Hello,

I checked how the binary shipped in several popular distributions looks
(ppa:vbernat/haproxy-2.4, docker haproxytech/haproxy-ubuntu, docker
haproxy).

Are we aware of those security features? Shall we move them to the
Makefile? Or is it up to the distribution?
ppa:vbernat/haproxy-2.4

[root@fedora haproxy-bionic]# ~ilia/checksec.sh/checksec --file=haproxy
  RELRO         Full RELRO
  STACK CANARY  Canary found
  NX            NX enabled
  PIE           PIE enabled
  RPATH         No RPATH
  RUNPATH       No RUNPATH
  Symbols       No Symbols
  FORTIFY       Yes
  Fortified     12
  Fortifiable   26
  FILE          haproxy

BinSkim:
Analyzing 'haproxy'...
Analysis completed successfully.
docker haproxytech/haproxy-ubuntu

[fedora haproxy-docker]# ~ilia/checksec.sh/checksec --file=haproxy-tech
  RELRO         Full RELRO
  STACK CANARY  Canary found
  NX            NX enabled
  PIE           PIE enabled
  RPATH         No RPATH
  RUNPATH       No RUNPATH
  Symbols       5664) Symbols
  FORTIFY       Yes
  Fortified     12
  Fortifiable   26
  FILE          haproxy-tech

BinSkim:
Analyzing 'haproxy-tech'...
/home/ilia/haproxy-docker/haproxy-tech: error BA3004: 'haproxy-tech' is
using debugging dwarf version '4'. The dwarf version 5 contains more
information and should be used. To enable the debugging version 5 use
'-gdwarf-5'.
Analysis completed successfully.
docker haproxy

[ilia@fedora checksec.sh]$ ./checksec --file=/home/ilia/haproxy-docker/haproxy
  RELRO         Partial RELRO
  STACK CANARY  No canary found
  NX            NX enabled
  PIE           PIE enabled
  RPATH         No RPATH
  RUNPATH       No RUNPATH
  Symbols       5926) Symbols
  FORTIFY       Yes
  Fortified     0
  Fortifiable   20
  FILE          /home/ilia/haproxy-docker/haproxy

BinSkim:
/home/ilia/haproxy-docker/haproxy: error BA3003: The stack protector was
not found in 'haproxy'. This may be because '--stack-protector-strong' was
not used, or because it was explicitly disabled by '-fno-stack-protectors'.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
hash.c, version.c, errors.c, http_client.c
/home/ilia/haproxy-docker/haproxy: error BA3004: 'haproxy' is using
debugging dwarf version '4'. The dwarf version 5 contains more information
and should be used. To enable the debugging version 5 use '-gdwarf-5'.
/home/ilia/haproxy-docker/haproxy: error BA3005: The Stack Clash Protection
is missing from this binary, so the stack from 'haproxy' can clash/collide
with another memory region. Ensure you are compiling with the compiler
flags '-fstack-clash-protection' to address this.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
pr
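As an added example that is not part of this mail, of haproxy, or of checksec.sh itself: a stand-alone Python re-implementation of the checks behind the RELRO / STACK CANARY / NX / PIE / Fortified columns reported above, read straight from the ELF64 program headers and dynamic section rather than through readelf. The file name elf_hardening.py and the synthetic image produced by build_test_elf() are assumptions made for this example (it is constructed test input, not a real binary); point the script at a real haproxy to compare its output with checksec.

```python
import struct

# ELF64 constants from the System V ABI and the GNU extensions.
ET_DYN, PT_LOAD, PT_DYNAMIC = 3, 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # little-endian ELF64 layouts
PHDR_FIELDS = ("type", "flags", "off", "vaddr", "paddr", "filesz", "memsz", "align")

def program_headers(data):
    """Return (e_type, list of program header dicts) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_type, phdrs

def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return ph["off"] + (vaddr - ph["vaddr"])
    raise ValueError("address 0x%x is not file-backed" % vaddr)

def dynamic_entries(data, phdrs):
    """Read the PT_DYNAMIC array into {tag: value}; empty for a static binary."""
    dyn = {}
    for ph in (p for p in phdrs if p["type"] == PT_DYNAMIC):
        for off in range(ph["off"], ph["off"] + ph["filesz"], 16):
            tag, val = struct.unpack_from(DYN, data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
    return dyn

def dynamic_names(data, phdrs, dyn):
    """Imported symbol and library names from the dynamic string table."""
    if DT_STRTAB not in dyn or DT_STRSZ not in dyn:
        return []
    off = vaddr_to_offset(phdrs, dyn[DT_STRTAB])
    return [n.decode("ascii", "replace") for n in data[off:off + dyn[DT_STRSZ]].split(b"\0") if n]

def check_hardening(data):
    """Evaluate the checksec RELRO / STACK CANARY / NX / PIE / Fortified columns."""
    e_type, phdrs = program_headers(data)
    by_type = {ph["type"]: ph for ph in phdrs}
    dyn = dynamic_entries(data, phdrs)
    names = dynamic_names(data, phdrs, dyn)
    # Full RELRO = a GNU_RELRO segment plus immediate binding (-z now), which the
    # linker records as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1.
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = ("No RELRO" if PT_GNU_RELRO not in by_type else
             "Full RELRO" if bind_now else "Partial RELRO")
    # Without a PT_GNU_STACK header the kernel falls back to an executable stack
    # on x86, so only an explicit non-executable GNU_STACK counts as NX enabled.
    stack = by_type.get(PT_GNU_STACK)
    return {
        "relro": relro,
        "canary": any(n.startswith("__stack_chk_fail") for n in names),  # -fstack-protector*
        "nx": stack is not None and not (stack["flags"] & PF_X),
        "pie": e_type == ET_DYN,  # a shared library is ET_DYN as well
        "fortified": sorted(n for n in names if n.endswith("_chk")),  # _FORTIFY_SOURCE variants
    }

def build_test_elf(pie=True, nx=True, relro="full", names=("__stack_chk_fail", "__memcpy_chk")):
    """Constructed test input, not a runnable program: one PT_LOAD mapping the file at
    vaddr 0, a dynamic section with its string table, a GNU_RELRO segment over it
    when relro is "full" or "partial", and a GNU_STACK header (executable if not nx)."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    phnum = 3 if relro == "none" else 4
    strtab_off = 64 + 56 * phnum            # ELF header, then phnum * 56-byte phdrs
    dyn_off = strtab_off + len(strtab)
    dyn = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))  # what -Wl,-z,now leaves behind
    dyn.append((DT_NULL, 0))
    dynsz, total = 16 * len(dyn), dyn_off + 16 * len(dyn)
    def phdr(p_type, flags, off=0, size=0, align=8):
        return struct.pack(PHDR, p_type, flags, off, off, off, size, size, align)
    phdrs = [phdr(PT_LOAD, PF_R | PF_W, 0, total, 0x1000),
             phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, dynsz),
             phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro != "none":
        phdrs.append(phdr(PT_GNU_RELRO, PF_R, dyn_off, dynsz))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + strtab + b"".join(struct.pack(DYN, t, v) for t, v in dyn)

if __name__ == "__main__":  # usage: python3 elf_hardening.py /path/to/haproxy
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_elf()
    print(check_hardening(data))
```

Two caveats for anyone using this against the three builds above: the canary and fortified checks look only at the dynamic string table, so a statically linked haproxy (no PT_DYNAMIC) reports neither even when it was built with the protector, and checksec's readelf -s pass over .symtab would still find it; and the two BinSkim findings, Stack Clash Protection (BA3005) and the DWARF version (BA3004), are not visible in the ELF headers at all, they come from what the compiler recorded in the debug information, which is why checksec cannot report them.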