Using -fPIE won't work when linking the library, -fPIC must be used for the library (at least on amd64). -fPIE is only for binaries.
The attached patch fixes the missing hardening flags (CFLAGS, CPPFLAGS) and fixes the build by stripping -fPIE/-pie when compiling/linking the library.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /lib/x86_64-linux-gnu/libkeyutils.so.1.4 /bin/keyctl /sbin/request-key /sbin/key.dns_resolver
    /lib/x86_64-linux-gnu/libkeyutils.so.1.4:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: yes
    /bin/keyctl:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /sbin/request-key:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /sbin/key.dns_resolver:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. . Also strip -pie/-fPIE from CFLAGS/LDFLAGS when used to link libraries. It conflicts with -fPIC. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-22 Index: keyutils-1.5.5/Makefile =================================================================== --- keyutils-1.5.5.orig/Makefile 2012-03-22 22:21:03.354236747 +0100 +++ keyutils-1.5.5/Makefile 2012-03-22 22:27:28.118251392 +0100 @@ -1,5 +1,9 @@ -CPPFLAGS := -I. -CFLAGS := -g -Wall -Werror +CPPFLAGS += -I. +CFLAGS += -g -Wall -Werror +# Libraries can't be compiled with -pie/-fPIE. Strip it from CFLAGS/LDFLAGS if +# used. +CFLAGS_LIB := $(filter-out -fPIE,$(CFLAGS)) +LDFLAGS_LIB := $(filter-out -fPIE,$(filter-out -pie,$(LDFLAGS))) INSTALL := install DESTDIR := SPECFILE := keyutils.spec @@ -116,10 +120,10 @@ LIBVERS := -shared -Wl,-soname,$(SONAME) -Wl,--version-script,version.lds $(LIBNAME): keyutils.os version.lds Makefile - $(CC) $(CFLAGS) -fPIC $(LDFLAGS) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS) + $(CC) $(CFLAGS_LIB) -fPIC $(LDFLAGS_LIB) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS) keyutils.os: keyutils.c keyutils.h Makefile - $(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $< + $(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS_LIB) -fPIC -o $@ -c $< ############################################################################### #
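Review bot: in the first hunk, `CFLAGS_LIB := $(filter-out -fPIE,$(CFLAGS))` and `LDFLAGS_LIB := ...` are simply-expanded (`:=`) right after `CFLAGS += -g -Wall -Werror`, so any `CFLAGS +=` or `LDFLAGS +=` that appears later in the Makefile will reach the executables but not the library; either define them with `=` (recursive) or move the two lines to the end of the variable block. The filter also only matches the exact token `-fPIE`; that is what dpkg-buildflags emits, but a `-fpie` from a user's environment would still leak into the library objects, so the comment could say the filter is specific to the dpkg-buildflags spelling.

Review bot: in the second hunk, the library is now compiled and linked with `$(CFLAGS_LIB)`/`$(LDFLAGS_LIB)`, yet the hardening-check output in the mail still reports `libkeyutils.so.1.4: Fortify Source functions: no, only unprotected functions found!`; since `keyutils.os` is built with `$(CPPFLAGS)`, it is worth confirming in the build log that `-D_FORTIFY_SOURCE=2` actually reaches that compile line, because the message can also just mean keyutils.c calls no fortifiable functions. Minor: `-fPIC` on the `$(LIBNAME)` link line is a compile-time option and has no effect at link time; it can be dropped.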
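The mail recommends checking the build log in addition to `hardening-check` output. The POSIX shell script below is an added example (not from the bug report, and not part of keyutils or hardening-includes): it scans compiler invocations in a build log for the flags dpkg-buildflags is expected to add, distinguishes compile from link lines, and reports a shared-library link that still carries -pie/-fPIE (the conflict the patch fixes). The log lines embedded in it are constructed, and the expected flag set (-fstack-protector, -D_FORTIFY_SOURCE=2, -fPIE/-fPIC, -pie, -Wl,-z,relro, -Wl,-z,now) is an assumption matching the Debian hardening flags referenced in the mail.

```shell
#!/bin/sh
# Added example: report compiler invocations in a build log that lack the
# expected hardening flags. Not part of keyutils or hardening-includes.
set -eu

# Constructed sample of a dpkg-buildflags build log. The request-key.o line
# is deliberately missing every hardening flag.
SAMPLE_LOG='cc -I. -g -Wall -Werror -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fPIE -o keyctl.o -c keyctl.c
cc -g -Wall -Werror -fstack-protector -fPIE -pie -Wl,-z,relro -Wl,-z,now -o keyctl keyctl.o -L. -lkeyutils
cc -I. -g -Wall -Werror -D_FORTIFY_SOURCE=2 -fstack-protector -fPIC -o keyutils.os -c keyutils.c
cc -g -Wall -Werror -fstack-protector -fPIC -Wl,-z,relro -Wl,-z,now -shared -Wl,-soname,libkeyutils.so.1 -o libkeyutils.so.1.4 keyutils.os
cc -I. -g -Wall -Werror -o request-key.o -c request-key.c
install -m 755 keyctl /tmp/dest/bin/keyctl'

# Read a build log on stdin; print one line per compiler invocation:
#   "<compile|link> <output> ok"  or  "<compile|link> <output> missing: <flags>"
check_build_log() {
    while IFS= read -r line; do
        case "$line" in
            cc\ *|gcc\ *|*-gcc\ *) ;;
            *) continue ;;                       # not a compiler invocation
        esac
        missing=""
        case "$line" in
            *" -c "*)
                kind=compile
                # every object needs SSP and FORTIFY ...
                case "$line" in *-fstack-protector*) ;; *) missing="$missing -fstack-protector" ;; esac
                case "$line" in *-D_FORTIFY_SOURCE=2*) ;; *) missing="$missing -D_FORTIFY_SOURCE=2" ;; esac
                # ... and either -fPIE (executable objects) or -fPIC (library objects)
                case "$line" in *-fPIE*|*-fPIC*) ;; *) missing="$missing -fPIE/-fPIC" ;; esac
                ;;
            *)
                kind=link
                case "$line" in *-Wl,-z,relro*) ;; *) missing="$missing -Wl,-z,relro" ;; esac
                case "$line" in *-Wl,-z,now*) ;; *) missing="$missing -Wl,-z,now" ;; esac
                case "$line" in
                    *-shared*)
                        # shared library: -pie/-fPIE must NOT be present (conflicts with -fPIC)
                        case "$line" in *" -pie"*|*-fPIE*) missing="$missing (has -pie/-fPIE in library link)" ;; esac
                        ;;
                    *)
                        # executable: must be linked as PIE
                        case "$line" in *" -pie"*) ;; *) missing="$missing -pie" ;; esac
                        ;;
                esac
                ;;
        esac
        out=$(printf '%s\n' "$line" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
        if [ -z "$missing" ]; then
            printf '%s %s ok\n' "$kind" "$out"
        else
            printf '%s %s missing:%s\n' "$kind" "$out" "$missing"
        fi
    done
}

# Succeeds only if no invocation in the given log text is missing a flag;
# usable as a CI gate next to hardening-check.
build_log_ok() {
    ! printf '%s\n' "$1" | check_build_log | grep -q 'missing:'
}

printf '%s\n' "$SAMPLE_LOG" | check_build_log
```

Run it as `./check-build-log.sh < build.log` after replacing the sample with stdin. The log check complements hardening-check rather than replacing it: a "Stack protected: no, not found!" verdict like the one for request-key above can also occur when -fstack-protector was passed but no function in the binary had a buffer large enough to receive a canary, and only the build log shows which of the two it is.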