[pkg-wpa-devel] Bug#657332: Please enabled hardened build flags
Simon Ruderich
simon at ruderich.org
Sun May 13 12:17:53 UTC 2012
reopen 657332
thanks
Dear Maintainer,
The CPPFLAGS hardening flags are still missing because they are
ignored by the build system. For more hardening information
please have a look at [1], [2] and [3].
The following patch fixes the issue; it also simplifies
debian/rules. With compat=9 debhelper automatically sets the
hardening flags and exports all *FLAGS, so there's no need to set
and export them manually. The patch also enables verbose builds
to detect missing (hardening) flags.
diff -Nru wpa-1.0/debian/rules wpa-1.0/debian/rules
--- wpa-1.0/debian/rules 2012-05-11 05:59:46.000000000 +0200
+++ wpa-1.0/debian/rules 2012-05-13 14:11:19.000000000 +0200
@@ -1,13 +1,14 @@
#!/usr/bin/make -f
-CFLAGS = -MMD -Wall
-CFLAGS += $(shell dpkg-buildflags --get CFLAGS)
-CPPFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
-CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS)
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to
+# enable the missing (hardening) flags.
+CFLAGS += -MMD -Wall $(CPPFLAGS)
+CXXFLAGS += $(CPPFLAGS)
UCFLAGS = -MMD -Wall -g -Os
-LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
BINDIR = /sbin
-V = 0
+# Display compiler commands when building the package to detect missing
+# (hardening) flags.
+V = 1
DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
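Review bot: UCFLAGS is left at `-MMD -Wall -g -Os` with neither $(CFLAGS) nor $(CPPFLAGS) appended, so the udeb objects still compile without stack protector or FORTIFY; either state in the new comment above CFLAGS that this is deliberate (the blhc --ignore-line further down suggests it is) or append `$(CPPFLAGS)` to UCFLAGS as well. Also note that `CFLAGS += -MMD -Wall $(CPPFLAGS)` only adds hardening if debhelper has already placed CFLAGS and CPPFLAGS in the environment; nothing in this hunk checks that.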
@@ -15,7 +16,7 @@
CC=$(DEB_HOST_GNU_TYPE)-gcc
endif
-export CC CFLAGS CPPFLAGS CXXFLAGS LDFLAGS BINDIR V
+export CC BINDIR V
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
HOSTAPD_DOT_CONFIG := debian/config/hostapd/$(DEB_HOST_ARCH_OS)
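Review bot: with CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS dropped from the export line, their values reach the upstream Makefiles only because make re-exports variables it inherited from its environment; that holds under dh with compat 9, but running debian/rules directly, or uploading without the compat bump (the diff does not touch debian/compat), silently produces unhardened binaries with no error. Confirm compat=9 is in the same upload and keep the hardening-check / blhc run as part of the build test.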
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):
$ hardening-check /sbin/wpa_supplicant /sbin/wpa_cli /usr/bin/wpa_passphrase ...
/sbin/wpa_supplicant:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/sbin/wpa_cli:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/wpa_passphrase:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not
enabled by default.)
blhc needs an additional option to ignore the udeb build (which
has no hardening):
blhc --ignore-line 'cc -c -o (\S+).o -MMD -Wall -g -Os .+ \1.c' ...
Use
find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +
on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
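As an added illustration of the build-log check described in the report (this is neither the report's own code nor blhc), the following Python script applies the same idea to constructed wpa build-log lines: it flags compiler and linker commands that lack the default dpkg-buildflags hardening flags and reuses the udeb ignore regex from the report. The required-flag set and the sample log lines are assumptions made for the example.

```python
import re

# Flags dpkg-buildflags enabled by default at the time (assumption for this
# example). PIE and BIND_NOW are left out on purpose: as the report notes,
# they are not enabled by default, so their absence is not a defect.
REQUIRED_CFLAGS = ("-fstack-protector", "-D_FORTIFY_SOURCE=2",
                   "-Wformat", "-Wformat-security")
REQUIRED_LDFLAGS = ("-Wl,-z,relro",)

# Regex taken from the report's `blhc --ignore-line`: udeb objects are built
# with UCFLAGS (-MMD -Wall -g -Os) and intentionally carry no hardening flags.
UDEB_LINE = re.compile(r'cc -c -o (\S+).o -MMD -Wall -g -Os .+ \1.c')

def missing_hardening(line):
    """Return the required flags absent from one compiler/linker command."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("cc", "gcc", "c++", "g++"):
        return []  # make chatter or other non-compiler output
    if UDEB_LINE.search(line):
        return []  # udeb build, ignored just like blhc --ignore-line does
    # "-c" marks a compile step; anything else from cc is treated as a link
    required = REQUIRED_CFLAGS if "-c" in tokens else REQUIRED_LDFLAGS
    return [flag for flag in required if flag not in tokens]

def output_name(line):
    tokens = line.split()
    return tokens[tokens.index("-o") + 1] if "-o" in tokens else "?"

def check_build_log(log):
    """Map each output file whose command lacks hardening flags to those flags."""
    findings = {}
    for line in log.splitlines():
        missing = missing_hardening(line)
        if missing:
            findings[output_name(line)] = missing
    return findings

# Constructed sample log (not a real wpa build log): one fully hardened
# compile, one plain -O2 compile, the same object built for the udeb with
# UCFLAGS, one hardened link and one link without RELRO.
SAMPLE_LOG = """\
make[1]: Entering directory `/build/wpa-1.0/wpa_supplicant'
cc -c -o config.o -MMD -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 config.c
cc -c -o eloop.o -MMD -Wall -g -O2 eloop.c
cc -c -o eloop.o -MMD -Wall -g -Os -I. eloop.c
cc -o wpa_cli wpa_cli.o -Wl,-z,relro
cc -o wpa_passphrase wpa_passphrase.o
"""

if __name__ == "__main__":
    for target, flags in check_build_log(SAMPLE_LOG).items():
        print(f"{target}: missing {' '.join(flags)}")
```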