On 05/21/2016 07:32 PM, Theodore Ts'o wrote: > If the pie hardening option is enabled, then dpkg-buildflags --get > LDFLAGS emits: > > -fPIE -pie -Wl,-z,relro > > According to the dpkg-buildflags man page: > > LDFLAGS > Options passed to the compiler when linking executables or > shared objects > > Unfortunate the linker will blow up if -fPIE is specified: > > (cd elfshared; gcc --shared -o libcom_err.so.2.1 \ > -L../../../lib -fPIE -pie -Wl,-z,relro \ > -Wl,-soname,libcom_err.so.2 error_message.o et_name.o init_et.o > com_err.o com_right.o -lpthread) > /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/Scrt1.o: In > function `_start': > (.text+0x20): undefined reference to `main' > collect2: error: ld returned 1 exit status
Libtool filters -fPIE, -pie and -fpie when compiling shared libraries, so anything using autotools + libtool should automatically be covered. In a project where I have just a plain Makefile, I have used the following in the past: CFLAGS_LIB = $(filter-out -fPIE -fpie -pie,$(CFLAGS)) -fPIC LDFLAGS_LIB = $(filter-out -fPIE -fpie -pie,$(LDFLAGS)) -fPIC Unfortunately, you then also have to override the rules for the object files that will be added to the library. In my case, this is just a single file, but in other projects this becomes more complicated. However, I just looked at what CMake does, and it will not filter out -fPIE or -pie or the such, but what it will do is the following: - pass -fPIC after CFLAGS & CPPFLAGS when compiling e.g. cc -Wall ... -fPIE -fPIC -o bla.o -c bla.c ^^^^^^^^^^^^^^^ ^^^^ C{,PP}FLAGS added via rule -fPIC overrides the previous -fPIE - pass -shared after CFLAGS & LDFLAGS, e.g. cc -fPIE -pie -shared -Wl,-soname,libbla.so.0 -o libbla.so.0 bla.o -lfoo ^^^^^ ^^^^ ^^^^^^ ^^^^^ | | | LDLIBS / LDFLAGS | CFLAGS added via rule Here, -shared (create shared library) will override -pie (create executable) and the library will be compiled in the right way. So what you could do is just make sure that all your Makefile rules always keep -shared (when linking) and -fPIC (when compiling) afteer CFLAGS/CPPFLAGS/LDFLAGS, and then you should be all set. (Hopefully.) Note that if you compile statically linked programs, you still need to explicitly drop the -pie at the moment (-fPIE for compilation is fine, because you can link -fPIE code into a non-PIE executable, it just makes the code slightly larger and slower), because no libc supports creating statically linked PIE executables as of now. (Although dietlibc upstream is working on that at least on amd64.) Hope that helps. Regards, Christian
signature.asc
Description: OpenPGP digital signature