On 23/07/14 05:21 PM, Thomas Bächler wrote:
> On 23.07.2014 22:17, Daniel Micay wrote:
>> PIE is required for full address space layout optimization (ASLR) and there is little to no benefit from ASLR without it since global ELF tables (GOT/PLT) and application code are at known locations.
>> A wrapper script is required in order to pass the correct flags for executables without changing the flags for libraries. It adds `-pie` when linking (no `-c` switch) if neither `-static` nor `-shared` is passed, and `-fPIE` whenever `-fPIC` is not already there. This technique comes from the Debian hardening wrappers.
>> Position independent code is expensive on i686, so it's only enabled by default on x86_64, where the cost is negligible. It can be enabled on a package-by-package basis on i686. The same cost already exists for any code in a dynamic library.
>> The hardening-wrapper package also enforces the chosen hardening flags even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from the environment. It would need to be moved from [community] to [core].
> Why should this be in devtools? The build settings are configured in makepkg and we should not split this into two places.
Well, my earlier patch did that, but PIE is dealt with using distribution-specific machinery so it didn't really belong there:

https://mailman.archlinux.org/pipermail/pacman-dev/2014-July/019202.html

An alternative would be having makepkg (pacman) depend on the hardening-wrapper package and setting the appropriate HARDENING_* variables in makepkg.conf. HARDENED_PIE needs to vary based on CARCH to avoid a performance hit on i686, so it can't really be dealt with using defaults inside the wrapper.
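The flag-selection rule from the quoted description (`-pie` only when linking and neither `-static` nor `-shared` is given, `-fPIE` unless a PIC flag is already present), written out as a small POSIX sh gcc front-end. This is an added illustration, not Debian's hardening-wrapper or the patch under discussion; the HARDENING_REAL_CC variable, the `-S`/`-E` non-linking cases and the lowercase `-fpic`/`-fpie` spellings are my own assumptions beyond what the thread states.

```shell
#!/bin/sh
# Added example, not the Debian or Arch hardening-wrapper code.
# The real compiler path is assumed to arrive in HARDENING_REAL_CC.

# Print the hardening flags to prepend for the given gcc command line.
pie_flags() {
    pf_link=1        # gcc links unless told to stop at an earlier stage
    pf_nopie=0       # -static / -shared: the output must not be a PIE
    pf_pic=0         # a position-independent code-gen flag is already present
    for pf_arg in "$@"; do
        case "$pf_arg" in
            -c|-S|-E)                pf_link=0 ;;   # -S/-E: my addition to the page's -c
            -static|-shared)         pf_nopie=1 ;;
            -fPIC|-fpic|-fPIE|-fpie) pf_pic=1 ;;    # lowercase/-fPIE variants: my addition
        esac
    done
    pf_flags=""
    # -fPIE whenever no PIC/PIE code-generation flag was given by the build system
    if [ "$pf_pic" -eq 0 ]; then
        pf_flags="-fPIE"
    fi
    # -pie only when producing an executable: linking, and not -static/-shared
    if [ "$pf_link" -eq 1 ] && [ "$pf_nopie" -eq 0 ]; then
        pf_flags="${pf_flags:+$pf_flags }-pie"
    fi
    printf '%s\n' "$pf_flags"
}

# Run the real compiler with the chosen flags in front of the caller's own,
# so the build system's CFLAGS/LDFLAGS are honoured but cannot drop PIE.
wrap_cc() {
    # word splitting of the flag list is intended here
    exec "$HARDENING_REAL_CC" $(pie_flags "$@") "$@"
}

# Dispatch only when installed as a wrapper (HARDENING_REAL_CC set), so the
# functions above can also be sourced and exercised on their own.
if [ -n "${HARDENING_REAL_CC:-}" ]; then
    wrap_cc "$@"
fi
```

With `HARDENING_REAL_CC=/usr/bin/gcc`, a link step such as `gcc -O2 main.o -o app` becomes `gcc -fPIE -pie -O2 main.o -o app`, while `gcc -shared -fPIC foo.o -o libfoo.so` is passed through unchanged.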