
Re: Switch on compiler hardening defaults

[dropped debian-gcc from the CCs as this is probably rather off topic now]

Hi Petter,

On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
> >
> > With the new package, the arch-specific logic for hardening defaults
> > is in one place, and a maintainer can selectively disable anything they
> > don't want on by default.
> This might be a good compromise to get network services hardened
> without changing the default build system.  Is there a plan for which

That's certainly a viable plan.  This is kind of the approach we took in
Ubuntu for the PIE feature.  We also considered packages with a less than
stellar security history.  The list of packages built with PIE in Ubuntu
is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )

 amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
 ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
 openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark

Many of these (and others) are already building in Debian with

 aria2 bind9 bird confget cookietool cups dma donkey grap hexer hfsprogs
 isoquery jd jed kaptain libdebug limo mysql-dfsg-5.1 nast postfix
 postgresql-8.3 postgresql-8.4 prips quagga robodoc rtpproxy ser slrn
 squid strongswan switchsh tnftp wireshark worker xmahjongg zoem

And built with hardening-includes:


> packages to convert first?  A patch for my netplan package would be
> most welcome. :) I guess starting with the most popular ones is a good
> idea, and realise netplan is not one of these. :)

Well, every package is a little different in how CFLAGS and LDFLAGS get
passed into the upstream build, so there isn't a strict recipe.  Probably
the most common would be to declare CFLAGS and LDFLAGS to the "configure"
environment.  For example in debian/rules:

include /usr/share/hardening-includes/hardening.make


binary-arch: ...

You can check the results of the build with "hardening-check" (in
hardening-includes version 1.19).  See its manpage for more details.

> Personally I would prefer the build default to change instead, and a
> mechanism to disable it per package for those that can't use the
> hardening defaults, but realise it might be a risky path to take.

I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
for details, but a package trying to avoid the hardening flags could just
set DEB_BUILD_HARDENING=0 in debian/rules.


Kees Cook                                            @debian.org
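The ELF properties that hardening-check inspects (PIE, RELRO, BIND_NOW, stack protector, FORTIFY_SOURCE), as an added Python example that is not part of this message or of hardening-includes: it classifies constructed readelf output, and run_readelf (an assumed helper name) applies the same check to a real binary through binutils' readelf.

```python
import re
import shutil
import subprocess

def check_hardening(readelf_out: str) -> dict:
    """Classify one binary from combined `readelf -hlds` text."""
    # PIE: an ET_DYN image that still has a PT_INTERP entry (a .so has none).
    is_dyn = re.search(r"^\s*Type:\s+DYN\b", readelf_out, re.M) is not None
    has_interp = re.search(r"^\s*INTERP\b", readelf_out, re.M) is not None
    # RELRO: a GNU_RELRO segment; BIND_NOW lets the loader make the GOT read-only too.
    relro = "GNU_RELRO" in readelf_out
    bind_now = re.search(r"\(FLAGS(_1)?\).*(BIND_NOW|\bNOW\b)", readelf_out) is not None
    # Stack protector: the canary-failure hook __stack_chk_fail is imported.
    stack_prot = "__stack_chk_fail" in readelf_out
    # FORTIFY_SOURCE: bounds-checked variants such as __printf_chk or __memcpy_chk.
    fortify = re.search(r"\b__\w+_chk\b", readelf_out) is not None
    return {"pie": is_dyn and has_interp, "relro": relro, "bind_now": bind_now,
            "stack_protector": stack_prot, "fortify": fortify}

def run_readelf(path: str) -> dict:
    """Check a real binary; needs binutils' readelf on PATH (assumed helper)."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf not found; install binutils")
    proc = subprocess.run(["readelf", "-hlds", path],
                          capture_output=True, text=True, check=True)
    return check_hardening(proc.stdout)

# Constructed readelf excerpt for a build with all hardening flags enabled.
SAMPLE_HARDENED = """
  Type:                              DYN (Shared object file)
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
  GNU_RELRO      0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
"""

# Constructed excerpt for the same program built without the hardening flags.
SAMPLE_PLAIN = """
  Type:                              EXEC (Executable file)
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
"""

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("plain", SAMPLE_PLAIN)):
        print(name, check_hardening(sample))
```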
