On 23/07/14 05:21 PM, Thomas Bächler wrote:
> On 23.07.2014 22:17, Daniel Micay wrote:
>> PIE is required for full address space layout optimization (ASLR) and there is little to no benefit from ASLR without it since global ELF tables (GOT/PLT) and application code are at known locations.
>> A wrapper script is required in order to pass the correct flags for executables without changing the flags for libraries. It adds `-pie` when linking (no `-c` switch) if `-static` or `-shared` are not passed, and `-fPIE` whenever `-fPIC` is not already there. This technique comes from the Debian hardening wrappers.
>> Position independent code is expensive on i686, so it's only enabled by default on x86_64 where the cost is negligible. It can be enabled on a package-by-package basis on i686. The same cost already exists for any code in a dynamic library.
>> The hardening-wrapper package also enforces the chosen hardening flags even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from the environment. It would need to be moved from [community] to [core].
> Why should this be in devtools? The build settings are configured in makepkg and we should not split this into two places.
I went ahead and altered the hardening-wrapper script so that it doesn't require any devtools / makepkg modifications. It does add a new /etc/hardening-wrapper.conf configuration file though... I don't really want to encode the difference between i686 / x86_64 into the script itself by installing a separate one on both architectures.
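
The flag rules described in the patch summary above, sketched as a shell function. This is an added example, not the hardening-wrapper script itself: `harden_args` and `HARDENING_PIE` are hypothetical names, only the switches named in the thread (`-c`, `-static`, `-shared`, `-fPIC`) are handled, and skipping a duplicate `-fPIE` is an assumption of the example.

```shell
#!/bin/sh
# Added illustration of the flag rules described in this thread; it is not
# the hardening-wrapper source. HARDENING_PIE is a hypothetical switch that
# stands in for the per-architecture default (on for x86_64, opt-in on i686).

# harden_args ARG...: print the adjusted compiler arguments, one per line.
harden_args() {
    if [ "${HARDENING_PIE:-1}" != 1 ]; then
        [ "$#" -eq 0 ] || printf '%s\n' "$@"   # PIE disabled: pass through untouched
        return 0
    fi
    linking=1    # a link step unless -c is present
    link_pie=1   # -pie is skipped for -static and -shared links
    have_pic=0   # -fPIE is skipped when -fPIC (or -fPIE) is already given
    for arg in "$@"; do
        case "$arg" in
            -c)              linking=0 ;;
            -static|-shared) link_pie=0 ;;
            -fPIC|-fPIE)     have_pic=1 ;;
        esac
    done
    # Added flags go first so the caller's own arguments keep their order
    # (placement is a choice made for this example).
    [ "$have_pic" -eq 1 ] || printf '%s\n' -fPIE
    if [ "$linking" -eq 1 ] && [ "$link_pie" -eq 1 ]; then
        printf '%s\n' -pie
    fi
    [ "$#" -eq 0 ] || printf '%s\n' "$@"
}

# Constructed sample invocations: compile only, executable link, library link.
if [ "${1:-}" = demo ]; then
    for cmd in "-O2 -c main.c" "main.o -o app" "-fPIC -shared lib.c -o lib.so"; do
        # shellcheck disable=SC2086  # intentional word splitting of the sample
        echo "gcc $cmd  ->  gcc $(harden_args $cmd | tr '\n' ' ')"
    done
fi
```

Running the file with the argument `demo` prints the three constructed command lines before and after adjustment.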