
Re: Switch on compiler hardening defaults



[dropped debian-gcc from the CCs as this is probably rather off topic now]

Hi Petter,

On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
> >
> > With the new package, the arch-specific logic for hardening defaults
> > is in one place, and a maintainer can selectively disable anything they
> > don't want on by default.
> 
> This might be a good compromise to get network services hardened
> without changing the default build system.  Is there a plan for which

That's certainly a viable plan.  This is kind of the approach we took in
Ubuntu for the PIE feature.  We also considered packages with a less than
stellar security history.  The list of packages built with PIE in Ubuntu
is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )

 amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
 ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
 openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
 xinetd

Many of these (and others) are already building in Debian with
hardening-wrapper:

 aria2 bind9 bird confget cookietool cups dma donkey grap hexer hfsprogs
 isoquery jd jed kaptain libdebug limo mysql-dfsg-5.1 nast postfix
 postgresql-8.3 postgresql-8.4 prips quagga robodoc rtpproxy ser slrn
 squid strongswan switchsh tnftp wireshark worker xmahjongg zoem

And built with hardening-includes:

 openbsd-inetd

> packages to convert first?  A patch for my netplan package would be
> most welcome. :) I guess starting with the most popular ones is a good
> idea, and realise netplan is not one of these. :)

Well, every package is a little different in how CFLAGS and LDFLAGS get
passed into the upstream build, so there isn't a strict recipe.  Probably
the most common would be to declare CFLAGS and LDFLAGS to the "configure"
environment.  For example in debian/rules:

# Provides HARDENING_CFLAGS and HARDENING_LDFLAGS
include /usr/share/hardening-includes/hardening.make

CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)
...

binary-arch: ...
	...
	CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure
	...

You can check the results of the build with "hardening-check" (in
hardening-includes version 1.19).  See its manpage for more details.

> Personally I would prefer the build default to change instead, and a
> mechanism to disable it per package for those that can't use the
> hardening defaults, but realise it might be a risky path to take.

I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
for details, but a package trying to avoid the hardening flags could just
set DEB_BUILD_HARDENING=0 in debian/rules.

-Kees

-- 
Kees Cook                                            @debian.org
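
Added example, not part of the original message and not hardening-check's own code: the effect of the hardening flags on a built binary can be read from its ELF headers, shown here on constructed header-only ELF64 images. The function names and sample images are assumptions for illustration, and the check goes beyond the PIE case in the message by also reporting RELRO and a non-executable stack.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                          # e_type values
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1                                      # segment is executable


def check_elf64(data: bytes) -> dict:
    """Report header-visible hardening of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # A PIE is linked as ET_DYN (shared libraries are ET_DYN as well).
    report = {"pie": e_type == ET_DYN, "relro": False, "nx_stack": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
    # A missing PT_GNU_STACK is reported as not hardened (conservative choice).
    return report


def make_elf64(e_type: int, phdrs: list) -> bytes:
    """Construct a header-only ELF64 image (sample data, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # 64-bit, LSB, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return ehdr + body


# Constructed samples: (p_type, p_flags) per program header.
HARDENED = make_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
PLAIN = make_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, check_elf64(image))
```

Stack protector and fortified-function checks need the symbol table and are not covered by this header-only check.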

