[hardening-discuss] Linker fails on i386 and amd64 with hardening options
Kees Cook
kees at outflux.net
Mon Apr 28 19:48:48 UTC 2008
Hi Jörg,
On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> I've enabled hardening support for slrn.
Ah! I see the problem now. You're doing a separate debian/rules thing,
instead of using hardening-wrapper and DEB_BUILD_HARDENING=1.
You have:
ifeq (,$(findstring nohardening,$(DEB_BUILD_OPTIONS)))
# http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html
CFLAGS += -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra
LDFLAGS += -Wl,-zrelro,-pie
ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
CFLAGS += -D_FORTIFY_SOURCE=2
endif
endif
This won't work for reasons I mentioned in the prior email. I would
recommend using hardening-wrapper directly[1]. If, however, you want to do
it piece-meal, you will need multiple arch-specific tests for PIE and
stack-protector (see hardening-wrapper source[2]), and you will need to
pass "-fPIE" only to objects going into the final executable (-fPIC as
usual for libraries), as well as "-pie" for the final gcc link of the
executable. hardening-wrapper currently handles all these cases.
You don't need a special-case for noopt, since FORTIFY_SOURCE will be
silently ignored if -O is less than 2.
-Kees
[1] http://wiki.debian.org/Hardening
add hardening-wrapper to debian/control Build-Deps
add "export DEB_BUILD_HARDENING=1" to debian/rules
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/debian/rules?op=file&rev=0&sc=0
--
Kees Cook @outflux.net
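Added example, not part of the thread: a small POSIX sh check that tells you whether the options discussed above (-pie, -zrelro, -fstack-protector, -D_FORTIFY_SOURCE=2) actually landed in a built binary, by inspecting readelf output. The function name hardening_report and the embedded readelf samples are constructed for this example.

```shell
#!/bin/sh
# Inputs: the text of `readelf -h`, `readelf -l`, `readelf -d` and `readelf -s`
# for the same file. Prints one line summarising what took effect.
hardening_report() {
    hdr=$1; phdrs=$2; dyn=$3; syms=$4

    # -pie: a PIE executable has ELF type DYN (a plain executable is EXEC).
    # Caveat: shared libraries are DYN too, so only apply this to executables.
    if printf '%s\n' "$hdr" | grep -q 'Type:[[:space:]]*DYN'; then pie=yes; else pie=no; fi

    # -Wl,-zrelro adds a GNU_RELRO segment (partial RELRO); adding -z now
    # (BIND_NOW in the dynamic section) makes it full. The flags above give partial.
    if printf '%s\n' "$phdrs" | grep -q 'GNU_RELRO'; then
        if printf '%s\n' "$dyn" | grep -q 'BIND_NOW'; then relro=full; else relro=partial; fi
    else relro=none; fi

    # -fstack-protector: protected functions import __stack_chk_fail.
    # Caveat: absent if no function in the binary qualified for a canary.
    if printf '%s\n' "$syms" | grep -q '__stack_chk_fail'; then ssp=yes; else ssp=no; fi

    # -D_FORTIFY_SOURCE=2 (only with -O2 or higher) swaps printf/memcpy/etc.
    # for glibc's *_chk variants; the pattern excludes __stack_chk_fail.
    if printf '%s\n' "$syms" | grep -qE '__[a-z]+_chk([^a-z_]|$)'; then fortify=yes; else fortify=no; fi

    printf 'pie=%s relro=%s ssp=%s fortify=%s\n' "$pie" "$relro" "$ssp" "$fortify"
}

# Against a real file:
#   hardening_report "$(readelf -h f)" "$(readelf -l f)" "$(readelf -d f)" "$(readelf -s f)"

# Constructed readelf excerpts for a binary built with the flags from the thread.
SAMPLE_H='ELF Header:
  Type:                              DYN (Shared object file)'
SAMPLE_L='Program Headers:
  GNU_RELRO      0x002e00 0x0000000000003e00 0x0000000000003e00 0x000200 0x000200 R   0x1'
SAMPLE_D='Dynamic section at offset 0x2e00 contains 27 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_S='Symbol table .dynsym contains 9 entries:
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)'

hardening_report "$SAMPLE_H" "$SAMPLE_L" "$SAMPLE_D" "$SAMPLE_S"
```

Expect `pie=yes relro=partial ssp=yes fortify=yes` for the sample; a binary built without the flags reports no/none throughout.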