From 5b7e55dfac05038aad7dd55f4bc791c22e4faa08 Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot <sarcot@microsoft.com>
Date: Fri, 25 Feb 2022 11:09:15 -0800
Subject: [PATCH] Package debugging and hardening for dhcpmon and dhcp6relay
 (#9862) (#10063)

Enable dbgsym package for dhcpmon.

Allow CFLAGS and LDFLAGS from environment variables to be used
in the dhcp6relay build. This makes sure that the -O2 flag from
dpkg-buildflags gets used.

Finally, enable all hardening flags in dpkg-buildflags for
dhcp6relay and dhcpmon. The change from the default set of flags is that
during linking, immediate binding of symbols is done instead of lazy
binding.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---
 rules/dhcpmon.mk            | 3 +++
 rules/docker-dhcp-relay.mk  | 2 +-
 src/dhcp6relay/Makefile     | 4 ++--
 src/dhcp6relay/debian/rules | 2 ++
 src/dhcpmon/debian/rules    | 2 ++
 5 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/rules/dhcpmon.mk b/rules/dhcpmon.mk
index 3d80d227c1..3f8f5e139b 100644
--- a/rules/dhcpmon.mk
+++ b/rules/dhcpmon.mk
@@ -6,3 +6,6 @@ SONIC_DHCPMON_PKG_NAME = dhcpmon
 SONIC_DHCPMON = sonic-$(SONIC_DHCPMON_PKG_NAME)_$(SONIC_DHCPMON_VERSION)_$(CONFIGURED_ARCH).deb
 $(SONIC_DHCPMON)_SRC_PATH = $(SRC_PATH)/$(SONIC_DHCPMON_PKG_NAME)
 SONIC_DPKG_DEBS += $(SONIC_DHCPMON)
+
+SONIC_DHCPMON_DBG = sonic-$(SONIC_DHCPMON_PKG_NAME)-dbgsym_$(SONIC_DHCPMON_VERSION)_$(CONFIGURED_ARCH).deb
+$(eval $(call add_derived_package,$(SONIC_DHCPMON),$(SONIC_DHCPMON_DBG)))
diff --git a/rules/docker-dhcp-relay.mk b/rules/docker-dhcp-relay.mk
index d1460e5cbd..1c6873ead9 100644
--- a/rules/docker-dhcp-relay.mk
+++ b/rules/docker-dhcp-relay.mk
@@ -9,7 +9,7 @@ $(DOCKER_DHCP_RELAY)_PATH = $(DOCKERS_PATH)/$(DOCKER_DHCP_RELAY_STEM)
 $(DOCKER_DHCP_RELAY)_DEPENDS += $(ISC_DHCP_RELAY) $(SONIC_DHCPMON) $(SONIC_DHCP6RELAY) $(LIBSWSSCOMMON) 
 
 $(DOCKER_DHCP_RELAY)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS)
-$(DOCKER_DHCP_RELAY)_DBG_DEPENDS += $(ISC_DHCP_RELAY_DBG) $(SONIC_DHCP6RELAY_DBG)
+$(DOCKER_DHCP_RELAY)_DBG_DEPENDS += $(ISC_DHCP_RELAY_DBG) $(SONIC_DHCP6RELAY_DBG) $(SONIC_DHCPMON_DBG)
 
 $(DOCKER_DHCP_RELAY)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES)
 
diff --git a/src/dhcp6relay/Makefile b/src/dhcp6relay/Makefile
index 4d2eedd042..dd384452a5 100644
--- a/src/dhcp6relay/Makefile
+++ b/src/dhcp6relay/Makefile
@@ -5,7 +5,7 @@ MKDIR := mkdir
 CC := g++
 MV := mv
 LIBS := -levent -lhiredis -lswsscommon -pthread -lboost_thread -lboost_system
-CFLAGS  = -g -Wall -std=c++17 -fPIC -I $(PWD)/../sonic-swss-common/common
+CFLAGS += -Wall -std=c++17 -fPIE -I$(PWD)/../sonic-swss-common/common
 PWD := $(shell pwd)
 
 ifneq ($(MAKECMDGOALS),clean)
@@ -21,7 +21,7 @@ all: sonic-dhcp6relay
 sonic-dhcp6relay: $(OBJS)
 	@echo 'Building target: $@'
 	@echo 'Invoking: G++ Linker'
-	$(CC) -o $(DHCP6RELAY_TARGET) $(OBJS) $(LIBS) 
+	$(CC) $(LDFLAGS) -o $(DHCP6RELAY_TARGET) $(OBJS) $(LIBS)
 	@echo 'Finished building target: $@'
 	@echo ' '
 
diff --git a/src/dhcp6relay/debian/rules b/src/dhcp6relay/debian/rules
index ce2eb52beb..ac2cd63889 100755
--- a/src/dhcp6relay/debian/rules
+++ b/src/dhcp6relay/debian/rules
@@ -1,4 +1,6 @@
 #!/usr/bin/make -f
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
 %:
 	dh $@ --parallel
diff --git a/src/dhcpmon/debian/rules b/src/dhcpmon/debian/rules
index 00c628b662..76fc7ea1f8 100755
--- a/src/dhcpmon/debian/rules
+++ b/src/dhcpmon/debian/rules
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
 DEB_CFLAGS_APPEND=-std=gnu11
 export DEB_CFLAGS_APPEND