On 01/20/2015 11:25 PM, Bernhard Voelker wrote:
On 01/05/2015 10:10 AM, Marcus Meissner wrote:
short: Marcus wants to enable PIE support globally.
FWIW Fedora guys are also discussing (how) to enable PIE:
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/203065/
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-ind...
Turning on PIE via CFLAGS/LDFLAGS is a problem for projects where the ELFs are built differently, e.g. in coreutils all normal executables can be built with PIE, but this breaks building the shared library libstdbuf.so. The advantage of the Fedora approach is that the additional specs file takes care of this.

--- hardened-cc1 ---
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

--- hardened-ld ---
*self_spec:
+ %{!shared:-pie}

*link:
+ -z now

and then

  $ export CFLAGS='-specs=hardened-cc1'
  $ export LDFLAGS='-specs=hardened-ld'
  $ configure ...

I hacked it into my copy of coreutils, and it seems to work - also the testsuite passes. ;-)

  https://build.opensuse.org/project/monitor/home:bernhard-voelker:pie

TBH I'm not very familiar with such GCC specs files, so would someone with more foo tell if this is a good approach (done centrally, of course, with the possibility to turn off hardening similar to what Fedora proposes)?

Have a nice day,
Berny
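An added example, not part of the original mail or of the Fedora specs files: a Python check that reads a little-endian ELF64 file's header and dynamic section to confirm what the specs above are meant to produce, i.e. executables linked as PIE with `-z now`, and shared objects such as libstdbuf.so left as plain shared libraries. The function names, the PT_INTERP fallback heuristic and the constructed sample images are assumptions of this example.

```python
import struct

# Constants from the ELF gABI and glibc's elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def check_hardening(data):
    """Return (kind, bind_now) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    interp, dyn = False, {}
    for i in range(phnum):
        p_type, _, off, _, _, filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_DYNAMIC:
            for pos in range(off, off + filesz, 16):
                tag, val = struct.unpack_from(DYN, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    flags1 = dyn.get(DT_FLAGS_1, 0)
    # Heuristic (assumption): ET_DYN is a PIE if the linker set DF_1_PIE or,
    # for linkers that do not set that flag, if a PT_INTERP segment exists.
    if e_type == ET_DYN:
        kind = "pie" if (flags1 & DF_1_PIE or interp) else "shared"
    else:
        kind = "non-pie" if e_type == ET_EXEC else "other"
    # -z now shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW.
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or flags1 & DF_1_NOW)
    return kind, bind_now

def sample_elf(e_type, dyn_entries, interp=False):
    """Constructed test image: ELF header, program headers, dynamic section only."""
    phdrs = [PT_DYNAMIC] + ([PT_INTERP] if interp else [])
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * len(phdrs)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    out = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for p in phdrs:
        size = len(dyn) if p == PT_DYNAMIC else 0
        out += struct.pack(PHDR, p, 4, dyn_off, 0, 0, size, size, 8)
    return out + dyn
```

To check a real build, pass the file contents (`open(path, "rb").read()`) to `check_hardening`; a shared library reported as "pie" or an executable reported as "non-pie" means the specs did not apply as intended.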