The following commit has been merged in the master branch: commit f3bb7d4939ae95cf44c89e8f599e7ed5da431e57 Author: Raphaël Hertzog <hert...@debian.org> Date: Wed Jul 27 22:10:49 2011 +0200
dpkg-buildflags: emit hardening build flags by default All the hardening build flags supported by hardening-includes are supported except that PIE is not enabled by default (just like the corresponding gcc patch doesn't enable it by default). Inspired by the work of Kees Cook <k...@debian.org>. diff --git a/debian/changelog b/debian/changelog index 06d7dbb..977d27d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -102,6 +102,9 @@ dpkg (1.16.1) UNRELEASED; urgency=low * Fix dpkg's handling of a hardlink pointing to a conffile. Closes: #638291 * Add example of extend-diff-ignore's usage in dpkg-source(1). Closes: #640198 + * dpkg-buildflags now returns hardening flags by default. Closes: #489771 + They can be individually enabled/disabled via DEB_BUILD_MAINT_OPTIONS, + see dpkg-buildflags(1). Thanks to Kees Cook for his help. [ Guillem Jover ] * Install deb-src-control(5) man pages in dpkg-dev. Closes: #620520 diff --git a/scripts/Dpkg/BuildFlags.pm b/scripts/Dpkg/BuildFlags.pm index 9bc473a..6112a9f 100644 --- a/scripts/Dpkg/BuildFlags.pm +++ b/scripts/Dpkg/BuildFlags.pm @@ -84,6 +84,7 @@ sub load_vendor_defaults { FFLAGS => 'vendor', LDFLAGS => 'vendor', }; + # The Debian vendor hook will add hardening build flags run_vendor_hook("update-buildflags", $self); } diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm index 2cc2c78..54f406c 100644 --- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -1,4 +1,8 @@ -# Copyright © 2009 Raphaël Hertzog <hert...@debian.org> +# Copyright © 2009-2011 Raphaël Hertzog <hert...@debian.org> +# +# Hardening build flags handling derived from work of: +# Copyright © 2009-2011 Kees Cook <k...@debian.org> +# Copyright © 2007-2008 Canonical, Ltd. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -21,8 +25,13 @@ use warnings; our $VERSION = "0.01"; use base qw(Dpkg::Vendor::Default); + +use Dpkg::Gettext; +use Dpkg::ErrorHandling; use Dpkg::Control::Types; use Dpkg::Vendor::Ubuntu; +use Dpkg::BuildOptions; +use Dpkg::Arch qw(get_host_arch debarch_to_debtriplet); =encoding utf8 
@@ -62,9 +71,86 @@ sub run_hook { foreach my $bug (@$b) { $$textref .= "Bug-Ubuntu: https://bugs.launchpad.net/bugs/$bug\n"; } + } elsif ($hook eq "update-buildflags") { + $self->add_hardening_flags(@params); } else { return $self->SUPER::run_hook($hook, @params); } } +sub add_hardening_flags { + my ($self, $flags) = @_; + my $arch = get_host_arch(); + my ($abi, $os, $cpu) = debarch_to_debtriplet($arch); + + # Decide what's enabled + my %use_feature = ( + "pie" => 0, + "stackprotector" => 1, + "fortify" => 1, + "format" => 1, + "relro" => 1, + "bindnow" => 1 + ); + my $opts = Dpkg::BuildOptions->new(envvar => "DEB_BUILD_MAINT_OPTIONS"); + foreach my $feature (split(",", $opts->get("hardening") // "")) { + $feature = lc($feature); + if ($feature =~ s/^([+-])//) { + my $value = ($1 eq "+") ? 1 : 0; + if ($feature eq "all") { + $use_feature{$_} = $value foreach keys %use_feature; + } else { + if (exists $use_feature{$feature}) { + $use_feature{$feature} = $value; + } else { + warning(_g("unknown hardening feature: %s"), $feature); + } + } + } else { + warning(_g("incorrect value in hardening option of " . + "DEB_BUILD_MAINT_OPTIONS: %s"), $feature); + } + } + + # PIE + if ($use_feature{"pie"} and + $os =~ /^(linux|knetbsd|hurd)$/ and + $cpu !~ /^(hppa|m68k|mips|mipsel|avr32)$/) { + # Only on linux/knetbsd/hurd (see #430455 and #586215) + # Disabled on hppa, m68k (#451192), mips/mipsel (#532821), avr32 + # (#574716) + $flags->append("CFLAGS", "-fPIE"); + $flags->append("CXXFLAGS", "-fPIE"); + $flags->append("LDFLAGS", "-fPIE -pie"); + } + # Stack protector + if ($use_feature{"stackprotector"} and + $cpu !~ /^(ia64|alpha|mips|mipsel|hppa)$/ and $arch ne "arm") { + # Stack protector disabled on ia64, alpha, mips, mipsel, hppa. + # "warning: -fstack-protector not supported for this target" + # Stack protector disabled on arm (ok on armel). 
+ # compiler supports it incorrectly (leads to SEGV) + $flags->append("CFLAGS", "-fstack-protector --param=ssp-buffer-size=4"); + $flags->append("CXXFLAGS", "-fstack-protector --param=ssp-buffer-size=4"); + } + # Fortify + if ($use_feature{"fortify"}) { + $flags->append("CFLAGS", "-D_FORTIFY_SOURCE=2"); + $flags->append("CXXFLAGS", "-D_FORTIFY_SOURCE=2"); + } + # Format + if ($use_feature{"format"}) { + $flags->append("CFLAGS", "-Wformat -Wformat-security -Werror=format-security"); + $flags->append("CXXFLAGS", "-Wformat -Wformat-security -Werror=format-security"); + } + # Relro + if ($use_feature{"relro"} and $cpu !~ /^(ia64|hppa|avr32)$/) { + $flags->append("LDFLAGS", "-Wl,-z,relro"); + } + # Bindnow + if ($use_feature{"bindnow"}) { + $flags->append("LDFLAGS", "-Wl,-z,now"); + } +} + 1; diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm index a07aa53..f3ead0a 100644 --- a/scripts/Dpkg/Vendor/Ubuntu.pm +++ b/scripts/Dpkg/Vendor/Ubuntu.pm @@ -94,6 +94,7 @@ sub run_hook { } elsif ($hook eq "update-buildflags") { my $flags = shift @params; + if (debarch_eq(get_host_arch(), 'ppc64')) { for my $flag (qw(CFLAGS CXXFLAGS FFLAGS)) { $flags->set($flag, '-g -O3', 'vendor'); @@ -102,6 +103,9 @@ sub run_hook { # Per https://wiki.ubuntu.com/DistCompilerFlags $flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor'); + # Run the Debian hook to add hardening flags + $self->SUPER::run_hook($hook, $flags); + # Allow control of hardening-wrapper via dpkg-buildpackage DEB_BUILD_OPTIONS my $build_opts = Dpkg::BuildOptions->new(); my $hardening; -- dpkg's main repository -- To UNSUBSCRIBE, email to debian-dpkg-cvs-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
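Review bot: `-Wl,-z,now` is appended whenever `$use_feature{"bindnow"}` is set, but relro is skipped on ia64/hppa/avr32, so on those targets bindnow is emitted without `-Wl,-z,relro` and only buys eager symbol resolution rather than the read-only GOT that full RELRO is meant to provide; gating it the same way, `if ($use_feature{"bindnow"} and $cpu !~ /^(ia64|hppa|avr32)$/) {`, keeps the two flags consistent. Bindnow also defaults to 1 here, which is worth double-checking against hardening-includes since the commit message claims parity with it except for PIE, and `-z now` changes lazy-binding behaviour for every package built. A short comment above the `%use_feature` hash stating the accepted syntax, e.g. `# DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie": comma-separated, each entry needs a leading + or -`, would help, as the two warning messages are currently the only documentation of the parser in this file.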
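Review bot: The added `$self->SUPER::run_hook($hook, $flags)` layers the Debian hardening flags onto every Ubuntu build before the hardening-wrapper handling that follows it, so a package that also enables the wrapper through DEB_BUILD_OPTIONS may receive the same flags from both paths; whether that duplicates anything depends on the code past the end of this hunk, which is not visible here. Ubuntu also inherits Debian's per-feature defaults (PIE off, bindnow on) with no vendor-level override, only the per-package DEB_BUILD_MAINT_OPTIONS parsing done in the parent; if Ubuntu's defaults are meant to differ, that needs a parameter or hook here. A comment making the dependency explicit, `# Debian defaults apply; only DEB_BUILD_MAINT_OPTIONS can change them per package`, would clarify the intended ordering. The enclosing run_hook body starts and ends outside the hunk.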