
Re: Switch on compiler hardening defaults



Hi Henrique,

On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> > That's certainly a viable plan.  This is kind of the approach we took in
> > Ubuntu for the PIE feature.  We also considered packages with a less than
> > stellar security history.  The list of packages built with PIE in Ubuntu
> > is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
> > 
> >  amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
> 
> amavisd-new is perl, does that need PIE?  Or do you mean the C utilities
> (which are not network services but on the other hand are not
> performance-sensitive anyway so might as well enable it just in case)?

Right, though there are two ELFs in amavisd-new-milter.  PIE is not
the only benefit, it's just the only non-default hardening feature in
Ubuntu, so we had an explicit list of programs that we wanted to be more
complete with.

> Anyway, I'd appreciate a bug report against amavisd-new with whatever
> information is pertinent about PIE, if you guys want us to add it to the
> package.

I already opened it in August when I added the patch for it in Ubuntu.  :)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542722

> > I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
> > for details, but a package trying to avoid the hardening flags could just
> > set DEB_BUILD_HARDENING=0 in debian/rules.
> 
> Can we get a standard DEB_BUILD_OPTIONS while that is still possible?

DEB_BUILD_OPTIONS are external to the build, so I'm a bit unclear on the
benefit.  Usually it's just for doing specialized builds (like noopt,
nostrip) or tweaking build behavior (parallel=N).  I'd be happy to
implement the logic anyway, since it might help with debugging specific
build issues.  I actually did this (though there are no users of it) in
dpkg-buildpackage in Ubuntu:

  Additionally, when used with the hardening-wrapper package,
  the values "hardening" and "nohardening" will be converted into
  their respective DEB_BUILD_HARDENING values.  The "hardening"
  option can also include (optionally prefixed with "no") the
  following sub-options: "stackprotector" "format" "fortify" "pie"
  "relro".  For example, DEB_BUILD_OPTIONS=hardening=nopie would cause
  DEB_BUILD_HARDENING_PIE=0 to be set, or DEB_BUILD_OPTIONS=nohardening
  would cause DEB_BUILD_HARDENING=0 to be set.

I could easily move this logic into hardening.make too.  Does that sound
good?

-Kees

-- 
Kees Cook                                            @debian.org
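The DEB_BUILD_OPTIONS translation described in the message, as an added POSIX sh example (not code from dpkg-buildpackage or hardening-wrapper). It assumes sub-options are comma-separated (hardening=nopie,relro) and uses a hypothetical function name; unknown sub-options are rejected rather than silently mapped to a variable.

```shell
#!/bin/sh
# Added example, not code from dpkg-buildpackage or hardening-wrapper:
# translate the "hardening"/"nohardening" DEB_BUILD_OPTIONS described
# in the message into the DEB_BUILD_HARDENING* variables it names.
# Assumption: sub-options are comma-separated (hardening=nopie,relro).

# Sub-options listed in the message; anything else is rejected.
HARDENING_SUBOPTS="stackprotector format fortify pie relro"

# hardening_from_build_options "OPTIONS"
# Prints one NAME=VALUE line per variable the options imply.
# Options unrelated to hardening (nostrip, parallel=N, ...) are ignored.
hardening_from_build_options() {
    for opt in $1; do
        case "$opt" in
            nohardening)
                echo "DEB_BUILD_HARDENING=0"
                ;;
            hardening)
                echo "DEB_BUILD_HARDENING=1"
                ;;
            hardening=*)
                echo "DEB_BUILD_HARDENING=1"
                for sub in $(printf '%s' "${opt#hardening=}" | tr ',' ' '); do
                    value=1
                    # A leading "no" disables the feature: nopie -> PIE=0
                    case "$sub" in
                        no?*) value=0; sub=${sub#no} ;;
                    esac
                    case " $HARDENING_SUBOPTS " in
                        *" $sub "*)
                            name=$(printf '%s' "$sub" | tr '[:lower:]' '[:upper:]')
                            echo "DEB_BUILD_HARDENING_${name}=${value}"
                            ;;
                        *)
                            echo "warning: unknown hardening sub-option '$sub'" >&2
                            ;;
                    esac
                done
                ;;
        esac
    done
    return 0
}

# Constructed sample value; a build would use "$DEB_BUILD_OPTIONS" instead,
# e.g. eval "$(hardening_from_build_options "$DEB_BUILD_OPTIONS")"
hardening_from_build_options "nostrip parallel=4 hardening=nopie,relro"
```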