Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-10-27 Thread Bálint Réczey
2016-10-26 17:21 GMT+02:00 Bálint Réczey :
> Hi,
>
> 2016-10-26 5:41 GMT+02:00 Guillem Jover :
>> Hi!
>>
>> On Wed, 2016-10-26 at 05:08:52 +0200, Guillem Jover wrote:
>>> On Wed, 2016-09-07 at 00:48:17 +0200, Bálint Réczey wrote:
>>> > 2016-09-04 3:03 GMT+02:00 Balint Reczey :
>>> > > Many packages fail to build due to gcc ... -shared -no-pie ... failing.
>>> > > I have reported the issue to GCC but they don't seem to fix that:
>>> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
>>> > >
>>> > > The proposed workarounds don't seem to be viable in Debian thus I
>>> > > propose making the -pie dpkg hardening flag a noop instead of passing
>>> > > -no-pie and friends as compiler/ flags like in the proposed patch.
>>> > > This is not symmetric but consistent with Ubuntu's way of enabling PIE.
>>>
>>> Wow, that sucks, and we circle back at the situation of enabling PIE by
>>> default and shared libraries failing, but in the inverse. :)

One option would be setting CC to $(CC) -no-pie to work around GCC's
behavior, but I did not want to go this way since dpkg-buildflags did not
modify CC in the past. From pragmatic POV this would work for many
of the affected packages and would also work for clang.

Cheers,
Balint



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-10-26 Thread Bálint Réczey
Hi,

2016-10-26 5:41 GMT+02:00 Guillem Jover :
> Hi!
>
> On Wed, 2016-10-26 at 05:08:52 +0200, Guillem Jover wrote:
>> On Wed, 2016-09-07 at 00:48:17 +0200, Bálint Réczey wrote:
>> > 2016-09-04 3:03 GMT+02:00 Balint Reczey :
>> > > Many packages fail to build due to gcc ... -shared -no-pie ... failing.
>> > > I have reported the issue to GCC but they don't seem to fix that:
>> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
>> > >
>> > > The proposed workarounds don't seem to be viable in Debian thus I
>> > > propose making the -pie dpkg hardening flag a noop instead of passing
>> > > -no-pie and friends as compiler/ flags like in the proposed patch.
>> > > This is not symmetric but consistent with Ubuntu's way of enabling PIE.
>>
>> Wow, that sucks, and we circle back at the situation of enabling PIE by
>> default and shared libraries failing, but in the inverse. :)
>>
>> > I'm rebuilding all packages failed with the original patch and a good share
>> > does compile with the following additional patches.
>> >
>> > I would have preferred only the original patch, but apparently this is
>> > our best chance for enabling PIE for the archive.
>>
>> I think this is very unfortunate, and would make disabling PIE a PITA,
>> which I'd rather not inflict onto maintainers.

Yes, it is painful, but most upstreams will implement disabling PIE
anyway, since Ubuntu 16.10 is out with PIE enabled by default.
Quicker maintainers have Ubuntu patches as guides and slowly reacting
ones can just update to latest upstream.

>>
>> > I'll start filing bugs for the packages still failing to build.
>>
>> If it's to start adding -pie then sure, otherwise I'd ask if you could
>> hold off, as I've started to combine the patch in
>> 
>> with
>> 
>> to use the specs file trick but to disable instead of enable the
>> option, which should in principle work. It's really late here, and I'm
>> going to sleep, but I'd appreciate some testing once I've got it ready
>> tomorrow or so.

I don't plan filing new bugs, don't worry. :-)

>
> Ok, I ended up finishing this up now, but I've not tested the results,
> the commit is:
>
>   
> 

This may be a better option than appending -no-pie, but I have two
concerns which you may already have considered:

If we go the -specs way we may need to update the specs for newer GCC-s'
default specs/spec syntax, but detecting and supporting several
GCC versions from dpkg could be painful.

My other concern is that clang does not support GCC's spec files thus
disabling PIE would still be an open question for people performing
rebuilds with clang and packages building with clang. I know that the
default compiler is GCC, but recompiling packages with clang revealed
some interesting issues in the past thus I would not just ignore clang
in this case.

A non-technical but relevant fact is that I reserved my free time to
work on the PIE transition in August and September, but my next months
will be busier and I can't do many rebuilds and excessive triaging.

Cheers,
Balint



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-10-25 Thread Guillem Jover
Hi!

On Wed, 2016-10-26 at 05:08:52 +0200, Guillem Jover wrote:
> On Wed, 2016-09-07 at 00:48:17 +0200, Bálint Réczey wrote:
> > 2016-09-04 3:03 GMT+02:00 Balint Reczey :
> > > Many packages fail to build due to gcc ... -shared -no-pie ... failing.
> > > I have reported the issue to GCC but they don't seem to fix that:
> > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
> > >
> > > The proposed workarounds don't seem to be viable in Debian thus I
> > > propose making the -pie dpkg hardening flag a noop instead of passing
> > > -no-pie and friends as compiler/ flags like in the proposed patch.
> > > This is not symmetric but consistent with Ubuntu's way of enabling PIE.
> 
> Wow, that sucks, and we circle back at the situation of enabling PIE by
> default and shared libraries failing, but in the inverse. :)
> 
> > I'm rebuilding all packages failed with the original patch and a good share
> > does compile with the following additional patches.
> > 
> > I would have preferred only the original patch, but apparently this is
> > our best chance for enabling PIE for the archive.
> 
> I think this is very unfortunate, and would make disabling PIE a PITA,
> which I'd rather not inflict onto maintainers.
> 
> > I'll start filing bugs for the packages still failing to build.
> 
> If it's to start adding -pie then sure, otherwise I'd ask if you could
> hold off, as I've started to combine the patch in
> 
> with
> 
> to use the specs file trick but to disable instead of enable the
> option, which should in principle work. It's really late here, and I'm
> going to sleep, but I'd appreciate some testing once I've got it ready
> tomorrow or so.

Ok, I ended up finishing this up now, but I've not tested the results,
the commit is:

  


Thanks,
Guillem



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-10-25 Thread Guillem Jover
Hi!

On Wed, 2016-09-07 at 00:48:17 +0200, Bálint Réczey wrote:
> 2016-09-04 3:03 GMT+02:00 Balint Reczey :
> > Many packages fail to build due to gcc ... -shared -no-pie ... failing.
> > I have reported the issue to GCC but they don't seem to fix that:
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
> >
> > The proposed workarounds don't seem to be viable in Debian thus I
> > propose making the -pie dpkg hardening flag a noop instead of passing
> > -no-pie and friends as compiler/ flags like in the proposed patch.
> > This is not symmetric but consistent with Ubuntu's way of enabling PIE.

Wow, that sucks, and we circle back at the situation of enabling PIE by
default and shared libraries failing, but in the inverse. :)

> I'm rebuilding all packages failed with the original patch and a good share
> does compile with the following additional patches.
> 
> I would have preferred only the original patch, but apparently this is
> our best chance for enabling PIE for the archive.

I think this is very unfortunate, and would make disabling PIE a PITA,
which I'd rather not inflict onto maintainers.

> I'll start filing bugs for the packages still failing to build.

If it's to start adding -pie then sure, otherwise I'd ask if you could
hold off, as I've started to combine the patch in

with

to use the specs file trick but to disable instead of enable the
option, which should in principle work. It's really late here, and I'm
going to sleep, but I'd appreciate some testing once I've got it ready
tomorrow or so.

Thanks,
Guillem



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-10-18 Thread Bálint Réczey
Hi Guillem,

gcc-6/6.2.0-7 has just been uploaded with the changed defaults.
The list of architectures is a bit different than the one in the attached patch.
The updated list is:
amd64 arm64 armel armhf i386 mips mipsel mips64el ppc64el s390x

Cheers,
Balint

2016-09-07 0:48 GMT+02:00 Bálint Réczey :
> Hi Guillem,
>
> I'm rebuilding all packages failed with the original patch and a good share
> does compile with the following additional patches.
>
> I would have preferred only the original patch, but apparently this is
> our best chance for enabling PIE for the archive.
>
> I'll start filing bugs for the packages still failing to build.
>
> Cheers,
> Balint
>
> 2016-09-04 3:03 GMT+02:00 Balint Reczey :
>> Hi Guillem,
>>
>> Many packages fail to build due to gcc ... -shared -no-pie ... failing.
>> I have reported the issue to GCC but they don't seem to fix that:
>> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
>>
>> The proposed workarounds don't seem to be viable in Debian thus I
>> propose making the -pie dpkg hardening flag a noop instead of passing
>> -no-pie and friends as compiler/ flags like in the proposed patch.
>> This is not symmetric but consistent with Ubuntu's way of enabling PIE.
>>
>> What do you think?
>>
>> Cheers,
>> Balint
>>
>> On Tue, 23 Aug 2016 00:29:00 +0200 Balint Reczey
>>  wrote:
>>> Package: dpkg
>>> Version: 1.18.10
>>> Severity: wishlist
>>> Tags: patch moreinfo
>>>
>>> Dear Guillem,
>>>
>>> As a continuation of the discussions [1][2] on debian-devel I'm
>>> attaching the simple patch that changes dpkg's pie hardening flag
>>> to adapt to GCC's new default settings proposed in #835148.
>>>
>>> I'm continuing with the rebuild/autopkgtest tests according to
>>> the Dpkg FAQ, hence the moreinfo tag.
>>>
>>> Cheers,
>>> Balint
>>>
>>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>>>
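
A check that belongs next to this transition, added here as an example that is not part of the thread or of dpkg: a POSIX sh function that reads e_type straight from an ELF header and reports whether a built binary came out as ET_DYN (PIE) or ET_EXEC, independent of what the compiler default or the hardening flags were meant to do. It assumes only od, dd and printf; the make_elf_header helper is hypothetical and only fabricates a bare header so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not dpkg's code): read e_type directly from the ELF header
# so the PIE status of a built binary can be checked without binutils.
# ET_EXEC (2) = fixed-address executable; ET_DYN (3) = PIE executable or
# shared object. Telling a PIE apart from a .so would need the program
# headers (PT_INTERP), which this check deliberately leaves out.

elf_type() {
    f="$1"
    [ -r "$f" ] || { echo NOT_ELF; return 1; }
    # ELF magic: 7f 45 4c 46
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOT_ELF; return 1; }
    # EI_DATA at offset 5: 1 = little endian, 2 = big endian
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type: two bytes at offset 16, in the file's own byte order
    set -- $(od -An -tu1 -j16 -N2 "$f")
    [ $# -eq 2 ] || { echo NOT_ELF; return 1; }
    if [ "$data" = "1" ]; then
        etype=$(( $1 + $2 * 256 ))
    else
        etype=$(( $1 * 256 + $2 ))
    fi
    case "$etype" in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo "OTHER($etype)" ;;
    esac
}

# Constructed test input (hypothetical, not a real binary): a bare 64-byte
# ELF64 header with the given EI_DATA (1 LE, 2 BE) and e_type, nothing else.
make_elf_header() {
    out="$1"; data="$2"; etype="$3"
    if [ "$data" = "1" ]; then lo=$etype; hi=0; else lo=0; hi=$etype; fi
    {
        printf '\177ELF\002'                                   # magic + ELFCLASS64
        printf "\\$(printf %03o "$data")"                      # EI_DATA
        printf '\001\000\000\000\000\000\000\000\000\000'      # version, OSABI, pad to 16
        printf "\\$(printf %03o "$lo")\\$(printf %03o "$hi")"  # e_type
        dd if=/dev/zero bs=1 count=46 2>/dev/null              # rest of the header
    } > "$out"
}

# Usage: sh thisfile.sh /usr/bin/some-binary ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elf_type "$f")"
done
```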



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-09-06 Thread Bálint Réczey
Hi Guillem,

I'm rebuilding all packages failed with the original patch and a good share
does compile with the following additional patches.

I would have preferred only the original patch, but apparently this is
our best chance for enabling PIE for the archive.

I'll start filing bugs for the packages still failing to build.

Cheers,
Balint

2016-09-04 3:03 GMT+02:00 Balint Reczey :
> Hi Guillem,
>
> Many packages fail to build due to gcc ... -shared -no-pie ... failing.
> I have reported the issue to GCC but they don't seem to fix that:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
>
> The proposed workarounds don't seem to be viable in Debian thus I
> propose making the -pie dpkg hardening flag a noop instead of passing
> -no-pie and friends as compiler/ flags like in the proposed patch.
> This is not symmetric but consistent with Ubuntu's way of enabling PIE.
>
> What do you think?
>
> Cheers,
> Balint
>
> On Tue, 23 Aug 2016 00:29:00 +0200 Balint Reczey
>  wrote:
>> Package: dpkg
>> Version: 1.18.10
>> Severity: wishlist
>> Tags: patch moreinfo
>>
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that changes dpkg's pie hardening flag
>> to adapt to GCC's new default settings proposed in #835148.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>>
From 125b18d25203a5abc173421fde21c685ae9ef3e3 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Sun, 4 Sep 2016 02:56:38 +0200
Subject: [PATCH 3/4] Make -pie hardening flag a noop

---
 scripts/Dpkg/Vendor/Debian.pm | 12 +---
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 8e9a0ac..a2b4ca9 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -328,17 +328,7 @@ sub _add_hardening_flags {
 }
 
 # PIE
-if ($pie_by_default == 1 and not $use_feature{pie}) {
-	my $flag = '-fno-PIE';
-	$flags->append('CFLAGS', $flag);
-	$flags->append('OBJCFLAGS',  $flag);
-	$flags->append('OBJCXXFLAGS', $flag);
-	$flags->append('FFLAGS', $flag);
-	$flags->append('FCFLAGS', $flag);
-	$flags->append('CXXFLAGS', $flag);
-	$flags->append('GCJFLAGS', $flag);
-	$flags->append('LDFLAGS', '-fno-PIE -no-pie');
-} elsif ($pie_by_default == 0 and $use_feature{pie}) {
+if ($pie_by_default == 0 and $use_feature{pie}) {
 	my $flag = '-fPIE';
 	$flags->append('CFLAGS', $flag);
 	$flags->append('OBJCFLAGS',  $flag);
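Review bot: after this change `hardening=-pie` becomes a silent no-op on the default-PIE architectures, while `$pie_by_default` is still computed and `$use_feature{pie}` is still forced on by the earlier patch; a short comment above `if ($pie_by_default == 0 and $use_feature{pie}) {` saying that opting out is deliberately not honoured, and why (GCC bug 77464, `-shared -no-pie` failing), would stop the next reader from assuming the removed branch was lost by mistake. Consider also emitting a warning when a maintainer sets `-pie` on such an architecture, so the request is visibly ignored rather than dropped without trace.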
-- 
2.1.4

From 7cb9f2be91f45a20fc0a78b596da508309e90657 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Mon, 5 Sep 2016 22:40:04 +0200
Subject: [PATCH 4/4] Update documentation of the pie hardening setting

---
 man/dpkg-buildflags.1 | 5 +
 1 file changed, 5 insertions(+)

diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
index cb157c9..dd344fc 100644
--- a/man/dpkg-buildflags.1
+++ b/man/dpkg-buildflags.1
@@ -366,6 +366,11 @@ Static libraries can be used by programs or other shared libraries.
 Depending on the flags used to compile all the objects within a static
 library, these libraries will be usable by different sets of objects:
 
+On several architectures (where the performanance loss is acceptable)
+gcc generates Position Independent Executables by default. On such
+architectures both enabling and disabling the \fBpie\fP setting is
+ignored and flags are not changed.
+
 .RS
 .TP
 none
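Review bot: the new paragraph is inserted between the sentence ending `library, these libraries will be usable by different sets of objects:` and the `.RS`/`.TP none` list that sentence introduces, so it splits the intro from its list; move it above that sentence or after the list. Also `performanance` should be `performance`, and `both enabling and disabling the \fBpie\fP setting is ignored` should read `are ignored`.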
-- 
2.1.4



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-09-03 Thread Balint Reczey
Hi Guillem,

Many packages fail to build due to gcc ... -shared -no-pie ... failing.
I have reported the issue to GCC but they don't seem to fix that:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464

The proposed workarounds don't seem to be viable in Debian thus I
propose making the -pie dpkg hardening flag a noop instead of passing
-no-pie and friends as compiler/ flags like in the proposed patch.
This is not symmetric but consistent with Ubuntu's way of enabling PIE.

What do you think?

Cheers,
Balint

On Tue, 23 Aug 2016 00:29:00 +0200 Balint Reczey
 wrote:
> Package: dpkg
> Version: 1.18.10
> Severity: wishlist
> Tags: patch moreinfo
> 
> Dear Guillem,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that changes dpkg's pie hardening flag
> to adapt to GCC's new default settings proposed in #835148.
> 
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.
> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
> 



Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-08-22 Thread Balint Reczey
Package: dpkg
Version: 1.18.10
Severity: wishlist
Tags: patch moreinfo

Dear Guillem,

As a continuation of the discussions [1][2] on debian-devel I'm
attaching the simple patch that changes dpkg's pie hardening flag
to adapt to GCC's new default settings proposed in #835148.

I'm continuing with the rebuild/autopkgtest tests according to
the Dpkg FAQ, hence the moreinfo tag.

Cheers,
Balint

[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

From c0d867dcd6bffe6a504c0699e64258191e760a49 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Mon, 4 Jul 2016 20:06:55 +0200
Subject: [PATCH 2/2] Dpkg::Vendor::Debian: Enable PIE by default on some
 architectures

---
 scripts/Dpkg/Vendor/Debian.pm | 19 ++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index f8854e2..8e9a0ac 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -280,6 +280,13 @@ sub _add_hardening_flags {
 	bindnow => 1,
 );
 
+# GCC enables PIE by default on some architectures
+my $pie_by_default = 0;
+if ($arch =~ /^(?:amd64|ppc64el|s390x)$/) {
+	$pie_by_default = 1;
+	$use_feature{pie} = 1;
+}
+
 # Adjust features based on user or maintainer's desires.
 $self->_parse_feature_area('hardening', \%use_feature);
 
@@ -321,7 +328,17 @@ sub _add_hardening_flags {
 }
 
 # PIE
-if ($use_feature{pie}) {
+if ($pie_by_default == 1 and not $use_feature{pie}) {
+	my $flag = '-fno-PIE';
+	$flags->append('CFLAGS', $flag);
+	$flags->append('OBJCFLAGS',  $flag);
+	$flags->append('OBJCXXFLAGS', $flag);
+	$flags->append('FFLAGS', $flag);
+	$flags->append('FCFLAGS', $flag);
+	$flags->append('CXXFLAGS', $flag);
+	$flags->append('GCJFLAGS', $flag);
+	$flags->append('LDFLAGS', '-fno-PIE -no-pie');
+} elsif ($pie_by_default == 0 and $use_feature{pie}) {
 	my $flag = '-fPIE';
 	$flags->append('CFLAGS', $flag);
 	$flags->append('OBJCFLAGS',  $flag);
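Review bot: `$flags->append('LDFLAGS', '-fno-PIE -no-pie');` applies `-no-pie` to every link, including `-shared` links of shared libraries, which is exactly the `gcc ... -shared -no-pie` failure reported in this thread (GCC bug 77464); until GCC accepts that combination, either leave `-no-pie` out of LDFLAGS or document that `hardening=-pie` is unusable for packages that build shared objects. The `elsif ($pie_by_default == 0 and $use_feature{pie}) {` branch also means `-fPIE`/`-pie` are never emitted on default-PIE architectures, which is intended but deserves a comment.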
-- 
2.1.4