[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Switch on compiler hardening defaults

Hi Henrique,

On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> > That's certainly a viable plan.  This is kind of the approach we took in
> > Ubuntu for the PIE feature.  We also considered packages with a less than
> > stellar security history.  The list of packages built with PIE in Ubuntu
> > is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
> > 
> >  amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
> amavisd-new is perl, does that need PIE?  Or do you mean the C utilities
> (which are not network services but on the other hand are not
> performance-sensitive anyway so might as well enable it just in case)?

Right, though there are two ELFs in amavisd-new-milter.  PIE is not
the only benefit, it's just the only non-default hardening feature in
Ubuntu, so we had an explicit list of programs that we wanted to be more
complete with.

> Anyway, I'd appreciate a bug report against amavisd-new with whatever
> information is pertinent about PIE, if you guys want us to add it to the
> package.

I already opened it in August when I added the patch for it in Ubuntu.  :)

> > I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
> > for details, but a package trying to avoid the hardening flags could just
> > set DEB_BUILD_HARDENING=0 in debian/rules.
> Can we get a standard DEB_BUILD_OPTIONS while that is still possible?

DEB_BUILD_OPTIONS are external to the build, so I'm a bit unclear on the
benefit.  Usually it's just for doing specialize builds (like noopt,
nostrip) or tweaking build behavior (parallel=N).  I'd be happy to
implement the logic anyway, since it might help with debugging specific
build issues.  I actually did this (though there are no users of it) in
dpkg-buildpackage in Ubuntu:

  Additionally, when used with the hardening-wrapper package,
  the values "hardening" and "nohardening" will be converted into
  their respective DEB_BUILD_HARDENING values.  The "hardening"
  option can also  include (optionally  prefixed with "no") the
  following sub-options:  "stackprotector" "format" "fortify" "pie"
  "relro"   For example, DEB_BUILD_OPTIONS=hardening=nopie would cause
  DEB_BUILD_HARDENING_PIE=0 to be set, or DEB_BUILD_OPTIONS=nohardening
  would cause DEB_BUILD_HARDENING=0 to be set.

I could easily move this logic into hardening.make too.  Does that sound


Kees Cook                                            @debian.org

Reply to: