Request: Hardened system tutorial/patch

Daniel Kozak via Digitalmars-d digitalmars-d at puremagic.com
Wed Oct 19 06:16:08 PDT 2016 

Dne 19.10.2016 v 14:51 Lodovico Giaretta via Digitalmars-d napsal(a):

> Hi!
>
> As you might have noticed, Ubuntu 16.10 joins the community of 
> hardened systems by shipping GCC 6.2 with PIE enabled by default. This 
> is a wonderful security choice, but it comes with some problems when 
> one tries to use DMD. Here is what happened to me.
>
> 1) Trying to unittest std.experimental.xml:
>
>    I got tons of failed relocations, but I was kind of expecting that. 
> I was using DUB,
>    so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I 
> really don't know
>    why. Then I tried setting "dflags" with "-fPIC", but it didn't 
> suffice, as I had to
>    set "-defaultlib" to "libphobos2.so".
>    Ok, this finally worked, but it produced PIE executables. What if I 
> want to use a plain
>    old fixed-position executable? I didn't manage to do that. Also, 
> the "default" dmd
>    call, without any option, should really work out of the box. I 
> don't really care if by
>    default it produces PIE or not. I care that I don't have to think 
> about it unless it's
>    an important decision for me. And I care that if I want, I can 
> switch to whatever with
>    a command line option.
This is possible, it is on package maintainers to do this (compile 
druntime and phobos itself with -fPIC and add -fPIC to /etc/dmd.conf)

>
> 2) Trying to use DUB seriously:
>
>    This is a good reason to have a working default configuration. 
> While working on the
>    xml library, I used `dub -b ddox`. Being the first time on the new 
> system, DUB fetched
>    ddox and tried to build it. But of course it failed! And that's 
> because ddox (as every
>    dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as 
> it has never been
>    necessary. I still don't know how to make this work without hacking 
> ddox.
>
> So, what we really need is either a good tutorial on how to setup 
> everything so that it "just works", or even better the compiler should 
> recognize if the linker has hardening enabled by default, and take 
> actions to either compile with PIC or call the linker with -no-pie.
same as above just add -fPIC to dmd.conf

More information about the Digitalmars-d mailing list