[ioquake3] 04/05: Enable full compiler hardening

Simon McVittie smcv at debian.org
Mon Mar 21 09:25:05 UTC 2016 

This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch master
in repository ioquake3.

commit 9c1598413209f1b2021bbb20b92d0ced10b3bd45
Author: Simon McVittie <smcv at debian.org>
Date:   Mon Mar 21 08:41:59 2016 +0000

    Enable full compiler hardening
---
 debian/changelog                                   |  1 +
 ...HLIBLDFLAGS-used-to-link-executables-only.patch | 50 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 debian/rules                                       |  8 +++-
 4 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 9aff8f9..adf84fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ ioquake3 (1.36+u20160122+dfsg1-2) UNRELEASED; urgency=medium
     mode for now
   * Update reproducibility patch to pick up SOURCE_DATE_EPOCH, as set by
     debhelper >= 9.20151004
+  * Enable full compiler hardening
 
  -- Simon McVittie <smcv at debian.org>  Wed, 02 Mar 2016 09:28:06 +0000
 
diff --git a/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch b/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
new file mode 100644
index 0000000..7b63900
--- /dev/null
+++ b/debian/patches/Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
@@ -0,0 +1,50 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 21 Mar 2016 08:55:23 +0000
+Subject: Introduce NOTSHLIBLDFLAGS, used to link executables only
+
+This can be used for LDFLAGS that would be inappropriate for shared
+libraries, such as the "-fPIE -pie" used to link position-independent
+executables. PIEs make it more difficult to exploit various classes
+of security vulnerability.
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1e1490f..4e0d0e9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -2057,7 +2057,7 @@ endif
+ ifneq ($(USE_RENDERER_DLOPEN),0)
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(LIBS)
+ 
+@@ -2073,13 +2073,13 @@ $(B)/renderer_opengl2_$(SHLIBNAME): $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ)
+ else
+ $(B)/$(CLIENTBIN)$(FULLBINEXT): $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3ROBJ) $(JPGOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ 
+ $(B)/$(CLIENTBIN)_opengl2$(FULLBINEXT): $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) $(LIBSDLMAIN)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) \
++	$(Q)$(CC) $(CLIENT_CFLAGS) $(CFLAGS) $(CLIENT_LDFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) \
+ 		-o $@ $(Q3OBJ) $(Q3R2OBJ) $(Q3R2STRINGOBJ) $(JPGOBJ) \
+ 		$(LIBSDLMAIN) $(CLIENT_LIBS) $(RENDERER_LIBS) $(LIBS)
+ endif
+@@ -2221,7 +2221,7 @@ endif
+ 
+ $(B)/$(SERVERBIN)$(FULLBINEXT): $(Q3DOBJ)
+ 	$(echo_cmd) "LD $@"
+-	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
++	$(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(NOTSHLIBLDFLAGS) -o $@ $(Q3DOBJ) $(LIBS)
+ 
+ 
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 35bcae6..aacecdd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ Let-servers-set-sv_fps-too.patch
 Run-in-a-window-by-default-on-new-installations.patch
 ui-reinstate-minimal-code-to-determine-whether-this-.patch
 Pick-up-date-from-SOURCE_DATE_EPOCH-for-reproducible-buil.patch
+Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
diff --git a/debian/rules b/debian/rules
index 97e4417..e1340b2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,7 @@
 #!/usr/bin/make -f
 #export DH_VERBOSE=1
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 export LC_ALL=C.UTF-8
 export TZ=UTC
 
@@ -23,6 +24,8 @@ else
 TARGET = debug
 endif
 
+# LIBSDLMAIN would normally be empty; we (ab)use it as a convenient variable
+# that is passed to the linker if and only if linking the executable
 OPTIONS := \
 		BR=build \
 		BD=build \
@@ -42,7 +45,10 @@ OPTIONS := \
 		BUILD_GAME_SO=1 \
 		BUILD_GAME_QVM=0 \
 		VERSION=$(DEB_VERSION)/$(DEB_VENDOR) \
-		CFLAGS='$(CFLAGS) $(CPPFLAGS)' \
+		CFLAGS='$(filter-out -fPIE -pie,$(CFLAGS)) $(CPPFLAGS)' \
+		NOTSHLIBCFLAGS='$(filter -fPIE -pie,$(CFLAGS))' \
+		LDFLAGS='$(filter-out -fPIE -pie,$(LDFLAGS))' \
+		NOTSHLIBLDFLAGS='$(filter -fPIE -pie,$(LDFLAGS))' \
 		FULLBINEXT="" \
 		NO_STRIP=1 \
 		$(NULL)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/ioquake3.git

More information about the Pkg-games-commits mailing list