hardened toolchain options via "hardening-wrapper"

Kees Cook kees at ubuntu.com
Mon Jan 28 19:14:44 GMT 2008


On Mon, Jan 28, 2008 at 07:40:35PM +0100, Tollef Fog Heen wrote:
> * Kees Cook 
> 
> | - have a central place to control hardening compiler options
> |   (implemented in the short-term as a compiler wrapper, and long-term
> |   as a change to how packaging must respect compiler flags).
> 
> DEB_BUILD_OPTIONS + changing PATH so you have gcc wrapper which
> mangles compiler flags sounds like a straightforward way of achieving
> this?  (See how ccache does this, for instance)

I wanted to catch builds that called the compiler directly (e.g. as
"/usr/bin/gcc-4.2" not just "gcc-4.2").  Perhaps this is an unfounded
worry.  At present, the wrapper works quite well, so I'd like to keep it
as-is unless there is some strong reason to change it.

> | - must be able to use compilers normally when hardening-wrapper is
> |   installed (i.e. must enable via an env variable).
> 
> DEB_BUILD_OPTIONS is an environment variable.

Yes, but I wanted to avoid "overloading" a pre-existing variable -- one
of the goals was to keep the wrapper and the build system separate --
other people should be able to enable hardening for day-to-day builds,
not just Debian packaging builds.

> | - dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
> |   hardening-wrapper is installed.  (Allowing for "misbehaving" packages
> |   to disable all or part of the hardening in the debian/rules file via
> |   various env vars.)
> 
> I'm not really understanding the rationale for DEB_BUILD_HARDENING (as
> in, why is it a separate environment variable?); it's not in the spec.
> Could you either update the spec or write something about it here?

During UDS, there was a strong preference that there be a way to leave
hardening disabled even when the wrapper was installed.  If the wrapper's
functionality can be had via PATH mangling, that works too.

Tested patches are appreciated.  :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
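The ccache-style PATH wrapper that this exchange goes back and forth on, sketched as an added example: this is illustrative code written for this page, not the hardening-wrapper package's own script. Only DEB_BUILD_HARDENING itself is named in the thread; the flag set injected and the per-class DEB_BUILD_HARDENING_* knobs used to switch one class off from debian/rules are assumptions made for the illustration.

```shell
#!/bin/sh
# Illustrative gcc wrapper (added example, not the hardening-wrapper package's code).
# Install it as, e.g., $HOME/hardening/gcc and prepend that directory to PATH,
# the way ccache is used. Hardening is applied only when DEB_BUILD_HARDENING=1;
# otherwise the real compiler is exec'd with the command line untouched.

# Flags injected when hardening is on. The exact set and the DEB_BUILD_HARDENING_*
# knob names are assumptions for this example; each knob lets a misbehaving
# package switch off one class of hardening without losing the rest.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = "1" ] || return 0
    flags=""
    [ "${DEB_BUILD_HARDENING_STACKPROTECTOR:-1}" = "1" ] && flags="$flags -fstack-protector"
    [ "${DEB_BUILD_HARDENING_FORTIFY:-1}" = "1" ] && flags="$flags -D_FORTIFY_SOURCE=2"
    [ "${DEB_BUILD_HARDENING_RELRO:-1}" = "1" ] && flags="$flags -Wl,-z,relro"
    printf '%s' "${flags# }"
}

# Locate the real compiler: walk PATH, skipping the directory the wrapper
# itself lives in so the wrapper never re-executes itself.
# $1 = compiler name (gcc, cc, ...), $2 = directory containing this wrapper.
find_real_cc() {
    oldifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$oldifs
        [ "$dir" = "$2" ] && continue
        if [ -x "$dir/$1" ]; then
            printf '%s' "$dir/$1"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# Render the final command line as one string (used for testing and --dry-run).
# Hardening flags go first so a package's own explicit flags can still override them.
# $1 = path of the real compiler, remaining args = the original command line.
build_command() {
    real=$1; shift
    printf '%s' "$real"
    for f in $(hardening_flags); do printf ' %s' "$f"; done
    for a in "$@"; do printf ' %s' "$a"; done
}

# Entry point when the script is actually invoked as the compiler.
run_wrapper() {
    name=$(basename "$0")
    here=$(cd "$(dirname "$0")" && pwd)
    real=$(find_real_cc "$name" "$here") || {
        echo "$name: no real compiler found in PATH" >&2
        exit 1
    }
    # shellcheck disable=SC2046  # flags are intentionally word-split
    set -- $(hardening_flags) "$@"
    exec "$real" "$@"
}

# Only dispatch when installed under a compiler name; when the file is run or
# sourced under its own name (as in a test), the functions are just defined.
case "$(basename "$0")" in
    gcc|cc|g++|c++) run_wrapper "$@" ;;
esac
```

The limitation Kees raises above holds for this design: a build that runs "/usr/bin/gcc-4.2" by absolute path bypasses PATH entirely and never reaches the wrapper, which is what the diverting-wrapper approach was meant to catch. Whichever mechanism is used, keeping the switch on a dedicated variable rather than DEB_BUILD_OPTIONS is what lets a developer turn hardening on for an ordinary make run outside of dpkg-buildpackage.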