From aea75949fba1d7e4d72a91cd2ffbfb2f6b48eb76 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@citrix.com>
Date: Tue, 4 Feb 2020 14:11:10 +0000
Subject: [PATCH] debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell

This makes these hardening options actually effective.

Closes: #939560 (1/3)
Reported-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
---
 debian/rules | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/debian/rules b/debian/rules
index b96017a7ba..fdf68805b4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,7 +16,10 @@ SHELL    := bash -e
 # of them are sane to use in the hypervisor context, rather than
 # simply in userland binaries.
 #
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+# Inexplicably, if you tell make `export V=value' and `$(shell ...)'
+# it does not pass V to the shell.  WTF.  So we set a variable
+# dbmo which we include in the relevant $(shell ...) invocations.
+dbmo= DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 # Architecture handling.
 #
@@ -127,9 +130,9 @@ export WGET=/bin/false GIT=/bin/false
 
 t=$(PWD)/debian/tmp
 
-dpkg_CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
-dpkg_CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
-dpkg_LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS)
+dpkg_CFLAGS   := $(shell $(dbmo) dpkg-buildflags --get CFLAGS)
+dpkg_CPPFLAGS := $(shell $(dbmo) dpkg-buildflags --get CPPFLAGS)
+dpkg_LDFLAGS  := $(shell $(dbmo) dpkg-buildflags --get LDFLAGS)
 
 make_args_xen= $(make_args_common) \
 	XEN_COMPILE_ARCH=$(xen_arch_$(DEB_BUILD_ARCH)) \
-- 
2.30.2