NAME
hardened-ld - linker wrapper to enforce hardening toolchain improvements
SYNOPSIS
export DEB_BUILD_HARDENING=1
ld ...
DESCRIPTION
The hardened-ld wrapper is normally used by calling ld as usual with
DEB_BUILD_HARDENING set to 1. It will configure the necessary toolchain
hardening features. By default, all features are enabled. If a given
feature does not work correctly and needs to be disabled, the
corresponding environment variables mentioned below can be set to 0.
ENVIRONMENT
DEB_BUILD_HARDENING=1
    Enable hardening features.
DEB_BUILD_HARDENING_DEBUG=1
    Print the full resulting gcc command line to STDERR before
    calling gcc.
DEB_BUILD_HARDENING_RELRO=0
    Don’t mark ELF sections read-only after start. See README.Debian
    for details.
DEB_BUILD_HARDENING_BINDNOW=0
    Don’t mark ELF loader for start-up dynamic resolution. See
    README.Debian for details.
NOTES
System-wide settings can be added to /etc/hardening-wrapper.conf, one
per line.
The real ld is renamed ld.real, and a diversion is registered with
dpkg-divert(1). Thus hardened-ld’s idea of the default ld is dictated
by whatever package installed /usr/bin/ld.
SEE ALSO
hardened-cc(1) ld(1)