For posterity - this is how I did the analysis above:

# download the current python3.9 source package and rebuild it with PIE enabled
apt source python3.9
cd python3.9-3.9.10/
sed -i "/export DEB_BUILD_MAINT_OPTIONS=hardening=-pie/d" debian/rules
dch -i -D jammy "Enable PIE (LP: #1452115)"
update-maintainer
# sbuild assumes you already have a jammy-amd64 schroot setup
sbuild

# use a LXD VM for testing
lxc launch --vm images:ubuntu/jammy sec-jammy-amd64
# stop the VM and disable UEFI secure boot
lxc stop sec-jammy-amd64
# ensure secureboot is not used so we can use the msr module later
lxc config set sec-jammy-amd64 security.secureboot=false
lxc start sec-jammy-amd64
# make sure VM has full disk allocated
lxc exec sec-jammy-amd64 -- growpart /dev/sda 2
lxc exec sec-jammy-amd64 -- resize2fs /dev/sda2
lxc file push ../*.deb sec-jammy-amd64/root/
lxc shell sec-jammy-amd64

# then inside the LXD VM install and run pyperformance with and without the new python3.9
apt install python3-pip
pip3 install pyperformance
# tune for system performance
modprobe msr
python3.9 -m pyperf system tune
# get baseline numbers without PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9.json
# install our debs we built above that have PIE enabled
apt install ./python3.9_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-stdlib_3.9.10-2ubuntu1_amd64.deb \
  ./python3.9-minimal_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-minimal_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-dev_3.9.10-2ubuntu1_amd64.deb \
  ./python3.9-dev_3.9.10-2ubuntu1_amd64.deb
# check they have PIE
apt install devscripts
hardening-check /usr/bin/python3.9
# re-run pyperformance with PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9-pie.json
# and compare the results
python3 -m pyperf compare_to py3.9.json py3.9-pie.json --table

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

--
ubuntu-bugs mailing list
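The "check they have PIE" step above relies on hardening-check from devscripts. As an added example (not part of the bug thread or of the Ubuntu packaging), the following Python reads only the ELF header and reports whether a binary was linked as a position-independent executable: a PIE is emitted as ELF type ET_DYN (3) rather than ET_EXEC (2), which is the same header field hardening-check inspects. The sample headers are constructed inline so the check runs without a real binary; the function and file names are this example's own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: cannot be relocated, so no ASLR for the main image
ET_DYN = 3    # position-independent: used for PIE executables and for shared libraries
ELF_HEADER_LEN = 64  # enough bytes for e_type in both ELF32 (offset 16) and ELF64 (offset 16)


def elf_type(header: bytes) -> int:
    """Return the e_type field of an ELF header, honouring the file's byte order."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_data = header[5]            # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF byte order")
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return e_type


def classify(header: bytes) -> str:
    """Map the ELF type to the verdict a hardening check would print for an executable.

    Caveat: ET_DYN is shared by PIEs and shared libraries (.so files), so this verdict
    is only meaningful for a file you know is meant to be run directly, such as
    /usr/bin/python3.9.  A stricter check would also look for the DT_FLAGS_1 DF_1_PIE
    bit in the dynamic section, which this header-only example does not parse.
    """
    e_type = elf_type(header)
    if e_type == ET_DYN:
        return "PIE"
    if e_type == ET_EXEC:
        return "non-PIE executable"
    return "other (relocatable/core)"


def check_file(path: str) -> str:
    """Classify an on-disk binary by reading just its ELF header."""
    with open(path, "rb") as f:
        return classify(f.read(ELF_HEADER_LEN))


def make_elf64_header(e_type: int) -> bytes:
    """Build a constructed, minimal x86-64 little-endian ELF64 header for testing.

    Only the fields this example reads are meaningful; section/program header
    values are filler.  (Constructed sample data, not taken from a real binary.)
    """
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, EV_CURRENT
    rest = struct.pack(
        "<HHIQQQIHHHHHH",
        e_type,  # e_type: ET_EXEC or ET_DYN
        62,      # e_machine: EM_X86_64
        1,       # e_version
        0x1000,  # e_entry
        64,      # e_phoff
        0,       # e_shoff
        0,       # e_flags
        64,      # e_ehsize
        56,      # e_phentsize
        0,       # e_phnum
        64,      # e_shentsize
        0,       # e_shnum
        0,       # e_shstrndx
    )
    return e_ident + rest


if __name__ == "__main__":
    import sys
    # With a path argument, inspect that binary; otherwise show both constructed cases.
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_file(sys.argv[1]))
    else:
        print("constructed ET_EXEC header ->", classify(make_elf64_header(ET_EXEC)))
        print("constructed ET_DYN header  ->", classify(make_elf64_header(ET_DYN)))
```

Run it as `python3 elf_pie_check.py /usr/bin/python3.9` on the VM before and after installing the rebuilt packages; the verdict should flip from "non-PIE executable" to "PIE". Because a PIE is just an ET_DYN object with an entry point, this header check is cheap enough to run across a whole package set, but for shared libraries it says nothing about hardening, so pair it with the file's intended role.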
