Hi Henrique,

On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> > That's certainly a viable plan. This is kind of the approach we took in
> > Ubuntu for the PIE feature. We also considered packages with a less than
> > stellar security history. The list of packages built with PIE in Ubuntu
> > is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
> >
> > amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
>
> amavisd-new is perl, does that need PIE? Or do you mean the C utilities
> (which are not network services but on the other hand are not
> performance-sensitive anyway so might as well enable it just in case)?

Right, though there are two ELFs in amavisd-new-milter. PIE is not the only
benefit, it's just the only non-default hardening feature in Ubuntu, so we
had an explicit list of programs that we wanted to be more complete with.

> Anyway, I'd appreciate a bug report against amavisd-new with whatever
> information is pertinent about PIE, if you guys want us to add it to the
> package.

I already opened it in August when I added the patch for it in Ubuntu. :)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542722

> > I couldn't agree more. See /usr/share/hardening-includes/hardening.make
> > for details, but a package trying to avoid the hardening flags could just
> > set DEB_BUILD_HARDENING=0 in debian/rules.
>
> Can we get a standard DEB_BUILD_OPTIONS while that is still possible?

DEB_BUILD_OPTIONS are external to the build, so I'm a bit unclear on the
benefit. Usually it's just for doing specialized builds (like noopt,
nostrip) or tweaking build behavior (parallel=N). I'd be happy to implement
the logic anyway, since it might help with debugging specific build issues.
I actually did this (though there are no users of it) in dpkg-buildpackage
in Ubuntu:

    Additionally, when used with the hardening-wrapper package, the values
    "hardening" and "nohardening" will be converted into their respective
    DEB_BUILD_HARDENING values. The "hardening" option can also include
    (optionally prefixed with "no") the following sub-options:
    "stackprotector" "format" "fortify" "pie" "relro"
    For example, DEB_BUILD_OPTIONS=hardening=nopie would cause
    DEB_BUILD_HARDENING_PIE=0 to be set, or DEB_BUILD_OPTIONS=nohardening
    would cause DEB_BUILD_HARDENING=0 to be set.

I could easily move this logic into hardening.make too. Does that sound good?

-Kees

-- 
Kees Cook @debian.org
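As an added illustration (not Kees's dpkg-buildpackage patch or the hardening.make code), here is a POSIX sh function that applies the mapping described in the mail above: it turns a DEB_BUILD_OPTIONS string into the DEB_BUILD_HARDENING* assignments the hardening-wrapper would read. It assumes that sub-options after "hardening=" are comma-separated, which the mail does not specify.

```shell
#!/bin/sh
# Emit DEB_BUILD_HARDENING* assignments for a DEB_BUILD_OPTIONS string.
#   nohardening           -> DEB_BUILD_HARDENING=0
#   hardening             -> DEB_BUILD_HARDENING=1
#   hardening=<sub>,...   -> DEB_BUILD_HARDENING_<SUB>=1, or =0 if prefixed "no"
# Known sub-options: stackprotector format fortify pie relro.
# Assumption (not in the mail): sub-options are separated by commas.
hardening_vars_from_options() {
    _opts=$1
    for _opt in $_opts; do            # DEB_BUILD_OPTIONS is space-separated
        case $_opt in
            nohardening)
                echo "DEB_BUILD_HARDENING=0" ;;
            hardening)
                echo "DEB_BUILD_HARDENING=1" ;;
            hardening=*)
                _subs=${_opt#hardening=}
                _old_ifs=$IFS; IFS=,
                for _sub in $_subs; do
                    IFS=$_old_ifs             # list is already split
                    _val=1
                    case $_sub in no*) _val=0; _sub=${_sub#no} ;; esac
                    case $_sub in
                        stackprotector|format|fortify|pie|relro)
                            _name=$(printf '%s' "$_sub" | tr 'a-z' 'A-Z')
                            echo "DEB_BUILD_HARDENING_$_name=$_val" ;;
                        *)
                            # Unknown feature: fail loudly rather than
                            # silently building without the intended flag.
                            echo "unknown hardening sub-option: $_sub" >&2
                            return 1 ;;
                    esac
                done
                IFS=$_old_ifs ;;
            *) ;;                     # noopt, nostrip, parallel=N: not ours
        esac
    done
}
```

Running `hardening_vars_from_options "noopt hardening=format,nopie"` prints DEB_BUILD_HARDENING_FORMAT=1 and DEB_BUILD_HARDENING_PIE=0, which a rules file could eval before including hardening.make.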