
#1 2017-01-17 19:31:27

walker_sh
Member
Registered: 2017-01-17
Posts: 3

Enabling security options for makepkg/abs

I have just set up an Arch installation and saw that most of the applications are not compiled with the PIE flags. I therefore set out to do this myself. However, I can't get the linker to use -pie while compiling.

I tried this with xfce4-terminal:
Relevant part of /etc/makepkg.conf

#-- Compiler and Linker Flags
# -march (or -mcpu) builds exclusively for an architecture
# -mtune optimizes for an architecture, but builds for whole processor family
CPPFLAGS="-D_FORTIFY_SOURCE=2 -fpic -pie"
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fpic -pie"
CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fpic -pie"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
#-- Make Flags: change this for DistCC/SMP systems
#MAKEFLAGS="-j2"

And any attempt to include -pie in LDFLAGS results in the following error:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '1000' is supported by ustar format... yes
checking whether GID '1000' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether make supports nested variables... (cached) yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/home/walker/abs/xfce4-terminal/src/xfce4-terminal-0.8.3':
configure: error: C compiler cannot create executables
See `config.log' for more details

config.log can be found here: https://paste2.org/V2xjU5DI

Any help would be hugely appreciated ^^


#2 2017-01-17 20:57:47

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,859

Re: Enabling security options for makepkg/abs

I have just set up an arch installation and saw that most of the applications are not compiled with the pie flags.

You can see why here: https://lists.archlinux.org/pipermail/a … 28543.html and https://bbs.archlinux.org/viewtopic.php?id=221761

I'm not well versed in this, but I think you want "-fPIE" in your C{,XX}FLAGS, not "-pie". You possibly need "-pie" in your LDFLAGS though.

Mod note: Moving to creating/modifying packages.

Last edited by WorMzy (2017-01-17 20:58:19)


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#3 2017-01-17 23:30:29

walker_sh
Member
Registered: 2017-01-17
Posts: 3

Re: Enabling security options for makepkg/abs

I have already checked using the -fPIE flag; this does not enable PIE for the executable (checked using the checksec package). Using "-pie" in the LDFLAGS will cause makepkg to fail with the same error as described above.

Is there any way to monitor the progress on implementing PIE as a default compiler flag? Should I monitor the mailing list for this?

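The posts above turn on two points: which flags produce a PIE (-fPIE when compiling, -pie when linking, as suggested in #2) and how to tell afterwards whether the result actually is one (the checksec check mentioned in #3). The following is an added example, not code from the thread or from the checksec project: a minimal ELF64 inspector that does what checksec and `readelf -h` consult for the PIE verdict. It reads e_type from the ELF header: ET_EXEC means a fixed-address, non-PIE executable, ET_DYN means position-independent code. Because shared libraries are also ET_DYN, it additionally walks the program headers and reports ET_DYN with a PT_INTERP entry as a PIE executable and ET_DYN without one as a plain shared object. The sample images it ships with are constructed in the script for the demonstration; they are not taken from xfce4-terminal or any real package. Run it with no arguments to classify the samples, or pass paths (for instance the binary produced by the --enable-default-pie gcc from #5) to classify real files.

```python
"""Classify an ELF64 little-endian image as 'no-pie', 'pie' or 'dso'.

Added example, not part of the original thread.  Mirrors the header-level
check used by checksec: e_type == ET_EXEC -> no PIE; e_type == ET_DYN and
a PT_INTERP program header -> PIE executable; ET_DYN without PT_INTERP ->
shared object.  Sample images below are constructed here for the demo.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_PHDR = 1, 2, 3, 6


def classify_elf(data: bytes) -> str:
    """Return 'no-pie', 'pie', 'dso' or 'not-elf64' for the given bytes."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return "not-elf64"
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        return "not-elf64"
    # ELF64 header: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "no-pie"          # fixed load address: -pie was not used
    if e_type != ET_DYN:
        return "not-elf64"       # ET_REL / ET_CORE are not loadable images
    # ET_DYN covers both PIE executables and shared libraries; only an
    # executable carries a PT_INTERP entry naming the dynamic loader.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        p_type = struct.unpack_from("<I", data, off)[0]
        if p_type == PT_INTERP:
            return "pie"
    return "dso"


def classify_file(path: str) -> str:
    """Classify an on-disk binary (e.g. /usr/bin/xfce4-terminal)."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def make_sample(e_type: int, phdr_types) -> bytes:
    """Constructed ELF64 LE image for the demo: a header plus one program
    header per entry in phdr_types, with all other fields left zero."""
    phnum = len(phdr_types)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return header + phdrs


# Constructed samples (demo data, not real package output).
SAMPLE_NO_PIE = make_sample(ET_EXEC, [PT_PHDR, PT_INTERP, PT_LOAD])   # CFLAGS without -fPIE/-pie
SAMPLE_PIE = make_sample(ET_DYN, [PT_PHDR, PT_INTERP, PT_LOAD])       # -fPIE + -pie
SAMPLE_DSO = make_sample(ET_DYN, [PT_LOAD, PT_DYNAMIC])               # a shared library


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(f"{path}: {classify_file(path)}")
    else:
        for name, image in (("SAMPLE_NO_PIE", SAMPLE_NO_PIE),
                            ("SAMPLE_PIE", SAMPLE_PIE),
                            ("SAMPLE_DSO", SAMPLE_DSO)):
            print(f"{name}: {classify_elf(image)}")
```

On a real binary the same information is visible as the "Type:" line of `readelf -h`; a package rebuilt with -fPIE in CFLAGS and -pie in LDFLAGS should show DYN there, while EXEC means the PIE flags did not reach the link step. Note that this check says nothing about the other hardening options in the posted makepkg.conf (stack protector, FORTIFY_SOURCE, RELRO), which live in different parts of the binary.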

#4 2017-01-18 00:18:23

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,859

Re: Enabling security options for makepkg/abs

The arch-dev-public mailing list would be the place to watch, but as mentioned in that thread I linked to, PIE support is essentially on permanent hold until someone has time to figure it all out.



#5 2017-01-18 12:45:22

walker_sh
Member
Registered: 2017-01-17
Posts: 3

Re: Enabling security options for makepkg/abs

So I was able to compile xfce4-terminal by using gcc compiled with the tag --enable-default-pie.
And then using that to compile the program.

Looking forward to when it is enabled by default :D


#6 2017-01-24 04:25:59

adamlau
Member
Registered: 2009-01-30
Posts: 418

Re: Enabling security options for makepkg/abs

hardening-wrapper is an alternative to rebuilding gcc with --enable-default-pie.


Arch Linux + sway
Debian Testing + GNOME/sway
NetBSD 64-bit + Xfce

