Bug 53940

Summary: build with binary hardening measures in place ( pie and -z now )
Product: systemd Reporter: Marcus Meissner <marcus>
Component: generalAssignee: systemd-bugs
Status: RESOLVED FIXED QA Contact: systemd-bugs
Severity: normal    
Priority: medium CC: zbyszek
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: cflags-znow.patch

Description Marcus Meissner 2012-08-22 15:26:10 UTC 
Created attachment 65965 [details] [review]
cflags-znow.patch

As systemd is talking dbus it should get some more binary hardening measures...

(not sure if there is another bug for this already)

I suggest to just enable the flags for everything, as there should be no noticable performance impact or functional change.
Comment 1 Lennart Poettering 2012-08-22 23:13:03 UTC 
Actually, we already set znow:

http://cgit.freedesktop.org/systemd/systemd/tree/configure.ac#n134

is the fpie stuff supported properly by libtool and automake these days? i.e. afair we need to compile things differently for convenience libs and for shared libs. Does libtool/automake get that right automatically? Can you elaborate on this?
Comment 2 Marcus Meissner 2012-08-23 10:10:57 UTC 
openSUSE 12.2 with libtool 2.4.2 and automake 1.12.1 cope fine.

This libtool version filters out the -pie/-fPIE flags transparetnly while building libraries (and uses -fPIC there).
Comment 3 Lennart Poettering 2012-08-23 11:17:15 UTC 
Hmm, are you suggesting that the hardened build RPM magic is not necessary anymore?

https://lists.fedoraproject.org/pipermail/devel/2011-August/155358.html

i.e. more specifically, that the -spec stuff it does is unnecessary for packages which use a recent automake/libtool?

The reason we didn't add the pie stuff to systemd was mostly due to the requirement of that -spec stuff.
Comment 4 Marcus Meissner 2012-08-23 11:25:33 UTC 
the hardenend build flags are related, yes.

I am suggesting to systemd to do PIE for all its binaries by default 
 without needing other hardening buildmagic.
Comment 5 Lennart Poettering 2012-08-23 11:32:31 UTC 
(In reply to comment #4)
> the hardenend build flags are related, yes.
> 
> I am suggesting to systemd to do PIE for all its binaries by default 
>  without needing other hardening buildmagic.

Yes, I understand that, and I agree with it. I am just trying to wrap my head around this: why do we need the -spec file magic that is mentioned here:

https://lists.fedoraproject.org/pipermail/devel/2011-August/155358.html

Is that mostly redundant now because libtool/automake got updated and don't need this stuff anymore, or does the -spec stuff actually have any benefits still?
Comment 6 Marcus Meissner 2012-08-23 11:41:01 UTC 
I think it is largely for upstream programs that do not want to do this by default, or have no more upstream releases or other reasons.
Comment 7 Lennart Poettering 2014-05-24 10:17:19 UTC 
This is in place since a few days in git now. Closing.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.