[Pkg-pascal-devel] Improve hardening situation of FPC generated programs (was: Lazarus lintian warnings)
Abou Al Montacir
abou.almontacir at sfr.fr
Fri Jan 31 19:00:24 GMT 2025
Hi All,
On Mon, 2024-10-28 at 23:32 +0100, Abou Al Montacir wrote:
> Hi Peter,
>
> On Mon, 2024-10-28 at 12:32 +0000, Peter B wrote:
> > A further thought on this subject.
> >
> > It would of course be preferable to build with -pie,
> > rather than override the warning, if it works.
> Yes, but as we did not have a new FPC version, I doubt it will work.
> >
> > Does anyone know for sure whether there is still any issue here with armhf?
> I suppose yes, but we can have a trial.
> >
> > pie is disabled in the lazarus build for armhf,
> > but I have two fpc packages that build with -pie on armhf
> > and both are passing autopkgtest.
> Lazarus is unlikely to be compared to other projects as it is far bigger than
> any other FPC compiled program.
> However, we can try and see what issues will arise.
> >
> >
> > Another question:
> > -pie is disabled on three architectures, armhf, ppc64 & ppc64el,
> > but there are only two lintian warnings. Any ideas?
> No idea.
I would propose that, instead of letting each program bother with hardening
alone, FPC provides a facility to help.
The solution I imagine is that we provide a hardening configuration file (let's
call it hardening) in the FPC configuration directory (/etc/fpc-${VERSION}.cfg.d).
This way any program that wants to enforce hardening just adds the @hardening
compiler option and is done with hardening.
A basic example would be: fpc @hardening myprog
Now the content of the file may vary between targets. For example it can be
empty for those that do not support PIE and other hardening options, but not for
amd64.
Something like this:
#IFDEF CPUAMD64
-XD
#ENDIF
#IFDEF CPUI386
-XD
#ENDIF
#IFDEF CPUARMEL
-XD
#ENDIF
#IFDEF CPUARM64
-XD
#ENDIF
#SECTION FPC_LINK_DYNAMIC
#WRITE Enabled Hardening for Dynamically Linked Executable
# Enable Position Independent Code (-fPIC)
-Cg
# Force dynamic linker (this path is the amd64 loader)
-k--dynamic-linker=/lib64/ld-linux-x86-64.so.2
# Enable Position Independent Executable (-fPIE)
-k-pie
# Resolve all symbols at load time (BIND_NOW)
-k-znow
This forces all programs to be dynamically linked (even if not needed) and to be
PIE.
If everyone is OK, I can prepare an upload with that change.
--
Cheers,
Abou Al Montacir
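As an added example (not code from this thread, from FPC or from Debian), a small standard-library Python checker for the three properties the proposed @hardening file is meant to produce in the resulting binary: PIE (ELF type ET_DYN), an explicit dynamic linker recorded in PT_INTERP, and BIND_NOW from -znow. The two ELF images it inspects are constructed inside the block; check_file runs the same check on a real binary, for instance one built with fpc @hardening.

```python
"""Check an ELF64 image for what the @hardening file should yield: PIE (ET_DYN), a
recorded dynamic linker (PT_INTERP) and BIND_NOW (-z now). Added example, stdlib only."""
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'interp', 'bind_now'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # ELF header: ident, type, machine, version, entry, phoff, shoff, flags, ehsize, phentsize, phnum
    _, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<16sHHIQQQIHHH", data)
    result = {"pie": e_type == ET_DYN, "interp": None, "bind_now": False}
    for i in range(e_phnum):  # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        seg = data[p_off:p_off + p_filesz]
        if p_type == PT_INTERP:
            result["interp"] = seg.rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            for j in range(0, len(seg) - 15, 16):  # Elf64_Dyn is 16 bytes: d_tag, d_val
                tag, val = struct.unpack_from("<QQ", seg, j)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    result["bind_now"] = True
    return result

def check_file(path: str) -> dict:
    """Run the check on a binary on disk, e.g. one built with fpc @hardening."""
    with open(path, "rb") as f:
        return check_hardening(f.read())

def make_elf(e_type: int, segments: list) -> bytes:
    """Build a minimal ELF64 image (header, phdrs, segment data): constructed checker input, not loadable."""
    phoff, phentsize, phdrs, blobs = 64, 56, b"", b""
    for p_type, blob in segments:
        p_off = phoff + phentsize * len(segments) + len(blobs)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, p_off, 0, 0, len(blob), len(blob), 1)
        blobs += blob
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0, 64, phentsize, len(segments), 64, 0, 0)
    return ident + hdr + phdrs + blobs

# Constructed samples: what -k-pie plus -k-znow should produce, and a plain static ET_EXEC.
HARDENED = make_elf(ET_DYN, [(PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\0"),
                             (PT_DYNAMIC, struct.pack("<QQQQ", DT_FLAGS_1, DF_1_NOW, DT_NULL, 0))])
PLAIN = make_elf(ET_EXEC, [])
```

A binary that passes lintian's PIE check should report pie True; a missing interp with pie True indicates a static PIE, which the -XD line in the proposed file is meant to avoid.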