Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   dpkg-buildflags    ( 1 )

возвращает флаги сборки для использования во время сборки пакета (returns build flags to use during package build)
  Name  |  Synopsis  |  Description  |  Commands  |  Supported flags  |    Feature areas    |  Environment  |  Files  |  Examples  |

FEATURE AREAS

Each area feature can be enabled and disabled in the DEB_BUILD_OPTIONS and DEB_BUILD_MAINT_OPTIONS environment variable's area value with the '+' and '-' modifier. For example, to enable the hardening 'pie' feature and disable the 'fortify' feature you can do this in debian/rules:

export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify

The special feature all (valid in any area) can be used to enable or disable all area features at the same time. Thus disabling everything in the hardening area and enabling only 'format' and 'fortify' can be achieved with:

export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify

future Several compile-time options (detailed below) can be used to enable features that should be enabled by default, but cannot due to backwards compatibility reasons.

lfs This setting (disabled by default) enables Large File Support on 32-bit architectures where their ABI does not include LFS by default, by adding -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 to CPPFLAGS.

qa Several compile-time options (detailed below) can be used to help detect problems in the source code or build system.

bug This setting (disabled by default) adds any warning option that reliably detects problematic source code. The warnings are fatal. The only currently supported flags are CFLAGS and CXXFLAGS with flags set to -Werror=array-bounds, -Werror=clobbered, -Werror=implicit-function-declaration and -Werror=volatile-register-var.

canary This setting (disabled by default) adds dummy canary options to the build flags, so that the build logs can be checked for how the build flags propagate and to allow finding any omission of normal build flag settings. The only currently supported flags are CPPFLAGS, CFLAGS, OBJCFLAGS, CXXFLAGS and OBJCXXFLAGS with flags set to -D__DEB_CANARY_flag_random-id__, and LDFLAGS set to -Wl,-z,deb-canary-random-id.

sanitize Several compile-time options (detailed below) can be used to help sanitize a resulting binary against memory corruptions, memory leaks, use after free, threading data races and undefined behavior bugs. Note: these options should not be used for production builds as they can reduce reliability for conformant code, reduce security or even functionality.

address This setting (disabled by default) adds -fsanitize=address to LDFLAGS and -fsanitize=address -fno-omit-frame-pointer to CFLAGS and CXXFLAGS.

thread This setting (disabled by default) adds -fsanitize=thread to CFLAGS, CXXFLAGS and LDFLAGS.

leak This setting (disabled by default) adds -fsanitize=leak to LDFLAGS. It gets automatically disabled if either the address or the thread features are enabled, as they imply it.

undefined This setting (disabled by default) adds -fsanitize=undefined to CFLAGS, CXXFLAGS and LDFLAGS.

hardening Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks, or provide additional warning messages during compilation. Except as noted below, these are enabled by default for architectures that support them.

format This setting (enabled by default) adds -Wformat -Werror=format-security to CFLAGS, CXXFLAGS, OBJCFLAGS and OBJCXXFLAGS. This will warn about improper format string uses, and will fail when format functions are used in a way that represent possible security problems. At present, this warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf(foo); instead of printf("%s", foo); This may be a security hole if the format string came from untrusted input and contains '%n'.

fortify This setting (enabled by default) adds -D_FORTIFY_SOURCE=2 to CPPFLAGS. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain '%n' are blocked. If an application depends on such a format string, it will need to be worked around.

Note that for this option to have any effect, the source must also be compiled with -O1 or higher. If the environment variable DEB_BUILD_OPTIONS contains noopt, then fortify support will be disabled, due to new warnings being issued by glibc 2.16 and later.

stackprotector This setting (enabled by default if stackprotectorstrong is not in use) adds -fstack-protector --param=ssp-buffer-size=4 to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS. This adds safety checks against stack overwrites. This renders many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).

This feature requires linking against glibc (or another provider of __stack_chk_fail), so needs to be disabled when building with -nostdlib or -ffreestanding or similar.

stackprotectorstrong This setting (enabled by default) adds -fstack-protector-strong to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS. This is a stronger variant of stackprotector, but without significant performance penalties.

Disabling stackprotector will also disable this setting.

This feature has the same requirements as stackprotector, and in addition also requires gcc 4.9 and later.

relro This setting (enabled by default) adds -Wl,-z,relro to LDFLAGS. During program load, several ELF memory sections need to be written to by the linker. This flags the loader to turn these sections read-only before turning over control to the program. Most notably this prevents GOT overwrite attacks. If this option is disabled, bindnow will become disabled as well.

bindnow This setting (disabled by default) adds -Wl,-z,now to LDFLAGS. During program load, all dynamic symbols are resolved, allowing for the entire PLT to be marked read- only (due to relro above). The option cannot become enabled if relro is not enabled.

pie This setting (with no global default since dpkg 1.18.23, as it is enabled by default now by gcc on the amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, mips64el, powerpc, ppc64, ppc64el, riscv64, s390x, sparc and sparc64 Debian architectures) adds the required options to enable or disable PIE via gcc specs files, if needed, depending on whether gcc injects on that architecture the flags by itself or not. When the setting is enabled and gcc injects the flags, it adds nothing. When the setting is enabled and gcc does not inject the flags, it adds -fPIE (via /usr/local/share/dpkg/pie-compiler.specs) to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and -fPIE -pie (via /usr/local/share/dpkg/pie- link.specs) to LDFLAGS. When the setting is disabled and gcc injects the flags, it adds -fno-PIE (via /usr/local/share/dpkg/no-pie-compile.specs) to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and -fno-PIE -no-pie (via /usr/local/share/dpkg/no-pie-link.specs) to LDFLAGS.

Position Independent Executable are needed to take advantage of Address Space Layout Randomization, supported by some kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position- independent. Shared libraries already do this (-fPIC), so they gain ASLR automatically, but binary .text regions need to be build PIE to gain ASLR. When this happens, ROP (Return Oriented Programming) attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

PIE is not compatible with -fPIC, so in general care must be taken when building shared objects. But because the PIE flags emitted get injected via gcc specs files, it should always be safe to unconditionally set them regardless of the object type being compiled or linked.

Static libraries can be used by programs or other shared libraries. Depending on the flags used to compile all the objects within a static library, these libraries will be usable by different sets of objects:

none Cannot be linked into a PIE program, nor a shared library.

-fPIE Can be linked into any program, but not a shared library (recommended).

-fPIC Can be linked into any program and shared library.

If there is a need to set these flags manually, bypassing the gcc specs injection, there are several things to take into account. Unconditionally and explicitly passing -fPIE, -fpie or -pie to a build-system using libtool is safe as these flags will get stripped when building shared libraries. Otherwise on projects that build both programs and shared libraries you might need to make sure that when building the shared libraries -fPIC is always passed last (so that it overrides any previous -PIE) to compilation flags such as CFLAGS, and -shared is passed last (so that it overrides any previous -pie) to linking flags such as LDFLAGS. Note: This should not be needed with the default gcc specs machinery.

Additionally, since PIE is implemented via a general register, some register starved architectures (but not including i386 anymore since optimizations implemented in gcc >= 5) can see performance losses of up to 15% in very text-segment-heavy application workloads; most workloads see less than 1%. Architectures with more general registers (e.g. amd64) do not see as high a worst-case penalty.

reproducible The compile-time options detailed below can be used to help improve build reproducibility or provide additional warning messages during compilation. Except as noted below, these are enabled by default for architectures that support them.

timeless This setting (enabled by default) adds -Wdate-time to CPPFLAGS. This will cause warnings when the __TIME__, __DATE__ and __TIMESTAMP__ macros are used.

fixfilepath This setting (disabled by default) adds -ffile-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to the top-level directory of the package being built. This has the effect of removing the build path from any generated file.

If both fixdebugpath and fixfilepath are set, this option takes precedence, because it is a superset of the former.

fixdebugpath This setting (enabled by default) adds -fdebug-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to the top-level directory of the package being built. This has the effect of removing the build path from any generated debug symbols.