Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

To: Niels Thykier <niels@thykier.net>
Cc: "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>, debian-policy@lists.debian.org
Subject: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
From: Bálint Réczey <balint@balintreczey.hu>
Date: Sun, 15 May 2016 21:45:55 +0200
Message-id: <[🔎] CAK0Odpz148VAtR4mSh3gWUmnjnGToaAJbeDWfa7NmZBBO0O_1Q@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] 5738C4C2.6020907@thykier.net>
References: <[🔎] CAK0Odpw3LjhZdAqOBvo91Vv5O4DzpzR23_zHxLYdux5OvNGRXw@mail.gmail.com> <[🔎] 5738C4C2.6020907@thykier.net>

Hi Niels,

2016-05-15 20:49 GMT+02:00 Niels Thykier <niels@thykier.net>:
> Bálint Réczey:
>> Hi,
>>
>> [...]
>>
>
> Hi,
>
>> I think making PIE and bindnow default in dpkg (at least for amd64) would be
>> perfect release goals for Stretch.
>>
>
> I support the end goal, but I suspect we should enable PIE by default
> via GCC-6's new configure switch[1].  Assuming it does what I hope, then
> it will work better than enabling PIE via dpkg-buildflags.
>
>  * The major issue with PIE by default is that it is not compatible
>    with -fPIC (and presumably also -static), which causes FTBFS or
>    broken ELF binaries.
>
>  * Assuming the GCC option does what I hope, then it would automatically
>    disable PIE for irrelevant outputs.
>
> My assumption seems to be aligned with the approach taking by Ubuntu.

I agree that it would be the easier way and I also tried building packages with
patched GCC 5 setting PIE as default with success, but we have a CTTE
decision which says that we should set hardening flags through dpkg:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

>
>> This would make Debian on par with Fedora and Ubuntu in that regard.
>>
>
> FTR, Fedora seems to have some special logic for adding PIE only to
> executables.
>
>> We briefly discussed that with Guillem in a related bug report:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>>
>> I think the next step could be an archive rebuild with the changed defaults
>> if we would like to pursue this:
>> https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>>
>> I planned starting a discussion on debian-devel about PIE + bindnow,
>> too, after checking
>> all the packages which contain statically compiled binaries because
>> they may need patching
>> to disable PIE flags based on Lunar's post:
>> https://people.debian.org/~lunar/blog/posts/aslr_now/
>>
>> Cheers,
>> Balint
>>
>>>[...]
>
> In summary:
>
>  * I would welcome bindnow by default via dpkg-buildflags.
>
>  * I would also love to have PIE as default for Stretch although I fear
>    dpkg-buildflags is the wrong approach for that particular flag.

I would be happy with either of the approaches.

Cheers,
Balint

>
> Thanks,
> ~Niels
>
> [1] https://gcc.gnu.org/gcc-6/changes.html
>
> """The --enable-default-pie configure option enables generation of PIE
> by default."""

Reply to:

Follow-Ups:
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Iustin Pop <iustin@debian.org>
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Guillem Jover <guillem@debian.org>

References:
- PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Next by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Previous by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Next by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Index(es):
- Date
- Thread