On Sun, Jan 01, 2012 at 10:59:28AM +0100, Mike Hommey wrote:
> On Sat, Dec 31, 2011 at 03:20:27PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Dec 26, 2011 at 08:43:18AM +0100, Mike Hommey wrote:
> > > On Sat, Dec 24, 2011 at 11:40:02PM +0100, Moritz Muehlenhoff wrote:
> > > > Package: iceweasel
> > > > Version: 9.0.1-1
> > > > Severity: wishlist
> > > >
> > > > Please source the hardened build flags from dpkg-buildflags for
> > > > CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.
> > >
> > > FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
> > > hardening flags with other flags.
> >
> > Is that because you use a different optimization level other than
> > O2?
> >
> > I've noticed that issue with a couple of packages, so I'm considering to
> > submit a patch for dpkg-buildflags, but I'd like to know if you see
> > different issues?
DEB_CFLAGS_MAINT_APPEND can be used to select different optimisation levels,
see 653846.
> Yeah basically I like that the old way of doing hardening didn't mess
> with other flags. Though I'm not sure I like that there's not much of a
> fine grained tuning.
dpkg-buildflags support fine-grained tuning, e.g. relro can be disabled by
this:
jmm@pisco:~$ DEB_BUILD_MAINT_OPTIONS="hardening=-relro" dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=
jmm@pisco:~$ dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-Wl,-z,relro
> For instance, I'm not sure -z relro buys anything
> worth, while it may have a significant startup performance impact on big
> applications.
IIRC you work on startup performance at Mozilla, so I won't argue with
you on that :-)
But it would be nice if you could enable the protected stack and fortified
source features for iceweasel and iceape.
> (and if I'm not mistaken, -z relro actually makes things
> not work with selinux, seeing how selinux already breaks the mprotect
> that removes the write bit on code sections after text relocations)
I'm not aware of such problems. Many high-profile apps in Debian have used
relro for quite some time and Ubuntu has it enabled it distro-wide for at
least two releases.
(Support for selinux in Debian is marginal at best, anyway.)
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
