If I want to compile packages from BLFS, how can I recognize which ones I
can add the CFLAGS -pie -fpie and SSP to?
Sorry for this question, but I'm a beginner in this. ;-)
Filip Bartmann

Basically don't bother. -pie/-fpie only allow the compiler
to optimize the compilation. By default the gcc hardened specs
installed by HLFS compile everything with -pic, which is the same
as far as security is concerned and works for all files.
-pie only works for executables and not for libraries, but both
lead to position independent code, which means that the start address
of the code can be randomized.

The hardened specs also enable ssp by default, which works with almost
all software. The only exception I have come across so far is Firefox -
it crashes when you start it. So basically try to recompile your package
with hardened specs turned off if your software does not work
(this assumes that your program is not killed by PaX, which will produce
a corresponding error message in the syslog. In this case just use
paxctl to fix the problem.)

So to summarize: The gcc compiler installed by HLFS compiles everything
with pic/ssp - there is nothing you need to do. That's the beauty of
HLFS!

Sebastian Faulborn
Homepage: http://www.secure-slinux.org
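
To confirm on a finished build that a binary came out position independent and SSP-instrumented, the following check can be run over the installed files. It is an added example, not part of the original thread or of HLFS; the function names are hypothetical, the SSP test is a heuristic string search, and the sample headers are constructed rather than taken from a real binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3  # e_type values defined by the ELF specification

def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header, honouring the file's byte order."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(data[5])
    if endian is None:
        raise ValueError("unknown ELF byte order")
    return struct.unpack_from(endian + "H", data, 16)[0]

def check_hardening(data: bytes) -> dict:
    """Report whether an ELF image is position independent and references SSP."""
    return {
        # ET_DYN covers both PIE executables and shared libraries
        "position_independent": elf_type(data) == ET_DYN,
        # Heuristic (assumption): dynamically linked SSP code names the
        # __stack_chk_fail handler in its string table. Code without any
        # protected function, or a stripped static binary, will not match.
        "ssp_symbol": b"__stack_chk_fail\x00" in data,
    }

def sample_header(etype: int, extra: bytes = b"") -> bytes:
    """Constructed 64-bit little-endian ELF header prefix (not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 16-byte e_ident
    return ident + struct.pack("<HH", etype, 62) + extra  # 62 = EM_X86_64

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:
        print("PIE-style sample:", check_hardening(
            sample_header(ET_DYN, b"\x00__stack_chk_fail\x00")))
        print("fixed-address sample:", check_hardening(sample_header(ET_EXEC)))
```

Passing file paths as arguments checks real binaries; a result of `position_independent: False` on an executable means it was linked at a fixed address.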


