table of contents
dpkg-buildflags(1) | dpkg suite | dpkg-buildflags(1) |
NAME¶
dpkg-buildflags - returns build flags to use during package buildSYNOPSIS¶
dpkg-buildflags [option...] [command]DESCRIPTION¶
dpkg-buildflags is a tool to retrieve compilation flags to use during build of Debian packages. The default flags are defined by the vendor but they can be extended/overriden in several ways:- 1.
- system-wide with /etc/dpkg/buildflags.conf;
- 2.
- for the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf where $XDG_CONFIG_HOME defaults to $HOME/.config;
- 3.
- temporarily by the user with environment variables (see section ENVIRONMENT);
- 4.
- dynamically by the package maintainer with environment variables set via debian/rules (see section ENVIRONMENT).
- SET flag value
- Override the flag named flag to have the value value.
- STRIP flag value
- Strip from the flag named flag all the build flags listed in value.
- APPEND flag value
- Extend the flag named flag by appending the options given in value. A space is prepended to the appended value if the flag's current value is non-empty.
- PREPEND flag value
- Extend the flag named flag by prepending the options given in value. A space is appended to the prepended value if the flag's current value is non-empty.
COMMANDS¶
- --dump
- Print to standard output all compilation flags and their values. It prints one flag per line separated from its value by an equal sign (" flag=value"). This is the default action.
- --list
- Print the list of flags supported by the current vendor (one per line). See the SUPPORTED FLAGS section for more information about them.
- --status
- Display any information that can be useful to explain the
behaviour of dpkg-buildflags: relevant environment variables,
current vendor, state of all feature flags. Also print the resulting
compiler flags with their origin.
- --export=format
- Print to standard output shell (if format is sh) or make (if format is make) commands that can be used to export all the compilation flags in the environment. If format is configure then the output can be used on a ./configure command-line. If the format value is not given, sh is assumed. Only compilation flags starting with an upper case character are included, others are assumed to not be suitable for the environment.
- --get flag
- Print the value of the flag on standard output. Exits with 0 if the flag is known otherwise exits with 1.
- --origin flag
- Print the origin of the value that is returned by --get. Exits with 0 if the flag is known otherwise exits with 1. The origin can be one of the following values:
- vendor
- the original flag set by the vendor is returned;
- system
- the flag is set/modified by a system-wide configuration;
- user
- the flag is set/modified by a user-specific configuration;
- env
- the flag is set/modified by an environment-specific configuration.
- --query-features area
- Print the features enabled for a given area. The only currently recognized area is hardening. Exits with 0 if the area is known otherwise exits with 1.
- The output format is RFC822 header-style, with one section per feature. For example:
-
Feature: pie Enabled: no Feature: stackprotector Enabled: yes
- --help
- Show the usage message and exit.
- --version
- Show the version and exit.
SUPPORTED FLAGS¶
- CFLAGS
- Options for the C compiler. The default value set by the vendor includes -g and the default optimization level (-O2 usually, or -O0 if the DEB_BUILD_OPTIONS environment variable defines noopt).
- CPPFLAGS
- Options for the C preprocessor. Default value: empty.
- CXXFLAGS
- Options for the C++ compiler. Same as CFLAGS.
- FFLAGS
- Options for the Fortran compiler. Same as CFLAGS.
- LDFLAGS
- Options passed to the compiler when linking executables or shared objects (if the linker is called directly, then -Wl and , have to be stripped from these options). Default value: empty.
FILES¶
- /etc/dpkg/buildflags.conf
- System wide configuration file.
- $XDG_CONFIG_HOME/dpkg/buildflags.conf or $HOME/.config/dpkg/buildflags.conf
- User configuration file.
ENVIRONMENT¶
There are 2 sets of environment variables doing the same operations, the first one (DEB_ flag_op) should never be used within debian/rules. It's meant for any user that wants to rebuild the source package with different build flags. The second set (DEB_ flag_MAINT_op) should only be used in debian/rules by package maintainers to change the resulting build flags.- DEB_flag_SET
- DEB_flag_MAINT_SET This variable can be used to force the value returned for the given flag.
- DEB_flag_STRIP
- DEB_flag_MAINT_STRIP This variable can be used to provide a space separated list of options that will be stripped from the set of flags returned for the given flag.
- DEB_flag_APPEND
- DEB_flag_MAINT_APPEND This variable can be used to append supplementary options to the value returned for the given flag.
- DEB_flag_PREPEND
- DEB_flag_MAINT_PREPEND This variable can be used to prepend supplementary options to the value returned for the given flag.
- DEB_BUILD_MAINT_OPTIONS
- This variable can be used to disable/enable various hardening build flags through the hardening option. See the HARDENING section for details.
HARDENING¶
Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks, or provide additional warning messages during compilation. Except as noted below, these are enabled by default for architectures that support them. Each hardening feature can be enabled and disabled in the DEB_BUILD_MAINT_OPTIONS environment variable's hardening value with the "+" and "-" modifier. For example, to enable the "pie" feature and disable the "fortify" feature you can do this in debian/rules:export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify The special feature all can be used to enable or disable all hardening features at the same time. Thus disabling everything and enabling only "format" and "fortify" can be achieved with:
export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify
- format
- This setting (enabled by default) adds -Wformat -Werror=format-security to CFLAGS and CXXFLAGS. This will warn about improper format string uses, and will fail when format functions are used in a way that represent possible security problems. At present, this warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf(foo); instead of printf("%s", foo); This may be a security hole if the format string came from untrusted input and contains "%n".
- fortify
- This setting (enabled by default) adds
-D_FORTIFY_SOURCE=2 to CPPFLAGS. During code generation the
compiler knows a great deal of information about buffer sizes (where
possible), and attempts to replace insecure unlimited length buffer
function calls with length-limited ones. This is especially useful for
old, crufty code. Additionally, format strings in writable memory that
contain '%n' are blocked. If an application depends on such a format
string, it will need to be worked around.
- stackprotector
- This setting (enabled by default) adds -fstack-protector
--param=ssp-buffer-size=4 to CFLAGS and CXXFLAGS. This
adds safety checks against stack overwrites. This renders many potential
code injection attacks into aborting situations. In the best case this
turns code injection vulnerabilities into denial of service or into
non-issues (depending on the application).
- relro
- This setting (enabled by default) adds -Wl,-z,relro to LDFLAGS. During program load, several ELF memory sections need to be written to by the linker. This flags the loader to turn these sections read-only before turning over control to the program. Most notably this prevents GOT overwrite attacks. If this option is disabled, bindnow will become disabled as well.
- bindnow
- This setting (disabled by default) adds -Wl,-z,now to LDFLAGS. During program load, all dynamic symbols are resolved, allowing for the entire PLT to be marked read-only (due to relro above). The option cannot become enabled if relro is not enabled.
- pie
- This setting (disabled by default) adds -fPIE to
CFLAGS and CXXFLAGS, and -fPIE -pie to
LDFLAGS. Position Independent Executable are needed to take
advantage of Address Space Layout Randomization, supported by some kernel
versions. While ASLR can already be enforced for data areas in the stack
and heap (brk and mmap), the code areas must be compiled as
position-independent. Shared libraries already do this (-fPIC), so they
gain ASLR automatically, but binary .text regions need to be build PIE to
gain ASLR. When this happens, ROP (Return Oriented Programming) attacks
are much harder since there are no static locations to bounce off of
during a memory corruption attack.
2012-04-03 | Debian Project |