
Bug#792502: ocaml: obey hardening LDFLAGS



Package: ocaml
Version: 4.01.0-5
Severity: minor
Tags: patch

Dear Maintainer,

See discussion on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702349

I am including a patch that enables the relro and bindnow hardening flags for
OCaml and packages compiled by ocaml.

I haven't submitted the patch upstream yet; there is only this bug report asking
for LDFLAGS and having CCLINKFLAGS as a solution for ocamlyacc only:
http://caml.inria.fr/mantis/view.php?id=4698
There is also this bug about CFLAGS (which can be useful for hardening C stubs
perhaps?):
http://caml.inria.fr/mantis/view.php?id=3664

My patch simply sets CCLINKFLAGS based on LDFLAGS and includes CCLINKFLAGS into
MKEXE/MKDLL/MKMAINDLL, which AFAICT
are the cmdlines used to build executables and shared libraries by
ocamlc/ocamlopt.

Should I submit the patch upstream, or would it require more modifications to
support Debian's hardening features?

Output of hardening-check before the patch:
/usr/bin/ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Output of hardening-check after the patch:
../ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Running lintian on the newly built packages doesn't show the hardening-no-relro
warning anymore:
$ lintian ../*.deb
W: ocaml-nox: binary-without-manpage usr/bin/ocamlbuild
W: ocaml-mode: binary-without-manpage usr/bin/ocamltags
N: 1 tag overridden (1 warning)



-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ocaml depends on:
ii  libx11-dev                      2:1.6.2-3
ii  ocaml-base [ocaml-base-4.01.0]  4.01.0-5
ii  ocaml-base-nox                  4.01.0-5
ii  ocaml-nox [ocaml-nox-4.01.0]    4.01.0-5

ocaml recommends no packages.

Versions of packages ocaml suggests:
ii  tcl-dev  8.6.0+8
pn  tk-dev   <none>

-- no debconf information
--- a/debian/patches/0010-Obey-ldflags.patch	1970-01-01 02:00:00.000000000 +0200
+++ b/debian/patches/0010-Obey-ldflags.patch	2015-07-15 15:59:20.600661858 +0300
@@ -0,0 +1,34 @@
+Description: use CCLINKFLAGS for linking all executables and shared libraries
+ This allows packagers to set additional linker flags for executables and shared
+ libraries created by OCaml, and for the OCaml tools themselves.
+ OCaml code can be linked with various C stubs and C libraries that would
+ benefit from using hardening link flags, such as -Wl,-z,relro.
+---
+
+Origin: other
+Bug-Debian: https://bugs.debian.org/702349
+Forwarded: no
+Last-Update: <2015-07-15>
+
+--- ocaml-4.02.1.orig/configure
++++ ocaml-4.02.1/configure
+@@ -739,6 +739,8 @@ if test $with_sharedlibs = "yes"; then
+       shared_libraries_supported=true;;
+   esac
+ fi
++mksharedlib="$mksharedlib $CCLINKFLAGS"
++mkexe="$mkexe $CCLINKFLAGS"
+ 
+ if test -z "$mkmaindll"; then
+   mkmaindll=$mksharedlib
+--- ocaml-4.02.1.orig/tools/Makefile.shared
++++ ocaml-4.02.1/tools/Makefile.shared
+@@ -278,7 +278,7 @@ beforedepend:: opnames.ml
+ 
+ objinfo_helper$(EXE): objinfo_helper.c ../config/s.h
+ 	$(BYTECC) -o objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \
+-          objinfo_helper.c $(LIBBFD_LINK)
++          objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS)
+ 
+ OBJINFO=../compilerlibs/ocamlcommon.cma \
+         ../compilerlibs/ocamlbytecomp.cma \
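Review bot: the configure hunk does not cover mkmaindll in every case, although the report says MKMAINDLL is covered: `$CCLINKFLAGS` is appended only to `mksharedlib` and `mkexe`, so `mkmaindll` picks the flags up solely through the fallback `if test -z "$mkmaindll"; then mkmaindll=$mksharedlib`; on a platform where configure has already set `mkmaindll` to a non-empty value above, the flags are missing. Adding an `else` branch to that test with `mkmaindll="$mkmaindll $CCLINKFLAGS"` (not an unconditional append, which would duplicate the flags on the fallback path) closes the gap. Also, in the DEP-3 header `Last-Update: <2015-07-15>` the angle brackets look like template residue; the field is a plain `YYYY-MM-DD` date, i.e. `Last-Update: 2015-07-15`. Since the patch appends the flags to the commands baked into config/Makefile, note that every executable and shared library later linked with the Debian ocamlc/ocamlopt will carry the build-time LDFLAGS, which matches the report's stated intent but is worth saying in the Description.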
diff -rNu ../o/ocaml-4.02.1/debian/patches/series debian/patches/series
--- a/debian/patches/series	2014-11-20 17:48:56.000000000 +0200
+++ b/debian/patches/series	2015-07-15 16:07:10.622247953 +0300
@@ -7,3 +7,4 @@
 0007-Tune-resource-usage-of-some-tests.patch
 0008-Native-backtraces-don-t-work-on-powerpc-and-sparc.patch
 0009-Fix-asmcomp-tests-on-sparc.patch
+0010-Obey-ldflags.patch
--- a/debian/rules	2015-02-16 12:37:56.000000000 +0200
+++ b/debian/rules	2015-07-15 15:54:11.360881817 +0300
@@ -59,6 +59,9 @@
 export OCAML_OPT_ARCH
 export OCAML_STDLIB_DIR
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
+
 CONFIGURE_OPTS := \
   --host $(DEB_BUILD_GNU_TYPE)\
   --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
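Review bot: `export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` uses a recursively expanded variable, so dpkg-buildflags is re-run every time make expands CCLINKFLAGS; `export CCLINKFLAGS := $(shell dpkg-buildflags --get LDFLAGS)` evaluates it once. Keep the `DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` export above that line, since dpkg-buildflags only emits `-Wl,-z,now` when it sees that option in its environment; the hardening-check output in the report (`Immediate binding: yes`) confirms the ordering works as written. The hunk only passes LDFLAGS through; the CFLAGS/CPPFLAGS side for C stubs that the report mentions remains uncovered, which is fine for this bug but should be noted in the changelog.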

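The before/after hardening-check output above hinges on two ELF properties: a `PT_GNU_RELRO` program header ("Read-only relocations") and a `BIND_NOW` marker in the dynamic section ("Immediate binding"). The following script is an added example, not part of the bug report, of OCaml, or of the hardening-check tool; it reads those headers directly with the `struct` module instead of going through readelf, handles only little-endian ELF64 files, and constructs its own minimal (non-loadable) ELF images as sample input so it runs offline. Point it at a real binary such as the `ocamlopt.opt` from the report to get the same two lines hardening-check prints.

```python
"""Added example (not from the bug report or OCaml): a pure-Python check
for the two properties hardening-check reports as "Read-only relocations"
and "Immediate binding". Only little-endian ELF64 images are handled."""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552   # segment made read-only after relocation (-z relro)
DT_NULL = 0
DT_BIND_NOW = 24            # legacy tag some linkers emit for -z now
DT_FLAGS = 30
DF_BIND_NOW = 0x8           # DT_FLAGS bit set by -z now
DT_FLAGS_1 = 0x6FFFFFFB
DF_1_NOW = 0x1              # DT_FLAGS_1 bit set by -z now

EHDR = "<HHIQQQIHHHHHH"     # ELF64 header fields after the 16-byte e_ident
PHDR = "<IIQQQQQQ"          # ELF64 program header (56 bytes)
DYN = "<qQ"                 # ELF64 dynamic entry (16 bytes)


def elf_hardening(data: bytes) -> dict:
    """Return {'relro': bool, 'bindnow': bool} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    (_, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR, data, 16)
    relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True          # readelf -l would list GNU_RELRO here
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bindnow = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from(DYN, data, off)
            off += 16
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bindnow = True    # readelf -d would show BIND_NOW / NOW here
    return {"relro": relro, "bindnow": bindnow}


def report_lines(name: str, result: dict) -> list:
    """Format a result in the style of the hardening-check output."""
    return [f"{name}:",
            " Read-only relocations: " + ("yes" if result["relro"] else "no, not found!"),
            " Immediate binding: " + ("yes" if result["bindnow"] else "no, not found!")]


def build_elf(relro: bool, bindnow: bool) -> bytes:
    """Constructed sample input: a minimal ELF64 image holding only the
    headers the checker inspects. It is not a loadable program."""
    entries = ([(DT_FLAGS, DF_BIND_NOW)] if bindnow else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack(DYN, tag, val) for tag, val in entries)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph                 # dynamic data follows the headers
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1
    # ET_DYN (3), EM_X86_64 (62), e_phoff = 64, e_phentsize = 56, e_phnum
    ehdr = struct.pack(EHDR, 3, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 0, 0, 0)
    return ident + ehdr + phdrs + dyn


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:   # e.g. python3 elf_hardening.py /usr/bin/ocamlopt.opt
        for path in paths:
            with open(path, "rb") as fh:
                print("\n".join(report_lines(path, elf_hardening(fh.read()))))
    else:       # no arguments: show a constructed before/after pair
        for name, img in (("before (constructed)", build_elf(False, False)),
                          ("after (constructed)", build_elf(True, True))):
            print("\n".join(report_lines(name, elf_hardening(img))))
```

Checking `DT_FLAGS_1`/`DF_1_NOW` as well as `DT_FLAGS`/`DF_BIND_NOW` matters in practice: GNU ld sets both for `-z now`, but other toolchains may set only one, and a checker that looks at a single tag can report a false "no".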