Bug#835146: dpkg: please enable bindow hardening flag by default
Hi!

On Fri, 2022-06-17 at 16:04:27 +0200, Christian Göttsche wrote:
> With LTO being considered to be enabled by default [1] can this please
> also get another deliberation.

If you want to see this enabled by default, please bring it up again on
debian-devel. AFAIR last time there was push back.

Thanks,
Guillem
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi,

For the record I'm not working on this anymore. Feel free to either close
the bug or pick the work up from here.

IMO there is not much to worry about enabling bindnow since Ubuntu enabled
it in 16.10.

Cheers,
Balint

[1] https://wiki.ubuntu.com/ToolChain%20/CompilerFlags/#A-Wl.2C-z.2Cnow

Dr. Markus Waldeck wrote (on 2017 Aug 17, Thu, 16:31):
>
> Hi all,
>
> PIE made it into Stretch.
>
> But bindnow is still open
> even after it was activated for a short time
> (and packages were built with it).
>
> May I ask for the planning for Buster?
>
> Thanks in advance!
>
> Dr. Markus Waldeck
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi all,

PIE made it into Stretch.

But bindnow is still open even after it was activated for a short time
(and packages were built with it).

May I ask for the planning for Buster?

Thanks in advance!

Dr. Markus Waldeck
Bug#835146: dpkg: please enable bindow hardening flag by default
2016-12-19 1:07 GMT+01:00 Christian Hofstaedtler:
> * Bálint Réczey [161219 00:06]:
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> Given dpkg/1.18.16 has entered sid, your upload will likely fail...

Yes, Guillem mentioned it in his email to debian-devel:
https://lists.debian.org/debian-devel/2016/12/msg00416.html

Cheers,
Balint
Bug#835146: dpkg: please enable bindow hardening flag by default
* Bálint Réczey [161219 00:06]:
> I have uploaded a fixed package with the attached patch to DELAYED/10.

Given dpkg/1.18.16 has entered sid, your upload will likely fail...

Best,
--
christian hofstaedtler
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi Matthias,

2016-12-14 15:09 GMT+01:00 Matthias Klose:
> On 14.12.2016 13:58, Bálint Réczey wrote:
>> Hi All,
>>
>> 2016-11-06 13:20 GMT+01:00 Bálint Réczey :
>>> Hi Guillem,
>>>
>>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>>>> Hi,
>>>>
>>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>>>> Hi,
>>>>>
>>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>>>> Hi!
>>>>>>
>>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>>> would be better through the hardening flags because packages could
>>>>>>> disable it in a nicer and already established way.
>>>>>>
>>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>>> default now too?
>>>>>
>>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>>
>>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>>
>>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>>> is actually good, because it also gives hardened output for
>>>>>> non-packaged builds!
>>>>>
>>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>>> In the original patches I wanted to follow Debian's practice of setting
>>>>> flags from dpkg, but there are pros and cons on each side.
>>>>> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
>>>>> where flags are not passed properly, while it makes it harder to disable
>>>>> the flags from d/rules.
>>>>>
>>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>>> variant which would please both of you?
>>>>
>>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>>> seems dpkg can set both.
>>>
>>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>>> for that.
>>> Is there any particular reason for not enabling bindnow as well?
>>>
>>> Do you plan to enable it for Stretch?
>>
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> that enables bindnow on any architecture whether pie is enabled or not. is
> this intended?

Yes, relro is enabled by default on all architectures, too.

Cheers,
Balint
Bug#835146: dpkg: please enable bindow hardening flag by default
On 14.12.2016 13:58, Bálint Réczey wrote:
> Hi All,
>
> 2016-11-06 13:20 GMT+01:00 Bálint Réczey:
>> Hi Guillem,
>>
>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>>> Hi,
>>>
>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>>> Hi,
>>>>
>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>>> Hi!
>>>>>
>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>> would be better through the hardening flags because packages could
>>>>>> disable it in a nicer and already established way.
>>>>>
>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>> default now too?
>>>>
>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>
>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>
>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>> is actually good, because it also gives hardened output for
>>>>> non-packaged builds!
>>>>
>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>> In the original patches I wanted to follow Debian's practice of setting
>>>> flags from dpkg, but there are pros and cons on each side.
>>>> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
>>>> where flags are not passed properly, while it makes it harder to disable
>>>> the flags from d/rules.
>>>>
>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>> variant which would please both of you?
>>>
>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>> seems dpkg can set both.
>>
>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>> for that.
>> Is there any particular reason for not enabling bindnow as well?
>>
>> Do you plan to enable it for Stretch?
>
> I have uploaded a fixed package with the attached patch to DELAYED/10.

that enables bindnow on any architecture whether pie is enabled or not. is
this intended?

Matthias
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi All,

2016-11-06 13:20 GMT+01:00 Bálint Réczey:
> Hi Guillem,
>
> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>> Hi,
>>
>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>> Hi,
>>>
>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>> Hi!
>>>>
>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>> would be better through the hardening flags because packages could
>>>>> disable it in a nicer and already established way.
>>>>
>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>> default now too?
>>>
>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>
>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>
>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>> should. I'm fine either way, but I find having a hardened compiler
>>>> is actually good, because it also gives hardened output for
>>>> non-packaged builds!
>>>
>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>> In the original patches I wanted to follow Debian's practice of setting
>>> flags from dpkg, but there are pros and cons on each side.
>>> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
>>> where flags are not passed properly, while it makes it harder to disable
>>> the flags from d/rules.
>>>
>>> I would like to see bindnow enabled in Stretch and the first phase of
>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>> variant which would please both of you?
>>
>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>> seems dpkg can set both.
>
> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
> for that.
> Is there any particular reason for not enabling bindnow as well?
>
> Do you plan to enable it for Stretch?

I have uploaded a fixed package with the attached patch to DELAYED/10.

Cheers,
Balint

diff -Nru dpkg-1.18.15/debian/changelog dpkg-1.18.15+nmu1/debian/changelog --- dpkg-1.18.15/debian/changelog 2016-11-16 03:28:05.0 +0100 +++ dpkg-1.18.15+nmu1/debian/changelog 2016-12-14 13:42:35.0 +0100 @@ -1,3 +1,10 @@ +dpkg (1.18.15+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Make dpkg-buildflags enable bindnow by default (Closes: #835146) + + -- Balint Reczey Wed, 14 Dec 2016 13:40:17 +0100 + dpkg (1.18.15) unstable; urgency=medium [ Guillem Jover ] diff -Nru dpkg-1.18.15/man/dpkg-buildflags.man dpkg-1.18.15+nmu1/man/dpkg-buildflags.man --- dpkg-1.18.15/man/dpkg-buildflags.man 2016-11-14 00:54:13.0 +0100 +++ dpkg-1.18.15+nmu1/man/dpkg-buildflags.man 2016-12-14 13:40:13.0 +0100 @@ -339,7 +339,7 @@ . .TP .B bindnow -This setting (disabled by default) adds +This setting (enabled by default) adds .B \-Wl,\-z,now to \fBLDFLAGS\fP. During program load, all dynamic symbols are resolved, allowing for the entire PLT to be marked read-only (due to \fBrelro\fP diff -Nru dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm --- dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm 2016-11-14 00:54:14.0 +0100 +++ dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm 2016-12-14 13:40:08.0 +0100 @@ -287,7 +287,7 @@ fortify => 1, format => 1, relro => 1, - bindnow => 0, + bindnow => 1, ); my %builtin_feature = ( pie => 1,
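Review bot: the version in the changelog hunk, 1.18.15+nmu1, is already lower than the dpkg 1.18.16 that the follow-up messages in this thread say has entered sid, so the DELAYED/10 upload cannot be accepted as it stands; rebase the change onto 1.18.16 and renumber the entry before re-uploading.

Review bot: the dpkg-buildflags.man hunk only flips "disabled by default" to "enabled by default"; since the follow-up asks whether bindnow is meant to be on for every architecture regardless of pie, the description should state that explicitly (pie, by contrast, is listed under %builtin_feature and follows the compiler), and should point to the established way of disabling a hardening feature from debian/rules right where the new default is announced.

Review bot: in the Debian.pm hunk `bindnow => 1` sits in the same feature table as `relro => 1`, and the man page text in this same patch says the read-only PLT is "due to relro", so the two features are only effective together; the change should document that a package which opts out of relro while keeping bindnow gets eager symbol resolution but none of the read-only protection, so maintainers do not disable the wrong one.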
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi Guillem,

2016-10-27 23:49 GMT+02:00 Bálint Réczey:
> Hi,
>
> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>> Hi,
>>
>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>> Hi!
>>>
>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>> would be better through the hardening flags because packages could
>>>> disable it in a nicer and already established way.
>>>
>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>> default now too?
>>
>> Default relro is enabled only on Ubuntu among other flags. Enabling
>> bindnow was Matthias' change and we did not discuss it in advance.
>>
>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>
>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>> should. I'm fine either way, but I find having a hardened compiler
>>> is actually good, because it also gives hardened output for
>>> non-packaged builds!
>>
>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>> In the original patches I wanted to follow Debian's practice of setting
>> flags from dpkg, but there are pros and cons on each side.
>> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
>> where flags are not passed properly, while it makes it harder to disable
>> the flags from d/rules.
>>
>> I would like to see bindnow enabled in Stretch and the first phase of
>> the freeze is near. Could you two (Matthias and Guillem) please find the
>> variant which would please both of you?
>
> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
> seems dpkg can set both.

I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
for that.
Is there any particular reason for not enabling bindnow as well?

Do you plan to enable it for Stretch?

Cheers,
Balint
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi,

2016-10-26 13:46 GMT+02:00 Bálint Réczey:
> Hi,
>
> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>> Hi!
>>
>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>> would be better through the hardening flags because packages could
>>> disable it in a nicer and already established way.
>>
>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>> relro (I'd assume) is not enabled by default, or is that enabled by
>> default now too?
>
> Default relro is enabled only on Ubuntu among other flags. Enabling
> bindnow was Matthias' change and we did not discuss it in advance.
>
> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>
>> IMO either relro + bindnow should be enabled in gcc, or neither
>> should. I'm fine either way, but I find having a hardened compiler
>> is actually good, because it also gives hardened output for
>> non-packaged builds!
>
> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
> In the original patches I wanted to follow Debian's practice of setting
> flags from dpkg, but there are pros and cons on each side.
> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
> where flags are not passed properly, while it makes it harder to disable
> the flags from d/rules.
>
> I would like to see bindnow enabled in Stretch and the first phase of
> the freeze is near. Could you two (Matthias and Guillem) please find the
> variant which would please both of you?

For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
seems dpkg can set both.

Cheers,
Balint
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi,

2016-10-26 5:00 GMT+02:00 Guillem Jover:
> Hi!
>
> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>> where PIE is enabled by default. I think enabling bindnow from dpkg
>> would be better through the hardening flags because packages could
>> disable it in a nicer and already established way.
>
> Hmm, I don't get why bindnow was enabled by default in gcc, while
> relro (I'd assume) is not enabled by default, or is that enabled by
> default now too?

Default relro is enabled only on Ubuntu among other flags. Enabling
bindnow was Matthias' change and we did not discuss it in advance.

http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134

> IMO either relro + bindnow should be enabled in gcc, or neither
> should. I'm fine either way, but I find having a hardened compiler
> is actually good, because it also gives hardened output for
> non-packaged builds!

I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
In the original patches I wanted to follow Debian's practice of setting
flags from dpkg, but there are pros and cons on each side.
Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
where flags are not passed properly, while it makes it harder to disable
the flags from d/rules.

I would like to see bindnow enabled in Stretch and the first phase of
the freeze is near. Could you two (Matthias and Guillem) please find the
variant which would please both of you?

Cheers,
Balint
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi!

On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
> PIE is enabled by default. I think enabling bindnow from dpkg would be
> better through the hardening flags because packages could disable it
> in a nicer and already established way.

Hmm, I don't get why bindnow was enabled by default in gcc, while relro
(I'd assume) is not enabled by default, or is that enabled by default now
too?

IMO either relro + bindnow should be enabled in gcc, or neither should.
I'm fine either way, but I find having a hardened compiler is actually
good, because it also gives hardened output for non-packaged builds!

Thanks,
Guillem
Bug#835146: dpkg: please enable bindow hardening flag by default
Hi Guillem,

For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
PIE is enabled by default. I think enabling bindnow from dpkg would be
better through the hardening flags because packages could disable it
in a nicer and already established way.

Cheers,
Balint

2016-10-10 14:06 GMT+02:00 Balint Reczey:
> Dear Guillem,
>
> On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey wrote:
> ...
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that implements enabling the bindnow
>> hardening flags.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>
> The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
> cases, all of which seem to be related to enabling PIE by
> default [3].
>
> ~70 of the filed related bugs [4] are still open.
>
> Since the rebuild was run with tests enabled this seems to be a
> good indication that we can expect very few breakages from
> enabling bindnow by default.
>
> Running autopkgtest would need more work as AFAIK there is no
> automated method for doing it like rebuilds [5].
>
> I'm wondering if you find the autopkgtest round necessary for
> this change.
>
> Cheers,
> Balint
>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>
> [3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
> [4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906=balint%40balintreczey.hu;dist=unstable
> [5] https://wiki.debian.org/qa.debian.org/ArchiveTesting
Bug#835146: dpkg: please enable bindow hardening flag by default
Dear Guillem,

On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey wrote:
...
> Dear Guillem,
>
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that implements enabling the bindnow
> hardening flags.
>
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.

The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
cases, all of which seem to be related to enabling PIE by
default [3].

~70 of the filed related bugs [4] are still open.

Since the rebuild was run with tests enabled this seems to be a
good indication that we can expect very few breakages from
enabling bindnow by default.

Running autopkgtest would need more work as AFAIK there is no
automated method for doing it like rebuilds [5].

I'm wondering if you find the autopkgtest round necessary for
this change.

Cheers,
Balint

> Cheers,
> Balint
>
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

[3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906=balint%40balintreczey.hu;dist=unstable
[5] https://wiki.debian.org/qa.debian.org/ArchiveTesting
Bug#835146: dpkg: please enable bindow hardening flag by default
Package: dpkg
Version: 1.18.10
Severity: wishlist
Tags: patch moreinfo

Dear Guillem,

As a continuation of the discussions [1][2] on debian-devel I'm
attaching the simple patch that implements enabling the bindnow
hardening flags.

I'm continuing with the rebuild/autopkgtest tests according to
the Dpkg FAQ, hence the moreinfo tag.

Cheers,
Balint

[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

From 93059236f0559649e052a1cae00ff7a5ba4cab05 Mon Sep 17 00:00:00 2001
From: Balint Reczey
Date: Sun, 3 Jul 2016 21:12:09 +0200
Subject: [PATCH 1/2] Use bindnow hardening flag by default

---
 scripts/Dpkg/Vendor/Debian.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm index ebb1750..f8854e2 100644 --- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -277,7 +277,7 @@ sub _add_hardening_flags { fortify => 1, format => 1, relro => 1, - bindnow => 0, + bindnow => 1, ); # Adjust features based on user or maintainer's desires. -- 2.1.4
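Review bot: this hunk flips the bindnow default inside _add_hardening_flags in Dpkg/Vendor/Debian.pm, but the dpkg-buildflags man page, which describes bindnow as disabled by default, is not touched in the same patch, so the documentation and the behaviour would disagree after applying it; the later NMU diff in this thread carries that man page change and the two belong together. The subject line also says [PATCH 1/2] while only this first patch is attached, so the second part should be posted or the numbering dropped.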