hardened toolchain options via "hardening-wrapper"
kees at ubuntu.com
Mon Jan 28 19:14:44 GMT 2008
On Mon, Jan 28, 2008 at 07:40:35PM +0100, Tollef Fog Heen wrote:
> * Kees Cook
> | - have a central place to control hardening compiler options
> | (implemented in the short-term as a compiler wrapper, and long-term
> | as a change to how packaging must respect compiler flags).
> DEB_BUILD_OPTIONS + changing PATH so you have gcc wrapper which
> mangles compiler flags sounds like a straightforward way of achieving
> this? (See how ccache does this, for instance)
I wanted to catch builds that called the compiler directly (e.g. as
"/usr/bin/gcc-4.2" not just "gcc-4.2"). Perhaps this is an unfounded
worry. At present, the wrapper works quite well, so I'd like to keep it
as-is unless there is some strong reason to change it.
> | - must be able to use compilers normally when hardening-wrapper is
> | installed (i.e. must enable via a env variable).
> DEB_BUILD_OPTIONS is an environment variable.
Yes, but I wanted to avoid "overloading" a pre-existing variable -- one
of the goals was to keep the wrapper and the build system separate --
other people should be able to enable hardening for day-to-day builds,
not just Debian packaging builds.
> | - dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
> | hardening-wrapper is installed. (Allowing for "misbehaving" packages
> | to disable all or part of the hardening in the debian/rules file via
> | various env vars.)
> I'm not really understanding the rationale for DEB_BUILD_HARDENING (as
> in, why is it a separate environment variable?); it's not in the spec.
> Could you either update the spec or write something about it here?
During UDS, there was a strong preference that there be a way to leave
hardening disabled even when the wrapper was installed. If the wrapper's
functionality can be had via PATH mangling, that works too.
Tested patches are appreciated. :)
Ubuntu Security Team
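As an added illustration of the wrapper design discussed in this thread (example code, not the hardening-wrapper package's own implementation), a minimal POSIX sh compiler wrapper that injects hardening flags only when DEB_BUILD_HARDENING=1 and lets a package's debian/rules switch off individual features. The per-feature variable names, the PATH-based install layout and the exact flag set are assumptions of this example.

```shell
#!/bin/sh
# Added example of a gcc wrapper in the spirit of hardening-wrapper.
# Assumed install layout: copies or symlinks named gcc/g++/cc placed in a
# directory ahead of the real compilers on PATH (like ccache's symlink farm).
# Hardening is added only when DEB_BUILD_HARDENING=1; the per-feature opt-out
# variables DEB_BUILD_HARDENING_<FEATURE>=0 are assumed names for this example.

# True unless the feature was explicitly switched off with VALUE=0.
enabled() { [ "$1" != "0" ]; }

# Print the extra flags for this invocation. Link-time flags are skipped for
# compile-only calls (-c/-S/-E), where they would have no effect.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = "1" ] || return 0   # off: add nothing
    linking=1
    for a in "$@"; do
        case "$a" in -c|-S|-E) linking=0 ;; esac
    done
    flags=""
    if enabled "${DEB_BUILD_HARDENING_STACKPROTECTOR-}"; then flags="$flags -fstack-protector"; fi
    if enabled "${DEB_BUILD_HARDENING_FORTIFY-}"; then flags="$flags -D_FORTIFY_SOURCE=2"; fi
    if enabled "${DEB_BUILD_HARDENING_FORMAT-}"; then flags="$flags -Wformat -Wformat-security"; fi
    if [ "$linking" = 1 ] && enabled "${DEB_BUILD_HARDENING_RELRO-}"; then flags="$flags -Wl,-z,relro"; fi
    printf '%s' "${flags# }"
}

# Locate the real compiler: first match on PATH outside the wrapper's own
# directory, so absolute paths such as /usr/bin/gcc-4.2 still resolve correctly
# once the wrapper directory is excluded.
real_compiler() {
    self_dir=$(cd "$(dirname -- "$0")" && pwd)
    (
        IFS=:
        for d in $PATH; do
            [ "$d" != "$self_dir" ] && [ -x "$d/$1" ] && { printf '%s' "$d/$1"; exit 0; }
        done
        exit 1
    )
}

# Dispatch only when invoked under a compiler name, so sourcing this file
# (for instance to reuse hardening_flags) does nothing on its own.
case "$(basename -- "$0")" in
    gcc*|g++*|cc)
        name=$(basename -- "$0")
        real=$(real_compiler "$name") || { echo "hardening-wrapper: no real $name on PATH" >&2; exit 1; }
        # Wrapper flags go first so a package's own flags (e.g. -fno-stack-protector) win.
        exec "$real" $(hardening_flags "$@") "$@"
        ;;
esac
```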