On Mon, 03 Feb 2014 17:42:35 +0100 Stéphane Glondu <glo...@debian.org> wrote:
> On 06/01/2014 16:24, Moritz Muehlenhoff wrote:
> >> On 05/03/2013 16:35, Niels Thykier wrote:
> >>> Do ELF binaries produced by "pure" OCaml have any distinct feature
> >>> that can be used to tell them apart from any other ELF binary?
> >>
> >> ELF binaries produced by the OCaml compiler always include a bit of C
> >> code (the runtime), so they are never actually "pure".
> >>
> >> I don't think that the lintian tag (whatever its level) should be
> >> removed at the moment. I am not planning to have a deeper look at this
> >> issue before next release or next debconf, though.
> >
> > Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
> > that while OCaml packages produce ELF binaries they are not covered by
> > the hardening effort?
>
> I just did that.
>
> BTW, the OCaml build system is quite messy and it will take longer than
> expected to "fix" it for hardening...
The attached patch fixes some of the relro lintian warnings for the executables themselves, but these still remain for the .cmxs, .so and objinfo_helper:

W: ocaml-base: hardening-no-relro usr/lib/ocaml/graphics.cmxs
W: ocaml-base: hardening-no-relro usr/lib/ocaml/stublibs/dllgraphics.so
W: ocaml-nox: hardening-no-relro usr/lib/ocaml/objinfo_helper
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/bigarray.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/nums.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/str.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllbigarray.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllcamlstr.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllnums.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllunix.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllvmthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/unix.cmxs

FWIW 'hardening-check ocamlopt.opt' now says:

ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Although perhaps it'd be better to patch configure to include CCLINKFLAGS in $nativecclinkopts, in objinfo_helper's build command, and in the flag used for linking .so and .cmxs (haven't found its name yet though). What do you think?
diff -ru ../o/ocaml-4.02.1/debian/rules debian/rules --- ../o/ocaml-4.02.1/debian/rules 2015-02-16 12:37:56.000000000 +0200 +++ debian/rules 2015-07-15 12:39:58.477250079 +0300 @@ -59,12 +59,18 @@ export OCAML_OPT_ARCH export OCAML_STDLIB_DIR +export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow +LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS) +# for ocamlyacc +export CCLINKFLAGS=$(LDFLAGS) + CONFIGURE_OPTS := \ --host $(DEB_BUILD_GNU_TYPE)\ --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \ -libdir $(DEB_TEST_BUILD_PREFIX)$(OCAML_STDLIB_DIR) \ -x11lib "$(shell pkg-config --variable=libdir x11)" \ -mandir $(DEB_TEST_BUILD_PREFIX)/usr/share/man \ + -dllibs "$(LDFLAGS)" CONFIGURE_SED := \ -e "/LIBBFD_LINK/s%-lbfd%-Wl,-Bstatic -lbfd -Wl,-Bdynamic%" \
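Review bot: the `-dllibs "$(LDFLAGS)"` line in CONFIGURE_OPTS passes linker flags through a configure option that takes a list of libraries for the dynamic-loading support, and the remaining hardening-no-relro warnings for every .cmxs and stublibs .so in the message show it does not reach the shared-object link anyway; the configure-level change proposed in the message (CCLINKFLAGS into $nativecclinkopts, objinfo_helper's build command and the .so/.cmxs link flags) is the right fix, so this line should at least carry a comment marking it as a stopgap, as the `# for ocamlyacc` line does for CCLINKFLAGS. Two smaller points in the same hunk: `LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` is assigned but not exported, so only the places in debian/rules that pass it explicitly see it, and `export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` overwrites rather than appends, which matters if the variable is set elsewhere in the rules file.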
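The discussion turns on which objects ended up with a PT_GNU_RELRO segment and immediate binding, which is exactly what lintian's hardening-no-relro and devscripts' hardening-check derive from the ELF program headers and dynamic section. The following is an added example, not code from the bug thread or the ocaml package: a small POSIX sh classifier over `readelf -lW -dW` output that distinguishes full RELRO (segment plus BIND_NOW), partial RELRO (segment without BIND_NOW, i.e. `-z relro` reached the link but `-z now` did not) and no RELRO. The function names `relro_state` and `check_relro` are assumptions of this example, and the readelf excerpts embedded below are constructed by hand so the script runs without binutils or a compiled object.

```shell
#!/bin/sh
# Added example (not from the bug thread or the ocaml package): classify
# the RELRO state of an ELF object from `readelf -lW -dW` output, the same
# evidence lintian's hardening-no-relro and hardening-check rely on.
#   full    -> PT_GNU_RELRO segment and immediate binding (DT_BIND_NOW,
#              DT_FLAGS BIND_NOW or DT_FLAGS_1 NOW)
#   partial -> PT_GNU_RELRO segment but lazy binding (relro without bindnow)
#   none    -> no PT_GNU_RELRO segment (what lintian warns about); empty
#              input, e.g. readelf failing on a non-ELF file, also lands here
relro_state() {
    awk '
        /^ *GNU_RELRO /                 { relro = 1 }
        /\(BIND_NOW\)/                  { now = 1 }
        /\(FLAGS\)/ && /BIND_NOW/       { now = 1 }
        /\(FLAGS_1\)/ && /[ :]NOW/      { now = 1 }
        END {
            if (relro && now) print "full"
            else if (relro)   print "partial"
            else              print "none"
        }'
}

# check_relro FILE: classify a real file (needs readelf from binutils) and
# print "<state> FILE", so it can be run over the paths lintian listed.
check_relro() {
    state=$(readelf -lW -dW "$1" 2>/dev/null | relro_state)
    printf '%s %s\n' "$state" "$1"
}

# Constructed readelf excerpts (trimmed, not real output from ocaml-base);
# only the program-header and dynamic-section lines the classifier reads.
PHDRS_NORELRO='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0100e0 0x0100e0 R E 0x1000
  DYNAMIC        0x00fd80 0x000000000020fd80 0x000000000020fd80 0x0001e0 0x0001e0 RW  0x8'
PHDRS_RELRO="$PHDRS_NORELRO
  GNU_RELRO      0x00fd80 0x000000000020fd80 0x000000000020fd80 0x000280 0x000280 R   0x1"
DYN_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [dllgraphics.so]'
DYN_NOW="$DYN_LAZY
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW"

sample_none()    { printf '%s\n%s\n' "$PHDRS_NORELRO" "$DYN_LAZY"; }
sample_partial() { printf '%s\n%s\n' "$PHDRS_RELRO"   "$DYN_LAZY"; }
sample_full()    { printf '%s\n%s\n' "$PHDRS_RELRO"   "$DYN_NOW"; }

# Stand-alone demo over the constructed samples.
printf 'constructed none sample    -> %s\n' "$(sample_none    | relro_state)"
printf 'constructed partial sample -> %s\n' "$(sample_partial | relro_state)"
printf 'constructed full sample    -> %s\n' "$(sample_full    | relro_state)"
```

Running `check_relro usr/lib/ocaml/stublibs/dllgraphics.so` on the built package reproduces the lintian finding as `none`; after a fix, a `partial` result means the relro part of dpkg-buildflags' LDFLAGS reached the .so link but the `+bindnow` part did not, which is the distinction hardening-check reports as "Read-only relocations" versus "Immediate binding".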