https://redmine.openinfosecfoundation.org/https://redmine.openinfosecfoundation.org/favicon.ico?17011170022015-08-18T05:23:09ZOpen Information Security FoundationSuricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=54452015-08-18T05:23:09ZVictor Julienvictor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Victor Julien</i></li><li><strong>Target version</strong> set to <i>3.0RC1</i></li></ul><p>Strange error. It works for me on Ubuntu 14.04. Any chance you can find out what that error is?</p>
<p>On the --enable-pie option, I think it's a good idea.</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55372015-09-28T16:13:18ZAlexander Gozman
<ul></ul><p>Something's wrong with CFLAGS, -fPIC should solve the problem: <a class="external" href="https://github.com/inliniac/suricata/pull/1664">https://github.com/inliniac/suricata/pull/1664</a></p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55382015-09-28T16:17:30ZShawn Webbshawn.webb@hardenedbsd.org
<ul></ul><p>Alexander Gozman wrote:</p>
<blockquote>
<p>Something's wrong with CFLAGS, -fPIC should solve the problem: <a class="external" href="https://github.com/inliniac/suricata/pull/1664">https://github.com/inliniac/suricata/pull/1664</a></p>
</blockquote>
<p>You'll likely also need to add -fPIE to CFLAGS.</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55392015-09-29T12:42:52ZAlexander Gozman
<ul></ul><p>Shawn Webb wrote:</p>
<blockquote>
<p>Alexander Gozman wrote:</p>
<blockquote>
<p>Something's wrong with CFLAGS, -fPIC should solve the problem: <a class="external" href="https://github.com/inliniac/suricata/pull/1664">https://github.com/inliniac/suricata/pull/1664</a></p>
</blockquote>
<p>You'll likely also need to add -fPIE to CFLAGS.</p>
</blockquote>
<p>Sure, but it's better to add -pie to LDFLAGS. I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55422015-09-30T07:54:26ZAlexander Gozman
<ul></ul><p>Alexander Gozman wrote:</p>
<blockquote>
<p>Shawn Webb wrote:</p>
<blockquote>
<p>Alexander Gozman wrote:</p>
<blockquote>
<p>Something's wrong with CFLAGS, -fPIC should solve the problem: <a class="external" href="https://github.com/inliniac/suricata/pull/1664">https://github.com/inliniac/suricata/pull/1664</a></p>
</blockquote>
<p>You'll likely also need to add -fPIE to CFLAGS.</p>
</blockquote>
<p>Sure, but it's better to add -pie just to LDFLAGS (adding it to CFLAGS makes no sense). I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.</p>
</blockquote> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55652015-10-12T13:59:36ZAlexander Gozman
<ul><li><strong>Due date</strong> set to <i>10/08/2015</i></li><li><strong>Assignee</strong> changed from <i>Victor Julien</i> to <i>Alexander Gozman</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=55732015-10-14T10:14:41ZVictor Julienvictor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p>Thanks all!</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=61012016-01-12T07:40:46ZShawn Webbshawn.webb@hardenedbsd.org
<ul><li><strong>File</strong> <a href="/attachments/1161">2016-01-12_suricata-3.0.r3.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1161/2016-01-12_suricata-3.0.r3.log">2016-01-12_suricata-3.0.r3.log</a> added</li></ul><p>After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=61072016-01-13T06:39:13ZAlexander Gozman
<ul><li><strong>File</strong> <a href="/attachments/1163">suricata-3.0.r3.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1163/suricata-3.0.r3.log">suricata-3.0.r3.log</a> added</li></ul><p>Shawn Webb wrote:</p>
<blockquote>
<p>After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.</p>
</blockquote>
<p>I can not reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went good without any errors. I've attached the build log from poudriere, maybe it'll make things a bit more clear.</p> Suricata - Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)https://redmine.openinfosecfoundation.org/issues/1527?journal_id=61082016-01-13T07:34:04ZShawn Webbshawn.webb@hardenedbsd.org
<ul></ul><p>Alexander Gozman wrote:</p>
<blockquote>
<p>Shawn Webb wrote:</p>
<blockquote>
<p>After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.</p>
</blockquote>
<p>I can not reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went good without any errors. I've attached the build log from poudriere, maybe it'll make things a bit more clear.</p>
</blockquote>
<p>It appears I was being too aggressive with CFLAGS. Simply using --enable-pie with configure made it work. I had forced CFLAGS=-fPIE and LDFLAGS=-pie before, which is simply too aggressive. On the bright side, I also enabled RELRO and suricata works. So on HardenedBSD, we now have suricata compiled as a PIE with RELRO+BIND_NOW.</p>
<p>Thanks for the hard work! I really appreciate it.</p>