Bug#792502: ocaml: obey hardening LDFLAGS
Package: ocaml
Version: 4.01.0-5
Severity: minor
Tags: patch
Dear Maintainer,
See discussion on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702349
I am including a patch that enables the relro and bindnow hardening flags for
OCaml and packages compiled by ocaml.
I haven't submitted the patch upstream yet; there is only this bug report asking
for LDFLAGS, which has CCLINKFLAGS as the solution for ocamlyacc only:
http://caml.inria.fr/mantis/view.php?id=4698
There is also this bug about CFLAGS (which can be useful for hardening C stubs
perhaps?):
http://caml.inria.fr/mantis/view.php?id=3664
My patch simply sets CCLINKFLAGS based on LDFLAGS and includes CCLINKFLAGS into
MKEXE/MKDLL/MKMAINDLL, which AFAICT are the command lines used to build
executables and shared libraries by ocamlc/ocamlopt.
Should I submit the patch upstream, or would it require more modifications to
support Debian's hardening features?
Output of hardening-check before the patch:
/usr/bin/ocamlopt.opt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no, not found!
Output of hardening-check after the patch:
../ocamlopt.opt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Running lintian on the newly built packages doesn't show the hardening-no-relro
warning anymore:
$ lintian ../*.deb
W: ocaml-nox: binary-without-manpage usr/bin/ocamlbuild
W: ocaml-mode: binary-without-manpage usr/bin/ocamltags
N: 1 tag overridden (1 warning)
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages ocaml depends on:
ii libx11-dev 2:1.6.2-3
ii ocaml-base [ocaml-base-4.01.0] 4.01.0-5
ii ocaml-base-nox 4.01.0-5
ii ocaml-nox [ocaml-nox-4.01.0] 4.01.0-5
ocaml recommends no packages.
Versions of packages ocaml suggests:
ii tcl-dev 8.6.0+8
pn tk-dev <none>
-- no debconf information
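The hardening-check results quoted above can be reproduced by hand from readelf, which is useful when verifying the built packages, or binaries of packages that link with ocamlc/ocamlopt, on a machine without devscripts. The script below is an added example, not code from this bug report or from the ocaml package: the function names has_relro, has_bindnow and check_file are its own, readelf is the one shipped in binutils, and the readelf output samples are constructed for the demonstration rather than captured from ocamlopt.opt.

```shell
#!/bin/sh
# Added example (not part of the bug report or the ocaml package): reimplement
# the two hardening-check tests quoted in the report, "Read-only relocations"
# (relro) and "Immediate binding" (bindnow), from readelf output.
#
#   relro   : the binary carries a PT_GNU_RELRO program header     (readelf -lW)
#   bindnow : the dynamic section has DT_BIND_NOW, or the NOW bit
#             in DT_FLAGS / DT_FLAGS_1                              (readelf -dW)

# has_relro: reads `readelf -lW FILE` on stdin, prints yes or no.
has_relro() {
    if grep -q '^[[:space:]]*GNU_RELRO[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# has_bindnow: reads `readelf -dW FILE` on stdin, prints yes or no.
# Covers the three spellings readelf uses: a DT_BIND_NOW tag, BIND_NOW in
# DT_FLAGS, or the NOW bit in DT_FLAGS_1.
has_bindnow() {
    if grep -Eq '\(BIND_NOW\)|\(FLAGS\)[[:space:]].*BIND_NOW|\(FLAGS_1\)[[:space:]].*[[:space:]]NOW([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# check_file: run both tests against a real ELF file (needs binutils' readelf).
check_file() {
    printf '%s:\n' "$1"
    printf '  Read-only relocations: %s\n' "$(readelf -lW "$1" | has_relro)"
    printf '  Immediate binding: %s\n' "$(readelf -dW "$1" | has_bindnow)"
}

# Constructed sample program headers (not captured from a real binary): one
# binary linked with -Wl,-z,relro and one linked without it.
PHDRS_RELRO='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0009e4 0x0009e4 R E 0x200000
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1'
PHDRS_NORELRO='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0009e4 0x0009e4 R E 0x200000'

# Constructed sample dynamic sections: DT_BIND_NOW present, only the DT_FLAGS_1
# NOW bit present, and lazy binding (neither).
DYN_BINDNOW='Dynamic section at offset 0xe10 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'
DYN_FLAGS1='Dynamic section at offset 0xe10 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
DYN_LAZY='Dynamic section at offset 0xe10 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# Run the detection over the constructed samples; pass real file paths as
# arguments to inspect actual binaries with check_file.
printf 'relro   (with / without): %s / %s\n' \
    "$(printf '%s\n' "$PHDRS_RELRO" | has_relro)" \
    "$(printf '%s\n' "$PHDRS_NORELRO" | has_relro)"
printf 'bindnow (tag / flag / lazy): %s / %s / %s\n' \
    "$(printf '%s\n' "$DYN_BINDNOW" | has_bindnow)" \
    "$(printf '%s\n' "$DYN_FLAGS1" | has_bindnow)" \
    "$(printf '%s\n' "$DYN_LAZY" | has_bindnow)"
for f in "$@"; do check_file "$f"; done
```

Running it as `sh check-hardening.sh /usr/bin/ocamlopt.opt` prints the same two lines the report quotes from hardening-check; the grep patterns are anchored on readelf's tag names rather than on the hex values, so they hold for both 32-bit and 64-bit binaries.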
--- a/debian/patches/0010-Obey-ldflags.patch 1970-01-01 02:00:00.000000000 +0200
+++ b/debian/patches/0010-Obey-ldflags.patch 2015-07-15 15:59:20.600661858 +0300
@@ -0,0 +1,34 @@
+Description: use CCLINKFLAGS for linking all executables and shared libraries
+ This allows packagers to set additional linker flags for executables and shared
+ libraries created by OCaml, and for the OCaml tools themselves.
+ OCaml code can be linked with various C stubs and C libraries that would
+ benefit from using hardening link flags, such as -Wl,-z,relro.
+---
+
+Origin: other
+Bug-Debian: https://bugs.debian.org/702349
+Forwarded: no
+Last-Update: <2015-07-15>
+
+--- ocaml-4.02.1.orig/configure
++++ ocaml-4.02.1/configure
+@@ -739,6 +739,8 @@ if test $with_sharedlibs = "yes"; then
+ shared_libraries_supported=true;;
+ esac
+ fi
++mksharedlib="$mksharedlib $CCLINKFLAGS"
++mkexe="$mkexe $CCLINKFLAGS"
+
+ if test -z "$mkmaindll"; then
+ mkmaindll=$mksharedlib
+--- ocaml-4.02.1.orig/tools/Makefile.shared
++++ ocaml-4.02.1/tools/Makefile.shared
+@@ -278,7 +278,7 @@ beforedepend:: opnames.ml
+
+ objinfo_helper$(EXE): objinfo_helper.c ../config/s.h
+ $(BYTECC) -o objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \
+- objinfo_helper.c $(LIBBFD_LINK)
++ objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS)
+
+ OBJINFO=../compilerlibs/ocamlcommon.cma \
+ ../compilerlibs/ocamlbytecomp.cma \
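Review bot: the inner configure hunk appends $CCLINKFLAGS only to mksharedlib and mkexe, so mkmaindll only receives the flags through the `if test -z "$mkmaindll"; then mkmaindll=$mksharedlib` default visible just below; on any configuration where mkmaindll was already set before this point it is left without the hardening flags, even though the report describes CCLINKFLAGS as going into MKEXE/MKDLL/MKMAINDLL. Appending `$CCLINKFLAGS` to mkmaindll explicitly, after that default, closes the gap. Two DEP-3 header points: `Last-Update: <2015-07-15>` still has the template's angle brackets and should read `Last-Update: 2015-07-15`, and `Origin: other` with neither an Author field nor a URL leaves the patch unattributed, so add `Author:` or use `Origin: vendor`. Also, the inner diff is against ocaml-4.02.1 while the report is filed against 4.01.0-5 (Version field above), so it is worth stating which source the patch was tested against.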
diff -rNu ../o/ocaml-4.02.1/debian/patches/series debian/patches/series
--- a/debian/patches/series 2014-11-20 17:48:56.000000000 +0200
+++ b/debian/patches/series 2015-07-15 16:07:10.622247953 +0300
@@ -7,3 +7,4 @@
0007-Tune-resource-usage-of-some-tests.patch
0008-Native-backtraces-don-t-work-on-powerpc-and-sparc.patch
0009-Fix-asmcomp-tests-on-sparc.patch
+0010-Obey-ldflags.patch
--- a/debian/rules 2015-02-16 12:37:56.000000000 +0200
+++ b/debian/rules 2015-07-15 15:54:11.360881817 +0300
@@ -59,6 +59,9 @@
export OCAML_OPT_ARCH
export OCAML_STDLIB_DIR
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
+
CONFIGURE_OPTS := \
--host $(DEB_BUILD_GNU_TYPE)\
--with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
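Review bot: `export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` is a recursively expanded variable, so dpkg-buildflags is re-run every time make expands CCLINKFLAGS (including when it builds the environment for each recipe); `export CCLINKFLAGS := $(shell dpkg-buildflags --get LDFLAGS)` evaluates it once. The `export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` line must also precede every other dpkg-buildflags invocation in debian/rules (any CFLAGS/CPPFLAGS queries outside this hunk), otherwise those flags are computed without the bindnow option. Finally, because CCLINKFLAGS is exported into configure's environment and ends up in mkexe/mksharedlib, the relro and bindnow flags propagate to every package that links with ocamlc/ocamlopt, which is what the report intends; that change in link behaviour for reverse dependencies deserves a sentence in the changelog.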