NAME¶
hardened-ld - linker wrapper to enforce hardening toolchain improvements
SYNOPSIS¶
export DEB_BUILD_HARDENING=1
ld ...
DESCRIPTION¶
The
hardened-ld wrapper is normally used by calling
ld as usual
with
DEB_BUILD_HARDENING set to 1. It will configure the necessary
toolchain hardening features. By default, all features are enabled. If a given
feature does not work correctly and needs to be disabled, the corresponding
environment variables mentioned below can be set to 0.
ENVIRONMENT¶
- DEB_BUILD_HARDENING=1
- Enable hardening features.
- DEB_BUILD_HARDENING_DEBUG=1
- Print the full resulting gcc command line to STDERR before calling
gcc.
- DEB_BUILD_HARDENING_RELRO=0
- Don't mark ELF sections read-only after start. See README.Debian for
details.
- DEB_BUILD_HARDENING_BINDNOW=0
- Don't mark ELF loader for start-up dynamic resolution. See README.Debian
for details.
NOTES¶
System-wide settings can be added to
/etc/hardening-wrapper.conf, one per
line.
The real
ld is renamed
ld.real, and a diversion is registered with
dpkg-divert(1). Thus
hardened-ld's idea of the default
ld
is dictated by whatever package installed
/usr/bin/ld.
SEE ALSO¶
hardened-cc(1) ld(1)