
Bug#561887: more hardening, offload PIE build-time logic



Package: openssh
Version: 1:5.1p1-8
Severity: wishlist
Tags: patch

Since openssh is the duly designated PIE testing package, I have an update
for how PIE (and other hardening options) can be applied to the openssh
build.  This is based on the logic developed for the hardening-wrapper,
but instead produces Makefile variables that can be used in the build's
CFLAGS and LDFLAGS, available in the new binary package
"hardening-includes".

The primary benefit here is that this lets us centralize the arch-specific
logic needed to tune the hardening compiler flags.  (To that end, I
double-checked the mips(el) issues with PIE/PIC, and it wasn't clear if
PIC needed to be explicitly added to PIE or not.  As such, I left that
portion out of the general include, and left it as-is in openssh.)

On to the patch!  Hopefully this makes sense.  Another benefit is
gaining the other hardening options (fortify source, relro, bindnow).

Let me know if the design could be improved or if you see any other
deficiencies.

Thanks,

-Kees

-- 
Kees Cook                                            @debian.org
diff -u openssh-5.1p1/debian/control openssh-5.1p1/debian/control
--- openssh-5.1p1/debian/control
+++ openssh-5.1p1/debian/control
@@ -2,7 +2,7 @@
 Section: net
 Priority: standard
 Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.0.1), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sh4 sparc], libkrb5-dev | heimdal-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.0.1), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sh4 sparc], libkrb5-dev | heimdal-dev, hardening-includes
 Standards-Version: 3.7.3
 Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org>
 
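Review bot: the new hardening-includes Build-Depends carries no version constraint, yet debian/rules hard-codes the path /usr/share/hardening-includes/hardening.make and the HARDENING_CFLAGS/HARDENING_LDFLAGS names it provides; pin it to the first version that ships that file, e.g. `hardening-includes (>= <first version shipping hardening.make>)`, so a buildd with a stale package fails at dependency resolution rather than with a make include error.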
diff -u openssh-5.1p1/debian/changelog openssh-5.1p1/debian/changelog
--- openssh-5.1p1/debian/changelog
+++ openssh-5.1p1/debian/changelog
@@ -1,3 +1,9 @@
+openssh (1:5.1p1-9) unstable; urgency=low
+
+  * debian/{rules,control}: use hardening-includes for hardening logic.
+
+ -- Kees Cook <kees@debian.org>  Sun, 20 Dec 2009 03:46:41 -0800
+
 openssh (1:5.1p1-8) unstable; urgency=low
 
   * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi;
diff -u openssh-5.1p1/debian/rules openssh-5.1p1/debian/rules
--- openssh-5.1p1/debian/rules
+++ openssh-5.1p1/debian/rules
@@ -3,6 +3,8 @@
 # Uncomment this to turn on verbose mode.
 # export DH_VERBOSE=1
 
+include /usr/share/hardening-includes/hardening.make
+
 # This has to be exported to make some magic below work.
 export DH_OPTIONS
 
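Review bot: the include is placed at the top of debian/rules before any architecture variables are set, while the PIC block later in this file keys on `$(DEB_HOST_ARCH_CPU)`; if hardening.make selects its flags by DEB_HOST_ARCH* it needs those defined first, so either confirm that hardening.make runs dpkg-architecture itself or move the include below the point where they are exported.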
@@ -44,12 +46,6 @@
     PIC_CFLAGS := -fPIC
     PIC_LDFLAGS := -fPIC
   endif
-  ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:mips:mipsel:))
-    # Use position-independent executables to take advantage of address space
-    # layout randomisation. TODO: This should be done in configure.
-    PIE_CFLAGS := -fPIE
-    PIE_LDFLAGS := -fPIE -pie
-  endif
 endif
 
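Review bot: the removed block is where the hppa/m68k/mips/mipsel PIE exclusion lived, and the 1:5.1p1-8 changelog entry in this same patch records that mips/mipsel must get only -fPIC; since PIC_CFLAGS stays in openssh but the exclusion moves to hardening.make, confirm that hardening.make omits -fPIE/-pie on those four architectures, otherwise the combined `$(PIC_CFLAGS) $(HARDENING_CFLAGS)` reintroduces the `-fPIC -fPIE` pairing that -8 removed. The `TODO: This should be done in configure` comment is dropped as well; if it still applies, keep it next to the new include.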
 # Change the version string to include the Debian version
@@ -100,7 +96,7 @@
 confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 # Compiler flags.
-cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(PIE_CFLAGS)
+cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS)
 cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
 cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
 cflags_udeb := -Os
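Review bot: HARDENING_CFLAGS is appended after `$(OPTFLAGS)`, so when OPTFLAGS is -O0 (DEB_BUILD_OPTIONS=noopt) a -D_FORTIFY_SOURCE=2 in it does nothing and glibc warns that fortification requires optimisation; handle that case (drop the define under noopt, or document it). Also `cflags_udeb := -Os` is untouched, so the udeb build still gets none of the hardening flags; state whether that is intentional.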
@@ -109,8 +105,8 @@
 confflags_udeb += --with-cflags='$(cflags_udeb)'
 
 # Linker flags.
-ifneq ($(PIC_LDFLAGS)$(PIE_LDFLAGS),)
-confflags += --with-ldflags='$(strip $(PIC_LDFLAGS) $(PIE_LDFLAGS))'
+ifneq ($(PIC_LDFLAGS)$(HARDENING_LDFLAGS),)
+confflags += --with-ldflags='$(strip $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))'
 endif
 
 build: build-deb build-udeb
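Review bot: only `confflags` receives `--with-ldflags`, so the udeb link step gets no relro/bindnow either; that matches the unhardened udeb cflags above, but a one-line comment in the linker-flags block saying so would stop it being filed as a regression later.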

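As an added example (not part of Kees's patch nor of hardening-includes), here is a small Python checker that reads ELF headers to confirm that the PIE, relro and bindnow flags actually reached a built binary, e.g. `check_hardening(open("/usr/sbin/sshd", "rb").read())`; `build_sample` fabricates a minimal ELF image purely so the checker can be exercised offline.

```python
import struct

# ELF constants (System V ABI / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 30, 0x6FFFFFFB, 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected an ELF64 little-endian image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = has_interp = False
    dyn_off = dyn_size = 0
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        relro |= p_type == PT_GNU_RELRO        # -Wl,-z,relro segment present
        has_interp |= p_type == PT_INTERP      # loader requested: an executable, not a plain .so
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_filesz
    flags = flags1 = 0
    for off in range(dyn_off, dyn_off + dyn_size, 16):   # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        flags = d_val if d_tag == DT_FLAGS else flags
        flags1 = d_val if d_tag == DT_FLAGS_1 else flags1
    return {
        "pie": e_type == ET_DYN and has_interp,             # -fPIE -pie
        "relro": relro,                                     # -Wl,-z,relro
        "bind_now": bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW),  # -Wl,-z,now
    }

def build_sample(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-runnable ELF64 image carrying only the headers read above."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    types = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)                          # ehdr, phdrs, then .dynamic
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(types), 64, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 0, dyn_off, 0, 0, len(dyn), len(dyn), 0)
        if t == PT_DYNAMIC else struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
        for t in types)
    return ehdr + phdrs + dyn
```

Fortify-source is not covered here: it shows up as `__*_chk` entries in the dynamic symbol table rather than in the headers parsed above.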