Am 07.11.20 um 11:00 schrieb Chris Lamb:
Hi Bernhard,
I guess attached patch would at least remove the embedded
build path from the files, which is mentioned in [2] too.
Thanks for working on this. Looking at your solution though, I believe
it implies that CFLAGS set by the dpkg-buildflags mechanism are not
being used in rr's build system.
Fixing this more general problem would resolve the reproducibility
issue, as it would imply -ffile-prefix-map and friends. It would also
solve other future problems too, so I don't think this patch is ready
to be applied as it stands.
IIRC CMake can be a bit of a pain with respecting flags, so just in
case it helps, there is some info here:
https://wiki.debian.org/Hardening
Regards,
Hell Chris,
thanks for looking into it. As I am not really sure what the hardening flags
have to look like in our case below some more details.
Are they at amd64 just what is returned by e.g. `dpkg-buildflags --get CFLAGS`
[1] ?
If yes, then they are already applied to the compilation of the .c files
and to the linking step (Command lines from a build inside amd64 testing [2]).
For these I added the -ffile-prefix-map additionally to the -fdebug-prefix-map.
That raises the question if the -fdebug should be replaced by -ffile
in the hardening flags globally? [5]
This might be needed here because __FILE__ is concatenated
with some other string constants [4].
Using -ffile-prefix-map without the -fdebug-prefix-map makes the
embedded build path disappear, too.
The other part is the compilation of the .S files.
I assume they are using e.g. -fno-stack-protector on purpose, therefore
using the hardening flags on them might break them?
Therefore I just tried adding the -Wa,--debug-prefix-map and
the embedded build path disappeared.
Kind regards,
Bernhard
[1]
benutzer@debian:~/source/rr/try1/rr-5.4.0$ dpkg-buildflags --get CPPFLAGS
-Wdate-time -D_FORTIFY_SOURCE=2
benutzer@debian:~/source/rr/try1/rr-5.4.0$ dpkg-buildflags --get CFLAGS
-g -O2 -fdebug-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=.
-fstack-protector-strong -Wformat -Werror=format-security
benutzer@debian:~/source/rr/try1/rr-5.4.0$ dpkg-buildflags --get CXXFLAGS
-g -O2 -fdebug-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=.
-fstack-protector-strong -Wformat -Werror=format-security
benutzer@debian:~/source/rr/try1/rr-5.4.0$ dpkg-buildflags --get LDFLAGS
-Wl,-z,relro
[2]
benutzer@debian:~/source/rr/try1/rr-5.4.0$ script -a ../build.log -c
"dpkg-buildpackage -uc"
...
cd build && cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=None
-DCMAKE_INSTALL_SYSCONFDIR=/etc -DCMAKE_INSTALL_LOCALSTATEDIR=/var
-DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_FIND_PACKAGE_NO_PACKAGE_REGISTRY=ON
-DCMAKE_INSTALL_RUNSTATEDIR=/run -DCMAKE_SKIP_INSTALL_ALL_DEPENDENCY=ON "-GUnix
Makefiles" -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_INSTALL_LIBDIR=lib/x86_64-linux-gnu ..
...
/usr/bin/cc -DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -fPIC -Wall -Wextra -UDEBUG -DNDEBUG
-fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/syscall_hook.S
/usr/bin/cc -DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -g -O2
-fdebug-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=. -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -D__USE_LARGEFILE64
-pthread -msse2 -D__MMX__ -D__SSE__ -D__SSE2__ -Wstrict-prototypes -std=gnu11 -pthread
-fPIC -Wall -Wextra -UDEBUG -DNDEBUG -fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/syscallbuf.c
/usr/bin/cc -DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -fPIC -Wall -Wextra -UDEBUG -DNDEBUG
-fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/raw_syscall.S
/usr/bin/cc -DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -g -O2
-fdebug-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=. -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -D__USE_LARGEFILE64
-pthread -msse2 -D__MMX__ -D__SSE__ -D__SSE2__ -Wstrict-prototypes -std=gnu11 -pthread
-fPIC -Wall -Wextra -UDEBUG -DNDEBUG -fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/overrides.c.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/overrides.c
/usr/bin/cc -fPIC -g -O2
-fdebug-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -D__USE_LARGEFILE64 -pthread -msse2 -D__MMX__ -D__SSE__
-D__SSE2__ -Wstrict-prototypes -std=gnu11 -pthread -nostartfiles -fuse-ld=bfd
-Wl,-z,relro -Wl,-z,now -shared -Wl,-soname,librrpreload.so -o
lib/rr/librrpreload.so CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o
CMakeFiles/rrpreload.dir/src/preload/overrides.c.o -ldl
...
benutzer@debian:~/source/rr/try1/rr-5.4.0$ cd build
benutzer@debian:~/source/rr/try1/rr-5.4.0/build$ grep -c /home/benutzer
lib/rr/librrpreload.so CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o
CMakeFiles/rrpreload.dir/src/preload/overrides.c.o
lib/rr/librrpreload.so:15
CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o:3
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o:10
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o:3
CMakeFiles/rrpreload.dir/src/preload/overrides.c.o:0
[3]
benutzer@debian:~/source/rr/try1/rr-5.4.0/build$ /usr/bin/cc
-Wa,--debug-prefix-map,/home/benutzer/source/rr/try1/rr-5.4.0=.
-DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -fPIC -Wall -Wextra -UDEBUG -DNDEBUG
-fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/syscall_hook.S
benutzer@debian:~/source/rr/try1/rr-5.4.0/build$ /usr/bin/cc
-Wa,--debug-prefix-map,/home/benutzer/source/rr/try1/rr-5.4.0=.
-DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -fPIC -Wall -Wextra -UDEBUG -DNDEBUG
-fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/raw_syscall.S
benutzer@debian:~/source/rr/try1/rr-5.4.0/build$ /usr/bin/cc
-DRR_VERSION=\"5.4.0\" -Drrpreload_EXPORTS
-I/home/benutzer/source/rr/try1/rr-5.4.0/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/proc-service
-I/home/benutzer/source/rr/try1/rr-5.4.0/third-party/brotli/include
-I/home/benutzer/source/rr/try1/rr-5.4.0/build -g -O2
-ffile-prefix-map=/home/benutzer/source/rr/try1/rr-5.4.0=. -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -D__USE_LARGEFILE64
-pthread -msse2 -D__MMX__ -D__SSE__ -D__SSE2__ -Wstrict-prototypes -std=gnu11 -pthread
-fPIC -Wall -Wextra -UDEBUG -DNDEBUG -fno-stack-protector -g3 -U_FORTIFY_SOURCE -o
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o -c
/home/benutzer/source/rr/try1/rr-5.4.0/src/preload/syscallbuf.c
benutzer@debian:~/source/rr/try1/rr-5.4.0/build$ grep -c /home/benutzer
lib/rr/librrpreload.so CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o
CMakeFiles/rrpreload.dir/src/preload/overrides.c.olib/rr/librrpreload.so:15
CMakeFiles/rrpreload.dir/src/preload/syscall_hook.S.o:0
CMakeFiles/rrpreload.dir/src/preload/syscallbuf.c.o:0
CMakeFiles/rrpreload.dir/src/preload/raw_syscall.S.o:0
CMakeFiles/rrpreload.dir/src/preload/overrides.c.o:0
[4]
benutzer@debian:~/source/rr/try1/rr-5.4.0$ grep __FILE__
src/preload/syscallbuf.c
logmsg(__FILE__ ":" STR(__LINE__) ": Assertion `" #cond "'
failed.\n"); \
logmsg(__FILE__ ":" STR(__LINE__) ": Fatal error: " msg "\n");
\
[5]
https://gcc.gnu.org/onlinedocs/gcc/Overall-Options.html
-ffile-prefix-map=old=new
When compiling files residing in directory old, record any references
to them in the
result of the compilation as if the files resided in directory new
instead.
Specifying this option is equivalent to specifying all the individual
-f*-prefix-map options.
This can be used to make reproducible builds that are location
independent.
See also -fmacro-prefix-map and -fdebug-prefix-map.
