[iortcw] 06/06: Enable full compiler hardening

Simon McVittie smcv at debian.org
Mon Mar 21 09:23:10 UTC 2016 

This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch master
in repository iortcw.

commit 591715b6cc2c7d59fb2fb68e2c0aec428591d8bd
Author: Simon McVittie <smcv at debian.org>
Date:   Mon Mar 21 08:57:35 2016 +0000

    Enable full compiler hardening
---
 debian/changelog                                   |  1 +
 ...HLIBLDFLAGS-used-to-link-executables-only.patch | 89 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 debian/rules                                       |  8 +-
 4 files changed, 98 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index f4c94b0..4920c9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ iortcw (1.42d+dfsg1-2) UNRELEASED; urgency=medium
   * Add Documentation key to the systemd services
   * Add a patch fixing some spelling mistakes in user-visible messages
     (but not "persistant", which is unfortunately part of the API)
+  * Enable full compiler hardening
 
  -- Simon McVittie <smcv at debian.org>  Tue, 08 Mar 2016 09:10:46 +0000
 
diff --git a/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch b/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
new file mode 100644
index 0000000..cb88b31
--- /dev/null
+++ b/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
@@ -0,0 +1,89 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 21 Mar 2016 08:57:10 +0000
+Subject: Introduce NOTSHLIBLDFLAGS, used to link executables only
+
+This can be used for LDFLAGS that would be inappropriate for shared
+libraries, such as the "-fPIE -pie" used to link position-independent
+executables. PIEs make it more difficult to exploit various classes
+of security vulnerability.
+---
+ MP/Makefile | 8 ++++----
+ SP/Makefile | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/MP/Makefile b/MP/Makefile
+index 6bda6f7..cf5effc 100644
+--- a/MP/Makefile
++++ b/MP/Makefile
+@@ -2209,7 +2209,7 @@ endif
+ ifneq ($(USE_RENDERER_DLOPEN),0)
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(LIBS)
+ 
+@@ -2225,13 +2225,13 @@ $(B)/renderer_mp_rend2_$(SHLIBNAME): $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTO
+ else
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) $(FTOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) $(FTOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ 
+ $(B)/$(CLIENTBIN)_rend2$(FULLBINEXT): $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ endif
+@@ -2380,7 +2380,7 @@ endif
+ 
+ $(B)/$(SERVERBIN)$(FULLBINEXT): $(Q3DOBJ)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
++	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
+ 
+ 
+ 
+diff --git a/SP/Makefile b/SP/Makefile
+index 5c2f8a3..85d4d92 100644
+--- a/SP/Makefile
++++ b/SP/Makefile
+@@ -2180,7 +2180,7 @@ endif
+ ifneq ($(USE_RENDERER_DLOPEN),0)
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(LIBS)
+ 
+@@ -2196,13 +2196,13 @@ $(B)/renderer_sp_rend2_$(SHLIBNAME): $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTO
+ else
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) $(FTOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) $(FTOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ 
+ $(B)/$(CLIENTBIN)_rend2$(FULLBINEXT): $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CXX) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(FTOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ endif
+@@ -2347,7 +2347,7 @@ endif
+ 
+ $(B)/$(SERVERBIN)$(FULLBINEXT): $(Q3DOBJ)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
++	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
+ 
+ 
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 2978a96..fc7903c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ Default-to-non-fullscreen.patch
 Remove-support-for-downloading-executable-updates.patch
 Pick-up-date-from-SOURCE_DATE_EPOCH-for-reproducible-buil.patch
 Fix-some-spelling-errors.patch
+Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
diff --git a/debian/rules b/debian/rules
index 99e209a..6dc1008 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,7 @@
 #export DH_VERBOSE=1
 
 DEB_MAINT_CFLAGS_APPEND := -fsigned-char
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 include /usr/share/dpkg/default.mk
 
@@ -14,6 +15,8 @@ else
 TARGET = debug
 endif
 
+# LIBSDLMAIN would normally be empty; we (ab)use it as a convenient variable
+# that is passed to the linker if and only if linking the executable
 options := \
 	V=1 \
 	USE_CODEC_OPUS=1 \
@@ -29,7 +32,10 @@ options := \
 	$(shell debian/q3arch make ${DEB_HOST_GNU_CPU} ${DEB_HOST_GNU_SYSTEM}) \
 	COPYDIR=/usr/lib/rtcw \
 	VERSION=$(DEB_VERSION)/$(DEB_VENDOR) \
-	CFLAGS="$(CPPFLAGS) $(CFLAGS)" \
+	CFLAGS='$(filter-out -fPIE -pie,$(CFLAGS)) $(CPPFLAGS)' \
+	NOTSHLIBCFLAGS='$(filter -fPIE -pie,$(CFLAGS))' \
+	LDFLAGS='$(filter-out -fPIE -pie,$(LDFLAGS))' \
+	NOTSHLIBLDFLAGS='$(filter -fPIE -pie,$(LDFLAGS))' \
 	$(NULL)
 sp_options := \
 	BR=$(CURDIR)/debian/build/sp \

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/iortcw.git

More information about the Pkg-games-commits mailing list