Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
tags 702349 + moreinfo
thanks

Hi,

> lintian should not complain about hardening for package written
> in pure Ocaml

Any update on this? Does Lintian need to do anything anymore? :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On Mon, 03 Feb 2014 17:42:35 +0100 Stéphane Glondu glo...@debian.org wrote:
> On 06/01/2014 16:24, Moritz Muehlenhoff wrote:
>>> On 05/03/2013 16:35, Niels Thykier wrote:
>>>> Do ELF binaries produced by pure Ocaml have any distinct feature
>>>> that can be used to tell them apart from any other ELF binary?
>>>
>>> ELF binaries produced by the OCaml compiler always include a bit of C
>>> code (the runtime), so they are never actually pure. I don't think that
>>> the lintian tag (whatever its level) should be removed at the moment.
>>> I am not planning to have a deeper look at this issue before next
>>> release or next debconf, though.
>>
>> Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
>> that while Ocaml packages produce ELF binaries they are not covered by
>> the hardening effort?
>
> I just did that.
>
> BTW, the OCaml build system is quite messy and it will take longer than
> expected to fix it for hardening...

The attached patch fixes some of the relro lintian warnings for the
executables themselves, but these still remain for the .cmxs, .so and
objinfo_helper:

W: ocaml-base: hardening-no-relro usr/lib/ocaml/graphics.cmxs
W: ocaml-base: hardening-no-relro usr/lib/ocaml/stublibs/dllgraphics.so
W: ocaml-nox: hardening-no-relro usr/lib/ocaml/objinfo_helper
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/bigarray.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/nums.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/str.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllbigarray.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllcamlstr.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllnums.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllunix.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllvmthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/unix.cmxs

FWIW 'hardening-check
ocamlopt.opt' now says: ocamlopt.opt: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: yes Although perhaps it'd be better to patch configure to include CCLINKFLAGS in $nativecclinkopts, in objinfo_helper's build command, and in the flag used for linking .so and .cmxs (haven't found its name yet though). What do you think? diff -ru ../o/ocaml-4.02.1/debian/rules debian/rules --- ../o/ocaml-4.02.1/debian/rules 2015-02-16 12:37:56.0 +0200 +++ debian/rules 2015-07-15 12:39:58.477250079 +0300 @@ -59,12 +59,18 @@ export OCAML_OPT_ARCH export OCAML_STDLIB_DIR +export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow +LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS) +# for ocamlyacc +export CCLINKFLAGS=$(LDFLAGS) + CONFIGURE_OPTS := \ --host $(DEB_BUILD_GNU_TYPE)\ --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \ -libdir $(DEB_TEST_BUILD_PREFIX)$(OCAML_STDLIB_DIR) \ -x11lib $(shell pkg-config --variable=libdir x11) \ -mandir $(DEB_TEST_BUILD_PREFIX)/usr/share/man \ + -dllibs $(LDFLAGS) CONFIGURE_SED := \ -e /LIBBFD_LINK/s%-lbfd%-Wl,-Bstatic -lbfd -Wl,-Bdynamic% \
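Review bot: in the `@@ -59,12 +59,18 @@` hunk, `-dllibs $(LDFLAGS)` pushes linker flags through a configure option meant for extra libraries, and `LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` is a recursive assignment that re-runs dpkg-buildflags on every reference; prefer `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)` and, as the message itself proposes, hand the flags to configure through CCLINKFLAGS (already exported here "for ocamlyacc") instead of `-dllibs`. The hunk also touches only link flags: the `Stack protected: no` and `Position Independent Executable: no` lines in the hardening-check output will stay that way until the CFLAGS from dpkg-buildflags reach the C runtime build as well.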
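The hardening-check output above reads two properties straight out of the ELF headers: "Read-only relocations" is the presence of a PT_GNU_RELRO program header, and "Immediate binding" is a BIND_NOW marker in the dynamic section; lintian's hardening-no-relro tag (and its hardening-no-bindnow sibling) is keyed on the same two markers. The Python below is an added example and is not code from this bug report, from lintian or from hardening-check: it parses a little-endian ELF64 image for those markers and builds a constructed minimal ELF in memory so the check runs offline. The function names and the sample builder are my own.

```python
import struct

# ELF constants (values from the ELF specification / elf.h).
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DF_BIND_NOW = 0x8
DT_FLAGS_1 = 0x6FFFFFFB
DF_1_NOW = 0x1


def check_hardening(data):
    """Report the RELRO / BIND_NOW markers of a little-endian ELF64 image.

    Returns {"relro": bool, "bind_now": bool, "level": "full"|"partial"|"none"},
    mirroring hardening-check's "Read-only relocations" and "Immediate binding".
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True          # a PT_GNU_RELRO segment exists: at least partial RELRO
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True   # every symbol is resolved before main: GOT can be made read-only
            off += 16
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": relro, "bind_now": bind_now, "level": level}


def lintian_tags(data):
    """Tags lintian would emit for this binary (hardening-no-relro / hardening-no-bindnow)."""
    res = check_hardening(data)
    tags = []
    if not res["relro"]:
        tags.append("hardening-no-relro")
    if not res["bind_now"]:
        tags.append("hardening-no-bindnow")
    return tags


def build_sample_elf(relro=True, bind_now=True):
    """Constructed minimal ELF64 shared object carrying only the headers that matter here."""
    dynamic = b""
    if bind_now:
        dynamic += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    n_phdrs = 2 if relro else 1
    phoff, phentsize = 64, 56
    dyn_off = phoff + n_phdrs * phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 0x3E, 1, 0, phoff, 0, 0,
                                 64, phentsize, n_phdrs, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dynamic), len(dynamic), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0x1000, 0x1000, 1)
    return header + phdrs + dynamic


if __name__ == "__main__":
    for name, blob in [("full", build_sample_elf()),
                       ("partial", build_sample_elf(bind_now=False)),
                       ("none", build_sample_elf(relro=False, bind_now=False))]:
        print(name, check_hardening(blob), lintian_tags(blob))
```

On a real file the call is `check_hardening(open(path, "rb").read())`; a .cmxs or stublibs .so from the warning list above reports `relro` False until `-Wl,-z,relro` reaches the link line that produces it, which is exactly what the CCLINKFLAGS change is about.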
Bug#702349: Info received (Bug#702349: lintian should not complain about hardening for package written in pure Ocaml)
block 702349 by 792502 Thanks Updated patch attached, all the hardening-no-relro warnings are gone now. I've opened a bug for the ocaml package. --- a/debian/patches/0010-Obey-ldflags.patch 1970-01-01 02:00:00.0 +0200 +++ b/debian/patches/0010-Obey-ldflags.patch 2015-07-15 15:59:20.600661858 +0300 @@ -0,0 +1,34 @@ +Description: use CCLINKFLAGS for linking all executables and shared libraries + This allows packagers to set additional linker flags for executables and shared + libraries created by OCaml, and for the OCaml tools themselves. + OCaml code can be linked with various C stubs and C libraries that would + benefit from using hardening link flags, such as -Wl,-z,relro. +--- + +Origin: other +Bug-Debian: https://bugs.debian.org/702349 +Forwarded: no +Last-Update: 2015-07-15 + +--- ocaml-4.02.1.orig/configure ocaml-4.02.1/configure +@@ -739,6 +739,8 @@ if test $with_sharedlibs = yes; then + shared_libraries_supported=true;; + esac + fi ++mksharedlib=$mksharedlib $CCLINKFLAGS ++mkexe=$mkexe $CCLINKFLAGS + + if test -z $mkmaindll; then + mkmaindll=$mksharedlib +--- ocaml-4.02.1.orig/tools/Makefile.shared ocaml-4.02.1/tools/Makefile.shared +@@ -278,7 +278,7 @@ beforedepend:: opnames.ml + + objinfo_helper$(EXE): objinfo_helper.c ../config/s.h + $(BYTECC) -o objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \ +- objinfo_helper.c $(LIBBFD_LINK) ++ objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS) + + OBJINFO=../compilerlibs/ocamlcommon.cma \ + ../compilerlibs/ocamlbytecomp.cma \ diff -rNu ../o/ocaml-4.02.1/debian/patches/series debian/patches/series --- a/debian/patches/series 2014-11-20 17:48:56.0 +0200 +++ b/debian/patches/series 2015-07-15 16:07:10.622247953 +0300 @@ -7,3 +7,4 @@ 0007-Tune-resource-usage-of-some-tests.patch 0008-Native-backtraces-don-t-work-on-powerpc-and-sparc.patch 0009-Fix-asmcomp-tests-on-sparc.patch +0010-Obey-ldflags.patch --- a/debian/rules 2015-02-16 12:37:56.0 +0200 +++ b/debian/rules 2015-07-15 15:54:11.360881817 +0300 
@@ -59,6 +59,9 @@ export OCAML_OPT_ARCH export OCAML_STDLIB_DIR +export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow +export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS) + CONFIGURE_OPTS := \ --host $(DEB_BUILD_GNU_TYPE)\ --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
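Review bot: in the configure hunk of 0010-Obey-ldflags.patch, `mksharedlib=$mksharedlib $CCLINKFLAGS` and `mkexe=$mkexe $CCLINKFLAGS` appear unquoted as rendered here; if the real patch is unquoted too, sh treats the second word as a command to execute with `mksharedlib` set only in that command's environment, so the lines need to read `mksharedlib="$mksharedlib $CCLINKFLAGS"` and `mkexe="$mkexe $CCLINKFLAGS"`. The DEP-3 header also carries `Origin: other` with no `Author:` line; add one so the change can be attributed when it is forwarded upstream.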
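Review bot: the debian/rules hunk exports `CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` but nothing feeds `dpkg-buildflags --get CFLAGS` into the build, so only link-time hardening (relro, bindnow) is covered and the stack protector and PIE stay off for the C runtime and the stub libraries; consider `:=` so dpkg-buildflags runs once rather than on every reference, and plan the CFLAGS/CPPFLAGS half as a follow-up.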
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On 06/01/2014 16:24, Moritz Muehlenhoff wrote:
>> On 05/03/2013 16:35, Niels Thykier wrote:
>>> Do ELF binaries produced by pure Ocaml have any distinct feature
>>> that can be used to tell them apart from any other ELF binary?
>>
>> ELF binaries produced by the OCaml compiler always include a bit of C
>> code (the runtime), so they are never actually pure. I don't think that
>> the lintian tag (whatever its level) should be removed at the moment.
>> I am not planning to have a deeper look at this issue before next
>> release or next debconf, though.
>
> Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
> that while Ocaml packages produce ELF binaries they are not covered by
> the hardening effort?

I just did that.

BTW, the OCaml build system is quite messy and it will take longer than
expected to fix it for hardening...

Cheers,

-- 
Stéphane

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On Tue, Mar 05, 2013 at 08:57:01PM +0100, Stéphane Glondu wrote:
> On 05/03/2013 16:35, Niels Thykier wrote:
>> Do ELF binaries produced by pure Ocaml have any distinct feature
>> that can be used to tell them apart from any other ELF binary?
>
> ELF binaries produced by the OCaml compiler always include a bit of C
> code (the runtime), so they are never actually pure. I don't think that
> the lintian tag (whatever its level) should be removed at the moment.
> I am not planning to have a deeper look at this issue before next
> release or next debconf, though.

Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
that while Ocaml packages produce ELF binaries they are not covered by
the hardening effort?

Cheers,
        Moritz
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Prach Pongpanich prach...@gmail.com writes:

   lintian should not complain about hardening for package written
   in pure Ocaml [0],[1],[2]

The problem is that even pure OCaml contains enough features that may
permit arbitrary memory corruption by an attacker. For instance,
String.unsafe_blit has no bounds checks, Obj.magic is an unsafe cast,
Marshal.from_channel may break the type system, ...

Moreover, it is almost impossible to avoid these unsafe functions,
because they are used in the standard library.

In principle I agree that programs written in a certain subset of OCaml
do not need these hardening features. However, at the moment this safe
subset is not even identified...

Bye,

Hendrik
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On 06/03/2013 09:37, Hendrik Tews wrote:
> In principle I agree that programs written in a certain subset of OCaml
> do not need these hardening features. However, at the moment this safe
> subset is not even identified...

OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
output) that could serve as a starting point for that.

Cheers,

-- 
Stéphane
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
> OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
> output) that could serve as a starting point for that.

Yes, I tried this on

   let f b =
     let a = "abcde" in
     let c = Obj.magic b in
     String.unsafe_blit c 0 a 0 5

For the .cmo, ocamlobjinfo surprisingly reports "Uses unsafe features: no"
and for the .cmx it doesn't say anything about unsafe features.

Bye,

Hendrik
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On 06/03/2013 10:48, Hendrik Tews wrote:
>> OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
>> output) that could serve as a starting point for that.
>
> Yes, I tried this on
>
>    let f b =
>      let a = "abcde" in
>      let c = Obj.magic b in
>      String.unsafe_blit c 0 a 0 5
>
> For the .cmo, ocamlobjinfo surprisingly reports "Uses unsafe features: no"
> and for the .cmx it doesn't say anything about unsafe features.

But Obj (obviously) uses unsafe features! Sure, Pervasives also uses
unsafe features, but I was thinking about adding some kind of whitelist
system.

I was trying to be very cautious when I said "notion" and "starting
point" and put quotes around "unsafe"...

Cheers,

-- 
Stéphane
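Hendrik's experiment (the .cmo built from the `f` above reports "Uses unsafe features: no", the .cmx reports nothing at all) and Stéphane's whitelist idea combine naturally into one check: a unit counts as safe only if the flag is present, says "no", and every interface the unit imports is on an allow-list of reviewed modules; a missing flag or an import such as Obj disqualifies it. The Python below is an added example, not code from this thread, from lintian or from the OCaml tools. The ocamlobjinfo text layout it parses is my recollection of the tool's output (an assumption; compare with your version), the sample output and the whitelist are constructed, and the function names are mine.

```python
import re

# Constructed whitelist of modules whose internal use of unsafe primitives is
# treated as reviewed and accepted (the "whitelist system" idea; not an
# official list).
WHITELIST = {"Pervasives", "String", "List", "Printf", "Buffer"}

# Constructed ocamlobjinfo-style output (assumed layout: "File", "Unit name:" for
# .cmo / "Name:" for .cmx, an "Interfaces imported:" section of "<crc>\t<Module>"
# lines, and for bytecode a "Uses unsafe features:" line). Unsafe_demo mirrors the
# f example: it imports Obj yet the flag says "no"; Native_demo has no flag at all.
SAMPLE = """\
File unsafe_demo.cmo
Unit name: Unsafe_demo
Interfaces imported:
\t1e6a0f9c0d7b8a5e2f3c4d5b6a7c8d9e\tUnsafe_demo
\t2b7f1c3d4e5a6b7c8d9e0f1a2b3c4d5e\tString
\t3c8a2d4e5f6a7b8c9d0e1f2a3b4c5d6f\tPervasives
\t4d9b3e5f6a7b8c9d0e1f2a3b4c5d6e7a\tObj
Uses unsafe features: no
Force link: no
File safe_demo.cmo
Unit name: Safe_demo
Interfaces imported:
\t5e0c4f6a7b8c9d0e1f2a3b4c5d6e7f8b\tSafe_demo
\t3c8a2d4e5f6a7b8c9d0e1f2a3b4c5d6f\tPervasives
\t6f1d5a7b8c9d0e1f2a3b4c5d6e7f8a9c\tList
Uses unsafe features: no
Force link: no
File native_demo.cmx
Name: Native_demo
Interfaces imported:
\t7a2e6b8c9d0e1f2a3b4c5d6e7f8a9b0d\tNative_demo
\t3c8a2d4e5f6a7b8c9d0e1f2a3b4c5d6f\tPervasives
"""

IMPORT_LINE = re.compile(r"\s+([0-9a-f-]+)\s+(\S+)\s*$")


def parse_objinfo(text):
    """Turn ocamlobjinfo-style text into a list of units.

    Each unit is {"file", "name", "imports": [module names], "unsafe": True|False|None};
    "unsafe" stays None when no "Uses unsafe features" line was printed (the .cmx case).
    """
    units, unit, in_imports = [], None, False
    for line in text.splitlines():
        if line.startswith("File "):
            unit = {"file": line[5:].strip(), "name": None, "imports": [], "unsafe": None}
            units.append(unit)
            in_imports = False
        elif unit is None:
            continue
        elif line.startswith(("Unit name:", "Name:")):
            unit["name"] = line.split(":", 1)[1].strip()
            in_imports = False
        elif line.startswith("Interfaces imported:"):
            in_imports = True
        elif line.startswith("Uses unsafe features:"):
            unit["unsafe"] = line.split(":", 1)[1].strip() == "yes"
            in_imports = False
        elif in_imports:
            m = IMPORT_LINE.match(line)
            if m:
                unit["imports"].append(m.group(2))
            else:
                in_imports = False   # any non-indented line ends the import section
    return units


def needs_hardening(unit, whitelist=WHITELIST):
    """Reasons a unit cannot be treated as pure, safe OCaml; an empty list means it can."""
    reasons = []
    if unit["unsafe"] is None:
        # ocamlobjinfo printed no verdict (native .cmx): be conservative.
        reasons.append("no 'Uses unsafe features' line (native .cmx?); assuming unsafe")
    elif unit["unsafe"]:
        reasons.append("unit declares unsafe features")
    for mod in unit["imports"]:
        if mod != unit["name"] and mod not in whitelist:
            reasons.append("imports non-whitelisted module %s" % mod)
    return reasons


def report(text, whitelist=WHITELIST):
    """Map unit name -> list of reasons, for every unit in the objinfo text."""
    return {u["name"]: needs_hardening(u, whitelist) for u in parse_objinfo(text)}


if __name__ == "__main__":
    for name, reasons in report(SAMPLE).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

The flag alone would have passed Unsafe_demo, which is the surprise in the experiment above; the import list is what catches it, and the missing flag on the .cmx is handled by treating "unknown" as "unsafe" rather than as "safe".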
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Package: lintian

lintian should not complain about hardening for package written
in pure Ocaml [0],[1],[2]

[0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
[1] http://lintian.debian.org/maintainer/debian-ocaml-ma...@lists.debian.org.html
[2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F

Regards,

-- 
ปรัชญ์ พงษ์พานิช
Prach Pongpanich
http://prach-public.blogspot.com
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On 2013-03-05 16:25, Prach Pongpanich wrote:
> Package: lintian
>
> lintian should not complain about hardening for package written
> in pure Ocaml [0],[1],[2]
>
> [0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
> [1] http://lintian.debian.org/maintainer/debian-ocaml-ma...@lists.debian.org.html
> [2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F
>
> Regards,

Do ELF binaries produced by pure Ocaml have any distinct feature that
can be used to tell them apart from any other ELF binary?

~Niels
Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
On 05/03/2013 16:35, Niels Thykier wrote:
> Do ELF binaries produced by pure Ocaml have any distinct feature that
> can be used to tell them apart from any other ELF binary?

ELF binaries produced by the OCaml compiler always include a bit of C
code (the runtime), so they are never actually pure. I don't think that
the lintian tag (whatever its level) should be removed at the moment.
I am not planning to have a deeper look at this issue before next
release or next debconf, though.

Cheers,

-- 
Stéphane