On Tuesday 06 March 2012 08:27 PM, Simon Ruderich wrote:
> The LDFLAGS hardening flags are not applied everywhere, some
> files don't use hardening flags.
>
> An updated 0009-hardened-build-flags.patch is attached which
> enables it for all files by setting LDFLAGS in ./Makefile.inc
> which is included by all Makefiles. $(shell ..) is used instead
> of `..` because it's already used in other Makefiles.
Hello Simon,
That patch didn't apply cleanly. I have redone it, and here's the patch and
the result.
rrs@champaran:/tmp/Debian-Build/Result/temp$ find -type f \( -executable
-o -name \*.so\* \) -exec hardening-check {} +
./lib/libmultipath.so.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioweightedpath.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckcciss_tur.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioconst.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckemc_clariion.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioemc.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriohds.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriordac.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioontap.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckdirectio.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriohp_sw.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioiet.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriodatacore.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckreadsector0.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libchecktur.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioalua.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckhp_sw.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckrdac.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriorandom.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
readelf: Error: Unable to read in 0x2020 bytes of section headers
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
readelf: Error: Unable to read in 0x2020 bytes of section headers
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
./sbin/multipath:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./sbin/multipathd:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
Please let me know if it satisfies the hardening build flags requirements.
Ritesh
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
From d46bb8ffa676445da9d3179a691cb8a9c9038ad3 Mon Sep 17 00:00:00 2001
From: Ritesh Raj Sarraf <[email protected]>
Date: Mon, 12 Mar 2012 12:42:29 +0530
Subject: [PATCH] Fix hardening build flags
---
debian/patches/0009-hardened-build-flags.patch | 25 ++++++++++++-----------
1 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/debian/patches/0009-hardened-build-flags.patch b/debian/patches/0009-hardened-build-flags.patch
index 10e4dc1..f61190e 100644
--- a/debian/patches/0009-hardened-build-flags.patch
+++ b/debian/patches/0009-hardened-build-flags.patch
@@ -1,37 +1,38 @@
Multipath Hardening Patch
Index: multipath-tools/kpartx/Makefile
===================================================================
---- multipath-tools.orig/kpartx/Makefile 2012-02-10 17:43:42.222462296 +0530
-+++ multipath-tools/kpartx/Makefile 2012-03-05 23:24:52.391915132 +0530
+--- multipath-tools.orig/kpartx/Makefile 2012-03-12 12:28:56.914148797 +0530
++++ multipath-tools/kpartx/Makefile 2012-03-12 12:39:06.505171593 +0530
@@ -12,7 +12,7 @@
CFLAGS += -DLIBDM_API_COOKIE
endif
-LDFLAGS = -ldevmapper
-+LDFLAGS = `dpkg-buildflags --get LDFLAGS` -ldevmapper
++LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS) -ldevmapper
OBJS = bsd.o dos.o kpartx.o solaris.o unixware.o dasd.o sun.o \
gpt.o mac.o crc32.o lopart.o xstrncpy.o devmapper.o
EXEC = kpartx
Index: multipath-tools/Makefile.inc
===================================================================
---- multipath-tools.orig/Makefile.inc 2012-02-10 17:43:42.222462296 +0530
-+++ multipath-tools/Makefile.inc 2012-03-05 23:25:58.160241232 +0530
-@@ -36,8 +36,9 @@
+--- multipath-tools.orig/Makefile.inc 2012-03-12 12:28:56.914148797 +0530
++++ multipath-tools/Makefile.inc 2012-03-12 12:38:23.568958684 +0530
+@@ -36,8 +36,10 @@
GZIP = /bin/gzip -9 -c
INSTALL_PROGRAM = install
-OPTFLAGS = -pipe -g -Wall -Wunused -Wstrict-prototypes
-CFLAGS = $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\"
+OPTFLAGS = -pipe -Wall -Wunused -Wstrict-prototypes
-+CFLAGS = `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPFLAGS` $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\"
++CFLAGS = $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS) $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\"
++LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+
SHARED_FLAGS = -shared
%.o: %.c
Index: multipath-tools/multipathd/Makefile
===================================================================
---- multipath-tools.orig/multipathd/Makefile 2012-03-05 23:21:21.886871295 +0530
-+++ multipath-tools/multipathd/Makefile 2012-03-05 23:27:26.168677659 +0530
+--- multipath-tools.orig/multipathd/Makefile 2012-03-12 12:29:27.954302713 +0530
++++ multipath-tools/multipathd/Makefile 2012-03-12 12:29:28.466305251 +0530
@@ -6,7 +6,7 @@
# basic flags setting
#
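Review bot: in the kpartx/Makefile part of this hunk, `++LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS) -ldevmapper` re-runs dpkg-buildflags and appends the same flags that the new `++LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)` line in Makefile.inc already supplies to every Makefile that includes it, so the hardening linker flags appear twice on the kpartx link line; harmless, but `LDFLAGS += -ldevmapper` is enough once Makefile.inc is the single source. Two smaller points on the Makefile.inc lines: `=` (recursive assignment) re-executes dpkg-buildflags on every expansion of CFLAGS and LDFLAGS, whereas `:=` would run it once per make invocation; and the hardening-check run above still reports `Fortify Source functions: no, only unprotected functions found!` for several checker and prioritizer objects (libcheckdirectio, libchecktur, libprioalua and others), so it is worth confirming that the libmultipath subdirectory Makefiles, which this diff does not touch, pick up CFLAGS from Makefile.inc with `+=` rather than overriding it.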
@@ -43,14 +44,14 @@ Index: multipath-tools/multipathd/Makefile
#
Index: multipath-tools/multipath/Makefile
===================================================================
---- multipath-tools.orig/multipath/Makefile 2012-02-10 17:43:42.230462346 +0530
-+++ multipath-tools/multipath/Makefile 2012-03-05 23:26:48.148489144 +0530
+--- multipath-tools.orig/multipath/Makefile 2012-03-12 12:28:56.914148797 +0530
++++ multipath-tools/multipath/Makefile 2012-03-12 12:40:48.061675186 +0530
@@ -7,7 +7,7 @@
OBJS = main.o
CFLAGS += -I$(multipathdir)
-LDFLAGS += -lpthread -ldevmapper -ldl -L$(multipathdir) -lmultipath
-+LDFLAGS += `dpkg-buildflags --get LDFLAGS` -lpthread -ldevmapper -ldl -lmultipath -L$(multipathdir)
++LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS) -lpthread -ldevmapper -ldl -lmultipath -L$(multipathdir)
EXEC = multipath
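Review bot: same redundancy as in kpartx: `++LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS) -lpthread -ldevmapper -ldl -lmultipath -L$(multipathdir)` duplicates the flags that Makefile.inc now places in LDFLAGS, so `LDFLAGS += -lpthread -ldevmapper -ldl -lmultipath -L$(multipathdir)` is sufficient. Separately, the hardening-check result for ./sbin/multipath and ./sbin/multipathd (`Position Independent Executable: no, normal executable!` and `Immediate binding: no not found!`) is the expected outcome of this patch: dpkg-buildflags enables fortify, stack protector and relro by default but not pie or bindnow, so those two lines stay "no" unless debian/rules also exports `DEB_BUILD_MAINT_OPTIONS = hardening=+all` (or `hardening=+pie,+bindnow`); the commit message should state which hardening set is intended so the remaining "no" entries are not mistaken for a flag-propagation bug.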
--
1.7.9.1
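As an added example, not part of this thread or of the multipath-tools source: a small Python script that parses hardening-check output in the format shown above and lists the binaries that miss the protections dpkg-buildflags enables by default (stack protector, fortify, relro). PIE and immediate binding are treated as optional unless a stricter policy is passed in, and readelf error lines for non-ELF files are skipped. The sample report embedded below is constructed from a few entries of the run above; the function and variable names are this example's own.

```python
"""Summarise hardening-check output and flag binaries missing protections.

Added example for this thread (not from multipath-tools). It parses the report
format printed by Debian's hardening-check tool, as pasted above, and returns,
per binary, the required checks that are not satisfied.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample: three entries taken from the run above, plus one of the
# readelf error lines the tool emits for non-ELF files matched by `find -executable`.
# Real hardening-check output indents each check line by one space.
SAMPLE_REPORT = """\
./lib/multipath/libprioconst.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!
./lib/multipath/libchecktur.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
./sbin/multipathd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Map hardening-check's check labels to the dpkg-buildflags hardening feature names.
CHECK_NAMES = {
    "Position Independent Executable": "pie",
    "Stack protected": "stackprotector",
    "Fortify Source functions": "fortify",
    "Read-only relocations": "relro",
    "Immediate binding": "bindnow",
}

# dpkg-buildflags turns these on by default; pie and bindnow need hardening=+all.
DEFAULT_REQUIRED: Tuple[str, ...] = ("stackprotector", "fortify", "relro")
STRICT_REQUIRED: Tuple[str, ...] = ("pie", "stackprotector", "fortify", "relro", "bindnow")


def parse_report(text: str) -> Dict[str, Dict[str, str]]:
    """Return {binary path: {feature: verdict string}} for a hardening-check report."""
    results: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("readelf:"):
            continue  # readelf complaints about non-ELF files are not results
        name, sep, verdict = line.partition(": ")
        if not sep and line.endswith(":"):
            current = line[:-1]  # "./path/to/binary:" starts a new entry
            results[current] = {}
            continue
        feature = CHECK_NAMES.get(name)
        if feature is None or current is None:
            continue  # unrecognised line; ignore rather than guess
        results[current][feature] = verdict
    return results


def classify(verdict: str) -> str:
    """Map one verdict to 'ok', 'missing' or 'n/a'.

    'n/a' covers objects the check does not apply to ("(ignored)") and objects
    with nothing to protect ("unknown, ..."). Note that "no, not found!" for the
    stack protector cannot distinguish an unprotected build from an object that
    simply has no stack-array frames, so treat it as a prompt to look closer.
    """
    v = verdict.lower()
    if v.startswith("yes"):
        return "ok"
    if v.startswith("unknown") or "(ignored)" in v:
        return "n/a"
    return "missing"


def findings(results: Dict[str, Dict[str, str]],
             required: Tuple[str, ...] = DEFAULT_REQUIRED) -> Dict[str, List[str]]:
    """Return {binary: [required features that are missing]} for binaries with gaps."""
    out: Dict[str, List[str]] = {}
    for path, checks in results.items():
        failed = [f for f in required
                  if classify(checks.get(f, "no, not reported")) == "missing"]
        if failed:
            out[path] = failed
    return out


def main(argv: List[str]) -> int:
    # Usage: python hardening_report.py [report.txt] [--strict]; no file uses the sample.
    strict = "--strict" in argv
    files = [a for a in argv[1:] if a != "--strict"]
    text = open(files[0]).read() if files else SAMPLE_REPORT
    bad = findings(parse_report(text), STRICT_REQUIRED if strict else DEFAULT_REQUIRED)
    for path, failed in sorted(bad.items()):
        print(f"{path}: missing {', '.join(failed)}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the two sample libraries (libprioconst.so for the stack protector, libchecktur.so for fortify) and exits non-zero, which makes it usable as a gate in a package build; with `--strict` it also lists multipathd for pie and bindnow, matching what the output above shows for a default dpkg-buildflags build.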