On 23/07/14 05:21 PM, Thomas Bächler wrote: > Am 23.07.2014 22:17, schrieb Daniel Micay: >> PIE is required for full address space layout optimization (ASLR) and >> there is little to no benefit from ASLR without it since global ELF >> tables (GOT/PLT) and application code are at known locations. >> >> A wrapper script is required in order to pass the correct flags for >> executables without changing the flags for libraries. It adds `-pie` >> when linking (no `-c` switch) if `-static` or `-shared` are not passed, >> and `-fPIE` whenever `-fPIC` is not already there. This technique comes >> from the Debian hardening wrappers. >> >> Position independent code is expensive on i686, so it's only enabled by >> default on x86_64 where the cost is negligible. It can be enabled on a >> package-by-package basis on i686. The same cost already exists for any >> code in a dynamic library. >> >> The hardening-wrapper package also enforces the chosen hardening flags >> even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from >> the environment. It would need to be moved from [community] to [core]. > > Why should this be in devtools? The build settings are configured in > makepkg and we should not split this into two places.
Well, my earlier patch did that, but PIE is dealt with using distribution-specific machinery so it didn't really belong there: https://mailman.archlinux.org/pipermail/pacman-dev/2014-July/019202.html An alternative would be having makepkg (pacman) depend on the hardening-wrapper package and setting the appropriate HARDENING_* variables in makepkg.conf. HARDENED_PIE needs to vary based on CARCH to avoid a performance hit on i686, so it can't really be dealt with using defaults inside the wrapper.
signature.asc
Description: OpenPGP digital signature
