[Development] -reduce-relocations vs hardening
Kevin Kofler
kevin.kofler at chello.at
Fri Aug 21 20:15:35 CEST 2015
Timo Jyrinki wrote:
> We patched a couple of packages to use:
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>
> due to this, seeing it as the best option at the moment to get GCC5
> transition completed for those packages that had some insistence of
> adding -fPIE where we did not want it.

For the record, how the hardening works in Fedora is that we do not pass
-fPIE in CFLAGS/CXXFLAGS directly, but:

-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1

and likewise for the linking step:

-specs=/usr/lib/rpm/redhat/redhat-hardened-ld

The contents of the specs files:

/usr/lib/rpm/redhat/redhat-hardened-cc1:

*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

/usr/lib/rpm/redhat/redhat-hardened-ld:

*self_spec:
+ %{!shared:-pie}

*link:
+ -z now

In particular, redhat-hardened-cc1 takes care to only pass -fPIE if -fPIC is
not being passed.

I hope this helps.

Kevin Kofler
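
Added example, not part of the original message and not Fedora's or GCC's code: a small Python evaluator for the negated-switch form `%{!S:X}` used in the spec lines quoted above, showing which hardening flags those lines would add for a given command line. The names `expand` and `hardening_added` are hypothetical, the sample command lines are constructed, and only this one spec construct is handled.

```python
# Spec bodies copied from the message above (without the leading "+").
CC1_SPEC = "%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}"
SELF_SPEC = "%{!shared:-pie}"
LINK_SPEC = "-z now"


def expand(spec, switches):
    """Expand literal text and nested %{!S:X} groups.

    %{!S:X} yields X only when switch -S is absent. `switches` holds the
    command-line switches without their leading dash.
    """
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("%{!", i):
            colon = spec.index(":", i)
            name = spec[i + 3:colon]
            depth, j = 1, colon + 1
            while depth:                      # find the matching close brace
                if spec.startswith("%{", j):
                    depth, j = depth + 1, j + 2
                elif spec[j] == "}":
                    depth, j = depth - 1, j + 1
                else:
                    j += 1
            if name not in switches:
                out.append(expand(spec[colon + 1:j - 1], switches))
            i = j
        else:
            out.append(spec[i])
            i += 1
    return "".join(out).strip()


def hardening_added(argv):
    """Return what each quoted spec line appends: (cc1_options, self_spec, link)."""
    switches = {a[1:] for a in argv if a.startswith("-")}
    return tuple(expand(s, switches) for s in (CC1_SPEC, SELF_SPEC, LINK_SPEC))


if __name__ == "__main__":
    for cmd in (["gcc", "-O2", "-c", "app.c"],            # constructed samples
                ["g++", "-fPIC", "-c", "widget.cpp"],
                ["g++", "-shared", "-fPIC", "-o", "libw.so", "widget.o"]):
        print(" ".join(cmd), "->", hardening_added(cmd))
```
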