Package: policycoreutils
Version: 2.1.10-5
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing in multiple places because the
build system ignores them; CPPFLAGS is completely ignored.

Together, the following change _and_ the attached patch fix the issue. They also
enable all hardening options, which some files already used - this enables
them for the complete package.

diff -Nru policycoreutils-2.1.10/debian/rules 
policycoreutils-2.1.10/debian/rules
--- policycoreutils-2.1.10/debian/rules 2012-03-06 10:38:57.000000000 +0100
+++ policycoreutils-2.1.10/debian/rules 2012-03-23 01:58:12.000000000 +0100
@@ -10,6 +10,14 @@
 #export SHLIBDIR=$${DESTDIR}/lib/${DEB_HOST_MULTIARCH}
 #export LIBBASE=lib/${DEB_HOST_MULTIARCH}
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags. dpkg_buildflags is necessary because $(shell ..)
+# doesn't use local environment variables.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) 
dpkg-buildflags
+export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)
+
 %:
        dh $@ --with python2
 
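Review bot: `export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)` uses the recursive `=` flavour, so dpkg-buildflags is re-run every time the variable is expanded; evaluating it once at parse time is the usual pairing for `$(shell …)`: `export DEB_CFLAGS_MAINT_APPEND := $(shell $(dpkg_buildflags) --get CPPFLAGS)`. The `dpkg_buildflags = …` assignment is shown split across two lines in the mail body, with `dpkg-buildflags` on a line of its own, which is not valid on its own in a makefile — this looks like a mail wrap, so the attached patch rather than this quotation should be applied. Since the CPPFLAGS output is appended to CFLAGS for every compilation unit, the build log check the report recommends is the right way to confirm that `-D_FORTIFY_SOURCE` actually reaches each compiler invocation (it is presumably only effective together with the optimisation level dpkg-buildflags puts in CFLAGS, so a Makefile that resets CFLAGS would defeat it).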

To check whether all flags were enabled correctly, you can use
`hardening-check` from the hardening-includes package and inspect
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/sbin/restorecond /usr/sbin/setsebool /usr/sbin/semodule ...
    /usr/sbin/restorecond:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/sbin/setsebool:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    /usr/sbin/semodule:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    ...

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-03-23

Index: policycoreutils-2.1.10/setfiles/Makefile
===================================================================
--- policycoreutils-2.1.10.orig/setfiles/Makefile	2012-03-23 02:05:07.981390480 +0100
+++ policycoreutils-2.1.10/setfiles/Makefile	2012-03-23 02:05:09.677390546 +0100
@@ -5,7 +5,7 @@
 LIBDIR ?= $(PREFIX)/lib
 AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
 
-CFLAGS = -g -Werror -Wall -W
+CFLAGS += -g -Werror -Wall -W
 override CFLAGS += -I$(PREFIX)/include
 LDLIBS = -lselinux -lsepol -L$(LIBDIR)
 
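Review bot: `CFLAGS += -g -Werror -Wall -W` picks up CFLAGS from the environment as intended, but a CFLAGS given on the make command line (`make CFLAGS=…`) overrides a plain `+=`, silently dropping `-Werror -Wall -W`; the line directly below already uses `override CFLAGS +=` for the include path, so the same form keeps the warning flags in every case: `override CFLAGS += -g -Werror -Wall -W`. The same applies to `CFLAGS += -Werror -Wall -W` in the sestatus/Makefile hunk. Note also that `-Werror` now governs the combined flag set, so any additional diagnostics the hardening flags from dpkg-buildflags produce (format or fortify warnings, for example) would become build failures — another reason to read the build log as the report suggests.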
Index: policycoreutils-2.1.10/sestatus/Makefile
===================================================================
--- policycoreutils-2.1.10.orig/sestatus/Makefile	2012-03-23 02:05:07.981390480 +0100
+++ policycoreutils-2.1.10/sestatus/Makefile	2012-03-23 02:05:09.677390546 +0100
@@ -5,7 +5,7 @@
 ETCDIR ?= $(DESTDIR)/etc
 LIBDIR ?= $(PREFIX)/lib
 
-CFLAGS = -Werror -Wall -W
+CFLAGS += -Werror -Wall -W
 override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
 LDLIBS = -lselinux -L$(LIBDIR)
 
