author | Simon Ruderich <simon@ruderich.org> | 2012-09-15 13:01:27 +0200 |
---|---|---|
committer | Andreas Beckmann <anbe@debian.org> | 2013-09-13 07:05:51 +0200 |
commit | 5416958893006b5aa87461780c83ee9bf3d3360d (patch) | |
tree | eecaa0bd769543df34cd84753913428de983c310 | |
parent | 88b0d7aa4aa07760246f738e7d457d1f6fa6893a (diff) | |
enable all hardening flags
-rw-r--r-- | debian/changelog | 1 | ||||
-rwxr-xr-x | debian/rules | 23 | ||||
-rw-r--r-- | debian/sensible_mda/Makefile.in | 2 |
3 files changed, 15 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog
index 9d216ec..8286f5f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ sendmail (8.14.4-4.1) UNRELEASED; urgency=low
 * sendmailconfig: Add missing quoting, thanks to Stuart Sheldon. (Closes: #692047)
 * Raise MAXDAEMONS from 10 to 64, thanks to Kees Cook. (Closes: #720435)
+ * Enable all hardening flags, thanks to Simon Ruderich. (Closes: #687708)
 -- Andreas Beckmann <anbe@debian.org> Fri, 13 Sep 2013 05:46:00 +0200
diff --git a/debian/rules b/debian/rules
index 7c97454..ae69990 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,16 +20,19 @@ DEB_HOST_GNU_CPU ?= $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)
 # Well, almost impossible now 8-)
 # * Compile all with -fPIC (works for pic or pie objects)
 # * Link with either -pie or -shared
-ifeq ($(DEB_HOST_GNU_CPU),arm)
- MY_CFLAGS := -fPIC
-else
- MY_CFLAGS := -fPIC -fstack-protector-all
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags
+CFLAGS := $(shell $(dpkg_buildflags) --get CFLAGS)
+CFLAGS += -fPIC
+ifneq (,$(filter -fstack-protector,$(CFLAGS)))
+ CFLAGS += -fstack-protector-all
 endif
-CFLAGS += ${MY_CFLAGS}
-export CFLAGS
-MY_LDFLAGS := -Wl,-z,noexecstack,-z,relro,-z,now -Wl,--warn-shared-textrel
-LDFLAGS += -pie ${MY_LDFLAGS}
-export LDFLAGS
+CXXFLAGS := $(shell $(dpkg_buildflags) --get CXXFLAGS)
+CPPFLAGS := $(shell $(dpkg_buildflags) --get CPPFLAGS)
+LDFLAGS := $(shell $(dpkg_buildflags) --get LDFLAGS)
+LDFLAGS += -Wl,-z,noexecstack -Wl,--warn-shared-textrel
+MY_LDFLAGS := $(LDFLAGS)
+LDFLAGS += -fpie
+export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
 # Obtain package/version information from the path (debian/changelog is walkabout)
 ifneq (y, $(shell test -f debian/changelog && echo 'y'))
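Review bot: `LDFLAGS += -fpie` replaces the old `LDFLAGS += -pie ...`, but `-fpie` is a code-generation option while `-pie` is what asks the link step for a position-independent executable. Since `hardening=+all,-pie` also strips dpkg-buildflags' own PIE flags, the executables may no longer be linked as PIE unless the sendmail build adds `-pie` somewhere not visible here. If PIE is still intended, as the "Link with either -pie or -shared" comment says, keep `LDFLAGS += -pie` after the `MY_LDFLAGS := $(LDFLAGS)` snapshot. Separately, `$(filter -fstack-protector,$(CFLAGS))` matches only that exact word, so a variant such as `-fstack-protector-strong` would silently skip the `-all` upgrade; `$(filter -fstack-protector%,$(CFLAGS))` is more robust. A one-line comment saying that `MY_LDFLAGS` is captured before the PIE flag because it is reused for the `-shared` libmilter link would make the ordering dependency explicit.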
@@ -428,7 +431,7 @@ common-build-arch::
 (cd ${DEB_SRCDIR}/obj*/libmilter && \
 gcc -shared -pthread \
 -o libmilter.so.${sm_libmilter_version} \
- -fPIC ${MY_CFLAGS} \
+ -fPIC ${CFLAGS} \
 -Wl,-soname,libmilter.so.${sm_libmilter_version} \
 ${MY_LDFLAGS} \
 *.o;); \
diff --git a/debian/sensible_mda/Makefile.in b/debian/sensible_mda/Makefile.in
index cae8480..fd1b9db 100644
--- a/debian/sensible_mda/Makefile.in
+++ b/debian/sensible_mda/Makefile.in
@@ -98,7 +98,7 @@ CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
+CPPFLAGS = @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)
 CYGPATH_W = @CYGPATH_W@
 DEBIAN = @DEBIAN@
 DEBIAN_DH = @DEBIAN_DH@ |
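Review bot: `-fPIC ${CFLAGS} \` now passes `-fPIC` twice, because the first hunk of this file already appends `-fPIC` to `CFLAGS`; `${CFLAGS} \` alone is enough on that line. The link command also hard-codes `gcc` on the context line above, so a `CC` override or cross toolchain would be ignored for this step; `$(CC) -shared -pthread \` would be consistent with the exported flags if `CC` is set for the rest of the build. The `common-build-arch` recipe starts and ends outside the hunk.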
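Review bot: The `dpkg-buildflags` call added to `CPPFLAGS` runs without the `DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie"` setting that `debian/rules` uses, and with recursive `=` it is re-run on every expansion of `CPPFLAGS`. If the tool is missing, `$(shell ...)` expands to nothing and the build continues without the hardening defines and without any error. `debian/rules` already exports `CPPFLAGS`, so if configure for sensible_mda runs under that environment, `@CPPFLAGS@` should already carry the flags and this line only duplicates them. `Makefile.in` also looks automake-generated, so a hand edit here would be lost on regeneration; passing the flags through the environment from `debian/rules`, or changing `Makefile.am` if one exists, would be more durable.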