Bug#835146: dpkg: please enable bindow hardening flag by default

2022-06-26 Thread Guillem Jover
Hi!

On Fri, 2022-06-17 at 16:04:27 +0200, Christian Göttsche wrote:
> With LTO being considered to be enabled by default [1], can this please
> also get another deliberation?

If you want to see this enabled by default, please bring it up again
on debian-devel. AFAIR last time there was push back.

Thanks,
Guillem



Bug#835146: dpkg: please enable bindow hardening flag by default

2021-12-12 Thread Bálint Réczey
Hi,

For the record I'm not working on this anymore.

Feel free to either close the bug or pick the work up from here. IMO
there is not much to worry about enabling bindnow since Ubuntu enabled
it in 16.10.

Cheers,
Balint

[1] https://wiki.ubuntu.com/ToolChain%20/CompilerFlags/#A-Wl.2C-z.2Cnow

Dr. Markus Waldeck wrote (on Thu, 17 Aug 2017, 16:31):
>
> Hi all,
>
> PIE made it into Stretch.
>
> But bindnow is still open
> even after it was activated for a short time
> (and packages were built with it).
>
> May I ask for the planning for Buster?
>
> Thanks in advance!
>
> Dr. Markus Waldeck



Bug#835146: dpkg: please enable bindow hardening flag by default

2017-08-17 Thread Dr. Markus Waldeck
Hi all,

PIE made it into Stretch.

But bindnow is still open
even after it was activated for a short time
(and packages were built with it).

May I ask for the planning for Buster?

Thanks in advance!

Dr. Markus Waldeck



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-12-19 Thread Bálint Réczey
2016-12-19 1:07 GMT+01:00 Christian Hofstaedtler :
> * Bálint Réczey  [161219 00:06]:
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> Given dpkg/1.18.16 has entered sid, your upload will likely fail...


Yes, Guillem mentioned it in his email to debian-devel:
https://lists.debian.org/debian-devel/2016/12/msg00416.html

Cheers,
Balint



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-12-18 Thread Christian Hofstaedtler
* Bálint Réczey  [161219 00:06]:
> I have uploaded a fixed package with the attached patch to DELAYED/10.

Given dpkg/1.18.16 has entered sid, your upload will likely fail...

Best,
-- 
christian hofstaedtler 



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-12-14 Thread Bálint Réczey
Hi Matthias,

2016-12-14 15:09 GMT+01:00 Matthias Klose :
> On 14.12.2016 13:58, Bálint Réczey wrote:
>> Hi All,
>>
>> 2016-11-06 13:20 GMT+01:00 Bálint Réczey :
>>> Hi Guillem,
>>>
>>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>>>> Hi,
>>>>
>>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>>>> Hi,
>>>>>
>>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>>>> Hi!
>>>>>>
>>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>>> would be better through the hardening flags because packages could
>>>>>>> disable it in a nicer and already established way.
>>>>>>
>>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>>> default now too?
>>>>>
>>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>>
>>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>>
>>>>>>
>>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>>> is actually good, because it also gives hardened output for
>>>>>> non-packaged builds!
>>>>>
>>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>>> In the original patches I wanted to follow Debian's practice of setting
>>>>> flags from dpkg, but there are pros and cons on each side.
>>>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>>>> where flags are not passed properly, while it makes it harder to disable
>>>>> the flags from d/rules.
>>>>>
>>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>>> variant which would please both of you?
>>>>
>>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>>> seems dpkg can set both.
>>>
>>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>>> for that.
>>> Is there any particular reason for not enabling bindnow as well?
>>>
>>> Do you plan enabling it for Stretch?
>>
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> That enables bindnow on any architecture whether pie is enabled or not. Is this
> intended?

Yes, relro is enabled by default on all architectures, too.

Cheers,
Balint



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-12-14 Thread Matthias Klose
On 14.12.2016 13:58, Bálint Réczey wrote:
> Hi All,
> 
> 2016-11-06 13:20 GMT+01:00 Bálint Réczey :
>> Hi Guillem,
>>
>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>>> Hi,
>>>
>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>>> Hi,
>>>>
>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>>> Hi!
>>>>>
>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>> would be better through the hardening flags because packages could
>>>>>> disable it in a nicer and already established way.
>>>>>
>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>> default now too?
>>>>
>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>
>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>
>>>>>
>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>> is actually good, because it also gives hardened output for
>>>>> non-packaged builds!
>>>>
>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>> In the original patches I wanted to follow Debian's practice of setting
>>>> flags from dpkg, but there are pros and cons on each side.
>>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>>> where flags are not passed properly, while it makes it harder to disable
>>>> the flags from d/rules.
>>>>
>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>> variant which would please both of you?
>>>
>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>> seems dpkg can set both.
>>
>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>> for that.
>> Is there any particular reason for not enabling bindnow as well?
>>
>> Do you plan enabling it for Stretch?
> 
> I have uploaded a fixed package with the attached patch to DELAYED/10.

That enables bindnow on any architecture whether pie is enabled or not. Is this
intended?

Matthias



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-12-14 Thread Bálint Réczey
Hi All,

2016-11-06 13:20 GMT+01:00 Bálint Réczey :
> Hi Guillem,
>
> 2016-10-27 23:49 GMT+02:00 Bálint Réczey :
>> Hi,
>>
>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>>> Hi,
>>>
>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>>> Hi!
>>>>
>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>> would be better through the hardening flags because packages could
>>>>> disable it in a nicer and already established way.
>>>>
>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>> default now too?
>>>
>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>
>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>

>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>> should. I'm fine either way, but I find having a hardened compiler
>>>> is actually good, because it also gives hardened output for
>>>> non-packaged builds!
>>>
>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>> In the original patches I wanted to follow Debian's practice of setting
>>> flags from dpkg, but there are pros and cons on each side.
>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>> where flags are not passed properly, while it makes it harder to disable
>>> the flags from d/rules.
>>>
>>> I would like to see bindnow enabled in Stretch and the first phase of
>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>> variant which would please both of you?
>>
>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>> seems dpkg can set both.
>
> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
> for that.
> Is there any particular reason for not enabling bindnow as well?
>
> Do you plan enabling it for Stretch?

I have uploaded a fixed package with the attached patch to DELAYED/10.

Cheers,
Balint
diff -Nru dpkg-1.18.15/debian/changelog dpkg-1.18.15+nmu1/debian/changelog
--- dpkg-1.18.15/debian/changelog	2016-11-16 03:28:05.0 +0100
+++ dpkg-1.18.15+nmu1/debian/changelog	2016-12-14 13:42:35.0 +0100
@@ -1,3 +1,10 @@
+dpkg (1.18.15+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Make dpkg-buildflags enable bindnow by default (Closes: #835146)
+
+ -- Balint Reczey   Wed, 14 Dec 2016 13:40:17 +0100
+
 dpkg (1.18.15) unstable; urgency=medium
 
   [ Guillem Jover ]
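Review bot: the new changelog entry says only that bindnow is enabled by default; it should also state that the new default applies on every architecture regardless of PIE, since the Debian.pm hunk flips `bindnow => 1` unconditionally, and that the dpkg-buildflags manual page was updated to match. That is exactly the question Matthias raises in this thread, and a maintainer reading the changelog should not have to open the diff to find the answer.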
diff -Nru dpkg-1.18.15/man/dpkg-buildflags.man dpkg-1.18.15+nmu1/man/dpkg-buildflags.man
--- dpkg-1.18.15/man/dpkg-buildflags.man	2016-11-14 00:54:13.0 +0100
+++ dpkg-1.18.15+nmu1/man/dpkg-buildflags.man	2016-12-14 13:40:13.0 +0100
@@ -339,7 +339,7 @@
 .
 .TP
 .B bindnow
-This setting (disabled by default) adds
+This setting (enabled by default) adds
 .B \-Wl,\-z,now
 to \fBLDFLAGS\fP. During program load, all dynamic symbols are resolved,
 allowing for the entire PLT to be marked read-only (due to \fBrelro\fP
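Review bot: the only change is `(disabled by default)` to `(enabled by default)`; the sentence that follows already says every dynamic symbol is resolved during program load, so one more clause on the trade-off (no lazy binding means slower start-up for binaries with many PLT entries) and a reminder that the read-only PLT benefit only materialises together with `relro` would give maintainers what they need to decide whether to opt out of the new default.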
diff -Nru dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm	2016-11-14 00:54:14.0 +0100
+++ dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm	2016-12-14 13:40:08.0 +0100
@@ -287,7 +287,7 @@
 	fortify => 1,
 	format => 1,
 	relro => 1,
-	bindnow => 0,
+	bindnow => 1,
 );
 my %builtin_feature = (
 pie => 1,
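Review bot: `bindnow => 1` is flipped with no comment, and the first reply to this patch in the thread asks whether enabling it on non-PIE architectures was intended; a one-line comment above the table saying that bindnow follows `relro => 1` (both unconditional, and bindnow only pays off when relro is on, as the man page text in this same diff explains) would answer that on the spot. The `%builtin_feature` context shows `pie` is tracked separately, so no coupling needs adjusting here.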


Bug#835146: dpkg: please enable bindow hardening flag by default

2016-11-06 Thread Bálint Réczey
Hi Guillem,

2016-10-27 23:49 GMT+02:00 Bálint Réczey :
> Hi,
>
> 2016-10-26 13:46 GMT+02:00 Bálint Réczey :
>> Hi,
>>
>> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>>> Hi!
>>>
>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>> would be better through the hardening flags because packages could
>>>> disable it in a nicer and already established way.
>>>
>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>> default now too?
>>
>> Default relro is enabled only on Ubuntu among other flags. Enabling
>> bindnow was Matthias' change and we did not discuss it in advance.
>>
>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>
>>>
>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>> should. I'm fine either way, but I find having a hardened compiler
>>> is actually good, because it also gives hardened output for
>>> non-packaged builds!
>>
>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>> In the original patches I wanted to follow Debian's practice of setting
>> flags from dpkg, but there are pros and cons on each side.
>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>> where flags are not passed properly, while it makes it harder to disable
>> the flags from d/rules.
>>
>> I would like to see bindnow enabled in Stretch and the first phase of
>> the freeze is near. Could you two (Matthias and Guillem) please find the
>> variant which would please both of you?
>
> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
> seems dpkg can set both.

I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
for that.
Is there any particular reason for not enabling bindnow as well?

Do you plan enabling it for Stretch?

Cheers,
Balint



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-27 Thread Bálint Réczey
Hi,

2016-10-26 13:46 GMT+02:00 Bálint Réczey :
> Hi,
>
> 2016-10-26 5:00 GMT+02:00 Guillem Jover :
>> Hi!
>>
>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>> would be better through the hardening flags because packages could
>>> disable it in a nicer and already established way.
>>
>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>> relro (I'd assume) is not enabled by default, or is that enabled by
>> default now too?
>
> Default relro is enabled only on Ubuntu among other flags. Enabling
> bindnow was Matthias' change and we did not discuss it in advance.
>
> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>
>>
>> IMO either relro + bindnow should be enabled in gcc, or neither
>> should. I'm fine either way, but I find having a hardened compiler
>> is actually good, because it also gives hardened output for
>> non-packaged builds!
>
> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
> In the original patches I wanted to follow Debian's practice of setting
> flags from dpkg, but there are pros and cons on each side.
> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
> where flags are not passed properly, while it makes it harder to disable
> the flags from d/rules.
>
> I would like to see bindnow enabled in Stretch and the first phase of
> the freeze is near. Could you two (Matthias and Guillem) please find the
> variant which would please both of you?

For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
seems dpkg can set both.

Cheers,
Balint



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-26 Thread Bálint Réczey
Hi,

2016-10-26 5:00 GMT+02:00 Guillem Jover :
> Hi!
> 
> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>> where PIE is enabled by default. I think enabling bindnow from dpkg
>> would be better through the hardening flags because packages could
>> disable it in a nicer and already established way.
> 
> Hmm, I don't get why bindnow was enabled by default in gcc, while 
> relro (I'd assume) is not enabled by default, or is that enabled by 
> default now too?

Default relro is enabled only on Ubuntu among other flags. Enabling
bindnow was Matthias' change and we did not discuss it in advance.

http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134

> 
> IMO either relro + bindnow should be enabled in gcc, or neither 
> should. I'm fine either way, but I find having a hardened compiler
> is actually good, because it also gives hardened output for
> non-packaged builds!

I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
In the original patches I wanted to follow Debian's practice of setting
flags from dpkg, but there are pros and cons on each side.
Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
where flags are not passed properly, while it makes it harder to disable
the flags from d/rules.

I would like to see bindnow enabled in Stretch and the first phase of
the freeze is near. Could you two (Matthias and Guillem) please find the
variant which would please both of you?

Cheers,
Balint



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-25 Thread Guillem Jover
Hi!

On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
> PIE is enabled by default. I think enabling bindnow from dpkg would be
> better through the hardening flags because packages could disable it
> in a nicer and already established way.

Hmm, I don't get why bindnow was enabled by default in gcc, while
relro (I'd assume) is not enabled by default, or is that enabled by
default now too?

IMO either relro + bindnow should be enabled in gcc, or neither
should. I'm fine either way, but I find having a hardened compiler is
actually good, because it also gives hardened output for non-packaged
builds!

Thanks,
Guillem
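The relro + bindnow pairing Guillem argues for here, and the man page text in the NMU diff earlier in this thread ("all dynamic symbols are resolved, allowing for the entire PLT to be marked read-only (due to relro)"), can be verified on the produced binaries. The checker below is an added example written for this page, not code from dpkg, hardening-check or checksec: it parses the ELF program headers for a PT_GNU_RELRO segment (what -Wl,-z,relro emits) and the dynamic section for DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW (what -Wl,-z,now emits), and reports the Full/Partial/No RELRO labels checksec uses. It assumes little-endian ELF64 input; `build_sample_elf` is a constructed helper that fabricates minimal, non-loadable ELF images so the checker can be exercised offline without a compiler.

```python
"""Report the RELRO/BIND_NOW state of an ELF64 binary.

Added example for this thread (not dpkg's own code). -Wl,-z,relro produces a
PT_GNU_RELRO segment; -Wl,-z,now sets DF_BIND_NOW / DF_1_NOW in .dynamic.
Only both together let ld.so make the GOT/PLT read-only before main() runs,
which is why "bindnow" is only worth enabling alongside "relro".
"""
import struct
import sys

# ELF constants as defined in the System V ABI / binutils elf.h
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def elf_features(data: bytes) -> dict:
    """Return {'relro': bool, 'bindnow': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (_ident, _type, _machine, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, *_rest) = EHDR.unpack_from(data, 0)
    relro = False
    dyn_off = dyn_size = None
    for i in range(phnum):
        p_type, _p_flags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:      # emitted by -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:      # locates the .dynamic entries
            dyn_off, dyn_size = p_offset, p_filesz
    bindnow = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            # Any of these three spellings means ld.so resolves every
            # symbol at load time (-Wl,-z,now).
            if tag == DT_BIND_NOW:
                bindnow = True
            elif tag == DT_FLAGS and val & DF_BIND_NOW:
                bindnow = True
            elif tag == DT_FLAGS_1 and val & DF_1_NOW:
                bindnow = True
    return {"relro": relro, "bindnow": bindnow}


def relro_status(data: bytes) -> str:
    """Same labels checksec prints; bindnow alone earns nothing without relro."""
    f = elf_features(data)
    if not f["relro"]:
        return "No RELRO"
    return "Full RELRO" if f["bindnow"] else "Partial RELRO"


def build_sample_elf(relro: bool, bindnow: bool) -> bytes:
    """Constructed test input (assumption of this example): a minimal ELF64
    image carrying only the headers the checker reads. Not loadable."""
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    dyn = b""
    if bindnow:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW) + DYN.pack(DT_FLAGS_1, DF_1_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, v1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,   # ET_DYN, x86-64
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b""
    for p_type in phdrs:
        size = len(dyn) if p_type == PT_DYNAMIC else 0x1000
        body += PHDR.pack(p_type, 4, dyn_off, 0, 0, size, size, 8)
    return ehdr + body + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {relro_status(fh.read())}")
    else:
        for r, b in ((True, True), (True, False), (False, True)):
            print(f"relro={r} bindnow={b}: {relro_status(build_sample_elf(r, b))}")
```

Run it against a freshly built package's binaries (`python3 relro_check.py debian/*/usr/bin/*`) to confirm that the LDFLAGS from dpkg-buildflags actually reached the link step; a package whose build system drops LDFLAGS will show Partial RELRO (or No RELRO) even after the dpkg default changes, which is the "flags are not passed properly" case mentioned in this thread.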



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-19 Thread Bálint Réczey
Hi Guillem,

For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
PIE is enabled by default. I think enabling bindnow from dpkg would be
better through the hardening flags because packages could disable it
in a nicer and already established way.

Cheers,
Balint

2016-10-10 14:06 GMT+02:00 Balint Reczey :
> Dear Guillem,
>
> On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey wrote:
> ...
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that implements enabling the bindnow
>> hardening flags.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>
> The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
> cases, all of which seem to be related to enabling PIE by
> default [3].
>
> ~70 of the filed related bugs [4] are still open.
>
> Since the rebuild was run with tests enabled this seems to be a
> good indication that we can expect very few breakages from
> enabling bindnow by default.
>
> Running autopkgtest would need more work as AFAIK there is no
> automated method for doing it like rebuilds [5].
>
> I'm wondering if you find the autopkgtest round necessary for
> this change.
>
> Cheers,
> Balint
>
>>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>
> [3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
> [4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906=balint%40balintreczey.hu;dist=unstable
> [5] https://wiki.debian.org/qa.debian.org/ArchiveTesting



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-10 Thread Balint Reczey
Dear Guillem,

On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey wrote:
...
> Dear Guillem,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that implements enabling the bindnow
> hardening flags.
> 
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.

The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
cases, all of which seem to be related to enabling PIE by
default [3].

~70 of the filed related bugs [4] are still open.

Since the rebuild was run with tests enabled this seems to be a
good indication that we can expect very few breakages from
enabling bindnow by default.

Running autopkgtest would need more work as AFAIK there is no
automated method for doing it like rebuilds [5].

I'm wondering if you find the autopkgtest round necessary for
this change.

Cheers,
Balint

> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

[3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906=balint%40balintreczey.hu;dist=unstable
[5] https://wiki.debian.org/qa.debian.org/ArchiveTesting



Bug#835146: dpkg: please enable bindow hardening flag by default

2016-08-22 Thread Balint Reczey
Package: dpkg
Version: 1.18.10
Severity: wishlist
Tags: patch moreinfo

Dear Guillem,

As a continuation of the discussions [1][2] on debian-devel I'm
attaching the simple patch that implements enabling the bindnow
hardening flags.

I'm continuing with the rebuild/autopkgtest tests according to
the Dpkg FAQ, hence the moreinfo tag.

Cheers,
Balint

[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
From 93059236f0559649e052a1cae00ff7a5ba4cab05 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Sun, 3 Jul 2016 21:12:09 +0200
Subject: [PATCH 1/2] Use bindnow hardening flag by default

---
 scripts/Dpkg/Vendor/Debian.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index ebb1750..f8854e2 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -277,7 +277,7 @@ sub _add_hardening_flags {
 	fortify => 1,
 	format => 1,
 	relro => 1,
-	bindnow => 0,
+	bindnow => 1,
 );
 
 # Adjust features based on user or maintainer's desires.
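Review bot: the default flips here but man/dpkg-buildflags.man is not touched, so the manual keeps describing bindnow as "(disabled by default)"; the later NMU diff in this thread carries the matching man page change, and this patch should include it (plus a changelog entry) so the documented default stays in step with Debian.pm. The `# Adjust features based on user or maintainer's desires.` context line shows that per-package overrides are applied after this table, which is the established opt-out the cover mail relies on and is worth saying in the commit message.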
-- 
2.1.4