@@ -75,8 +75,12 @@ OPTFLAGS = -O2 -g -pipe -Wall -Wextra -Wformat=2 -Werror=implicit-int \
-Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong \
--param=ssp-buffer-size=4
-CFLAGS = $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\"
+CFLAGS = $(OPTFLAGS) -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\"
+BIN_CFLAGS = -fPIE -DPIE
+LIB_CFLAGS = -fPIC
SHARED_FLAGS = -shared
+LDFLAGS = -Wl,-z,relro -Wl,-z,now
+BIN_LDFLAGS = -pie
# Check whether a function with name $1 has been declared in header file $2.
check_func = \
@@ -3,7 +3,8 @@
#
include ../Makefile.inc
-CFLAGS += -I. -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS += $(BIN_CFLAGS) -I. -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+LDFLAGS += $(BIN_LDFLAGS)
LIBDEPS += -ldevmapper
@@ -15,7 +15,7 @@ HEADERS = libdmmp/libdmmp.h
OBJS = libdmmp.o libdmmp_mp.o libdmmp_pg.o libdmmp_path.o libdmmp_misc.o
-CFLAGS += -fvisibility=hidden -I$(libdmmpdir) -I$(mpathcmddir) \
+CFLAGS += $(LIB_CFLAGS) -fvisibility=hidden -I$(libdmmpdir) -I$(mpathcmddir) \
$(shell pkg-config --cflags json-c)
LIBDEPS += $(shell pkg-config --libs json-c) -L$(mpathcmddir) -lmpathcmd -lpthread
@@ -4,6 +4,8 @@ SONAME = 0
DEVLIB = libmpathcmd.so
LIBS = $(DEVLIB).$(SONAME)
+CFLAGS += $(LIB_CFLAGS)
+
OBJS = mpath_cmd.o
all: $(LIBS)
@@ -4,7 +4,7 @@ SONAME = 0
DEVLIB = libmpathpersist.so
LIBS = $(DEVLIB).$(SONAME)
-CFLAGS += -I$(multipathdir) -I$(mpathpersistdir) -I$(mpathcmddir)
+CFLAGS += $(LIB_CFLAGS) -I$(multipathdir) -I$(mpathpersistdir) -I$(mpathcmddir)
LIBDEPS += -lpthread -ldevmapper -ldl -L$(multipathdir) -lmultipath \
-L$(mpathcmddir) -lmpathcmd
@@ -7,7 +7,7 @@ SONAME = 0
DEVLIB = libmultipath.so
LIBS = $(DEVLIB).$(SONAME)
-CFLAGS += -I$(mpathcmddir)
+CFLAGS += $(LIB_CFLAGS) -I$(mpathcmddir)
LIBDEPS += -lpthread -ldl -ldevmapper -ludev -L$(mpathcmddir) -lmpathcmd -lurcu
@@ -3,7 +3,7 @@
#
include ../../Makefile.inc
-CFLAGS += -I..
+CFLAGS += $(LIB_CFLAGS) -I..
# If you add or remove a checker also update multipath/multipath.conf.5
LIBS= \
@@ -3,7 +3,7 @@
#
include ../../Makefile.inc
-CFLAGS += -I..
+CFLAGS += $(LIB_CFLAGS) -I..
# If you add or remove a prioritizer also update multipath/multipath.conf.5
LIBS = \
@@ -1,6 +1,7 @@
include ../Makefile.inc
-CFLAGS += -I$(multipathdir) -I$(mpathpersistdir)
+CFLAGS += $(BIN_CFLAGS) -I$(multipathdir) -I$(mpathpersistdir)
+LDFLAGS += $(BIN_LDFLAGS)
LIBDEPS += -lpthread -ldevmapper -L$(mpathpersistdir) -lmpathpersist \
-L$(multipathdir) -L$(mpathcmddir) -lmpathcmd -lmultipath -ludev
@@ -3,8 +3,8 @@
#
include ../Makefile.inc
-CFLAGS += -I$(multipathdir) -I$(mpathcmddir)
-
+CFLAGS += $(BIN_CFLAGS) -I$(multipathdir) -I$(mpathcmddir)
+LDFLAGS += $(BIN_LDFLAGS)
LIBDEPS += -lpthread -ldevmapper -ldl -L$(multipathdir) -lmultipath -ludev \
-L$(mpathcmddir) -lmpathcmd
@@ -6,9 +6,9 @@ include ../Makefile.inc
#CFLAGS += -DLCKDBG
#CFLAGS += -D_DEBUG_
#CFLAGS += -DLOGDBG
-CFLAGS += -I$(multipathdir) -I$(mpathpersistdir) -I$(mpathcmddir) \
- -I$(thirdpartydir)
-
+CFLAGS += $(BIN_CFLAGS) -I$(multipathdir) -I$(mpathpersistdir) \
+ -I$(mpathcmddir) -I$(thirdpartydir)
+LDFLAGS += $(BIN_LDFLAGS)
LIBDEPS += -ludev -ldl -L$(multipathdir) -lmultipath -L$(mpathpersistdir) \
-lmpathpersist -L$(mpathcmddir) -lmpathcmd -lurcu -lpthread \
-ldevmapper -lreadline
The multipath binaries were not being compiled as position independent executables (PIE). This code fixes that, and makes other minor code hardening tweaks to make hardening-check happier. Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com> --- Makefile.inc | 6 +++++- kpartx/Makefile | 3 ++- libdmmp/Makefile | 2 +- libmpathcmd/Makefile | 2 ++ libmpathpersist/Makefile | 2 +- libmultipath/Makefile | 2 +- libmultipath/checkers/Makefile | 2 +- libmultipath/prioritizers/Makefile | 2 +- mpathpersist/Makefile | 3 ++- multipath/Makefile | 4 ++-- multipathd/Makefile | 6 +++--- 11 files changed, 21 insertions(+), 13 deletions(-)