[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Enabling hardened build flags for Wheezy

Am 29.02.2012 23:57, schrieb Russ Allbery:
> Patrick Matthäi <pmatthaei@debian.org> writes:
>> I fully support the hardening goal.
>> May it be an option to add lintian errors (also non-fatal errors on
>> ftp-master side) about missing-hardening-build in the future?
>> It may be too late for Wheezy to force packages to build with hardened
>> build flags, but we should start with it as soon as possible IMHO.
> It's a little tricky because hardening-check is prone to false positives
> (through no fault of its own; it's just a limitation of what one can
> check).
> For example:
> windlord:~> hardening-check /usr/bin/remctl 
> /usr/bin/remctl:
>  Position Independent Executable: no, normal executable!
>  Stack protected: no, not found!
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: yes
> but that binary is indeed stack-protected (built with the appropriate
> options).  It just never allocates any substantial amount of data off the
> stack, so there's non need to add the stack protection.
> Fortify Source functions has a similar problem.  Not every function call
> can be protected, so it's possible to have all of the calls in a
> particular binary be ones that happen to not be protectable, and hence get
> a false positive for a binary that's built properly.

That behavious is new for me, thanks for this usefull hint!

But maybe it still would be an option to add am lintian warning
(regarding your above arguments throwing an error would not be the right
solution) about "maybe-missing-hardening"?
The maintainer would be aware about this potential problem, check his
package and if it is realy a false positive he still could overwrite it.

What do you think?

Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: