Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors
Using -fPIE won't work when linking the library; -fPIC must be used for the library (at least on amd64). -fPIE is only for binaries.

The attached patch fixes the missing hardening flags (CFLAGS, CPPFLAGS) and fixes the build by stripping -fPIE/-pie when compiling/linking the library.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

$ hardening-check /lib/x86_64-linux-gnu/libkeyutils.so.1.4 /bin/keyctl /sbin/request-key /sbin/key.dns_resolver
/lib/x86_64-linux-gnu/libkeyutils.so.1.4:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
/bin/keyctl:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/sbin/request-key:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/sbin/key.dns_resolver:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags.
 .
 Also strip -pie/-fPIE from CFLAGS/LDFLAGS when used to link libraries. It conflicts with -fPIC.
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-03-22
Index: keyutils-1.5.5/Makefile === --- keyutils-1.5.5.orig/Makefile 2012-03-22 22:21:03.354236747 +0100 +++ keyutils-1.5.5/Makefile 2012-03-22 22:27:28.118251392 +0100 @@ -1,5 +1,9 @@ -CPPFLAGS := -I. -CFLAGS := -g -Wall -Werror +CPPFLAGS += -I. +CFLAGS += -g -Wall -Werror +# Libraries can't be compiled with -pie/-fPIE. Strip it from CFLAGS/LDFLAGS if +# used. +CFLAGS_LIB := $(filter-out -fPIE,$(CFLAGS)) +LDFLAGS_LIB := $(filter-out -fPIE,$(filter-out -pie,$(LDFLAGS))) INSTALL := install DESTDIR := SPECFILE := keyutils.spec @@ -116,10 +120,10 @@ LIBVERS := -shared -Wl,-soname,$(SONAME) -Wl,--version-script,version.lds $(LIBNAME): keyutils.os version.lds Makefile - $(CC) $(CFLAGS) -fPIC $(LDFLAGS) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS) + $(CC) $(CFLAGS_LIB) -fPIC $(LDFLAGS_LIB) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS) keyutils.os: keyutils.c keyutils.h Makefile - $(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $ + $(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS_LIB) -fPIC -o $@ -c $ ### #
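Review bot: in the `@@ -1,5 +1,9 @@` hunk, `CFLAGS_LIB` and `LDFLAGS_LIB` are assigned with `:=`, so they take a snapshot of `$(CFLAGS)` and `$(LDFLAGS)` at that point in the Makefile and will not see anything appended to those variables further down (the `+=` form introduced just above makes such later appends plausible); defining them with `=` instead keeps the `filter-out` applied at the point of use. The filter also matches only the exact tokens `-fPIE` and `-pie`, so the lowercase `-fpie` spelling would pass through untouched; that is fine for what dpkg-buildflags emits, but the comment on those lines should say so.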
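Review bot: in the `@@ -116,10 +120,10 @@` hunk the change that actually fixes the build is `$(LDFLAGS_LIB)` on the `-shared` link of `$(LIBNAME)`, which keeps `-pie` off a shared-object link; on the `keyutils.os` compile line the explicit `-fPIC` already follows `$(CFLAGS_LIB)`, and GCC treats `-fpic`/`-fPIC`/`-fpie`/`-fPIE` as one group in which the last one given wins, so that substitution is harmless but not what removes the relocation errors. Both compile commands in this hunk end in a bare `$` where make's `$<` (first prerequisite) would normally be; that looks like damage from the mail or page rather than the patch, but the applied version should be checked for `-c $<`.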
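The hardening-check run in the message above verifies what the patch is meant to achieve. As an added example that is not part of this bug report or of the keyutils package, the following POSIX shell script approximates the same five checks with readelf alone, so a build result can be inspected on a system without hardening-includes; the function names are this example's own, and it assumes a GNU or LLVM readelf in PATH. It reports on every file given as an argument, so it can be plugged into the find invocation from the message in place of hardening-check.

```shell
#!/bin/sh
# Added example (not from the bug report or the keyutils package): a small
# readelf-based approximation of the checks hardening-check performs.
# Assumes GNU or LLVM readelf in PATH; all function names are this script's own.

# ELF object type from the file header: EXEC, DYN, REL, ...
elf_type() {
    readelf -h "$1" | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p'
}

# A PT_INTERP program header marks a file the kernel runs as a program.
has_interp() {
    readelf -lW "$1" | grep -q '^ *INTERP'
}

# PIE: ET_DYN *and* an interpreter. ET_DYN without PT_INTERP is a plain
# shared library, which hardening-check reports as "ignored".
is_pie() {
    [ "$(elf_type "$1")" = DYN ] && has_interp "$1"
}

is_shared_lib() {
    [ "$(elf_type "$1")" = DYN ] && ! has_interp "$1"
}

# Read-only relocations: the linker emitted a PT_GNU_RELRO segment (-z relro).
has_relro() {
    readelf -lW "$1" | grep -q 'GNU_RELRO'
}

# Immediate binding: a DT_BIND_NOW tag, BIND_NOW in DT_FLAGS, or NOW in
# DT_FLAGS_1 (all produced by -z now).
has_bind_now() {
    readelf -dW "$1" | grep -Eq 'BIND_NOW|Flags:( [A-Z_0-9]+)* NOW( |$)'
}

# Stack protector: a dynamic reference to __stack_chk_fail means at least one
# function got a canary. Absence can simply mean no function qualified, which
# is why hardening-check prints "not found!" rather than a hard failure.
has_stack_protector() {
    readelf --dyn-syms -W "$1" | grep -q '__stack_chk_fail'
}

# Fortify: any __*_chk import (e.g. __memcpy_chk) produced by _FORTIFY_SOURCE.
# Coarser than hardening-check's function list, but good enough for triage.
has_fortify() {
    readelf --dyn-syms -W "$1" | grep -Eq ' __[a-z0-9_]+_chk(@|[[:space:]]|$)'
}

yesno() { if "$@"; then echo yes; else echo no; fi; }

# One line per property, in the spirit of hardening-check's output.
check_file() {
    f=$1
    echo "$f:"
    if is_shared_lib "$f"; then
        echo " Position Independent Executable: no, regular shared library (ignored)"
    else
        echo " Position Independent Executable: $(yesno is_pie "$f")"
    fi
    echo " Stack protected: $(yesno has_stack_protector "$f")"
    echo " Fortify Source functions: $(yesno has_fortify "$f")"
    echo " Read-only relocations: $(yesno has_relro "$f")"
    echo " Immediate binding: $(yesno has_bind_now "$f")"
}

# Usage: sh check-hardening.sh FILE...
# e.g.   find debian/tmp -type f \( -executable -o -name \*.so\* \) \
#          -exec sh check-hardening.sh {} +
for f in "$@"; do
    check_file "$f"
done
```

As with hardening-check itself, "Stack protected: no" only says that no canary reference was found, which for a binary with no qualifying local arrays is expected rather than a defect; the build log remains the authoritative place to confirm that -fstack-protector and the other flags reached every compile and link line.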
Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors
* Simon Ruderich si...@ruderich.org, 2012-03-22, 22:38:
> Using -fPIE won't work when linking the library, -fPIC must be used for
> the library (at least on amd64). -fPIE is only for binaries.

Correct. Thanks for the clarification.

--
Jakub Wilk

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors
severity 661393 serious
thanks

* Miguel Colon debian.mic...@gmail.com, 2012-02-26, 17:15:
> The last release enabled hardening but caused the following errors in amd64:
> /usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can not be used when making a shared object; recompile with -fPIC
> /usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
> /usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
> [...]
> --- keyutils-1.5.5.orig/Makefile +++ keyutils-1.5.5/Makefile @@ -127,7 +127,7 @@ keyutils.os: keyutils.c keyutils.h Makef # ### %.o: %.c keyutils.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $ + $(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $ keyctl: keyctl.o $(DEVELLIB) $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $ -lkeyutils

The correct fix would be to make the makefile respect CFLAGS set from environment, which already include -fPIE (not -fPIC).

--
Jakub Wilk
Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors
Source: keyutils
Version: 1.5.5-1
Severity: important
Tags: patch

Hello:

The last release enabled hardening but caused the following errors in amd64:

/usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC

If hardening is disabled the errors go away but I doubt that is desired. As an attachment I included a patch for a possible way to fix the FTBFS.

The log of the errors can be found here:
https://buildd.debian.org/status/fetch.php?pkg=keyutils&arch=amd64&ver=1.5.5-1&stamp=1327720867

The 2nd and 3rd -fPIC error messages appear when you add the -fPIC flag to the object file of the previous line.

Hope this helps,
Miguel

Description: Use -fPIC for the generated *.o.
 Errors caused by enabling hardening in amd64:
 /usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
Forwarded: no
Author: Miguel Colon debian.mic...@gmail.com
Last-Update: 2012-02-26
--- keyutils-1.5.5.orig/Makefile +++ keyutils-1.5.5/Makefile @@ -127,7 +127,7 @@ keyutils.os: keyutils.c keyutils.h Makef # ### %.o: %.c keyutils.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $ + $(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $ keyctl: keyctl.o $(DEVELLIB) $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $ -lkeyutils
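Review bot: the `%.o` rule change in the `@@ -127,7 +127,7 @@` hunk compiles every object, including those of the three executables, with `-fPIC`, which makes the `-pie` carried by `$(LDFLAGS)` on the unchanged `keyctl:` link line succeed but does so by building executable code as fully position-independent library code instead of with `-fPIE`. The relocation errors arise because the Makefile's `CFLAGS :=` assignment discards the `-fPIE` that the hardening CFLAGS provide while the link still gets `-pie`; letting the environment's CFLAGS through (a `CFLAGS +=` assignment) gives the objects `-fPIE` to match, and limits `-fPIC` to the shared library where it belongs.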