Request: Hardened system tutorial/patch
Lodovico Giaretta via Digitalmars-d
digitalmars-d at puremagic.com
Wed Oct 19 05:51:46 PDT 2016
Hi!
As you might have noticed, Ubuntu 16.10 joins the community of hardened systems by shipping GCC 6.2 with PIE enabled by default. This is a wonderful security choice, but it comes with some problems when one tries to use DMD. Here is what happened to me.
1) Trying to unittest std.experimental.xml:
I got tons of failed relocations, but I was kind of expecting that. I was using DUB, so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I really don't know why. Then I tried setting "dflags" with "-fPIC", but it didn't suffice, as I had to set "-defaultlib" to "libphobos2.so".
OK, this finally worked, but it produced PIE executables. What if I want to use a plain old fixed-position executable? I didn't manage to do that. Also, the "default" dmd call, without any option, should really work out of the box. I don't really care if by default it produces PIE or not. I care that I don't have to think about it unless it's an important decision for me. And I care that if I want, I can switch to whatever with a command line option.
2) Trying to use DUB seriously:
This is a good reason to have a working default configuration. While working on the xml library, I used `dub -b ddox`. Being the first time on the new system, DUB fetched ddox and tried to build it. But of course it failed! And that's because ddox (as every dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as it has never been necessary. I still don't know how to make this work without hacking ddox.
So, what we really need is either a good tutorial on how to set up everything so that it "just works", or even better the compiler should recognize if the linker has hardening enabled by default, and take actions to either compile with PIC or call the linker with -no-pie.
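As an added example (not from the original post, nor from DMD or DUB), the following Python checker reads the ELF header and program headers of a linked binary and reports whether it came out as a fixed-position executable, a PIE, or a shared object, which is the question left open above. The three sample images are constructed inline and stand in for a -no-pie executable, a PIE-default link, and libphobos2.so; a truncated program header table is rejected rather than misclassified.

```python
import struct
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-position executable / PIE or shared object
PT_INTERP = 3            # program header naming the dynamic loader

def classify_elf(data: bytes) -> str:
    """Classify an ELF image as 'EXEC', 'PIE', 'SHARED' or 'OTHER'."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]   # 1/2 = ELF32/ELF64, LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    end = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    # e_phoff offset/format and e_phentsize offset differ between ELF64 and ELF32.
    phoff_at, phoff_fmt, phent_at = (32, "Q", 54) if ei_class == 2 else (28, "I", 42)
    (e_phoff,) = struct.unpack_from(end + phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, phent_at)
    # p_type is the first 4 bytes of every program header in both classes.
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        has_interp = has_interp or p_type == PT_INTERP
    if e_type == ET_EXEC:
        return "EXEC"
    if e_type == ET_DYN:
        return "PIE" if has_interp else "SHARED"   # ET_DYN without PT_INTERP is a .so
    return "OTHER"

def classify_file(path: str) -> str:
    """Classify an on-disk binary, e.g. the output of dmd or dub."""
    with open(path, "rb") as f:
        return classify_elf(f.read())

def _sample_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed ELF64 LSB image (header + bare program headers), not loadable."""
    phoff, phentsize = 64, 56
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff, 0, 0,
                      64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(phentsize - 4) for t in phdr_types)
    return ident + hdr + phdrs

# Constructed samples standing in for the three outcomes described in the post.
FIXED_EXEC = _sample_elf64(ET_EXEC, [1, PT_INTERP])   # plain -no-pie executable
PIE_EXEC = _sample_elf64(ET_DYN, [1, PT_INTERP])      # what a PIE-default gcc links
SHARED_LIB = _sample_elf64(ET_DYN, [1])               # e.g. libphobos2.so
```

Run `classify_file` on a freshly built binary to confirm whether the `-fPIC` / `-no-pie` combination you chose actually produced the kind of executable you wanted.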