guix-devel

Hardening


From: Ludovic Courtès
Subject: Hardening
Date: Wed, 30 Dec 2015 17:06:30 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Alex Vong <address@hidden> wrote:

> address@hidden (Ludovic Courtès) writes:

[...]

>> Alex Vong <address@hidden> wrote:
>>
>>> From 6ad35e245c374ff828f167bb3467ce68559ccefd Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <address@hidden>
>>> Date: Sat, 31 Oct 2015 19:44:13 +0800
>>> Subject: [PATCH 1/2] Add (guix build build-flags).
>>>
>>> A module to manipulate build flags, similar to dpkg-buildflags.
>>>
>>> * guix/build/build-flags.scm: New file.
>>> * Makefile.am (MODULES): Register it.
>>
>> [...]
>>
>>> +;;; Module to manipulate build flags, similar to dpkg-buildflags.
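
Review bot: The file header comment on the `+;;; Module to manipulate build flags` line explains the module only by comparison with dpkg-buildflags, so a reader who does not know that tool learns nothing about what the module does. Say in the comment itself what it manipulates and how it is meant to be used, and keep the dpkg-buildflags mention as a secondary pointer.
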
>>
>> It doesn’t really help to refer to dpkg-buildflags, at least for me.  ;-)
>>
> Sure, I should have elaborated more on it. What I am looking for are
> ways to avoid repeating a lot of flags in different packages, something
> like `use this set of flags, please'. For example, in Debian, if you
> type
>
> $ dpkg-buildflags --get CFLAGS
>
> you get
>
> -g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>
> which are the default flags to be exported during package
> build. Moreover, a maintainer can alter the default behaviour by setting
> DEB_BUILD_MAINT_OPTIONS. For example,
>
> $ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS
>
> will return
>
> -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security

I see.

My comment was more about the code itself, whose documentation should be
self-contained as much as possible.

[...]

>> I’ve been thinking we should experiment with these various options.  The
>> way I’d do it now would be by running:
>>
>>   ./configure x y z CPPFLAGS=-D_FORTIFY_SOURCE=2 CFLAGS=-fstack-protector
>>
>> This would be just automatically added to #:configure-flags in
>> gnu-build-system.scm.
>>
>> Of course, some packages would ignore them and others would break, but
>> that’s part of the game.  It largely has to be approached on a
>> case-by-case basis.
>>
> Yes, I grep for `fstack-protector-strong' in the guix code base and no
> matches are found. It appears no packages are setting this flag
> currently. I think this flag (perhaps also a couple others) should be
> set by default since they help protect against buffer overflow
> <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.

I definitely agree, that’s something I’ve been wanting to try out.

The question is more how.  Do we change the default #:configure-flags
for ‘gnu-build-system’ to something like:

  '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
    "CFLAGS=-O2 -g -fstack-protector-strong")

?

That sounds like a good starting point, but I expect that (1) one third
of the packages will fail to build, and (2) another third of the
packages will not get these flags, for instance because they pass their
own #:configure-flags.

IOW, it will take a whole rebuild to find out exactly what’s going on
and to fix any issues.

Would you like to start working on it?  Then we could create a branch,
have Hydra build it, and incrementally fix things.

Thanks,
Ludo’.
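
An added example, not part of the original message and not Guix code: one way to find out after a rebuild which binaries actually received -fstack-protector-strong and -D_FORTIFY_SOURCE=2, by looking for the glibc symbols those flags leave behind. It is a string-table heuristic; the function names, the FORTIFIABLE subset and the sample byte strings are assumptions made for illustration.

```python
import re
import sys

# Subset of libc functions that -D_FORTIFY_SOURCE=2 can redirect to
# checked __NAME_chk wrappers in glibc (illustrative, not exhaustive).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "vsprintf", "read", "fgets", "gets"}

# Constructed samples: ELF magic plus a fake string table, not real binaries.
SAMPLE_HARDENED = b"\x7fELF" + b"\0".join(
    [b"", b"libc.so.6", b"__stack_chk_fail", b"__memcpy_chk", b"puts", b""])
SAMPLE_PLAIN = b"\x7fELF" + b"\0".join(
    [b"", b"libc.so.6", b"strcpy", b"sprintf", b"puts", b""])


def symbol_names(data):
    """Identifier-like NUL-delimited strings found in an ELF image."""
    names = set()
    for raw in data.split(b"\0"):
        base = raw.split(b"@", 1)[0]   # drop a version suffix such as @GLIBC_2.14
        if re.fullmatch(rb"[A-Za-z_]\w*", base):
            names.add(base.decode())
    return names


def hardening_report(data):
    """Report which of the two proposed flags left traces in one ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    names = symbol_names(data)
    fortified = sorted(m.group(1) for n in names
                       if (m := re.fullmatch(r"__(\w+)_chk", n)))
    return {
        # __stack_chk_fail is called when a stack canary has been overwritten.
        "stack_protector": "__stack_chk_fail" in names,
        "fortified": fortified,
        # Fortifiable functions seen only in plain form.  A non-empty list with
        # no fortified calls at all suggests CPPFLAGS never reached the compiler.
        "unfortified": sorted((names & FORTIFIABLE) - set(fortified)),
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
```

A plain call next to fortified ones is normal, since the compiler only uses the checked wrapper when it knows the destination size, and _FORTIFY_SOURCE has no effect without optimization. A binary that uses none of these functions shows neither list.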


