The following commit has been merged in the master branch:
commit f3bb7d4939ae95cf44c89e8f599e7ed5da431e57
Author: Raphaël Hertzog <hert...@debian.org>
Date:   Wed Jul 27 22:10:49 2011 +0200

    dpkg-buildflags: emit hardening build flags by default
    
    All the hardening build flags supported by hardening-includes
    are supported except that PIE is not enabled by default (just like
    the corresponding gcc patch doesn't enable it by default).
    
    Inspired by the work of Kees Cook <k...@debian.org>.

diff --git a/debian/changelog b/debian/changelog
index 06d7dbb..977d27d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -102,6 +102,9 @@ dpkg (1.16.1) UNRELEASED; urgency=low
   * Fix dpkg's handling of a hardlink pointing to a conffile. Closes: #638291
   * Add example of extend-diff-ignore's usage in dpkg-source(1).
     Closes: #640198
+  * dpkg-buildflags now returns hardening flags by default. Closes: #489771
+    They can be individually enabled/disabled via DEB_BUILD_MAINT_OPTIONS,
+    see dpkg-buildflags(1). Thanks to Kees Cook for his help.
 
   [ Guillem Jover ]
   * Install deb-src-control(5) man pages in dpkg-dev. Closes: #620520
diff --git a/scripts/Dpkg/BuildFlags.pm b/scripts/Dpkg/BuildFlags.pm
index 9bc473a..6112a9f 100644
--- a/scripts/Dpkg/BuildFlags.pm
+++ b/scripts/Dpkg/BuildFlags.pm
@@ -84,6 +84,7 @@ sub load_vendor_defaults {
        FFLAGS   => 'vendor',
        LDFLAGS  => 'vendor',
     };
+    # The Debian vendor hook will add hardening build flags
     run_vendor_hook("update-buildflags", $self);
 }
 
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 2cc2c78..54f406c 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -1,4 +1,8 @@
-# Copyright © 2009 Raphaël Hertzog <hert...@debian.org>
+# Copyright © 2009-2011 Raphaël Hertzog <hert...@debian.org>
+#
+# Hardening build flags handling derived from work of:
+# Copyright © 2009-2011 Kees Cook <k...@debian.org>
+# Copyright © 2007-2008 Canonical, Ltd.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,8 +25,13 @@ use warnings;
 our $VERSION = "0.01";
 
 use base qw(Dpkg::Vendor::Default);
+
+use Dpkg::Gettext;
+use Dpkg::ErrorHandling;
 use Dpkg::Control::Types;
 use Dpkg::Vendor::Ubuntu;
+use Dpkg::BuildOptions;
+use Dpkg::Arch qw(get_host_arch debarch_to_debtriplet);
 
 =encoding utf8
 
@@ -62,9 +71,86 @@ sub run_hook {
        foreach my $bug (@$b) {
            $$textref .= "Bug-Ubuntu: https://bugs.launchpad.net/bugs/$bug\n";;
        }
+    } elsif ($hook eq "update-buildflags") {
+       $self->add_hardening_flags(@params);
     } else {
         return $self->SUPER::run_hook($hook, @params);
     }
 }
 
+sub add_hardening_flags {
+    my ($self, $flags) = @_;
+    my $arch = get_host_arch();
+    my ($abi, $os, $cpu) = debarch_to_debtriplet($arch);
+
+    # Decide what's enabled
+    my %use_feature = (
+       "pie" => 0,
+       "stackprotector" => 1,
+       "fortify" => 1,
+       "format" => 1,
+       "relro" => 1,
+       "bindnow" => 1
+    );
+    my $opts = Dpkg::BuildOptions->new(envvar => "DEB_BUILD_MAINT_OPTIONS");
+    foreach my $feature (split(",", $opts->get("hardening") // "")) {
+       $feature = lc($feature);
+       if ($feature =~ s/^([+-])//) {
+           my $value = ($1 eq "+") ? 1 : 0;
+           if ($feature eq "all") {
+               $use_feature{$_} = $value foreach keys %use_feature;
+           } else {
+               if (exists $use_feature{$feature}) {
+                   $use_feature{$feature} = $value;
+               } else {
+                   warning(_g("unknown hardening feature: %s"), $feature);
+               }
+           }
+       } else {
+           warning(_g("incorrect value in hardening option of " .
+                      "DEB_BUILD_MAINT_OPTIONS: %s"), $feature);
+       }
+    }
+
+    # PIE
+    if ($use_feature{"pie"} and
+       $os =~ /^(linux|knetbsd|hurd)$/ and
+       $cpu !~ /^(hppa|m68k|mips|mipsel|avr32)$/) {
+       # Only on linux/knetbsd/hurd (see #430455 and #586215)
+       # Disabled on hppa, m68k (#451192), mips/mipsel (#532821), avr32
+       # (#574716)
+       $flags->append("CFLAGS", "-fPIE");
+       $flags->append("CXXFLAGS", "-fPIE");
+       $flags->append("LDFLAGS", "-fPIE -pie");
+    }
+    # Stack protector
+    if ($use_feature{"stackprotector"} and
+       $cpu !~ /^(ia64|alpha|mips|mipsel|hppa)$/ and $arch ne "arm") {
+       # Stack protector disabled on ia64, alpha, mips, mipsel, hppa.
+       #   "warning: -fstack-protector not supported for this target"
+       # Stack protector disabled on arm (ok on armel).
+       #   compiler supports it incorrectly (leads to SEGV)
+       $flags->append("CFLAGS", "-fstack-protector --param=ssp-buffer-size=4");
+       $flags->append("CXXFLAGS", "-fstack-protector 
--param=ssp-buffer-size=4");
+    }
+    # Fortify
+    if ($use_feature{"fortify"}) {
+       $flags->append("CFLAGS", "-D_FORTIFY_SOURCE=2");
+       $flags->append("CXXFLAGS", "-D_FORTIFY_SOURCE=2");
+    }
+    # Format
+    if ($use_feature{"format"}) {
+       $flags->append("CFLAGS", "-Wformat -Wformat-security 
-Werror=format-security");
+       $flags->append("CXXFLAGS", "-Wformat -Wformat-security 
-Werror=format-security");
+    }
+    # Relro
+    if ($use_feature{"relro"} and $cpu !~ /^(ia64|hppa|avr32)$/) {
+       $flags->append("LDFLAGS", "-Wl,-z,relro");
+    }
+    # Bindnow
+    if ($use_feature{"bindnow"}) {
+       $flags->append("LDFLAGS", "-Wl,-z,now");
+    }
+}
+
 1;
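Review bot: The fortify block appends `-D_FORTIFY_SOURCE=2` to CFLAGS and CXXFLAGS, but it is a preprocessor macro and belongs with the CPPFLAGS variable (not visible in this hunk, so confirm Dpkg::BuildFlags exposes it): a package that takes CPPFLAGS from dpkg-buildflags but manages its own CFLAGS silently loses the fortified libc calls, so consider `$flags->append("CPPFLAGS", "-D_FORTIFY_SOURCE=2");` for both lines. The macro is also inert without optimisation, so a `noopt` build gets the define but none of the checks; a comment on the block such as `# _FORTIFY_SOURCE only takes effect when compiling with -O1 or higher` would make that explicit. The parser treats "all" before the per-feature lookup, so `+all` also turns on the pie feature that the defaults keep off; a short comment next to the `"pie" => 0` default saying that `+all` enables it would spare maintainers a surprise. add_hardening_flags is complete within the hunk; the enclosing run_hook starts before it.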
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index a07aa53..f3ead0a 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -94,6 +94,7 @@ sub run_hook {
 
     } elsif ($hook eq "update-buildflags") {
        my $flags = shift @params;
+
        if (debarch_eq(get_host_arch(), 'ppc64')) {
            for my $flag (qw(CFLAGS CXXFLAGS FFLAGS)) {
                $flags->set($flag, '-g -O3', 'vendor');
@@ -102,6 +103,9 @@ sub run_hook {
        # Per https://wiki.ubuntu.com/DistCompilerFlags
        $flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor');
 
+       # Run the Debian hook to add hardening flags
+       $self->SUPER::run_hook($hook, $flags);
+
        # Allow control of hardening-wrapper via dpkg-buildpackage 
DEB_BUILD_OPTIONS
        my $build_opts = Dpkg::BuildOptions->new();
        my $hardening;
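Review bot: After the added `SUPER::run_hook` call the function continues (past the end of this hunk, from `my $hardening;`) with the existing hardening-wrapper handling driven by DEB_BUILD_OPTIONS, so Ubuntu builds now have two independent hardening controls: the compiler flags injected by the Debian hook follow DEB_BUILD_MAINT_OPTIONS, while the older value presumably only steers the wrapper. A maintainer who disables hardening through the older variable still gets the flags appended here, and where both are active the same protections are likely applied twice. A comment stating the split would help, e.g. `# Flags added by the Debian hook are controlled by DEB_BUILD_MAINT_OPTIONS; the DEB_BUILD_OPTIONS handling below only affects hardening-wrapper.` The enclosing run_hook runs on beyond the hunk.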
