Bug#653191: Please enable hardened build flags through dpkg-buildpackage

Moritz Mühlenhoff jmm at inutil.org
Sat Jan 14 12:34:45 UTC 2012


On Sun, Jan 01, 2012 at 10:59:28AM +0100, Mike Hommey wrote:
> On Sat, Dec 31, 2011 at 03:20:27PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Dec 26, 2011 at 08:43:18AM +0100, Mike Hommey wrote:
> > > On Sat, Dec 24, 2011 at 11:40:02PM +0100, Moritz Muehlenhoff wrote:
> > > > Package: iceweasel
> > > > Version: 9.0.1-1
> > > > Severity: wishlist
> > > > 
> > > > Please source the hardened build flags from dpkg-buildflags for
> > > > CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.
> > > 
> > > FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
> > > hardening flags with other flags.
> > 
> > Is that because you use a different optimization level other than
> > O2? 
> > 
> > I've noticed that issue with a couple of packages, so I'm considering
> > submitting a patch for dpkg-buildflags, but I'd like to know if you see
> > different issues?

DEB_CFLAGS_MAINT_APPEND can be used to select different optimisation levels,
see 653846.
 
> Yeah basically I like that the old way of doing hardening didn't mess
> with other flags. Though I'm not sure I like that there's not much of a
> fine grained tuning. 

dpkg-buildflags supports fine-grained tuning, e.g. relro can be disabled by
this:

jmm at pisco:~$ DEB_BUILD_MAINT_OPTIONS="hardening=-relro" dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=

jmm at pisco:~$ dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-Wl,-z,relro

> For instance, I'm not sure -z relro buys anything
> worth, while it may have a significant startup performance impact on big
> applications. 

IIRC you work on startup performance at Mozilla, so I won't argue with
you on that :-)

But it would be nice if you could enable the protected stack and fortified
source features for iceweasel and iceape.

> (and if I'm not mistaken, -z relro actually makes things
> not work with selinux, seeing how selinux already breaks the mprotect
> that removes the write bit on code sections after text relocations)

I'm not aware of such problems. Many high-profile apps in Debian have used
relro for quite some time and Ubuntu has had it enabled distro-wide for at
least two releases.

(Support for selinux in Debian is marginal at best, anyway.)

Cheers,
        Moritz
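A check that goes with the two dpkg-buildflags runs quoted above, added here as an example and not part of the bug report: a POSIX sh function that reads the tool's KEY=value output and reports which variable carries each hardening feature, which is why the original request asks for CPPFLAGS, CXXFLAGS and LDFLAGS rather than CFLAGS alone. The two sample inputs are constructed from the runs shown in the thread; the `hardening_status` function name is the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: classify dpkg-buildflags output
# (KEY=value lines, as printed by a bare "dpkg-buildflags") and report which
# variable carries each hardening feature. A package that only sources
# CFLAGS would silently lose _FORTIFY_SOURCE (CPPFLAGS) and relro (LDFLAGS).

# Constructed samples, taken from the two runs quoted in the thread.
SAMPLE_NORELRO='CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS='
# The default run differs only in LDFLAGS carrying relro.
SAMPLE_DEFAULT="$SAMPLE_NORELRO-Wl,-z,relro"

# Read KEY=value lines on stdin; print "feature=VAR ..." for each hardening
# feature, or "feature=off" if no variable carries it.
hardening_status() {
    stack=""; fortify=""; relro=""; format=""
    while IFS= read -r line; do
        var=${line%%=*}
        val=" ${line#*=} "            # pad so whole-word matches work
        case "$val" in *" -fstack-protector"*) stack="$stack $var" ;; esac
        # Note: _FORTIFY_SOURCE only takes effect when compiling with -O1 or higher.
        case "$val" in *" -D_FORTIFY_SOURCE="[1-9]*) fortify="$fortify $var" ;; esac
        case "$val" in *" -Wl,-z,relro "*|*" -z relro "*) relro="$relro $var" ;; esac
        case "$val" in *" -Werror=format-security "*) format="$format $var" ;; esac
    done
    stack=${stack# }; fortify=${fortify# }; relro=${relro# }; format=${format# }
    printf 'stack=%s\nfortify=%s\nrelro=%s\nformat=%s\n' \
        "${stack:-off}" "${fortify:-off}" "${relro:-off}" "${format:-off}"
}

# Run against the live tool when present, otherwise against the sample.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    DEB_BUILD_MAINT_OPTIONS="hardening=-relro" dpkg-buildflags | hardening_status
else
    printf '%s\n' "$SAMPLE_NORELRO" | hardening_status
fi
```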

More information about the pkg-mozilla-maintainers mailing list