Bug#834044: src:ocaml: ocaml does not appear to allow all hardening flags when building other projects
Package: src:ocaml
Version: 4.02.3-7
Severity: normal
Control: affects -1 sks
Hi there! I co-maintain sks, which is built with ocaml.
As a network-facing server that links to C libraries, i'd really like
to ensure that ASLR is possible. As a step on that path, i'd like to
clean up lintian's hardening-no-pie report for sks, at least for some
common platforms.
If i pass through all the build hardening flags [0] to ocamlc,
ocamlopt, or ocamlmklib, i find i'm unable to successfully build sks
with position-independent code.
In particular, i see errors like the following:
[…]
ocamlopt -o sks -I lib -I bdb -I +cryptokit -ccopt -g -ccopt -O2 -ccopt -fdebug-prefix-map=/home/dkg/src/sks/sks=. -ccopt -fPIE -ccopt -fstack-protector-strong -ccopt -Wformat -ccopt -Werror=format-security -ccopt -O3 -ccopt -Werror-implicit-function-declaration -ccopt -I`ocamlc -ccopt -where` -ccopt -I -ccopt . -ccopt -fPIE -ccopt -pie -ccopt -Wl,-z,relro -ccopt -Wl,-z,now -ccopt -Lbdb -dtypes -inline 40 unix.cmxa str.cmxa bdb.cmxa nums.cmxa bigarray.cmxa cryptokit.cmxa crc.o pSet.cmx pMap.cmx utils.cmx heap.cmx mList.cmx mTimer.cmx mArray.cmx settings.cmx pstyle.cmx getfileopts.cmx common.cmx channel.cmx eventloop.cmx ehandlers.cmx bitstring.cmx meteredChannel.cmx number.cmx prime.cmx zZp.cmx rMisc.cmx linearAlg.cmx poly.cmx decode.cmx fqueue.cmx prefixTree.cmx msgContainer.cmx nbMsgContainer.cmx cMarshal.cmx reconMessages.cmx server.cmx client.cmx reconCS.cmx number_test.cmx decode_test.cmx poly_test.cmx Unique_time.cmx version.cmx packet.cmx parsePGP.cmx sStream.cmx bdbwrap.cmx key.cmx keyHash.cmx keyMerge.cmx fixkey.cmx fingerprint.cmx keydb.cmx armor.cmx dbMessages.cmx htmlTemplates.cmx wserver.cmx membership.cmx tester.cmx request.cmx stats.cmx index.cmx mRindex.cmx pTreeDB.cmx sendmail.cmx recvmail.cmx mailsync.cmx clean_keydb.cmx build.cmx fastbuild.cmx pbuild.cmx merge_keyfiles.cmx sksdump.cmx incdump.cmx dbserver.cmx reconComm.cmx recoverList.cmx catchup.cmx reconserver.cmx update_subkeys.cmx sks_do.cmx unit_tests.cmx sks.cmx
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/lib/ocaml/libasmrun.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
File "caml_startup", line 1:
Error: Error during linking
Makefile:180: recipe for target 'sks' failed
I don't know where the report "ld: cannot find ." comes from (or what
it means) at all.
And interestingly, ocaml ships a /usr/lib/ocaml/libasmrun_pic.a, which
it seems should be chosen instead of /usr/lib/ocaml/libasmrun.a
if the goal is to link a position-independent executable.
If you'd like to reproduce these errors, you can try from the sks git
repo:
git clone https://anonscm.debian.org/git/pkg-sks/pkg-sks.git -b try-hardening sks
cd sks
dpkg-buildpackage -uc -us
If you see a way to resolve the issue in sks directly, feel free to
note it here and reassign this bug report to sks.
If it's something to be fixed in ocaml itself, i'd be happy to know
that too.
Regards,
--dkg
[0] passing the build hardening flags through to ocaml with sks is
done with steps like:
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
and then during make:
CAMLCFLAGS=$(foreach x, $(CFLAGS), -ccopt $(x))
[…]
ocamlopt -o sks $(CAMLCFLAGS) $(OBJS) sks.cmx
specifically, see:
https://anonscm.debian.org/git/pkg-sks/pkg-sks.git/commit/?h=try-hardening&id=6c14e206b9e494f191afa2b7179053f261090883
-- System Information:
Debian Release: stretch/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
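As an added example (not code from the sks package or from the OCaml project), the script below passes the Debian hardening flags to ocamlopt as -ccopt pairs, the way the footnote's $(foreach ...) does, and additionally asks for the _pic runtime variant so that libasmrun_pic.a rather than libasmrun.a is linked; it then checks whether the result is a PIE. It assumes ocamlopt's -runtime-variant option (which appends a suffix to the runtime library name), and that dpkg-buildflags and readelf are available; hello.ml is a constructed sample program.

```shell
#!/bin/sh
# Added example, not the sks build system: link an OCaml native program with
# the dpkg hardening flags and the position-independent runtime library.
set -eu

# Turn a whitespace-separated flag string into "-ccopt <flag>" pairs, the
# same transformation the reporter's $(foreach x,$(CFLAGS),-ccopt $(x)) does.
ccopts() {
    out=""
    for x in $1; do
        out="$out -ccopt $x"
    done
    printf '%s' "${out# }"
}

# Flags for a PIE link: compiler and linker hardening flags as -ccopt pairs,
# plus -runtime-variant _pic (assumed ocamlopt option) so that ocamlopt links
# libasmrun_pic.a instead of the non-PIC libasmrun.a.
pie_link_flags() {
    printf '%s %s -runtime-variant _pic' "$(ccopts "$1")" "$(ccopts "$2")"
}

# True when the ELF file is a position-independent executable:
# ET_DYN type together with a PT_INTERP program header.
is_pie() {
    readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN' &&
    readelf -l "$1" 2>/dev/null | grep -q 'INTERP'
}

# Only attempt a real build where the toolchain is present.
if command -v ocamlopt >/dev/null 2>&1 && command -v dpkg-buildflags >/dev/null 2>&1; then
    export DEB_BUILD_MAINT_OPTIONS=hardening=+all
    CFLAGS=$(dpkg-buildflags --get CFLAGS)
    LDFLAGS=$(dpkg-buildflags --get LDFLAGS)
    printf 'let () = print_endline "hello"\n' > hello.ml   # constructed sample
    # shellcheck disable=SC2046
    ocamlopt -o hello $(pie_link_flags "$CFLAGS" "$LDFLAGS") hello.ml
    if is_pie ./hello; then echo "hello is a PIE"; else echo "hello is NOT a PIE"; fi
fi
```

Without the _pic variant, the linker would still pull the non-PIC objects from libasmrun.a and fail with the R_X86_64_32 relocation error shown above.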