Re: Switch on compiler hardening defaults
[dropped debian-gcc from the CCs as this is probably rather off topic now]
Hi Petter,
On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
> >
> > With the new package, the arch-specific logic for hardening defaults
> > is in one place, and a maintainer can selectively disable anything they
> > don't want on by default.
>
> This might be a good compromise to get network services hardened
> without changing the default build system. Is there a plan for which
That's certainly a viable plan. This is kind of the approach we took in
Ubuntu for the PIE feature. We also considered packages with a less than
stellar security history. The list of packages built with PIE in Ubuntu
is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
xinetd
Many of these (and others) are already building in Debian with
hardening-wrapper:
aria2 bind9 bird confget cookietool cups dma donkey grap hexer hfsprogs
isoquery jd jed kaptain libdebug limo mysql-dfsg-5.1 nast postfix
postgresql-8.3 postgresql-8.4 prips quagga robodoc rtpproxy ser slrn
squid strongswan switchsh tnftp wireshark worker xmahjongg zoem
And built with hardening-includes:
openbsd-inetd
> packages to convert first? A patch for my netplan package would be
> most welcome. :) I guess starting with the most popular ones is a good
> idea, and realise netplan is not one of these. :)
Well, every package is a little different in how CFLAGS and LDFLAGS get
passed into the upstream build, so there isn't a strict recipe. Probably
the most common would be to declare CFLAGS and LDFLAGS to the "configure"
environment. For example in debian/rules:
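# Pull in HARDENING_CFLAGS / HARDENING_LDFLAGS for this architecture
include /usr/share/hardening-includes/hardening.make
CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)
...
# make variables need $(...); a bare $CFLAGS would expand as $(C)FLAGS
binary-arch: ...
	...
	CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure
	...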
You can check the results of the build with "hardening-check" (in
hardening-includes version 1.19). See its manpage for more details.
> Personally I would prefer the build default to change instead, and a
> mechanism to disable in per package for those that can't use the
> hardening defaults, but realise it might be a risky path to take.
I couldn't agree more. See /usr/share/hardening-includes/hardening.make
for details, but a package trying to avoid the hardening flags could just
set DEB_BUILD_HARDENING=0 in debian/rules.
-Kees
--
Kees Cook @debian.org
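
An added example, not part of the original message and not how hardening-check itself is implemented: a minimal Python check of whether a built binary came out as PIE, read straight from the ELF headers. It handles 64-bit little-endian ELF only; the RELRO and non-executable-stack checks, the names `elf_hardening` and `make_elf`, and the two sample images are assumptions constructed for illustration.

```python
import struct
import sys

ET_DYN, PF_X = 3, 0x1
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552


def elf_hardening(data: bytes) -> dict:
    """Report PIE, RELRO and stack flags from the ELF and program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs = {}
    for i in range(e_phnum):
        # Each program header starts with p_type and p_flags (ELF64 layout).
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        segs[p_type] = p_flags
    return {
        # ET_DYN alone also matches shared libraries; an interpreter marks a program.
        "pie": e_type == ET_DYN and PT_INTERP in segs,
        "relro": PT_GNU_RELRO in segs,
        # No PT_GNU_STACK header is treated as "not known to be non-executable".
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
    }


def make_elf(e_type: int, segments: list) -> bytes:
    """Build a constructed, header-only ELF64 image (sample input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 1)
                     for t, f in segments)
    return hdr + phdrs


# Constructed samples: one as a hardened build would look, one as a plain build.
HARDENED = make_elf(3, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
PLAIN = make_elf(2, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    # With a path argument, check that file; otherwise show both samples.
    if len(sys.argv) > 1:
        print(elf_hardening(open(sys.argv[1], "rb").read()))
    else:
        print(elf_hardening(HARDENED), elf_hardening(PLAIN))
```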