Re: Enabling hardened build flags for Wheezy

[Russ Allbery <rra@debian.org>]

Patrick Matthäi <pmatthaei@debian.org> writes:

> I fully support the hardening goal.
> May it be an option to add lintian errors (also non-fatal errors on
> ftp-master side) about missing-hardening-build in the future?

> It may be too late for Wheezy to force packages to build with hardened
> build flags, but we should start with it as soon as possible IMHO.

It's a little tricky because hardening-check is prone to false positives
(through no fault of its own; it's just a limitation of what one can
check).

For example:

windlord:~> hardening-check /usr/bin/remctl 
/usr/bin/remctl:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

but that binary is indeed stack-protected (built with the appropriate
options).  It just never allocates any substantial amount of data off the
stack, so there's non need to add the stack protection.

Fortify Source functions has a similar problem.  Not every function call
can be protected, so it's possible to have all of the calls in a
particular binary be ones that happen to not be protectable, and hence get
a false positive for a binary that's built properly.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>