[hardening-discuss] Bug#596150: No documentation how to filter *_PIE which breaks building of shared objects

Emil Langrock emil.langrock at gmx.de
Wed Sep 8 23:30:26 UTC 2010


Kees Cook wrote:
> Hi,
> 
> On Wed, Sep 08, 2010 at 11:02:18PM +0200, Emil Langrock wrote:
> > I tried to use the file to find the correct flags for a project. It
> > simply included it as specified in the file
> > 
> > /usr/share/hardening-includes/hardening.make
> > 
> > And in my main Makefile I did something like
> > 
> > export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
> > export LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
> > 
> > 
> > but omg, it killed the compilation completely. The reason seems to be the
> > pie stuff. So I could disable the PIE of course, but when thinking
> > about package management then we would have the problem that packages
> > which are shared objects and executables that we automatically kill pie
> > for them.
> 
> Which project was this? I'd like to see the specific situation in which it
> fails so I can more easily debug it.

Just use amarok_2.3.1-1. Add the following to ./debian/rules:

include /usr/share/hardening-includes/hardening.make
export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
export CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)
export CXXFLAGS=$(shell dpkg-buildflags --get CXXFLAGS)
export LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
CFLAGS += $(HARDENING_CFLAGS)
CXXFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)



It will stop with:

Linking CXX shared library ../../lib/libamarokcore.so
cd src/core && /usr/bin/cmake -E cmake_link_script CMakeFiles/amarokcore.dir/link.txt --verbose=1                                                                                                         
/usr/bin/c++  -fPIC -g -O2  -fPIE  -fstack-protector  -D_FORTIFY_SOURCE=2  -Wformat -Wformat-security   -fmessage-length=0 -Wl,--as-needed -Wnon-virtual-dtor -Wno-long-long
-ansi -Wundef -Wcast-align -Wchar-subscripts -Wall -W -Wpointer-arith -Wformat-security -fno-exceptions -DQT_NO_EXCEPTIONS -fno-check-new -fno-common -Woverloaded-virtual
-fno-threadsafe-statics -fvisibility=hidden -fvisibility-inlines-hidden -DNDEBUG -DQT_NO_DEBUG -Wl,--enable-new-dtags -Wl,--fatal-warnings -Wl,--no-undefined -lc
-fPIE -pie  -Wl,-z,relro  -Wl,-z,now  -shared -Wl,-soname,libamarokcore.so.1 -o ../../lib/libamarokcore.so.1.0.0 CMakeFiles/amarokcore.dir/amarokcore_automoc.o 
CMakeFiles/amarokcore.dir/plugins/Plugin.o CMakeFiles/amarokcore.dir/plugins/PluginManager.o CMakeFiles/amarokcore.dir/plugins/PluginConfig.o 
CMakeFiles/amarokcore.dir/podcasts/PodcastReader.o CMakeFiles/amarokcore.dir/podcasts/PodcastMeta.o CMakeFiles/amarokcore.dir/podcasts/PodcastImageFetcher.o 
CMakeFiles/amarokcore.dir/podcasts/PodcastProvider.o CMakeFiles/amarokcore.dir/interfaces/Logger.o CMakeFiles/amarokcore.dir/collections/Collection.o 
CMakeFiles/amarokcore.dir/collections/CollectionLocation.o CMakeFiles/amarokcore.dir/collections/MetaQueryMaker.o CMakeFiles/amarokcore.dir/collections/QueryMaker.o 
CMakeFiles/amarokcore.dir/collections/support/TrackForUrlWorker.o CMakeFiles/amarokcore.dir/statistics/StatisticsProvider.o CMakeFiles/amarokcore.dir/playlists/Playlist.o 
CMakeFiles/amarokcore.dir/playlists/PlaylistFormat.o CMakeFiles/amarokcore.dir/playlists/PlaylistProvider.o CMakeFiles/amarokcore.dir/meta/Meta.o 
CMakeFiles/amarokcore.dir/meta/support/MetaUtility.o CMakeFiles/amarokcore.dir/meta/support/PrivateMetaRegistry.o CMakeFiles/amarokcore.dir/capabilities/Capability.o 
CMakeFiles/amarokcore.dir/capabilities/BookmarkThisCapability.o CMakeFiles/amarokcore.dir/capabilities/BoundedPlaybackCapability.o 
CMakeFiles/amarokcore.dir/capabilities/CollectionCapability.o CMakeFiles/amarokcore.dir/capabilities/CurrentTrackActionsCapability.o 
CMakeFiles/amarokcore.dir/capabilities/CustomActionsCapability.o CMakeFiles/amarokcore.dir/capabilities/DecoratorCapability.o 
CMakeFiles/amarokcore.dir/capabilities/EditCapability.o CMakeFiles/amarokcore.dir/capabilities/EditablePlaylistCapability.o 
CMakeFiles/amarokcore.dir/capabilities/FindInSourceCapability.o CMakeFiles/amarokcore.dir/capabilities/LastFmCapability.o 
CMakeFiles/amarokcore.dir/capabilities/MultiPlayableCapability.o CMakeFiles/amarokcore.dir/capabilities/MultiSourceCapability.o 
CMakeFiles/amarokcore.dir/capabilities/OrganiseCapability.o CMakeFiles/amarokcore.dir/capabilities/ReadLabelCapability.o 
CMakeFiles/amarokcore.dir/capabilities/SourceInfoCapability.o CMakeFiles/amarokcore.dir/capabilities/StatisticsCapability.o 
CMakeFiles/amarokcore.dir/capabilities/StreamInfoCapability.o CMakeFiles/amarokcore.dir/capabilities/UpdateCapability.o 
CMakeFiles/amarokcore.dir/capabilities/WriteLabelCapability.o CMakeFiles/amarokcore.dir/engine/EngineObserver.o CMakeFiles/amarokcore.dir/support/Amarok.o 
CMakeFiles/amarokcore.dir/support/Components.o CMakeFiles/amarokcore.dir/support/SmartPointerList.o CMakeFiles/amarokcore.dir/support/Debug.o -lpthread 
/usr/lib/libkio.so.5.4.0 /usr/lib/libkutils.so.4.4.0 /usr/lib/libsolid.so.4.4.0 /usr/lib/libthreadweaver.so.4.4.0 -ldl /usr/lib/libQtNetwork.so /usr/lib/libQtXml.so 
/usr/lib/libkdeui.so.5.4.0 /usr/lib/libQtSvg.so /usr/lib/libkdecore.so.5.4.0 /usr/lib/libQtDBus.so /usr/lib/libQtGui.so /usr/lib/libQtCore.so 
/usr/bin/ld: CMakeFiles/amarokcore.dir/amarokcore_automoc.o: relocation R_X86_64_PC32 against symbol `Amarok::Logger::staticMetaObject' can not be used when making a 
shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
make[3]: *** [lib/libamarokcore.so.1.0.0] Error 1
make[3]: Leaving directory `/tmp/buildd/amarok-2.3.1/obj-x86_64-linux-gnu'
make[2]: *** [src/core/CMakeFiles/amarokcore.dir/all] Error 2
make[2]: Leaving directory `/tmp/buildd/amarok-2.3.1/obj-x86_64-linux-gnu'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/tmp/buildd/amarok-2.3.1/obj-x86_64-linux-gnu'
dh_auto_build: make -j1 returned exit code 2
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
E: Failed autobuilding of package
I: unmounting /var/cache/pbuilder/ccache filesystem
I: unmounting dev/pts filesystem
I: unmounting proc filesystem
 -> Cleaning COW directory
  forking: rm -rf /var/cache/pbuilder/build//cow.28300


Personally I am not really pleased by the wrapper. It is maybe nice for
testing purposes, but I doubt that it plays fine with ccache and something
like that.
-- 
Emil Langrock
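
A check for the conflict visible in the log above, added here as an example and not part of the original message: it flags link commands that build a shared object while `-pie` or a trailing `-fPIE` is present, and re-checks the command with only the PIE options filtered out. The function names and the abridged sample command are assumptions made for illustration.

```python
import shlex

PIE_CODEGEN = {"-fPIE", "-fpie"}
PIC_CODEGEN = {"-fPIC", "-fpic"}

# Constructed sample: the failing link line from the log above, abridged to
# its flags and a single object file.
SAMPLE_LINK = (
    "/usr/bin/c++ -fPIC -g -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 "
    "-Wl,--no-undefined -lc -fPIE -pie -Wl,-z,relro -Wl,-z,now -shared "
    "-Wl,-soname,libamarokcore.so.1 -o ../../lib/libamarokcore.so.1.0.0 "
    "CMakeFiles/amarokcore.dir/plugins/Plugin.o"
)


def pie_conflicts(command):
    """Return the PIE-related problems in one compiler/linker command line."""
    args = shlex.split(command)
    if "-shared" not in args:
        return []  # executables may legitimately use -fPIE / -pie
    problems = []
    if "-pie" in args:
        problems.append("-pie passed together with -shared")
    # GCC applies the last of the -fPIC/-fPIE family on the command line,
    # so a trailing -fPIE cancels the -fPIC a shared object needs.
    codegen = [a for a in args if a in PIE_CODEGEN | PIC_CODEGEN]
    if codegen and codegen[-1] in PIE_CODEGEN:
        problems.append(
            "last code-generation flag is %s, not -fPIC" % codegen[-1])
    return problems


def strip_pie(command):
    """Drop only the PIE options; relro, bind-now, stack protector stay.

    Same effect as GNU make's $(filter-out -fPIE -fpie -pie,...) on a
    flag variable.
    """
    args = shlex.split(command)
    return shlex.join(a for a in args
                      if a not in PIE_CODEGEN and a != "-pie")


if __name__ == "__main__":
    for problem in pie_conflicts(SAMPLE_LINK):
        print("conflict:", problem)
    print("after filtering:", pie_conflicts(strip_pie(SAMPLE_LINK)))
```
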




