Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
- To: 702349@bugs.debian.org
- Subject: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
- From: Török Edwin <edwin@skylable.com>
- Date: Wed, 15 Jul 2015 12:56:06 +0300
- Message-id: <55A62E36.3080303@skylable.com>
- Reply-to: Török Edwin <edwin@skylable.com>, 702349@bugs.debian.org
- In-reply-to: <52EFC6FB.2060101@debian.org>
- References: <CAF=n8MKDX0yQK9oOkUdRHnxRN7x_Ltgwif=zR3tNsg5R7bO-GA@mail.gmail.com> <513610B5.6090505@thykier.net> <51364E0D.3020205@crans.org> <20140106152438.GB31243@inutil.org> <52EFC6FB.2060101@debian.org> <52EFC6FB.2060101@debian.org>
On Mon, 03 Feb 2014 17:42:35 +0100 Stéphane Glondu <glondu@debian.org> wrote:
> On 06/01/2014 16:24, Moritz Muehlenhoff wrote:
> >> On 05/03/2013 16:35, Niels Thykier wrote:
> >>> Do ELF binaries produced by "pure" Ocaml have any distinct feature
> >>> that can be used to tell them apart from any other ELF binary?
> >>
> >> ELF binaries produced by the OCaml compiler always include a bit of C
> >> code (the runtime), so they are never actually "pure".
> >>
> >> I don't think that the lintian tag (whatever its level) should be
> >> removed at the moment. I am not planning to have a deeper look at this
> >> issue before next release or next debconf, though.
> >
> > Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
> > that while Ocaml packages produce ELF binaries they are not covered by
> > the hardening effort?
>
> I just did that.
>
> BTW, the OCaml build system is quite messy and it will take longer than
> expected to "fix" it for hardening...
>
The attached patch fixes some of the relro lintian warnings for the executables themselves, but these still remain for the .cmxs, .so and objinfo_helper:
W: ocaml-base: hardening-no-relro usr/lib/ocaml/graphics.cmxs
W: ocaml-base: hardening-no-relro usr/lib/ocaml/stublibs/dllgraphics.so
W: ocaml-nox: hardening-no-relro usr/lib/ocaml/objinfo_helper
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/bigarray.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/nums.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/str.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllbigarray.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllcamlstr.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllnums.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllunix.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllvmthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/unix.cmxs
FWIW 'hardening-check ocamlopt.opt' now says:
ocamlopt.opt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Although perhaps it'd be better to patch configure to include CCLINKFLAGS in $nativecclinkopts, in objinfo_helper's build command, and in the flag used for linking .so and .cmxs (haven't found its name yet though). What do you think?
diff -ru ../o/ocaml-4.02.1/debian/rules debian/rules
--- ../o/ocaml-4.02.1/debian/rules 2015-02-16 12:37:56.000000000 +0200
+++ debian/rules 2015-07-15 12:39:58.477250079 +0300
@@ -59,12 +59,18 @@
export OCAML_OPT_ARCH
export OCAML_STDLIB_DIR
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
+# for ocamlyacc
+export CCLINKFLAGS=$(LDFLAGS)
+
CONFIGURE_OPTS := \
--host $(DEB_BUILD_GNU_TYPE)\
--with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
-libdir $(DEB_TEST_BUILD_PREFIX)$(OCAML_STDLIB_DIR) \
-x11lib "$(shell pkg-config --variable=libdir x11)" \
-mandir $(DEB_TEST_BUILD_PREFIX)/usr/share/man \
+ -dllibs "$(LDFLAGS)"
CONFIGURE_SED := \
-e "/LIBBFD_LINK/s%-lbfd%-Wl,-Bstatic -lbfd -Wl,-Bdynamic%" \
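Review bot: the `-dllibs "$(LDFLAGS)"` line carries linker flags through a configure option whose name suggests a library list, and nothing in this hunk routes the flags to the link steps for the stub .so files, the .cmxs plugins or objinfo_helper, which matches the hardening-no-relro warnings that the message says remain. The `# for ocamlyacc` comment only explains the CCLINKFLAGS export; a sentence saying that `-dllibs` is being used as a workaround until configure honours CCLINKFLAGS in $nativecclinkopts would help the next maintainer. One smaller point: `LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` is a recursively expanded variable, so dpkg-buildflags runs on every expansion; `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)` placed after the `export DEB_BUILD_MAINT_OPTIONS` line evaluates it once.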
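To make the "Read-only relocations" and "Immediate binding" lines of the hardening-check output above concrete, here is an added example (not code from this bug thread, from lintian, hardening-check or OCaml) that reads the ELF64 program headers and dynamic section the way such tools do: RELRO is the presence of a PT_GNU_RELRO segment, immediate binding is a DT_BIND_NOW entry or the DF_BIND_NOW / DF_1_NOW flag, and the PIE line is the ET_DYN file type. The build_elf() helper is an assumption of this example: it constructs a minimal, non-runnable ELF image in memory so the parser can be exercised offline; the sample data is constructed, not taken from any OCaml binary.

```python
"""Report RELRO / BIND_NOW / PIE status of an ELF64 little-endian file by
inspecting its program headers and dynamic section. Added example for the
Debian bug thread; not code from lintian, hardening-check or OCaml."""
import struct

# ELF constants from the ELF and GNU ABI specifications
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def hardening_flags(data):
    """Return {'relro': bool, 'bindnow': bool, 'pie': bool} for ELF64 LE bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True  # loader remaps this range read-only after relocation
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bindnow = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bindnow = True  # all symbol bindings resolved at load time
    # ET_DYN marks a position-independent image; a shared library is also
    # ET_DYN, so this heuristic is only meaningful for executables.
    return {"relro": relro, "bindnow": bindnow, "pie": e_type == ET_DYN}


def describe(data):
    """Render the flags in the yes/no style of the hardening-check output."""
    f = hardening_flags(data)
    return [
        "Position Independent Executable: "
        + ("yes" if f["pie"] else "no, normal executable!"),
        "Read-only relocations: " + ("yes" if f["relro"] else "no, not found!"),
        "Immediate binding: " + ("yes" if f["bindnow"] else "no, not found!"),
    ]


def build_elf(relro, bindnow, pie):
    """Construct a minimal, non-runnable ELF64 image with the requested
    properties so the parser can be tested offline (constructed test data,
    hypothetical helper; assumption of this example)."""
    phnum = 3 if relro else 2
    dyn_off = EHDR.size + phnum * PHDR.size
    dyn = b""
    if bindnow:
        dyn += DYN.pack(DT_BIND_NOW, 0) + DYN.pack(DT_FLAGS, DF_BIND_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    # p_flags: 5 = R+X, 6 = R+W, 4 = R
    phdrs = PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, SysV
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_elf(relro=True, bindnow=True, pie=False)
    print("\n".join(describe(blob)))
```

Run with a file path to inspect a real ELF64 binary or shared object (the .cmxs and stublibs .so files from the warning list are ordinary ELF shared objects, so the same PT_GNU_RELRO check applies to them); with no argument it reports on the constructed image. Stack-protector and fortify detection need symbol-table inspection and are left out here.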