Re: Bug#552688: Please decide how Debian should enable hardening build flags



On Thu, Jul 28, 2011 at 01:34:02PM -0700, Kees Cook wrote:
> - non-PIC .a file relocation
>   Using PIE by default means that packages shipping non-PIC .a files
>   suddenly produce relocatable .a files. If a package that links against
>   them isn't building as PIE too, it will FTBFS.

Isn't such a FTBFS a toolchain bug?  There's no reason in principle why a
PIC .a being linked into a non-PIE executable can't have those relocations
fixed up at build time - and this has in fact always worked in the past.

Or do you maybe mean the opposite, where an existing non-PIC .a tries to be
linked into a PIE executable?  In that case there's information missing and
yes, it will fail to link.

> > The current implementation in my branch is that PIE is disabled by default
> > but if you set DEB_BUILD_HARDENING_PIE=1 then it will be used. This was
> > easily done on top of the compatibility layer with
> > hardening-includes/hardening-wrapper but I'm not convinced it's an
> > interface we want to use for this transition.

> If someone chose to build-dep on hardening-wrapper/hardening-includes, they
> expect to have built PIE, so I think that the dpkg-buildflags default
> should likely depend on that in some way.

Although dpkg-buildflags should provide a mechanism to allow system-level
configuration (perhaps through a .d directory in /etc), the difficulty of
auto-enabling this upon installation of the hardening-* packages is that it
means building other packages which *don't* build-depend on it will give
different output in the event the hardening-* packages happen to be
installed - such as on a maintainer's system.  We don't want all the other
packages in the archive to have to build-conflict with hardening-* to avoid
"mis"builds!

> There's a lot of ways to do this. I'm not sure what is best. What's
> important to me is that maintainers that were using h-w/i don't suddenly
> end up with builds that aren't PIE, since they explicitly chose to build
> with PIE (unless they also explicitly chose to disable it).

I would presume that the existing interfaces could be left in place, and
dropped only when they're no longer needed.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
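
A pre-link check for the second case discussed in the message (an existing non-PIC .a being linked into a PIE executable), as an added example that is not part of the original message or of any Debian tool: it scans `readelf -r` output for a static archive and lists the members carrying absolute relocations. It assumes amd64, where the types the linker rejects for PIE are R_X86_64_32 and R_X86_64_32S; the sample output, archive name and member names are constructed.

```python
import re

# amd64 relocation types that need a fixed link-time address; ld refuses them
# when building a PIE. Assumption: other architectures use other type names.
ABSOLUTE_TYPES = {"R_X86_64_32", "R_X86_64_32S"}

MEMBER_RE = re.compile(r"^File: .*\((?P<member>[^)]+)\)\s*$")
SECTION_RE = re.compile(r"^Relocation section '(?P<name>[^']+)'")
RELOC_RE = re.compile(
    r"^\s*[0-9a-f]+\s+[0-9a-f]+\s+(?P<type>R_\w+)(?:\s+[0-9a-f]+\s+(?P<sym>\S+))?"
)

def non_pic_members(readelf_output):
    """Map archive member -> [(section, reloc type, symbol)] for absolute relocs."""
    findings = {}
    member = section = None
    for line in readelf_output.splitlines():
        if m := MEMBER_RE.match(line):
            member, section = m["member"], None
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif (m := RELOC_RE.match(line)) and m["type"] in ABSOLUTE_TYPES:
            findings.setdefault(member, []).append((section, m["type"], m["sym"]))
    return findings

# Constructed sample in the layout `readelf -r libdemo.a` prints
SAMPLE = """\
File: libdemo.a(pic.o)

Relocation section '.rela.text' at offset 0x1d0 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000007  000300000002 R_X86_64_PC32     0000000000000000 .rodata - 4
00000000000c  000500000004 R_X86_64_PLT32    0000000000000000 puts - 4

File: libdemo.a(legacy.o)

Relocation section '.rela.text' at offset 0x1c8 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000005  00030000000a R_X86_64_32       0000000000000000 .rodata + 0
00000000000a  000500000004 R_X86_64_PLT32    0000000000000000 puts - 4
"""

if __name__ == "__main__":
    for member, relocs in non_pic_members(SAMPLE).items():
        for section, rtype, sym in relocs:
            print(f"{member}: {rtype} against {sym} in {section}")
```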
