[pacman-dev] [PATCH] add support for PIE to makepkg
A `pie` option is added for wrapping C and C++ compilers and passing the
correct options for building position independent executables. PIE is
required for full address space layout optimization (ASLR) and there is
little to no benefit from ASLR without it since global ELF tables
(GOT/PLT) and application code are at known locations.

A wrapper script is required in order to pass the correct flags for
executables without changing the flags for libraries. It adds `-pie`
when linking (no `-c` switch) if `-static` or `-shared` are not passed,
and `-fPIE` whenever `-fPIC` is not already there. This technique comes
from the Debian hardening wrappers.

Position independent code is expensive on i686, so it's only enabled by
default on x86_64 where the cost is negligible. It can be enabled on a
package-by-package basis on i686. The same cost already exists for any
code in a dynamic library.

Signed-off-by: Daniel Micay
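
The flag-selection rule described in the message above, as an added example (not the script from the patch, and not the Debian wrapper). The function names `pie_args` and `pie_cmdline` are hypothetical, and treating `-S`/`-E` like `-c` and `-fpic` like `-fPIC` are assumptions that go beyond what the message states.

```shell
#!/bin/sh
# Added illustration of the wrapper's decision logic; constructed for this page.

# pie_args: print the argument list a PIE wrapper would pass to the real
# compiler, one argument per line.
pie_args() {
    want_pie=1   # add -pie unless this is not a link of a dynamic executable
    want_fpie=1  # add -fPIE unless the caller already chose -fPIC
    for arg in "$@"; do
        case "$arg" in
            -c)              want_pie=0 ;;  # compile only, no link step
            -S|-E)           want_pie=0 ;;  # assumption: also no link step
            -static|-shared) want_pie=0 ;;  # static binary or library: leave alone
            -fPIC|-fpic)     want_fpie=0 ;; # library objects keep their PIC flags
        esac
    done
    # Added flags go first so flags from the build system come later.
    if [ "$want_fpie" -eq 1 ]; then printf '%s\n' -fPIE; fi
    if [ "$want_pie" -eq 1 ]; then printf '%s\n' -pie; fi
    printf '%s\n' "$@"
}

# pie_cmdline: same result joined on one line, for display and testing.
pie_cmdline() {
    pie_args "$@" | paste -s -d ' ' -
}

# Constructed sample invocations: link, compile-only, shared library, static.
pie_cmdline -O2 -o hello hello.c
pie_cmdline -O2 -c hello.c -o hello.o
pie_cmdline -shared -fPIC -o libfoo.so foo.c
pie_cmdline -static -o tool tool.c
```

A wrapper placed ahead of the real compiler in `PATH` would exec the compiler with this list; the result can be checked with `readelf -h`, which reports `Type: DYN` for a PIE executable.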

On 22/07/14 07:41, Daniel Micay wrote:
> A `pie` option is added for wrapping C and C++ compilers and passing the correct options for building position independent executables. PIE is required for full address space layout optimization (ASLR) and there is little to no benefit from ASLR without it since global ELF tables (GOT/PLT) and application code are at known locations.
>
> A wrapper script is required in order to pass the correct flags for executables without changing the flags for libraries. It adds `-pie` when linking (no `-c` switch) if `-static` or `-shared` are not passed, and `-fPIE` whenever `-fPIC` is not already there. This technique comes from the Debian hardening wrappers.
>
> Position independent code is expensive on i686, so it's only enabled by default on x86_64 where the cost is negligible. It can be enabled on a package-by-package basis on i686. The same cost already exists for any code in a dynamic library.

Why should this be in makepkg? Just like Debian this should be a distribution build system integration rather than in the package manager.

Allan

On 22/07/14 05:01 AM, Allan McRae wrote:
> On 22/07/14 07:41, Daniel Micay wrote:
>> A `pie` option is added for wrapping C and C++ compilers and passing the correct options for building position independent executables. PIE is required for full address space layout optimization (ASLR) and there is little to no benefit from ASLR without it since global ELF tables (GOT/PLT) and application code are at known locations.
>>
>> A wrapper script is required in order to pass the correct flags for executables without changing the flags for libraries. It adds `-pie` when linking (no `-c` switch) if `-static` or `-shared` are not passed, and `-fPIE` whenever `-fPIC` is not already there. This technique comes from the Debian hardening wrappers.
>>
>> Position independent code is expensive on i686, so it's only enabled by default on x86_64 where the cost is negligible. It can be enabled on a package-by-package basis on i686. The same cost already exists for any code in a dynamic library.
>
> Why should this be in makepkg? Just like Debian this should be a distribution build system integration rather than in the package manager.
>
> Allan

The wrapper script could be provided in a separate hardening-wrapper package, but makepkg needs to be aware of it as an option in order to make PIE the default on x86_64. I could put the script itself in a hardening-wrapper package and extend it to cover other issues. The only public / documented part of this is the `pie` option, so the implementation could always change in the future. PIE is the only one of these options that's more complicated than the build system respecting CFLAGS though, so a more complex wrapper like Debian isn't necessarily a good idea. It would make it easier to have packages respect our hardening flags, but they wouldn't be respecting the other CFLAGS/LDFLAGS which could still be considered a bug.

On 22/07/14 05:01 AM, Allan McRae wrote:
> On 22/07/14 07:41, Daniel Micay wrote:
>> A `pie` option is added for wrapping C and C++ compilers and passing the correct options for building position independent executables. PIE is required for full address space layout optimization (ASLR) and there is little to no benefit from ASLR without it since global ELF tables (GOT/PLT) and application code are at known locations.
>>
>> A wrapper script is required in order to pass the correct flags for executables without changing the flags for libraries. It adds `-pie` when linking (no `-c` switch) if `-static` or `-shared` are not passed, and `-fPIE` whenever `-fPIC` is not already there. This technique comes from the Debian hardening wrappers.
>>
>> Position independent code is expensive on i686, so it's only enabled by default on x86_64 where the cost is negligible. It can be enabled on a package-by-package basis on i686. The same cost already exists for any code in a dynamic library.
>
> Why should this be in makepkg? Just like Debian this should be a distribution build system integration rather than in the package manager.
>
> Allan

I'll add a pie-wrapper package to [community] and ask for it to be included in base-devel on arch-dev-public instead of this.