On 24.06.2013 21:47, Richard W.M. Jones wrote:
>> $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so
>> ./usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
>> Position Independent Executable: no, regular shared library (ignored)
>> Stack protected: yes
>> Fortify Source functions: yes (some protected functions found)
>> Read-only relocations: yes
>> Immediate binding: yes
>
> Note there is still a problem that an LDFLAGS hack was needed in the
> spec file, otherwise libtool (or something) eats the hardening LDFLAGS
IMHO the hardening macro should always step in directly before
%configure because it also does not work with rpmrc not importing
the distribution defaults (for good reasons)
[builduser@buildserver64:~]$ cat /home/builduser/.rpmrc
optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2
-msse3 -msse4.1 -msse4.2 -maes -pipe
-fstack-protector --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2
-fexceptions
that is why I switched on my private build environments to manually
set all the FLAGS and avoid the hardening macro at all
[builduser@buildserver64:~]$ cat /rpmbuild/SPECS/dovecot.spec | grep FLAGS
export CFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CXXFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export FFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export CPPFLAGS="%{optflags} -fPIC -fPIE -funroll-loops -fstack-protector-all"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
-- devel mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/devel
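The thread's hardening-check output and the LDFLAGS in the spec file come down to a few link-time properties that are visible in the ELF headers of the built object: position independence (e_type), the PT_GNU_RELRO segment (-z relro), the BIND_NOW dynamic flags (-z now) and a non-executable PT_GNU_STACK (-z noexecstack). The script below is an added example, not part of the thread and not Fedora's or Debian's hardening-check; it parses those headers directly so a packager can confirm that the flags actually survived libtool. It checks only the properties that live in program headers and the dynamic section; the "Stack protected" and "Fortify Source" lines need the dynamic symbol table and are left out. The two ELF images it runs on are constructed in the script (a hypothetical hardened build and one whose LDFLAGS were lost); parse_elf64 reads any little-endian ELF64 file passed on the command line.

```python
"""Minimal ELF64 hardening inspector (added example, not hardening-check itself)."""
import struct
import sys

# ELF constants from the SysV gABI and the GNU extensions
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def parse_elf64(data):
    """Return (e_type, program headers, dynamic entries) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        # first six Elf64_Phdr fields: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    dyn = []
    for p_type, _flags, off, size in phdrs:
        if p_type == PT_DYNAMIC:
            for j in range(size // DYN_SIZE):
                tag, val = struct.unpack_from("<qQ", data, off + j * DYN_SIZE)
                if tag == DT_NULL:
                    break
                dyn.append((tag, val))
    return e_type, phdrs, dyn


def hardening_report(data):
    """Report the link-time properties controlled by the LDFLAGS quoted in the thread."""
    e_type, phdrs, dyn = parse_elf64(data)
    types = {p[0] for p in phdrs}
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    flags = dict(dyn)
    bind_now = (DT_BIND_NOW in flags
                or bool(flags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(flags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    return {
        # ET_DYN covers both PIE executables and shared libraries; the file type alone
        # cannot tell them apart, which is why hardening-check prints "(ignored)" for a .so
        "position_independent": e_type == ET_DYN,
        "relro": PT_GNU_RELRO in types,                        # -Wl,-z,relro
        "bind_now": bind_now,                                  # -Wl,-z,now (full RELRO with relro)
        # a missing PT_GNU_STACK makes the loader fall back to an executable stack
        "nx_stack": bool(stack) and not (stack[0][1] & PF_X),  # -Wl,-z,noexecstack
    }


def build_elf(e_type, extra_phdrs, dyn_entries):
    """Assemble a synthetic ELF64 image (constructed test input, not a real binary)."""
    n_ph = len(extra_phdrs) + 1                      # +1 for the PT_DYNAMIC header
    dyn_off = EHDR_SIZE + PHDR_SIZE * n_ph
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn_blob += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, n_ph, 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in extra_phdrs)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0, dyn_off, 0, 0,
                         len(dyn_blob), len(dyn_blob), 8)
    return ehdr + phdrs + dyn_blob


# Constructed sample: linked like the spec's LDFLAGS (-z now -z relro -z noexecstack -pie)
HARDENED = build_elf(ET_DYN, [(PT_GNU_RELRO, 0x4), (PT_GNU_STACK, 0x6)],
                     [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
# Constructed sample: the same object after libtool dropped the hardening LDFLAGS
UNHARDENED = build_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)], [])

if __name__ == "__main__":
    if len(sys.argv) > 1:                            # inspect a real file instead
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], hardening_report(fh.read()))
    else:
        for name, image in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
            print(name, hardening_report(image))
```

Run it without arguments to see the two constructed images side by side, or with a path to a built .so to check what the spec's flags produced. A report with relro true but bind_now false is the partial-RELRO case: the GOT is still writable at run time until lazy binding finishes, which is exactly what the `-Wl,-z,now` in the spec's LDFLAGS is meant to close.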
