[pacman-dev] [PATCH] add support for PIE to makepkg

Daniel Micay danielmicay at gmail.com
Tue Jul 22 13:25:35 EDT 2014


On 22/07/14 05:01 AM, Allan McRae wrote:
> On 22/07/14 07:41, Daniel Micay wrote:
>> A `pie` option is added for wrapping C and C++ compilers and passing the
>> correct options for building position independent executables. PIE is
>> required for full address space layout optimization (ASLR) and there is
>> little to no benefit from ASLR without it since global ELF tables
>> (GOT/PLT) and application code are at known locations.
>>
>> A wrapper script is required in order to pass the correct flags for
>> executables without changing the flags for libraries. It adds `-pie`
>> when linking (no `-c` switch) if `-static` or `-shared` are not passed,
>> and `-fPIE` whenever `-fPIC` is not already there. This technique comes
>> from the Debian hardening wrappers.
>>
>> Position independent code is expensive on i686, so it's only enabled by
>> default on x86_64 where the cost is negligible. It can be enabled on a
>> package-by-package basis on i686. The same cost already exists for any
>> code in a dynamic library.
> 
> Why should this be in makepkg?  Just like Debian this should be a
> distribution build system integration rather than in the package manager.
> 
> Allan

The wrapper script could be provided in a separate hardening-wrapper
package, but makepkg needs to be aware of it as an option in order to
make PIE the default on x86_64. I could put the script itself in a
hardening-wrapper package and extend it to cover other issues. The only
public / documented part of this is the `pie` option, so the
implementation could always change in the future.

PIE is the only one of these options that's more complicated than the
build system respecting CFLAGS though, so a more complex wrapper like
Debian isn't necessarily a good idea. It would make it easier to have
packages respect our hardening flags, but they wouldn't be respecting
the other CFLAGS/LDFLAGS which could still be considered a bug.

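The flag rules from the patch description quoted above, sketched as an added shell example that is not part of the original message or of the patch itself. `pie_extra_flags` and the sample command lines are hypothetical, and only the switches named in the description (`-c`, `-static`, `-shared`, `-fPIC`) are examined.

```shell
#!/bin/sh
# Added illustration, not the wrapper from the patch.
# pie_extra_flags (hypothetical name) prints the flags a PIE wrapper would
# add to a compiler invocation, following the rules in the patch description:
#   -fPIE  whenever -fPIC is not already present
#   -pie   when linking (no -c) and neither -static nor -shared is present
pie_extra_flags() {
    compile_only=0; static=0; shared=0; pic=0
    for arg in "$@"; do
        case "$arg" in
            -c)      compile_only=1 ;;
            -static) static=1 ;;
            -shared) shared=1 ;;
            -fPIC)   pic=1 ;;
        esac
    done

    extra=""
    if [ "$pic" -eq 0 ]; then
        extra="-fPIE"
    fi
    # -pie is a link-time flag: adding it to a shared library or a static
    # link would change what the build asked for, so those are left alone.
    if [ "$compile_only" -eq 0 ] && [ "$static" -eq 0 ] && [ "$shared" -eq 0 ]; then
        extra="${extra:+$extra }-pie"
    fi
    printf '%s\n' "$extra"
}

# Constructed sample invocations (arguments only, compiler name omitted).
while read -r line; do
    # Word splitting of $line is intentional here.
    printf '%-36s => %s\n' "$line" "$(pie_extra_flags $line)"
done <<'EOF'
-O2 -c main.c -o main.o
main.o -o app
-fPIC -shared lib.o -o libfoo.so
-static main.o -o app-static
EOF
```

Whether a given binary actually ended up position independent can be checked afterwards with `readelf -h`, which reports type `DYN` for a PIE and `EXEC` for a fixed-address executable.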