[Olsr-dev] making olsrd a "Position Independent Executable" i.e. gcc -pie -fPIE
Henning Rogge
(spam-protected)
Tue Oct 2 23:03:39 CEST 2012
On Tue, Oct 2, 2012 at 10:56 PM, Hans-Christoph Steiner
<(spam-protected)> wrote:
>
> I'm in the process of making olsrd build properly with all of the Debian
> hardening flags. One of the things the hardening wants is to have the
> executable built with -fPIE and linked with -pie.
>
> Has anyone worked with this in olsrd before?
We did some experiments with the master branch about it.
The trick was to add the following flags:

    CFLAGS += -fPIE
    LDFLAGS += -pie

And you need to use at least "-O2".
> Any particular objections
> to including such a thing in olsrd proper?
Last time we put it into Makefile.inc as an option... not sure this
was a good idea.
> I think we need to do as
> much as we can to make sure olsrd has minimal exploits, since it runs
> fully as root.
Yes, unfortunately we cannot give root away after initializing... even
if we could hand over the rtnetlink socket to another process, OLSRd
needs the capability to open new sockets when an interface goes up.
Henning Rogge
--
Steven Hawkings about cosmic inflation: "An increase of billions of
billions of percent in a tiny fraction of a second. Of course, that
was before the present government."