[oe] [meta-oe][PATCH 2/2] meta_oe_security_flags: disable PIE for libdbus-c++

André Draszik git at andred.net
Fri Nov 25 15:18:03 UTC 2016


From: André Draszik <adraszik at tycoint.com>

The short version - it ain't working.

The long version:

For shared libraries made from C++ sources, configure
runs some code to determine how to link shared libraries
(from libtool.m4) using g++. In particular, it calls
    g++ ${CFLAGS} -c conftest.c
    g++ ${CFLAGS} -nostdinc -shared -v conftest.o
to then parse the gcc -v output.

If CFLAGS contains -pie -fpie, g++ adds Scrt1.o to the
objects being linked together to form the final output.

Once Scrt1.o is pulled into a shared library, it becomes
impossible to link this DSO against a final binary. I
didn't investigate why, but I suspect because of
    -Wl,relro -Wl,now

libtool takes note of Scrt1.o (and all other libraries
added by gcc, but those don't matter here) and adds it
everywhere a shared library is being created, see
predep_objects= and postdep_objects= in the
'LIBTOOL TAG CONFIG: CXX' section.

In other words, the shared library created during
the build can't be linked against. This includes
some applications that are part of the libdbus-c++
source tree, but also any other external user.

While I am not sure if the root of the issue is in
- gcc (should it really add Scrt1.o despite -shared),
  or in
- libtool (should it filter out -pie -fpie during the
  configure step), or even in
- OE (should it really be adding -pie -fpie to
  everything, even shared libraries by default and
  unconditionally),
we can make things work by using SECURITY_NO_PIE_CFLAGS
instead.

Signed-off-by: André Draszik <adraszik at tycoint.com>
---
 meta-oe/conf/distro/include/meta_oe_security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/conf/distro/include/meta_oe_security_flags.inc b/meta-oe/conf/distro/include/meta_oe_security_flags.inc
index 2559948..f027008 100644
--- a/meta-oe/conf/distro/include/meta_oe_security_flags.inc
+++ b/meta-oe/conf/distro/include/meta_oe_security_flags.inc
@@ -1,4 +1,5 @@
 # Build errors with the pie options enabled
+SECURITY_CFLAGS_pn-libdbus-c++ = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-lvm2 = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-rrdtool = "${SECURITY_NO_PIE_CFLAGS}"
 
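Review bot: The added SECURITY_CFLAGS_pn-libdbus-c++ line sits under the generic comment "Build errors with the pie options enabled" with nothing next to it recording why this recipe is exempt, so the Scrt1.o/libtool explanation exists only in the commit message. A one-line comment above the entry naming that cause (Scrt1.o recorded in libtool's predep_objects when -pie -fpie is in CFLAGS) would let someone re-test and drop the override later. It would also help to confirm in that comment that only the PIE flags are dropped for this recipe, as the SECURITY_NO_PIE_CFLAGS name suggests, and that the rest of the hardening flags still apply.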
-- 
2.10.2
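
A check for the condition described in the message above, added here as an example and not part of the original post or of the OE or libtool sources: it scans the 'LIBTOOL TAG CONFIG: CXX' section of a generated `libtool` script for `Scrt1.o` in `predep_objects=` or `postdep_objects=`. The sample scripts and their `/sysroot` paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# check_libtool_cxx_predeps FILE
# Prints every Scrt1.o entry recorded for C++ links. Returns 0 if none,
# 1 if Scrt1.o is listed, 2 if FILE has no CXX tag section.
check_libtool_cxx_predeps() {
    awk '
        /^# ### BEGIN LIBTOOL TAG CONFIG: CXX/ { in_cxx = 1; seen = 1; next }
        /^# ### END LIBTOOL TAG CONFIG: CXX/   { in_cxx = 0 }
        in_cxx && /^(predep_objects|postdep_objects)=/ {
            var = $0; sub(/=.*/, "", var)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/"/, "", val)
            n = split(val, obj, " ")
            for (i = 1; i <= n; i++)
                if (obj[i] ~ /(^|\/)Scrt1\.o$/) { print var ": " obj[i]; bad = 1 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample FILE pie|nopie
# Constructed CXX tag section; "pie" mimics a configure run with -pie -fpie.
write_sample() {
    first=""
    if [ "$2" = pie ]; then first="/sysroot/usr/lib/Scrt1.o "; fi
    cat > "$1" <<EOF
# ### BEGIN LIBTOOL TAG CONFIG: CXX
predep_objects="${first}/sysroot/usr/lib/crti.o /sysroot/usr/lib/gcc/crtbeginS.o"
postdep_objects="/sysroot/usr/lib/gcc/crtendS.o /sysroot/usr/lib/crtn.o"
# ### END LIBTOOL TAG CONFIG: CXX
EOF
}

# Demo on the two constructed samples.
tmp=$(mktemp -d)
write_sample "$tmp/libtool.pie" pie
write_sample "$tmp/libtool.nopie" nopie
for f in "$tmp"/libtool.*; do
    if check_libtool_cxx_predeps "$f"; then echo "$f: clean"
    else echo "$f: Scrt1.o recorded for shared C++ links"; fi
done
rm -rf "$tmp"
```

Run against the `libtool` script in a recipe's build directory, a return code of 1 marks a recipe that would need the same `SECURITY_NO_PIE_CFLAGS` override.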
