Hi,

On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook <k...@debian.org> wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modified to respect external environments. Also, I think
> > having the compiler itself be hardened is the bigger win.
>
> If doko feels uncomfortable with applying the patches, we should use
> the dpkg-buildpackage way (which I'm technically fine with). It also
> has the nice side effect that we get a central place where we can
> opt out architectures which don't implement a specific hardening feature.
> It also allows maintainers to specifically opt out in cases where they
> feel the overhead to be unacceptably high. (e.g., a number-crunching
> math application).

Right. So, the main problem is that I haven't seen a way to interact
between dpkg-buildpackage and the rules file itself for cases where a
maintainer wants to specifically disable a portion of the hardening
(like PIE) without potentially interfering with the package's upstream
configured flags.

Instead, I've now implemented[1] a new binary package
"hardening-includes" which provides a Makefile include[2] that can be
used to get the (potentially arch-specific) hardening flags. As an
example, I have a debdiff against openssh to use it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887

With the new package, the arch-specific logic for hardening defaults is
in one place, and a maintainer can selectively disable anything they
don't want on by default.

> > Out of curiosity, where can I and others find the documentation for the
> > dpkg-buildpackage environment framework? We should immediately add the
> > hardening options to it now for the packages that it will work on.
>
> See dpkg-buildpackage(1) in the section "ENVIRONMENT VARIABLES"

Yeah, maybe I'm dense, but I didn't see a good way to selectively
disable portions of the flags. It seems like it's better suited to
things like -O2, etc (which it's doing already).

> What flags do you intend to enable? -Wformat, -Wformat-security,
> -D_FORTIFY_SOURCE=2 and -fstack-protector ?

Also -fPIE/-fPIE -pie, -Wl,-z,relro, -Wl,-z,now

I've also started work on a very simple hardening characteristic
checker[3] that just looks for everything and reports back. This can be
used to validate a built binary, etc.

> Could you file a bug against dpkg-dev?

If this approach works, perhaps debhelper could do the include
automatically in a full dh 7 style rules file?

-Kees

[1] http://packages.qa.debian.org/h/hardening-wrapper/news/20091220T121706Z.html
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening.make
[3] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening-check

--
Kees Cook @debian.org