Improve binary security by enabling a hardening linker flag.
Details
- Reviewers
Itms LudovicRousseau - Commits
- rP20896: Build with the "read-only relocation" hardening linker flag
- Trac Tickets
- #4894
Patch already used on Debian.
Tested locally by @Gallaecio as well.
Diff Detail
- Repository
- rP 0 A.D. Public Repository
- Lint
Automatic diff as part of commit; lint not applicable. - Unit
Automatic diff as part of commit; unit tests not applicable.
Event Timeline
https://sources.debian.org/src/0ad/0.0.22-3.1/debian/patches/enable-hardening-relro.patch/
The link to the Debian patch was added to the trac ticket but not here. Sorry.
Hey thanks for the patch. Maybe out of scope for this differential but you might want to look at the Premake 5 files. We did the switch recently
Thanks for the patch and the work on the Debian package in general ?
As stated above, the changes need to be performed on both the premake4 and premake5 build scripts. The former will be dropped sometime soon, so maybe you should wait in order not to perform unneeded work on premake4.
I am new at maintaining 0ad for Debian. The honours should go to Vincent Cheng, the previous Debian maintainer.
I review Debian patches and try to push them upstream.
As stated above, the changes need to be performed on both the premake4 and premake5 build scripts. The former will be dropped sometime soon, so maybe you should wait in order not to perform unneeded work on premake4.
Are premake5 build scripts production ready?
Should I use them for the Debian packaging of alpha 22? or wait until a future version of 0ad?
Itms committed the premake5 script in the current svn version (BuildInstructions) and it will be in th release of alpha 23, but not alpha 22.
Perhaps it might be patched again, but I don't expect any unresolvable merge conflicts with this one-liner.
https://code.wildfiregames.com/source/0ad/browse/ps/trunk/build/premake/premake5.lua
I was actually thanking you for taking the helm ?
They are currently used in production. As of today they are even used in automated testing, and we will remove support for premake 4 entirely before soon. While we're at it, it might be interesting to package premake5 in distributions! As soon as we drop p4 support we will have an option to use system premake.
Alpha 22 should keep premake4.
Btw @LudovicRousseau If you haven't already I suggest you add our irc channel on quakenet #0ad-dev to get pinged for releases :) And feel free to drop by to say hello sometimes.
If it's only that, then I don't see any need to let Ludovic update the patch if he is busy (assuming it was actually tested well on debian).
We should remember to mention vincent as the author, who we don't have in programming.json yet.
Index: build/premake/premake5.lua =================================================================== --- build/premake/premake5.lua (revision 20867) +++ build/premake/premake5.lua (working copy) @@ -257,7 +257,7 @@ if os.istarget("linux") or os.istarget("bsd") then buildoptions { "-fPIC" } - linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed" } + linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed", "-Wl,-z,relro" } end if arch == "x86" then
According to Debian changelog file at https://anonscm.debian.org/git/pkg-games/0ad.git/tree/debian/changelog#n287 (quoted bellow) the relro patch is used in Debian (as well as Ubuntu and other derivatives) since 0ad version r11863 in May 2012. I think it is "well tested" in the field.
0ad (0~r11863-1) unstable; urgency=low
- New upstream release.
- Refresh patches.
- Add debian/patches/enable-hardening-relro.patch to build using the "read-only relocation" link flag, as suggested by lintian.
- Add build-depends on libxcursor-dev.
- Vincent Cheng <Vincentc1208@gmail.com> Wed, 16 May 2012 23:50:12 -0700
LudovicRousseau if you formally accept the diff then the formal review guidelines are satisfied. I guess it wouldn't hurt if someone could confirm that the premake5 doesn't fall apart before the commit.