Description: Add dpkg-buildflags hardening flags via QMake
https://wiki.debian.org/Hardening#Notes_for_packages_using_QMake
The overlay intentionally disables the "-z,now" linker flag in
order to be able to resolve OpenGL symbols at runtime without
linking against a specific libGL implementation.
Author: Christopher Knadle <Chris.Knadle@coredump.us>
Last-Updated: 2020-01-07
--- a/qmake/compiler.pri
+++ b/qmake/compiler.pri
@@ -223,6 +223,11 @@
unix|win32-g++ {
DEFINES *= RESTRICT=__restrict__
+ # Add Debian hardening flags via dpkg-buildflags
+ QMAKE_CPPFLAGS *= $(shell dpkg-buildflags --get CPPFLAGS)
+ QMAKE_CFLAGS *= $(shell dpkg-buildflags --get CFLAGS)
+ QMAKE_CXXFLAGS *= $(shell dpkg-buildflags --get CXXFLAGS)
+ QMAKE_LFLAGS *= $(shell dpkg-buildflags --get LDFLAGS)
QMAKE_CFLAGS *= -fvisibility=hidden
QMAKE_CXXFLAGS *= -fvisibility=hidden
QMAKE_OBJECTIVE_CFLAGS *= -fvisibility=hidden
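Review bot: The `QMAKE_CPPFLAGS` assignment may have no effect, because as far as I know qmake's stock mkspecs do not feed a variable of that name into the compile line, so the preprocessor-level hardening from `dpkg-buildflags --get CPPFLAGS` (typically `-D_FORTIFY_SOURCE=2`) may never reach the compiler. The same four lines are repeated in the overlay_gl/overlay_gl.pro hunk, so the point applies there too. Consider also appending the CPPFLAGS output to the variables qmake does use, e.g. `QMAKE_CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)` and `QMAKE_CXXFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)`, and confirm in the build log that the define appears on the compile commands. The enclosing `unix|win32-g++ {` scope continues outside this hunk.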
--- a/overlay_gl/overlay_gl.pro
+++ b/overlay_gl/overlay_gl.pro
@@ -24,6 +24,16 @@
linux* {
LIBS *= -lrt -ldl
}
+ # Add Debian hardening flags via dpkg-buildflags
+ QMAKE_CPPFLAGS *= $(shell dpkg-buildflags --get CPPFLAGS)
+ QMAKE_CFLAGS *= $(shell dpkg-buildflags --get CFLAGS)
+ QMAKE_CXXFLAGS *= $(shell dpkg-buildflags --get CXXFLAGS)
+ QMAKE_LFLAGS *= $(shell dpkg-buildflags --get LDFLAGS)
+ #... but specifically remove "-z,now" because mumble-overlay (libmumble.so)
+ # needs to be able to resolve OpenGL symbols at runtime rather than linking
+ # to a specific libGL implementation
+ QMAKE_LFLAGS -= -z,now
+ #
QMAKE_CFLAGS *= -fvisibility=hidden $(CFLAGS_ADD)
QMAKE_LFLAGS -= -Wl,--no-undefined
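Review bot: The `QMAKE_LFLAGS -= -z,now` line probably removes nothing: dpkg-buildflags emits the option as `-Wl,-z,now`, and at qmake time QMAKE_LFLAGS holds only the unexpanded `$(shell dpkg-buildflags --get LDFLAGS)` text, so there is no `-z,now` element to subtract. If the package build enables the bindnow feature, the overlay would still be linked with immediate binding, contrary to what the comment says. Disabling the feature where the flags are queried is more reliable, for example running `DEB_BUILD_MAINT_OPTIONS=hardening=+all,-bindnow dpkg-buildflags --get LDFLAGS` inside the `$(shell …)` call for this file (the option list should mirror what debian/rules sets). The comment should also record the trade-off, `# NOTE: without -z,now libmumble.so gets partial RELRO only; the GOT stays writable`, and the result is worth confirming with `readelf -d` on the built library.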