[arch-projects] [devtools] [PATCH] enforce hardening flags and use PIE on x86_64
danielmicay at gmail.com
Wed Jul 23 17:48:45 EDT 2014
On 23/07/14 05:21 PM, Thomas Bächler wrote:
> On 23.07.2014 22:17, Daniel Micay wrote:
>> PIE is required for full address space layout optimization (ASLR) and
>> there is little to no benefit from ASLR without it since global ELF
>> tables (GOT/PLT) and application code are at known locations.
>>
>> A wrapper script is required in order to pass the correct flags for
>> executables without changing the flags for libraries. It adds `-pie`
>> when linking (no `-c` switch) if `-static` or `-shared` are not passed,
>> and `-fPIE` whenever `-fPIC` is not already there. This technique comes
>> from the Debian hardening wrappers.
>>
>> Position independent code is expensive on i686, so it's only enabled by
>> default on x86_64 where the cost is negligible. It can be enabled on a
>> package-by-package basis on i686. The same cost already exists for any
>> code in a dynamic library.
>>
>> The hardening-wrapper package also enforces the chosen hardening flags
>> even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from
>> the environment. It would need to be moved from [community] to [core].
>
> Why should this be in devtools? The build settings are configured in
> makepkg and we should not split this into two places.

Well, my earlier patch did that, but PIE is dealt with using
distribution-specific machinery so it didn't really belong there:

An alternative would be having makepkg (pacman) depend on the
hardening-wrapper package and setting the appropriate HARDENING_*
variables in makepkg.conf. HARDENED_PIE needs to vary based on CARCH to
avoid a performance hit on i686, so it can't really be dealt with using
defaults inside the wrapper.
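
The flag selection described in the quoted commit message, written out as an added example; it is not part of the original message and not the hardening-wrapper package's own code. The function names `pie_default` and `harden_args` are hypothetical, and the argument lists are assumed to contain no embedded spaces.

```shell
#!/bin/sh
# Added illustration of the compiler-wrapper logic described in the thread.
# pie_default and harden_args are hypothetical names, not the real wrapper's.

# Per-architecture default: PIE on for x86_64, off elsewhere (i686 opts in
# package by package because position independent code is expensive there).
pie_default() {
    case "$1" in
        x86_64) echo 1 ;;
        *)      echo 0 ;;
    esac
}

# harden_args ENABLE ARGS...
# Prints the compiler argument list after applying the rules from the message:
#   -fPIE is appended unless -fPIC is already present;
#   -pie is appended only when linking (no -c) and neither -static nor
#   -shared was passed, so library builds keep their flags unchanged.
harden_args() {
    enable=$1; shift
    linking=1 have_pic=0 not_pie_link=0
    for arg in "$@"; do
        case "$arg" in
            -c)              linking=0 ;;
            -fPIC)           have_pic=1 ;;
            -static|-shared) not_pie_link=1 ;;
        esac
    done
    if [ "$enable" = 1 ]; then
        [ "$have_pic" = 1 ] || set -- "$@" -fPIE
        if [ "$linking" = 1 ] && [ "$not_pie_link" = 0 ]; then
            set -- "$@" -pie
        fi
    fi
    printf '%s\n' "$*"
}
```

A real wrapper would `exec` the actual compiler with the adjusted list instead of printing it; `readelf -h` on the resulting binary reports `Type: DYN` when the executable was linked as PIE.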