Package: tomoyo-tools Version: 2.5.0-20120414-1 Severity: normal Tags: patch
Dear Maintainer,

The hardening flags are missing completely because the build system ignores them. For more hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue. It's quite big, but as the build system overwrites all flags this is the simplest solution I found to enable all hardening flags. If possible it should be sent to upstream (maybe minus the $(filter-out ...) parts - which are only necessary for PIE).

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /sbin/tomoyo-init /usr/sbin/tomoyo-sortpolicy /usr/sbin/tomoyo-setprofile /usr/sbin/tomoyo-setlevel ...
    /sbin/tomoyo-init:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/sbin/tomoyo-sortpolicy:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: yes
    /usr/sbin/tomoyo-setprofile:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    /usr/sbin/tomoyo-setlevel:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
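The hardening-check run shown in the report can be reproduced without the Perl script by reading the ELF structures directly. The checker below is an added example for this page, not code from tomoyo-tools, hardening-includes or the report's author; it tests the same five properties hardening-check prints (PIE, stack protector, FORTIFY_SOURCE, RELRO, immediate binding), assumes little-endian ELF64 input, and ships with `build_sample`, a constructed, non-runnable ELF image used only so the checker can be exercised offline.

```python
"""Direct ELF64 hardening checker (added example, not tomoyo-tools code).

Re-implements the five properties Debian's hardening-check reports by
reading the ELF headers with struct instead of shelling out to readelf.
Assumption: little-endian ELF64 input only (ELF32 is rejected)."""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
SHT_STRTAB, SHT_DYNSYM = 3, 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _cstr(buf, off):
    """NUL-terminated string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def check_hardening(buf):
    """Return the hardening properties of the ELF image in buf as a dict."""
    if buf[:4] != b"\x7fELF" or buf[4] != 2 or buf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = EHDR.unpack_from(buf, 0)
    phdrs = [PHDR.unpack_from(buf, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(buf, shoff + i * shentsize) for i in range(shnum)]

    # Dynamic tags, located via PT_DYNAMIC so this also works on stripped files.
    tags = {}
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(buf, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val

    # Imported symbol names from .dynsym; sh_link names its string table.
    names = set()
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, sh_entsize in shdrs:
        if sh_type == SHT_DYNSYM:
            str_off = shdrs[sh_link][4]
            for off in range(sh_offset, sh_offset + sh_size, sh_entsize or SYM.size):
                names.add(_cstr(buf, str_off + SYM.unpack_from(buf, off)[0]))

    bind_now = (DT_BIND_NOW in tags
                or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        # ET_DYN also covers shared objects, exactly as hardening-check reports it.
        "pie": e_type == ET_DYN,
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
        "bindnow": bool(bind_now),
        # -fstack-protector makes instrumented functions import __stack_chk_fail;
        # a binary with no stack buffers legitimately lacks it ("no, not found!").
        "stack_protector": "__stack_chk_fail" in names,
        # -D_FORTIFY_SOURCE=2 at -O2 rewrites libc calls to __name_chk variants.
        "fortify": any(n.startswith("__") and n.endswith("_chk") for n in names),
    }


def build_sample(pie=True, relro=True, bindnow=True,
                 symbols=("__stack_chk_fail", "__printf_chk")):
    """Assemble a constructed, non-runnable ELF64 image with the requested
    properties so the checker can be exercised without a real binary."""
    strtab = bytearray(b"\0")
    syms = bytearray(SYM.pack(0, 0, 0, 0, 0, 0))        # entry 0 is the null symbol
    for s in symbols:
        syms += SYM.pack(len(strtab), 0, 0, 0, 0, 0)
        strtab += s.encode() + b"\0"
    dyn = bytearray(DYN.pack(DT_FLAGS_1, DF_1_NOW) if bindnow else b"")
    dyn += DYN.pack(DT_NULL, 0)

    # File layout: ehdr | phdrs | shdrs | .dynamic | .dynsym | .dynstr
    phnum, shnum = 1 + bool(relro), 3
    phoff = EHDR.size
    shoff = phoff + phnum * PHDR.size
    dyn_off = shoff + shnum * SHDR.size
    sym_off = dyn_off + len(dyn)
    str_off = sym_off + len(syms)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC,
                     0x3E, 1, 0, phoff, shoff, 0, EHDR.size, PHDR.size, phnum,
                     SHDR.size, shnum, 0)
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    shdrs = SHDR.pack(*[0] * 10)                                   # null section
    shdrs += SHDR.pack(0, SHT_DYNSYM, 0, 0, sym_off, len(syms), 2, 1, 8, SYM.size)
    shdrs += SHDR.pack(0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    return bytes(ehdr + phdrs + shdrs + dyn + syms + strtab)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it as `python3 elfcheck.py /sbin/tomoyo-init /usr/sbin/tomoyo-sortpolicy ...` on the build result. Two caveats carry over from hardening-check itself: any ET_DYN object counts as "PIE", so libtomoyotools.so reports yes as well, and the absence of `__*_chk` imports cannot distinguish "not fortified" from "nothing to fortify" (the report's tomoyo-sortpolicy case), which is why the build log should be checked with blhc too.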
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-05-27 Index: tomoyo-tools-2.5.0-20120414/Include.make =================================================================== --- tomoyo-tools-2.5.0-20120414.orig/Include.make 2012-05-27 02:13:16.935304870 +0200 +++ tomoyo-tools-2.5.0-20120414/Include.make 2012-05-27 02:13:38.000000000 +0200 @@ -1,7 +1,5 @@ -CC := gcc INSTALL := install SBINDIR := /sbin USRSBINDIR := /usr/sbin USRLIBDIR := /usr/lib MAN8 := /usr/share/man/man8 -CFLAGS := -Wall -O2 Index: tomoyo-tools-2.5.0-20120414/kernel_test/Makefile =================================================================== --- tomoyo-tools-2.5.0-20120414.orig/kernel_test/Makefile 2012-05-27 02:13:17.007304869 +0200 +++ tomoyo-tools-2.5.0-20120414/kernel_test/Makefile 2012-05-27 02:13:38.000000000 +0200 @@ -10,16 +10,14 @@ $(ALL_FILES): include.h -CC=gcc -CFLAGS=-Wall -O2 # # Tools for kernel testing. # .c: - $(CC) $(CFLAGS) -o $@ $< + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< # # Delete all test programs. Index: tomoyo-tools-2.5.0-20120414/usr_sbin/Makefile =================================================================== --- tomoyo-tools-2.5.0-20120414.orig/usr_sbin/Makefile 2012-05-27 02:13:17.007304869 +0200 +++ tomoyo-tools-2.5.0-20120414/usr_sbin/Makefile 2012-05-27 02:22:44.315299797 +0200 
@@ -14,18 +14,22 @@ @echo "Run 'yum install ncurses-devel' or 'apt-get install libncurses-dev'" sleep 10 +# -fPIE conflicts with -fPIC, disable it for libraries. +CFLAGS_PIC := $(filter-out -fPIE,$(CFLAGS)) +LDFLAGS_PIC := $(filter-out -pie,$(filter-out -fPIE,$(LDFLAGS))) + libtomoyotools.so: tomoyotools.c tomoyotools.h - $(CC) $(CFLAGS) -fPIC tomoyotools.c -shared -Wl,-soname,libtomoyotools.so.3 -o libtomoyotools.so.3.0.1 + $(CC) $(CPPFLAGS) $(CFLAGS_PIC) $(LDFLAGS_PIC) -fPIC tomoyotools.c -shared -Wl,-soname,libtomoyotools.so.3 -o libtomoyotools.so.3.0.1 ln -sf libtomoyotools.so.3.0.1 libtomoyotools.so .c: - $(CC) $(CFLAGS) -o $@ $< -ltomoyotools -L. + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< -ltomoyotools -L. tomoyo-editpolicy: tomoyotools.h editpolicy*.c readline.h /usr/include/curses.h libtomoyotools.so - $(CC) $(CFLAGS) -o tomoyo-editpolicy editpolicy*.c -lncurses -ltomoyotools -L. -DCOLOR_ON + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tomoyo-editpolicy editpolicy*.c -lncurses -ltomoyotools -L. -DCOLOR_ON tomoyo-queryd: tomoyotools.h tomoyo-queryd.c readline.h /usr/include/curses.h libtomoyotools.so - $(CC) $(CFLAGS) -o tomoyo-queryd tomoyo-queryd.c -lncurses -ltomoyotools -L. + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tomoyo-queryd tomoyo-queryd.c -lncurses -ltomoyotools -L. install: all mkdir -p -m 0755 $(INSTALLDIR)$(USRLIBDIR) Index: tomoyo-tools-2.5.0-20120414/sbin/Makefile =================================================================== --- tomoyo-tools-2.5.0-20120414.orig/sbin/Makefile 2012-05-27 02:13:17.007304869 +0200 +++ tomoyo-tools-2.5.0-20120414/sbin/Makefile 2012-05-27 02:13:38.000000000 +0200 
@@ -9,7 +9,7 @@ $(INSTALL) -m 0700 $(BUILD_FILES) $(INSTALLDIR)$(SBINDIR) .c: - $(CC) $(CFLAGS) -o $@ $< + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: rm -f -- $(BUILD_FILES) Index: tomoyo-tools-2.5.0-20120414/usr_lib_tomoyo/Makefile =================================================================== --- tomoyo-tools-2.5.0-20120414.orig/usr_lib_tomoyo/Makefile 2012-05-27 02:13:17.007304869 +0200 +++ tomoyo-tools-2.5.0-20120414/usr_lib_tomoyo/Makefile 2012-05-27 02:13:38.000000000 +0200 @@ -11,7 +11,7 @@ $(INSTALL) -m 0644 ../README.tomoyo ../COPYING.tomoyo $(INSTALLDIR)/$(USRLIBDIR)/tomoyo/ .c: - $(CC) $(CFLAGS) -o $@ $< + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: rm -f -- $(BUILD_FILES)
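Review bot: in the Include.make hunk, deleting `CC := gcc` and `CFLAGS := -Wall -O2` outright leaves a plain `make` run outside dpkg-buildpackage with make's built-in `CC = cc` and an empty CFLAGS, so upstream would lose both -Wall and -O2 by default (and _FORTIFY_SOURCE only takes effect at -O1 or higher). `CC ?= gcc` and `CFLAGS ?= -Wall -O2` keep those defaults while still letting values exported by dpkg-buildflags win, which also makes the patch easier to send upstream as the cover mail suggests.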
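Review bot: the kernel_test/Makefile hunk has the same defaults problem as Include.make; the plain `CC=gcc` and `CFLAGS=-Wall -O2` assignments are exactly what clobbered the environment's flags, and turning them into `?=` assignments fixes that without dropping -Wall and -O2 for a standalone build of the test programs. The new `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $<` rule itself is fine: placing $(LDFLAGS) before the source keeps -Wl,-z,relro and -Wl,-z,now ahead of any libraries.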
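Review bot: in the usr_sbin/Makefile hunk, `CFLAGS_PIC := $(filter-out -fPIE,$(CFLAGS))` and the nested filter-out on LDFLAGS only match the exact tokens `-fPIE` and `-pie`, so a lowercase `-fpie` or a `-Wl,-pie` coming from another build environment would still reach the `-shared` link of libtomoyotools.so.3.0.1; dpkg-buildflags emits `-fPIE` and `-pie`, so this works on Debian, but listing the variants (`$(filter-out -fPIE -fpie,...)`) or documenting the assumption in the comment would make it robust. Worth noting for the verification step: the cover mail's hardening-check output shows "Stack protected: no, not found!" for tomoyo-sortpolicy, tomoyo-setprofile and tomoyo-setlevel, all built by the `.c:` rule in this hunk; that is consistent with those programs having no stack buffer for -fstack-protector to instrument rather than with the flag being dropped, but it should be confirmed with blhc on the build log that -fstack-protector appears on those compile lines.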
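Review bot: the sbin/Makefile and usr_lib_tomoyo/Makefile hunks each repeat the identical `.c:` rule `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $<` that also appears in kernel_test and usr_sbin. If these per-directory Makefiles include Include.make, defining the suffix rule once there would keep the flag set in one place, so a future flag (or the `?=` defaults) does not have to be patched into four files.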