Re: Switch on compiler hardening defaults

To: debian-devel@lists.debian.org
Subject: Re: Switch on compiler hardening defaults
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Fri, 25 Dec 2009 11:29:59 -0200
Message-id: <[🔎] 20091225132959.GA5891@khazad-dum.debian.net>
In-reply-to: <[🔎] 20091225003546.GA16532@outflux.net>
References: <20091025185525.GI6711@outflux.net> <4AEDD920.2060604@debian.org> <20091105044004.GL26691@outflux.net> <slrnhgoh2h.2es.jmm@inutil.org> <[🔎] 20091221023037.GR5396@outflux.net> <[🔎] 2fld428n6fb.fsf@login1.uio.no> <[🔎] 20091224083203.GG5353@outflux.net> <[🔎] 20091224172532.GA24627@khazad-dum.debian.net> <[🔎] 20091225003546.GA16532@outflux.net>

On Thu, 24 Dec 2009, Kees Cook wrote:
> > Anyway, I'd appreciate a bug report against amavisd-new with whatever
> > information is pertinent about PIE, if you guys want us to add it to the
> > package.
> 
> I already opened it in August when I added the patch for it in Ubuntu.  :)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542722

Ah, thanks.  I did a quick look for "PIE", but missed "hardening".  Either I
or Alexander will get to implementing it.

> > > I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
> > > for details, but a package trying to avoid the hardening flags could just
> > > set DEB_BUILD_HARDENING=0 in debian/rules.
> > 
> > Can we get a standard DEB_BUILD_OPTIONS while that is still possible?
> 
> DEB_BUILD_OPTIONS are external to the build, so I'm a bit unclear on the
> benefit.  Usually it's just for doing specialize builds (like noopt,
> nostrip) or tweaking build behavior (parallel=N).  I'd be happy to
> implement the logic anyway, since it might help with debugging specific
> build issues.  I actually did this (though there are no users of it) in
> dpkg-buildpackage in Ubuntu:

Methinks "harden" or "not-harden", overriding the default for the package
*is* a specialized build :)

>   Additionally, when used with the hardening-wrapper package,
>   the values "hardening" and "nohardening" will be converted into
>   their respective DEB_BUILD_HARDENING values.  The "hardening"
>   option can also  include (optionally  prefixed with "no") the
>   following sub-options:  "stackprotector" "format" "fortify" "pie"
>   "relro"   For example, DEB_BUILD_OPTIONS=hardening=nopie would cause
>   DEB_BUILD_HARDENING_PIE=0 to be set, or DEB_BUILD_OPTIONS=nohardening
>   would cause DEB_BUILD_HARDENING=0 to be set.
> 
> I could easily move this logic into hardening.make too.  Does that sound
> good?

I like it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Re: Switch on compiler hardening defaults
  - From: Kees Cook <kees@debian.org>
- Re: Switch on compiler hardening defaults
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: Switch on compiler hardening defaults
  - From: Kees Cook <kees@debian.org>
- Re: Switch on compiler hardening defaults
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Switch on compiler hardening defaults
  - From: Kees Cook <kees@debian.org>

Prev by Date: Processed: adjust severities
Next by Date: Re: Increasing developer productivity through tools
Previous by thread: Re: Switch on compiler hardening defaults
Next by thread: Re: Switch on compiler hardening defaults
Index(es):
- Date
- Thread