Packages: hardening flags for deb.

2017-12-28 20:38:36 +03:00
parent ad63a3e752
commit d22aa88405
3 changed files with 33 additions and 9 deletions
--- a/pkg/deb/debian/rules.in
+++ b/pkg/deb/debian/rules.in
@@ -3,6 +3,12 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1

+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+export DEB_CFLAGS_MAINT_APPEND=-Wp,-D_FORTIFY_SOURCE=2 -fPIC
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 BUILDDIR_unit = $(CURDIR)/debian/build-unit
 BUILDDIR_unit_debug = $(CURDIR)/debian/build-unit-debug
 INSTALLDIR = $(CURDIR)/debian/unit
@@ -21,16 +27,20 @@ config.env.%:

 configure.unit: config.env.unit
 	cd $(BUILDDIR_unit) && \
-	./configure \
+	CFLAGS= ./configure \
 		%%CONFIGURE_ARGS%% \
-		--modules=/usr/lib/unit/modules
+		--modules=/usr/lib/unit/modules \
+		--cc-opt="$(CFLAGS)" \
+		--ld-opt="$(LDFLAGS)"
 	touch $@

 configure.unit_debug: config.env.unit_debug
 	cd $(BUILDDIR_unit_debug) && \
-	./configure \
+	CFLAGS= ./configure \
 		%%CONFIGURE_ARGS%% \
 		--modules=/usr/lib/unit/debug-modules \
+		--cc-opt="$(CFLAGS)" \
+		--ld-opt="$(LDFLAGS)" \
 		--debug
 	touch $@