Linker wrapper to enforce hardening toolchain improvements
export DEB_BUILD_HARDENING=1
ld ...
The hardened-ld wrapper is normally used by calling ld as usual with DEB_BUILD_HARDENING set to 1. It will configure the necessary toolchain hardening features. By default, all features are enabled. If a given feature does not work correctly and needs to be disabled, the corresponding environment variables mentioned below can be set to 0.
Enable hardening features.
Print the full resulting gcc command line to STDERR before calling gcc.
Don't mark ELF sections read-only after start. See README.Debian for details.
Don't mark ELF loader for start-up dynamic resolution. See README.Debian for details.
System-wide settings can be added to /etc/hardening-wrapper.conf, one per line.
The real ld is renamed ld.real, and a diversion is registered with dpkg-divert(1). Thus hardened-ld's idea of the default ld is dictated by whatever package installed /usr/bin/ld.
hardened-cc(1), ld(1)