On 29/01/12 23:25, Russ Allbery wrote:
> For PIE, the main practical problem with PIE is that PIE and PIC conflict,
> so you can't just add -fPIE to the compiler flags of a package that builds
> both executables and libraries.
I investigated this for D-Bus (which builds a security-sensitive daemon,
dbus-daemon, and a library, libdbus). It turns out that libtool is
clever enough to replace -fPIE with -fPIC -DPIC when compiling objects
that will go in a shared library, and omit -pie when linking shared
libraries, so if your hybrid executable|library package uses libtool (as
D-Bus does), you *can* just add the PIE flags:
https://bugs.freedesktop.org/show_bug.cgi?id=16621#c9
(If your upstream has an ancient libtool, you might need to
re-libtoolize - but do that anyway, tbh. dh_autoreconf makes it quite
straightforward.)
As a result, I dropped the elaborate machinery from the upstream build
system to apply -fPIE in the compiler flags of only those objects that
will end up in an executable, in favour of recommending that
distributions use something like
'./configure CFLAGS=-fPIE LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"' or the
dpkg-buildflags equivalent.
At some point I should update the dbus source package to use the right
magic options to dpkg-buildflags, but for now it's still using
hardening-wrapper and seems to work fine.
S
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f265e36.2010...@debian.org
