From: Aaron M. Ucko Date: Fri, 11 May 2012 03:32:08 +0000 (+0000) Subject: ncbi-blast+: Enable full hardening flags, introducing a small patch X-Git-Tag: archive/raspbian/2.16.0+ds-7+rpi1~1^2~292 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1edab708af4dc4072816500bc403ea20bf8381f1;p=ncbi-blast%2B.git ncbi-blast+: Enable full hardening flags, introducing a small patch (use_pie_for_apps) to reflect the need to build executables and libraries differently. --- diff --git a/debian/changelog b/debian/changelog index f547cfb7..f0ab1db0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,9 @@ ncbi-blast+ (2.2.26-3) UNRELEASED; urgency=low - Use modern syntax for making protected base members public. - Add forward declarations as needed. * Wrap and sort build dependencies to ease maintenance thereof. + * Enable full hardening flags, introducing a small patch + (use_pie_for_apps) to reflect the need to build executables and + libraries differently. [ Andreas Tille ] * debian/control: Modernize Vcs-* fields. diff --git a/debian/control b/debian/control index 32886fcf..f192bffe 100644 --- a/debian/control +++ b/debian/control @@ -3,6 +3,7 @@ Section: science Priority: optional Build-Depends: autotools-dev (>= 20100122), debhelper (>= 7.0.50~), + dpkg-dev (>= 1.16.1), libboost-test-dev, libbz2-dev, libc0.3-dev (>= 2.13-9~) [hurd-i386], diff --git a/debian/patches/series b/debian/patches/series index 5c737d2b..10b11987 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ fix_lib_deps no_multiarch_rpath wrong_path_to_touch.patch fix_gcc47_errors +use_pie_for_apps diff --git a/debian/patches/use_pie_for_apps b/debian/patches/use_pie_for_apps new file mode 100644 index 00000000..c4528e03 --- /dev/null +++ b/debian/patches/use_pie_for_apps 
@@ -0,0 +1,20 @@ +Subject: build executables with -fPIE, not -fPIC + +* -fPIC is only useful for shared libraries; substitute -fPIE (to be + accompanied by appropriate APP_LDFLAGS) when building executables. + +Author: Aaron M. Ucko +Last-Update: 2012-05-10 +--- a/c++/src/build-system/Makefile.app.in ++++ b/c++/src/build-system/Makefile.app.in +@@ -24,8 +24,8 @@ + + ### C/C++ source file compilation (and maybe auto-dependencies) build rules + +-CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS) +-CFLAGS_ALL = @f_compile@ $(CFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS) ++CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS) ++CFLAGS_ALL = @f_compile@ $(CFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS) + SOURCES = @UNIX_SRC@ $(SRC) + include $(builddir)/Makefile.$(Rules) + diff --git a/debian/rules b/debian/rules index faf4f4f9..4292f6a2 100755 --- a/debian/rules +++ b/debian/rules @@ -7,7 +7,7 @@ DEB_CONFIGURE_EXTRA_FLAGS=--with-dll --with-mt --without-autodep \ --without-makefile-auto-update --with-flat-makefile --without-caution \ --without-dbapi --without-lzo --with-runpath=/usr/lib/ncbi-blast+ \ - --with-build-root=BUILD LDFLAGS='-Wl,--as-needed -Wl,--enable-new-dtags' + --with-build-root=BUILD proj=algo/blast/ app/ objmgr/ objtools/align_format/ objtools/blast/ # XXX - not quite right, as we get -DNDEBUG vs. -D_DEBUG 
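Review bot: The substitution references `$(CXXFLAGS:-fPIC=-fPIE)` and `$(CFLAGS:-fPIC=-fPIE)` in the embedded Makefile.app.in hunk rewrite only a word ending in exactly `-fPIC`, so executables get `-fPIE` only when configure put that spelling into these two variables. debian/rules links every application with `-pie` unconditionally, so if the flag is spelled `-fpic` or is absent (presumably the case without `--with-dll`), non-position-independent objects reach a PIE link. I would state the assumption in a comment above the two assignments, e.g. `# assumes configure put -fPIC into CFLAGS/CXXFLAGS (--with-dll); apps are linked with -pie via APP_LDFLAGS`. It is also worth confirming on one built binary that the ELF type is DYN.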
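Review bot: Removing `LDFLAGS='-Wl,--as-needed -Wl,--enable-new-dtags'` from the configure arguments loses `-Wl,--enable-new-dtags` entirely, because the `LDFLAGS :=` line added later in this file re-adds only `-Wl,--as-needed`, and the changelog entry does not mention the drop. With `--with-runpath=/usr/lib/ncbi-blast+` still on this line, that flag decides whether the linker records DT_RUNPATH or DT_RPATH, unless the toolchain already defaults to new dtags. DT_RPATH is searched before `LD_LIBRARY_PATH`, which the `llp=LD_LIBRARY_PATH` helper further down appears to rely on. If the removal is unintended, append `-Wl,--enable-new-dtags` to the new `LDFLAGS :=` assignment; if it is intended, say so in debian/changelog. The `DEB_CONFIGURE_EXTRA_FLAGS` assignment may begin above this hunk.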
@@ -17,12 +17,21 @@ else DEB_CONFIGURE_EXTRA_FLAGS += --with-optimization endif +export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie + DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH) + +CFLAGS := $(shell dpkg-buildflags --get CFLAGS) +CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) +CXXFLAGS := $(shell dpkg-buildflags --get CXXFLAGS) +LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed + ifneq (,$(findstring mips,$(DEB_HOST_ARCH))) -DEB_CONFIGURE_EXTRA_FLAGS += CXXFLAGS=-O FAST_CXXFLAGS=-O +CXXFLAGS := $(CXXFLAGS:-O%=-O) +DEB_CONFIGURE_EXTRA_FLAGS += FAST_CXXFLAGS=-O endif -export MAKE +export CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MAKE llp=LD_LIBRARY_PATH override_dh_auto_configure: @@ -30,7 +39,9 @@ override_dh_auto_configure: CONFIG_SHELL=/bin/bash ./configure $(DEB_CONFIGURE_EXTRA_FLAGS) override_dh_auto_build: - cd c++/BUILD/build && make -f Makefile.flat all_projects="$(proj)" + cd c++/BUILD/build && \ + make -f Makefile.flat all_projects="$(proj)" \ + APP_LDFLAGS='-Wl,-E -fPIE -pie' override_dh_auto_test: -dh_auto_test @@ -65,7 +76,7 @@ override_dh_clean: `basename $$x .files`.module purge_sources); \ done rm -rf c++/BUILD c++/compilers/dll c++/config.log c++/Makefile - rm -f c++/src/objects/blastxml/blastxml.module + rm -f c++/configure.lineno c++/src/objects/blastxml/blastxml.module %: dh $@ -Dc++ --with autotools_dev --with quilt
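Review bot: `export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie` probably never reaches the four `$(shell dpkg-buildflags --get …)` calls below it. As far as I know, GNU make before 4.4 does not place exported makefile variables in the environment of `$(shell)`, so dpkg-buildflags would return only its default hardening set and the `+all` additions (bindnow, for one) would be silently missing. Pass the option explicitly, `CFLAGS := $(shell DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags --get CFLAGS)` and likewise for CPPFLAGS, CXXFLAGS and LDFLAGS, or include `/usr/share/dpkg/buildflags.mk`, which dpkg-dev 1.16.1 ships. Looking for `-Wl,-z,now` on the link lines in the build log would confirm whether the option took effect.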
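Review bot: `APP_LDFLAGS='-Wl,-E -fPIE -pie'` is passed on the make command line in `override_dh_auto_build`, where it overrides every assignment to `APP_LDFLAGS` inside Makefile.flat and the makefiles it includes, so anything the build system would put there itself is lost. The hunk does not show whether `-Wl,-E` reproduces an upstream default or is new. A comment above the recipe should record this, e.g. `# APP_LDFLAGS replaces the build system's value: -Wl,-E kept from upstream (confirm); -fPIE -pie pair with use_pie_for_apps`. The recipe also still calls literal `make` although the file exports `MAKE`; `$(MAKE) -f Makefile.flat …` would pass the jobserver and `-n` through to the sub-make.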