On 22/07/14 05:01 AM, Allan McRae wrote:
> On 22/07/14 07:41, Daniel Micay wrote:
>> A `pie` option is added for wrapping C and C++ compilers and passing the
>> correct options for building position independent executables. PIE is
>> required for full address space layout optimization (ASLR) and there is
>> little to no benefit from ASLR without it since global ELF tables
>> (GOT/PLT) and application code are at known locations.
>>
>> A wrapper script is required in order to pass the correct flags for
>> executables without changing the flags for libraries. It adds `-pie`
>> when linking (no `-c` switch) if `-static` or `-shared` are not passed,
>> and `-fPIE` whenever `-fPIC` is not already there. This technique comes
>> from the Debian hardening wrappers.
>>
>> Position independent code is expensive on i686, so it's only enabled by
>> default on x86_64 where the cost is negligible. It can be enabled on a
>> package-by-package basis on i686. The same cost already exists for any
>> code in a dynamic library.
>
> Why should this be in makepkg? Just like Debian this should be a
> distribution build system integration rather than in the package manager.
>
> Allan

The wrapper script could be provided in a separate hardening-wrapper package, but makepkg needs to be aware of it as an option in order to make PIE the default on x86_64. I could put the script itself in a hardening-wrapper package and extend it to cover other issues. The only public / documented part of this is the `pie` option, so the implementation could always change in the future. PIE is the only one of these options that's more complicated than the build system respecting CFLAGS though, so a more complex wrapper like Debian isn't necessarily a good idea. It would make it easier to have packages respect our hardening flags, but they wouldn't be respecting the other CFLAGS/LDFLAGS which could still be considered a bug.
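
The flag-selection rule from the quoted patch description, as an added sketch; it is not the script from the patch and not Debian's hardening wrapper. The function name `pie_extra_flags` and the file names in the comments are made up for illustration, and only the switches named in the description are checked.

```shell
#!/bin/sh
# Added illustration, not the makepkg patch's wrapper script.
# pie_extra_flags ARGS...: print the flags the described rule would add
# to a compiler command line:
#   -fPIE  unless -fPIC is already present
#   -pie   when linking (no -c) and neither -static nor -shared is given
pie_extra_flags() {
    linking=1      # cleared by -c (compile only, linker not run)
    want_pie=1     # cleared by -static or -shared
    want_fpie=1    # cleared when -fPIC is already on the command line
    for arg in "$@"; do
        case "$arg" in
            -c)              linking=0 ;;
            -static|-shared) want_pie=0 ;;
            -fPIC)           want_fpie=0 ;;
        esac
    done

    extra=""
    if [ "$want_fpie" -eq 1 ]; then
        extra="-fPIE"
    fi
    if [ "$linking" -eq 1 ] && [ "$want_pie" -eq 1 ]; then
        extra="${extra:+$extra }-pie"
    fi
    printf '%s\n' "$extra"
}

# A wrapper built on this would finish by exec'ing the real compiler with
# the extra flags added to the original arguments (path is hypothetical):
#   exec /usr/bin/gcc $(pie_extra_flags "$@") "$@"
```

Whether a linked binary actually came out position independent can be checked with `readelf -h`, which reports type `DYN` for a PIE and `EXEC` for a fixed-address executable.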
