On 24.06.2013 21:47, Richard W.M. Jones wrote:
>> $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so
>> ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
>>  Position Independent Executable: no, regular shared library (ignored)
>>  Stack protected: yes
>>  Fortify Source functions: yes (some protected functions found)
>>  Read-only relocations: yes
>>  Immediate binding: yes
>
> Note there is still a problem that an LDFLAGS hack was needed in the
> spec file, otherwise libtool (or something) eats the hardening LDFLAGS

IMHO the hardening macro should always step in directly before %configure
because it also does not work with rpmrc not importing the distribution
defaults (for good reasons)

[builduser@buildserver64:~]$ cat /home/builduser/.rpmrc
optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe -fstack-protector --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions

that is why I switched on my private build-environments to manually set
all the FLAGS and avoid the hardening macro altogether

[builduser@buildserver64:~]$ cat /rpmbuild/SPECS/dovecot.spec | grep FLAGS
export CFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CXXFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export FFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CPPFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
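An added example, not part of the original mail and not the code of hardening-check: since the thread's problem is linker flags being dropped between the spec file and the final link, this sketch checks the built ELF64 object itself for the effects of `-z relro`, `-z now` and `-z noexecstack`. The function names and the two sample images are constructed for illustration; stack protector and fortify checks are out of scope here.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3

def check_elf64(data):
    """Report link-time hardening of a little-endian ELF64 image (bytes)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    res = {"et_dyn": e_type == ET_DYN, "relro": False,
           "bind_now": False, "nx_stack": False}
    for i in range(phnum):
        base = e_phoff + i * phentsize
        p_type, p_flags, p_off = struct.unpack_from("<IIQ", data, base)
        p_filesz, = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_RELRO:          # result of -z relro
            res["relro"] = True
        elif p_type == PT_GNU_STACK:        # -z noexecstack: segment lacks PF_X
            res["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:          # -z now shows up in the dynamic table
            for off in range(p_off, p_off + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    return res

def build_sample(ldflags_applied):
    """Constructed minimal image: ELF header, program headers, dynamic table only."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if ldflags_applied else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    segs = [(PT_DYNAMIC, 6), (PT_GNU_STACK, 6)]
    if ldflags_applied:
        segs.append((PT_GNU_RELRO, 4))
    dyn_off = 64 + 56 * len(segs)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", ET_DYN, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, dyn_off, dyn_off,
                                 len(dyn), len(dyn), 8) for t, f in segs)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    print("LDFLAGS applied:", check_elf64(build_sample(True)))
    print("LDFLAGS dropped:", check_elf64(build_sample(False)))
```

On a real build, pass `open(path, "rb").read()` for each installed `.so` or executable; `relro` together with `bind_now` corresponds to the "Read-only relocations" and "Immediate binding" lines in the quoted output.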