Setting hardening in a package: where?

[fcorbelli]

test_1.7z

run the /zp/config/fai.sh to "make"

(7.52 KiB) Downloaded 27 times

I'm trying to prepare a small package for an archiving software, but I encounter a warning message that I would like to suppress

Code: Select all

I: zpaqfranz: hardening-no-bindnow usr/bin/zpaqfranz
N:
I: hardening-no-bindnow
N:
N:   This package provides an ELF binary that lacks the "bindnow" linker
N:   flag.
N:
N:   This is needed (together with "relro") to make the "Global Offset
N:   Table" (GOT) fully read-only. The bindnow feature trades startup time
N:   for improved security. Please consider enabling this feature or
N:   consider overriding the tag (possibly with a comment about why).
N:
N:   If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:   hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:
N:   The relevant compiler flags are set in LDFLAGS.
N:
N:   Refer to https://wiki.debian.org/Hardening for details.
N:
N:   Severity: info

I've tried putting inside rules, for some reason, it seems to be ignored
I definitely make some mistakes

Code: Select all

#!/usr/bin/make -f
export DEB_CFLAGS_MAINT_APPEND = -Wno-stringop-overflow

include /usr/share/dpkg/architecture.mk

ifeq ($(DEB_HOST_GNU_CPU), x86_64)
          DEB_CPPFLAGS_MAINT_APPEND = -DHWSHA2
endif

ifneq ($(DEB_HOST_GNU_CPU), x86_64)
          DEB_CPPFLAGS_MAINT_APPEND = -DNOJIT
endif

ifneq ($(DEB_HOST_ARCH_ENDIAN), little)
          DEB_CPPFLAGS_MAINT_APPEND = -DBIG -DNOJIT
endif

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

DPKG_EXPORT_BUILDFLAGS = 1

include /usr/share/dpkg/buildflags.mk


%:
        dh $@

override_dh_auto_install:
        dh_auto_install -- prefix=/usr

[stevepusser]

Did you try

Code: Select all

export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow

[fcorbelli]

Did you try

Code: Select all

export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow

Tried now, sadly same result

I had thought it was an order problem, i.e., "overwriting" the include (something is written in the documentation), but I also tried this way, no result

I am sure that the rules file is being processed, because commenting on an exported option (to mask a gcc bug) the corresponding warning appears (this one export DEB_CFLAGS_MAINT_APPEND = -Wno-stringop-overflow)

So I would be inclined to say...
- there is some option missing [to export the variable]
- there is an "override" (somewhere) that "deletes" it
- demonic possession (which for a FreeBSD user is not to be excluded)

[fcorbelli]

I made a small virtual machine to make the error repeatable (at least I hope so)

It is a "rough" Deban 11 (on zfs), DHCP-NAT .vmdk, italian keyboard (yes... dpkg-reconfigure keyboard-configuration to change, I forgot to revert to US)

user root with password password
user franco with password pippo

In the /zp folder there is the "beta-package" for the project, in particular inside
/zp/config there is the rules file (+ others), and the script fai.sh

This will download the nightly source code (a single .cpp), delete everything and "compile" the package (of course the gpg key is missing)

Code: Select all

## get the nightly build (just for debug)
wget http://www.francocorbelli.it/zpaqfranz-debian.cpp -O /zp/zpaqfranz-58.9/sr (...)
cd /zp/
rm /zp/*
rm /zp/zpaqfranz-58.9/src/zpaqfranz =>>> no executable, just in case of a failed compile
tar -czvf zpaqfranz-58.9.tar.gz zpaqfranz-58.9/Makefile zpaqfranz-58.9/LICENSE (...)
cd zpaqfranz-58.9
rm -r debian
debmake
cd debian
cp /zp/config/* .  ===>> very quick and dirty: overwrite the debmake with my files
rm /zp/debian/*.sh ===>> dirtier delete of unwanted .sh
debuild


cd /zp
lintian --pedantic /zp/zpaqfranz_58.9-c_amd64.deb
## of course this is my key, change this line as needed
debsign  /zp/zpaqfranz_58.9-c_amd64.changes -k00000000000000

Thanks for any help

[fcorbelli]

Update

This is the last "beta" package

http://www.francocorbelli.it/zpaqfranz/ ... -test_2.7z

It's starting to look like something vaguely working, apart from the nasty hardening warning that I really don't know how to get rid of

Current rules is

Code: Select all

#!/usr/bin/make -f
export DEB_CFLAGS_MAINT_APPEND = -Wno-stringop-overflow 

include /usr/share/dpkg/architecture.mk

ifeq ($(DEB_HOST_GNU_CPU), x86_64)
          DEB_CPPFLAGS_MAINT_APPEND = -DHWSHA2
endif

ifneq ($(DEB_HOST_GNU_CPU), x86_64)
	  DEB_CPPFLAGS_MAINT_APPEND = -DNOJIT
endif

ifneq ($(DEB_HOST_ARCH_ENDIAN), little)
	  DEB_CPPFLAGS_MAINT_APPEND = -DBIG -DNOJIT
endif

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

DPKG_EXPORT_BUILDFLAGS = 1

include /usr/share/dpkg/buildflags.mk


%:
	dh $@

override_dh_auto_install:
	dh_auto_install -- prefix=/usr

Edit: the only workaroud altering the Makefile like that, with a couple of -z

Code: Select all

LDADD=          -pthread -lstdc++ -lm -z relro -z now