[arch-projects] [devtools] [PATCH] enforce hardening flags and use PIE on x86_64

Thomas Bächler thomas at archlinux.org
Wed Jul 23 17:21:28 EDT 2014


On 23.07.2014 22:17, Daniel Micay wrote:
> PIE is required for full address space layout optimization (ASLR) and
> there is little to no benefit from ASLR without it since global ELF
> tables (GOT/PLT) and application code are at known locations.
> 
> A wrapper script is required in order to pass the correct flags for
> executables without changing the flags for libraries. It adds `-pie`
> when linking (no `-c` switch) if `-static` or `-shared` are not passed,
> and `-fPIE` whenever `-fPIC` is not already there. This technique comes
> from the Debian hardening wrappers.
> 
> Position independent code is expensive on i686, so it's only enabled by
> default on x86_64 where the cost is negligible. It can be enabled on a
> package-by-package basis on i686. The same cost already exists for any
> code in a dynamic library.
> 
> The hardening-wrapper package also enforces the chosen hardening flags
> even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from
> the environment. It would need to be moved from [community] to [core].

Why should this be in devtools? The build settings are configured in
makepkg and we should not split this into two places.
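The flag logic from the quoted description, written out as a POSIX sh function so the rule can be checked on realistic argument lists. This is an added example for this page, not the hardening-wrapper package's script and not the Debian wrapper it is modelled on. It assumes the wrapper is installed in front of the real compiler, whose path is taken from an environment variable REAL_CC (an assumption); treating -S and -E like -c as "not linking" and recognising the lowercase -fpic/-fpie spellings are also assumptions beyond the quoted text.

```shell
#!/bin/sh
# pie_flags: print the hardening flags the wrapper would prepend to the
# compiler driver's argument list, following the quoted rule:
#   * -fPIE is added unless position-independent code is already requested
#     (-fPIC; the -fpic/-fPIE/-fpie spellings are an assumption)
#   * -pie is added when linking (no -c; -S/-E are assumed to mean the same)
#     and neither -static nor -shared is present
# Libraries built the usual way (-fPIC plus -shared) therefore get nothing,
# which is what keeps library flags unchanged.
pie_flags() {
    linking=1
    no_pie=0
    has_pic=0
    for arg in "$@"; do
        case "$arg" in
            -c|-S|-E)                  linking=0 ;;
            -static|-shared)           no_pie=1 ;;
            -fPIC|-fpic|-fPIE|-fpie)   has_pic=1 ;;
        esac
    done
    out=""
    if [ "$has_pic" -eq 0 ]; then
        out="-fPIE"
    fi
    if [ "$linking" -eq 1 ] && [ "$no_pie" -eq 0 ]; then
        out="${out:+$out }-pie"
    fi
    printf '%s\n' "$out"
}

# cc_wrapper_main: the tail of the actual wrapper script. Prepends the
# computed flags so that anything the build system passes later still wins,
# then replaces this process with the real compiler (path from REAL_CC,
# an assumption of this example).
cc_wrapper_main() {
    real_cc="${REAL_CC:-/usr/bin/gcc}"
    # shellcheck disable=SC2046  # word-splitting of the flag string is intended
    exec "$real_cc" $(pie_flags "$@") "$@"
}
```

A wrapper installed as `gcc` earlier on PATH than the real compiler would end with `cc_wrapper_main "$@"`; a quick sanity check is `pie_flags -O2 -o prog prog.c`, which prints `-fPIE -pie`, against `pie_flags -shared -fPIC -o libx.so x.o`, which prints nothing.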
