Build binaries with relro/pie/bind_now

Note that package 'annobin-plugin-gcc' should be installed on the system to build the binaries. Signed-off-by: Vector Li <[email protected]>
restraint-harness · Jan 16, 2023 · 606f3e5 · 606f3e5
1 parent 2b0d8ab
commit 606f3e5
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/src/Makefile b/src/Makefile
@@ -33,6 +33,19 @@ CFLAGS += -Wall -Werror -std=c99 $(shell pkg-config --cflags $(PACKAGES))
 # Keep this until we have Glib 2.68 in third-party module
 CFLAGS += -Wno-deprecated-declarations
 
+# XXX: Support to build binaries relro/pie/bind_now. For more,
+#      please refer to:
+#          https://github.com/restraint-harness/restraint/issues/255
+#CFLAGS += -fshort-enums
+#CFLAGS += -fcf-protection=full
+#CFLAGS += -fplugin=annobin
+#CFLAGS += -fstack-protector-strong
+#CFLAGS += -D_FORTIFY_SOURCE=3
+#CFLAGS += -D_GLIBCXX_ASSERTIONS
+CFLAGS += -Wl,-pie -fpie
+LDFLAGS += -Wl,-z,now
+LDFLAGS += -pie
+
 ifeq ($(STATIC), 1)
     # The LIBS list must start with static then followed with dynamic.
     # DYNAMICLIBS must be stripped out of THIRDPTYLIBS leaving