From 1622f5a39c3a3b407487c38fd6ad3faa626f898f Mon Sep 17 00:00:00 2001
From: Mario Fetka <mario.fetka@gmail.com>
Date: Wed, 29 Apr 2026 09:52:29 +0200
Subject: [PATCH] Hardening ncpfs

---
 Make.rules.in       | 13 ++++++++++++-
 ipx-1.0/Makefile.in |  7 +++----
 ipxdump/Makefile.in |  5 ++---
 sutil/Makefile.in   |  7 +++----
 util/Makefile.in    |  8 ++++----
 5 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/Make.rules.in b/Make.rules.in
index 6b8bd61..730e2b8 100644
--- a/Make.rules.in
+++ b/Make.rules.in
@@ -38,12 +38,23 @@ endif
 
 INCLUDES := -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_builddir)/include
 
+# Default hardening flags.  They are intentionally overridable so that
+# distro/package builds can provide their own policy, for example:
+#   make HARDEN_CFLAGS= HARDEN_LDFLAGS=
+HARDEN_CPPFLAGS ?=
+HARDEN_CFLAGS ?= -O2 -fstack-protector-strong -fstack-clash-protection -D_FORTIFY_SOURCE=3
+HARDEN_LDFLAGS ?= -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
+
+PIE_CFLAGS ?= -fPIE
+PIE_LDFLAGS ?= -pie
+
+CFLAGS_OPTIONS += $(HARDEN_CPPFLAGS) $(HARDEN_CFLAGS)
 CFLAGS_OPTIONS += @CFLAGS@
 CFLAGS_OPTIONS += $(CWARN)
 CFLAGS_DEFINES := -DN_PLAT_LINUX -DLOCALEDIR=\"${localedir}\" -DNCPFS_VERSION=\"${VERSION}\" -DNCPFS_PACKAGE=\"${PACKAGE}\"
 
 CCFLAGS := $(CFLAGS_DEFINES) $(CFLAGS_OPTIONS) $(INCLUDES)
-LDFLAGS := @LDFLAGS@
+LDFLAGS := $(HARDEN_LDFLAGS) @LDFLAGS@
 
 # If your system is ELF, either also do a 'make install', or append the util/
 # directory where the dynamic library resides to the environment
diff --git a/ipx-1.0/Makefile.in b/ipx-1.0/Makefile.in
index 316c56e..d12ce6d 100644
--- a/ipx-1.0/Makefile.in
+++ b/ipx-1.0/Makefile.in
@@ -9,7 +9,6 @@ vpath %.c ${this_srcdir}
 vpath %.8 ${this_srcdir}
 
 LIBS = @INTLLIBS@ @LIBS@
-LDFLAGS = @LDFLAGS@
 
 O_UTILS = ipx_configure.o ipx_cmd.o
 O_UTIIPX = ipx_interface.o ipx_internal_net.o ipx_route.o
@@ -26,7 +25,7 @@ ALL_OBJECTS := $(O_UTIIPX) $(O_UTILS) ipxutil.o
 all: $(UTILS) $(UTIIPX) $(MAN8GZ)
 
 $(ALL_OBJECTS): %.o: %.c
-	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) -o $@ -c $<
+	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) $(PIE_CFLAGS) -o $@ -c $<
 
 %.d: %.c
 	set -e; $(CC) -M $(CFLAGS) $(CCFLAGS) $(CFLAGS_$(@:.d=.o)) $< \
@@ -34,10 +33,10 @@ $(ALL_OBJECTS): %.o: %.c
 		[ -s $@ ] || rm -f $@
 
 $(UTIIPX): %: %.o ipxutil.o
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(addsuffix .o,$@) ipxutil.o ${LIBS}
+	$(CC) $(CFLAGS) $(LDFLAGS) $(PIE_LDFLAGS) -o $@ $(addsuffix .o,$@) ipxutil.o ${LIBS}
 
 $(UTILS): %: %.o
-	$(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) ${LIBS}
+	$(CC) $(CFLAGS) $(LDFLAGS) $(PIE_LDFLAGS) -o $@ $(addsuffix .o,$@) ${LIBS}
 
 $(MAN8GZ): %.gz: %
 	gzip -9 -c $< >$@
diff --git a/ipxdump/Makefile.in b/ipxdump/Makefile.in
index dffb4ce..a38efce 100644
--- a/ipxdump/Makefile.in
+++ b/ipxdump/Makefile.in
@@ -11,7 +11,6 @@ ncp_if_ether_support = @ncp_if_ether_support@
 OBJECTS= ipxutil.o
 
 ALL_OBJECTS := $(EXEC:%=%.o) $(OBJECTS)
-LDFLAGS = @LDFLAGS@
 
 .PHONY : all install dep clean mrproper distclean
 .PHONY : dist tgz
@@ -25,7 +24,7 @@ install: $(EXEC)
 ifeq ($(ncp_if_ether_support),yes)
 
 $(EXEC): %: %.o $(OBJECTS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(addsuffix .o,$@) $(OBJECTS)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(PIE_LDFLAGS) -o $@ $(addsuffix .o,$@) $(OBJECTS)
 
 else
 .PHONY ipxdump ipxparse
@@ -40,7 +39,7 @@ clean:
 modules:
 
 $(ALL_OBJECTS): %.o: %.c
-	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) -o $@ -c $<
+	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) $(PIE_CFLAGS) -o $@ -c $<
 
 %.d: %.c
 	set -e; $(CC) -M $(CFLAGS) $(CCFLAGS) $(CFLAGS_$(@:.d=.o)) $< \
diff --git a/sutil/Makefile.in b/sutil/Makefile.in
index eabd0bb..31c3dfb 100644
--- a/sutil/Makefile.in
+++ b/sutil/Makefile.in
@@ -14,13 +14,12 @@ USE_KERNEL = @USE_KERNEL@
 NDS_SUPPORT = @NDS_SUPPORT@
 
 LIBS = @INTLLIBS@ @LIBICONV@ @LIBS@
-LDFLAGS := @LDFLAGS@
 
 # environ in ncpmount
 CCFLAGS += -D_GNU_SOURCE
 
-PIE_CFLAGS = -fpie
-PIE_LDFLAGS = -pie
+PIE_CFLAGS ?= -fPIE
+PIE_LDFLAGS ?= -pie
 
 O_UTILS := nwsfind.o
 ifeq ($(USE_KERNEL),1)
@@ -74,7 +73,7 @@ ncplogin: ncpm_common.o mount_login.o
 ncpmap: ncpm_common.o
 
 ncpmap.o: %.o: ncplogin.c
-	$(CC) $(CFLAGS) $(LDFLAGS) $(CCFLAGS) $(CFLAGS_$@) $(PIE_CFLAGS) -o $@ -c $<
+	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) $(PIE_CFLAGS) -o $@ -c $<
 
 ncpmap.d: %.d: ncplogin.c
 	set -e; $(CC) -M $(CFLAGS) $(CCFLAGS) $(CFLAGS_$(@:.d=.o)) $< \
diff --git a/util/Makefile.in b/util/Makefile.in
index 2f2e068..3bfe6fa 100644
--- a/util/Makefile.in
+++ b/util/Makefile.in
@@ -15,7 +15,6 @@ NDS_SUPPORT = @NDS_SUPPORT@
 MOUNT2 = @MOUNT2@
 
 LIBS = @INTLLIBS@ @LIBICONV@ @LIBS@
-LDFLAGS = @LDFLAGS@
 
 O_OTHER = dsqueue.o
 O_USERUTILS = slist.o pqlist.o nwfsinfo.o pserver.o nprint.o nsend.o \
@@ -82,7 +81,7 @@ install-dev:
 	make -C $(NCPLIB_DIR) libncp.$(shlibext)
 
 $(O_USERUTILS) $(O_SBINUTILS) $(O_OTHER) ncptest.o: %.o: %.c
-	$(CC) $(CFLAGS) $(LDFLAGS) $(CCFLAGS) $(CFLAGS_$@) -o $@ -c $<
+	$(CC) $(CFLAGS) $(CCFLAGS) $(CFLAGS_$@) $(PIE_CFLAGS) -o $@ -c $<
 
 %.d: %.c
 	set -e; $(CC) -M $(CFLAGS) $(CCFLAGS) $(CFLAGS_$(@:.d=.o)) $< \
@@ -93,10 +92,11 @@ $(O_USERUTILS) $(O_SBINUTILS) $(O_OTHER) ncptest.o: %.o: %.c
 pqstat nwpqjob nprint: dsqueue.o
 
 $(UTILS): %: %.o $(LIBDEP)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(addsuffix .o,$@) $(ADDOBJS_$@) -L$(NCPLIB_DIR) -lncp ${LIBS}
+	$(CC) $(CFLAGS) $(LDFLAGS) $(PIE_LDFLAGS) -o $@ $(addsuffix .o,$@) $(ADDOBJS_$@) -L$(NCPLIB_DIR) -lncp ${LIBS}
 
 ipx_probe: ipx_probe.c
-	$(CC) $(CFLAGS) $(LDFLAGS) $(CCFLAGS) -o ipx_probe ipx_probe.c ${LIBS}
+	 $(CC) $(CFLAGS) $(CCFLAGS) $(PIE_CFLAGS) $(LDFLAGS) $(PIE_LDFLAGS) -o ipx_probe ipx_probe.c ${LIBS}
+
 
 dep: