On Sat, Feb 20, 2021 at 01:16:07PM +0100, Bastian Germann wrote: > This is a change introduced in 5.6.0-1ubuntu3. > > Reported-by: Dimitri John Ledkov <xnox@xxxxxxxxxx> > Signed-off-by: Bastian Germann <bastiangermann@xxxxxxxxxxx> > --- > debian/changelog | 1 + > debian/rules | 8 +++++++- > 2 files changed, 8 insertions(+), 1 deletion(-) > > diff --git a/debian/changelog b/debian/changelog > index 8320a2e8..c77f04ab 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -2,6 +2,7 @@ xfsprogs (5.11.0-rc0-1) experimental; urgency=medium > > [ Dimitri John Ledkov ] > * Drop trying to create upstream distribution > + * Enable CET on amd64 > > -- Bastian Germann <bastiangermann@xxxxxxxxxxx> Sat, 20 Feb 2021 11:57:31 +0100 > > diff --git a/debian/rules b/debian/rules > index 8a3345b6..dd093f2c 100755 > --- a/debian/rules > +++ b/debian/rules 
> @@ -23,8 +23,14 @@ pkgdev = DIST_ROOT=`pwd`/$(dirdev); export DIST_ROOT; > pkgdi = DIST_ROOT=`pwd`/$(dirdi); export DIST_ROOT; > stdenv = @GZIP=-q; export GZIP; > > +ifeq ($(target),amd64) > +export DEB_CFLAGS_MAINT_APPEND=-fcf-protection > +export DEB_LDFLAGS_MAINT_APPEND=-fcf-protection > +endif > +include /usr/share/dpkg/default.mk > + > options = export DEBUG=-DNDEBUG DISTRIBUTION=debian \ > - INSTALL_USER=root INSTALL_GROUP=root \ > + INSTALL_USER=root INSTALL_GROUP=root LDFLAGS='$(LDFLAGS)' \ > LOCAL_CONFIGURE_OPTIONS="--enable-editline=yes --enable-blkid=yes --disable-ubsan --disable-addrsan --disable-threadsan --enable-lto" ; > diopts = $(options) \ > export OPTIMIZER=-Os LOCAL_CONFIGURE_OPTIONS="--enable-gettext=no --disable-ubsan --disable-addrsan --disable-threadsan --enable-lto" ;

No. This is not the way to turn on build wide compiler/linker options/protections.

IOWs, if you want to turn on control flow protections to make ROP exploits harder (why that actually matters for xfsprogs is beyond me), then you need to add a configure option similar to --enable-lto. Then it can actually be enabled and used by other distros, not just Ubuntu, and it will also ensure that builds will fail at configure time if the compiler/linker does not support this functionality.

Cheers,

Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
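
Review bot: In the debian/rules hunk, the "options" line gains LDFLAGS='$(LDFLAGS)' but nothing equivalent for CFLAGS, so the -fcf-protection set through DEB_CFLAGS_MAINT_APPEND only reaches the compiler if CFLAGS is exported somewhere outside the visible lines. Since the compile step is where the flag has to take effect, forward CFLAGS='$(CFLAGS)' next to LDFLAGS, or note in a comment where it is already exported. The conditional "ifeq ($(target),amd64)" also depends on a "target" variable that is defined outside this hunk; a one-line comment stating that it holds the Debian host architecture would make it clear the block cannot silently evaluate to false. Nothing in the hunk makes the build fail if the toolchain ignores or rejects the flag, so a post-build check on the produced binaries would be worth adding.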
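
Review bot: In the debian/changelog hunk, the new entry "Enable CET on amd64" does not say how the protection is enabled, while the debian/rules change does it by appending -fcf-protection to the maintainer CFLAGS and LDFLAGS. Naming the flag in the entry, for example "Enable CET on amd64 (-fcf-protection)", lets someone auditing hardening settings find the change by searching the changelog for the flag.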