Bug#1113774: Disabling -fcf-protection in sudo for bookworm

To: James Addison <jay@jp-hosting.net>, 1113774@bugs.debian.org
Subject: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
From: Paul Tagliamonte <paultag@debian.org>
Date: Fri, 5 Dec 2025 09:31:49 -0500
Message-id: <[🔎] 20251205143149.GA123848@dc.cant.vote>
Reply-to: Paul Tagliamonte <paultag@debian.org>, 1113774@bugs.debian.org
In-reply-to: <[🔎] CALDQ5NxPtnDbzRB2cf9ELdqcdEy5RtnrUxVrAxR77FL1D8qmSA@mail.gmail.com>
References: <0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] CALDQ5NxPtnDbzRB2cf9ELdqcdEy5RtnrUxVrAxR77FL1D8qmSA@mail.gmail.com> <0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet>

On Fri, Dec 05, 2025 at 12:38:59PM +0000, James Addison wrote:

My reading of the thread is that fcf-protection=return can be
security-effective on 32-bit x86 processors, has no effect on binary
size, and does not introduce the compatibility issues that
fcf-protection=branch does.


[snip]

So to reformulate that as a question: why is the advice to remove the
flag completely, instead of reducing it to fcf-protection=return?

This requires kernel support to be effective - and Bookworm does nothave a kernel with that flag turned on. I understand there to be nodifference between disabling fcf-protection entirely vs return in i386for Bookworm.

The two (related) flags, as Marcos points out earlier in reply to mymisunderstanding here too, the related toggle here isCONFIG_X86_USER_SHADOW_STACK, which is required forfcf-protection=return

FWIW; these flags were set specifically in sudo upstream -- not Debian'scross-distro default flags. Upstream has since removed them, for thesame reason(s) as we resolved here. If we wanted to rebuild the distroto take advantage of the (new!) enablement of theCONFIG_X86_USER_SHADOW_STACK=yin the sid x86_64 kernel running i386 binaries (or even amd64 binaries),I reckon we'd need to do some work across the archive.


In that case we'd want to use fcf-protection=return, rather than

fcf-protection=full, as I understand it, since we can't take meaningfuladvantage of the IBT -- since the CONFIG_X86_KERNEL_IBT flag is forkernelspace not userspace, and there's no reason to turn that on foruserspace programs.

FWIW, I stand by the advice; it's good. There is no difference betweendisabling fcf-protection entirely and setting return, since no bookwormkernels will do anything different with =return.

I agree with Helmut's reading on his ctte vote, and I share itcompletely.


  paultag

--
  ⢀⣴⠾⠻⢶⣦⠀               Paul Tagliamonte <paultag>
  ⣾⠁⢠⠒⠀⣿⡁  https://people.debian.org/~paultag | https://pault.ag/
  ⢿⡄⠘⠷⠚⠋        Debian, the universal operating system.
  ⠈⠳⣄⠀⠀  4096R / FEF2 EB20 16E6 A856 B98C  E820 2DCD 6B5D E858 ADF3

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: James Addison <jay@jp-hosting.net>

References:
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: James Addison <jay@jp-hosting.net>

Prev by Date: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Next by Date: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Previous by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Next by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Index(es):
- Date
- Thread