diff > diff --git a/debian/rules b/debian/rules > index e29da82..802eb1e 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -15,6 +15,10 @@ tmpmodules:=$(debian)/uml-modules > DEB_HOST_ARCH?=$(shell dpkg-architecture -qDEB_HOST_ARCH) > #SUBARCH?=$(shell uname -m) > > +export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow > +#DPKG_EXPORT_BUILDFLAGS = 1 > +#include /usr/share/dpkg/buildflags.mk > + > ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) > KBUILDVARS := CFLAGS_KERNEL=-O1 > endif > > > If you have any suggestions on working around it, please do share on this bug > report. > > >> For more information about the changes to sid's dpkg and GCC please >> visit: >> https://wiki.debian.org/Hardening/PIEByDefaultTransition > >> Relevant part (hopefully): >> ... >> LD init/built-in.o >> /usr/bin/ld: arch/um/drivers/built-in.o: relocation R_X86_64_32 against >> `.rodata.str1.1' can not be used when making a shared object; recompile >> with -fPIC >> /usr/bin/ld: final link failed: Nonrepresentable section on output >> ... > > I've tagged this bug report as "help". The following patch fixes the build for me with the changed GCC and also builds fine with the original GCC 6: @@ -16,9 +16,11 @@ #SUBARCH?=$(shell uname -m) ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) -KBUILDVARS := CFLAGS_KERNEL=-O1 +CFLAGS_KERNEL += -O1 endif +KBUILDVARS := CFLAGS_KERNEL="$(CFLAGS_KERNEL)" CC="$(CC) -no-pie" LD="$(LD) -no-pie" + # development only targets # copy-config: > > BTW, do you know if the regular linux images of Debian are Hardening enabled ? If you mean PIE, no, but there are some hardening options enabled AFAIK thus I can't answer that question briefly. Cheers, Balint
signature.asc
Description: OpenPGP digital signature
