[arch-projects] [devtools] [PATCH] enforce hardening flags and use PIE on x86_64

Daniel Micay danielmicay at gmail.com
Wed Jul 23 16:17:25 EDT 2014

PIE is required for full address space layout optimization (ASLR) and
there is little to no benefit from ASLR without it since global ELF
tables (GOT/PLT) and application code are at known locations.

A wrapper script is required in order to pass the correct flags for
executables without changing the flags for libraries. It adds `-pie`
when linking (no `-c` switch) if `-static` or `-shared` are not passed,
and `-fPIE` whenever `-fPIC` is not already there. This technique comes
from the Debian hardening wrappers.

Position independent code is expensive on i686, so it's only enabled by
default on x86_64 where the cost is negligible. It can be enabled on a
package-by-package basis on i686. The same cost already exists for any
code in a dynamic library.

The hardening-wrapper package also enforces the chosen hardening flags
even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from
the environment. It would need to be moved from [community] to [core].
 archbuild.in     |  5 +++--
 makechrootpkg.in | 12 +++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/archbuild.in b/archbuild.in
index ae2f511..419ae5b 100644
--- a/archbuild.in
+++ b/archbuild.in
@@ -2,7 +2,7 @@
+base_packages=(base-devel hardening-wrapper)
 makechrootpkg_args=(-c -n)
@@ -67,11 +67,12 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 		"${base_packages[@]}" || abort
 	lock 9 "${chroots}/${repo}-${arch}/root.lock" "Locking clean chroot"
+	# upgrade and install any new packages from base_packages
 	arch-nspawn \
 		-C "@pkgdatadir@/pacman-${repo}.conf" \
 		-M "@pkgdatadir@/makepkg-${arch}.conf" \
 		"${chroots}/${repo}-${arch}/root" \
-                pacman -Syu --noconfirm || abort
+		pacman -Syu --noconfirm --needed "${base_packages[@]}" || abort
 msg "Building in chroot for [${repo}] (${arch})..."
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 97c7780..ad804fc 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -320,7 +320,17 @@ _chrootbuild() {
 		exit 1
-	sudo -u nobody makepkg $makepkg_args || exit 1
+	# enforced compiler hardening flags (can be overriden in a PKGBUILD)
+	. /etc/makepkg.conf
+	if [[ $CARCH = i686 ]]; then
+		export HARDENING_PIE=0
+	else
+		export HARDENING_PIE=1
+	fi
+	sudo -E -u nobody makepkg $makepkg_args || exit 1
 	if $run_namcap; then
 		pacman -S --needed --noconfirm namcap

More information about the arch-projects mailing list