On Wed, 21 Jan 2015, Marcus Meissner wrote:
On Wed, Jan 21, 2015 at 12:31:11PM +0100, Bernhard Voelker wrote:
On 01/20/2015 11:25 PM, Bernhard Voelker wrote:
On 01/05/2015 10:10 AM, Marcus Meissner wrote:
short: Marcus wants to enable PIE support globally.
FWIW Fedora guys are also discussing (how) to enable PIE:
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/203065/
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-ind...
Turning on PIE via CFLAGS/LDFLAGS is a problem for projects where the ELFs are built differently, e.g. in coreutils all normal executables can be built with PIE, but this breaks building the shared library libstdbuf.so.
The advantage of the Fedora approach is that the additional specs file takes care of this.
--- hardened-cc1 ---
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

--- hardened-ld ---
*self_spec:
+ %{!shared:-pie}

*link:
+ -z now
and then
$ export CFLAGS='-specs=hardened-cc1'
$ export LDFLAGS='-specs=hardened-ld'
$ configure ...
I hacked it into my copy of coreutils, and it seems to work - also the testsuite passes. ;-) https://build.opensuse.org/project/monitor/home:bernhard-voelker:pie
TBH I'm not very familiar with such GCC specs files, so would someone with more foo tell if this is a good approach (done centrally, of course, with the possibility to turn off hardening similar to what Fedora proposes)?
Our GCC developers can take care of it.
H.J.Lu is working on a PIE default enablement branch, not sure if this branch will make gcc 5.0.
We also still have a patch in GCC that allows you to place a
defaults.spec file into /usr/lib*/gcc/*-suse-linux/*/ with the
above contents. We used that to supply a gcc-z9 package that just
does that. Thus you could add a gcc-PIE package that contains
such a specs file and that would change default behavior of GCC.
Thus then simply add
BuildRequires: gcc-PIE
Richard.
--
Richard Biener
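The specs files quoted above are supposed to turn every non-shared link into a -pie executable linked with -z now, while leaving shared objects such as coreutils' libstdbuf.so alone. The following is an added example, not code from this thread or from the GCC or openSUSE projects: a small ELF64 reader that confirms the result of such a build by checking the ELF type and the DT_FLAGS/DT_FLAGS_1 entries of the PT_DYNAMIC segment. It assumes little-endian ELF64 input and uses a constructed minimal ELF as sample data so it runs offline; the "PIE" verdict is a heuristic (ET_DYN plus a PT_INTERP entry, or the DF_1_PIE flag that newer linkers set), since a plain shared library is ET_DYN as well.

```python
"""Check whether an ELF64 binary was built as PIE with immediate binding.

Added example (not from the mailing-list thread): parses the ELF header and
the PT_DYNAMIC segment, the same information `readelf -h` and `readelf -d`
show, and reports whether the hardened specs files did their job.
"""
import struct

ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by "-z now"
DF_1_NOW = 0x1             # DT_FLAGS_1 bit also set by "-z now"
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit newer linkers set for -pie outputs

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def parse(data):
    """Return {"e_type", "pie", "bind_now"} for a little-endian ELF64 image."""
    fields = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = (
        fields[0], fields[1], fields[5], fields[9], fields[10])
    if ident[:4] != b"\x7fELF" or ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")

    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    has_interp = any(p[0] == PT_INTERP for p in phdrs)

    # Walk the dynamic section (p_offset / p_filesz of PT_DYNAMIC) up to DT_NULL.
    dyn = {}
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, end = p[2], p[2] + p[5]
        while off + DYN.size <= end:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += DYN.size

    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    return {
        "e_type": e_type,
        # Heuristic: an ET_DYN object with a program interpreter is a PIE
        # executable; a shared library is ET_DYN too but has no PT_INTERP.
        "pie": e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE)),
        "bind_now": bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW),
    }


def build_sample(e_type, interp=True, flags=0, flags1=0):
    """Constructed minimal ELF64 (header, program headers, dynamic entries);
    sample input only, not a loadable binary."""
    entries = []
    if flags:
        entries.append((DT_FLAGS, flags))
    if flags1:
        entries.append((DT_FLAGS_1, flags1))
    entries.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in entries)

    nph = 2 if interp else 1
    dyn_off = EHDR.size + nph * PHDR.size
    interp_bytes = b"/lib64/ld-linux-x86-64.so.2\0"   # constructed path
    interp_off = dyn_off + len(dyn_bytes)

    phdrs = b""
    if interp:
        phdrs += PHDR.pack(PT_INTERP, 4, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 1)
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)

    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    hdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, nph, 0, 0, 0)
    return hdr + phdrs + dyn_bytes + interp_bytes


if __name__ == "__main__":
    samples = {
        "hardened exe": build_sample(ET_DYN, flags=DF_BIND_NOW, flags1=DF_1_NOW | DF_1_PIE),
        "legacy exe": build_sample(ET_EXEC),
        "shared lib": build_sample(ET_DYN, interp=False),
    }
    for name, blob in samples.items():
        print(name, parse(blob))
```

To run it against a real build, replace the constructed sample with `open(path, "rb").read()`; an executable produced with the hardened-cc1/hardened-ld specs should report both `pie` and `bind_now` as true, while a shared library built in the same tree should still show `pie` false, which is exactly the libstdbuf.so case the thread worries about.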