[DSE-Dev] Bug#665320: policycoreutils: Hardening flags missing
Simon Ruderich
simon at ruderich.org
Fri Mar 23 01:06:28 UTC 2012
Package: policycoreutils
Version: 2.1.10-5
Severity: important
Tags: patch
Dear Maintainer,
The hardening flags are missing in multiple places because the
build system ignores them; CPPFLAGS is completely ignored.
The following _and_ the attached patch fix the issue. It also
enables all hardening options which were already used by some
files - this enables them for the complete package.
diff -Nru policycoreutils-2.1.10/debian/rules policycoreutils-2.1.10/debian/rules
--- policycoreutils-2.1.10/debian/rules 2012-03-06 10:38:57.000000000 +0100
+++ policycoreutils-2.1.10/debian/rules 2012-03-23 01:58:12.000000000 +0100
@@ -10,6 +10,14 @@
#export SHLIBDIR=$${DESTDIR}/lib/${DEB_HOST_MULTIARCH}
#export LIBBASE=lib/${DEB_HOST_MULTIARCH}
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags. dpkg_buildflags is necessary because $(shell ..)
+# doesn't use local environment variables.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags
+export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)
+
%:
dh $@ --with python2
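Review bot: `export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)` defines a recursively expanded variable, so the `dpkg-buildflags` subprocess is re-run every time make expands the exported variable (once per recipe line); `export DEB_CFLAGS_MAINT_APPEND := $(shell $(dpkg_buildflags) --get CPPFLAGS)` evaluates it once at parse time and gives the same value, since `DEB_BUILD_MAINT_OPTIONS` is already defined on the line above. The comment in the hunk explains why CPPFLAGS is folded into CFLAGS; it would help a later maintainer if it also noted that this is a workaround for Makefiles that ignore CPPFLAGS, because once those Makefiles honour CPPFLAGS the same `-D_FORTIFY_SOURCE=2` will be passed twice.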
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/sbin/restorecond /usr/sbin/setsebool /usr/sbin/semodule ...
/usr/sbin/restorecond:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/setsebool:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/semodule:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
...
Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +` on the build result to check all files.
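As an added example (not from this bug report or the policycoreutils package), a small build-log checker for the point above that hardening-check does not catch everything: it scans every compiler invocation in a build log for the flags dpkg-buildflags injects with hardening=+all and reports compile lines that lack -D_FORTIFY_SOURCE=2, which is exactly what an ignored CPPFLAGS looks like. The flag spellings and the sample log lines are assumptions constructed for the example.

```python
"""Scan a build log for the hardening flags dpkg-buildflags should inject (added example)."""
import re
import shlex

# Expected on every compile step (CPPFLAGS + CFLAGS) and every link step (LDFLAGS).
# Spellings assumed from dpkg-buildflags output; adjust for other versions.
COMPILE_FLAGS = {
    "fortify": re.compile(r"^-D_FORTIFY_SOURCE=[23]$"),
    "stackprotector": re.compile(r"^-fstack-protector(-strong|-all)?$"),
    "pie": re.compile(r"^-fPIE$"),
}
LINK_FLAGS = {
    "relro": re.compile(r"^-Wl,-z,relro$"),
    "bindnow": re.compile(r"^-Wl,-z,now$"),
    "pie": re.compile(r"^-pie$"),
}
# Compiler drivers, optionally with a path, target triplet or version suffix.
COMPILER = re.compile(r"^(?:\S+/)?(?:[\w.-]*-)?(?:cc|gcc|c\+\+|g\+\+)(?:-[\d.]+)?$")


def check_build_log(log):
    """Return (line_no, step, missing) for each compiler invocation lacking a flag."""
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a command line we can parse
            continue
        if not argv or not COMPILER.match(argv[0]):
            continue
        if "-c" in argv:
            step, wanted = "compile", COMPILE_FLAGS
        elif "-o" in argv:
            step, wanted = "link", LINK_FLAGS
        else:
            continue  # e.g. dependency generation, nothing to enforce
        missing = sorted(n for n, pat in wanted.items() if not any(pat.match(a) for a in argv))
        if missing:
            findings.append((no, step, missing))
    return findings


# Constructed sample log: the second compile line has lost CPPFLAGS.
SAMPLE_LOG = """\
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIE -D_FORTIFY_SOURCE=2 -c restorecond.c -o restorecond.o
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIE -c setsebool.c -o setsebool.o
cc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o setsebool setsebool.o -lselinux -lsepol
make[1]: Leaving directory '/build/policycoreutils-2.1.10/setsebool'
"""

if __name__ == "__main__":
    print(check_build_log(SAMPLE_LOG))  # [(2, 'compile', ['fortify'])]
```

Piping the real build log through `check_build_log` and failing the build on a non-empty result turns the manual log inspection into a reproducible check.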
Regards,
Simon
Attachment: 0013-use_dpkg_buildflags.patch (text/x-diff, 1197 bytes): <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20120323/ddd400bf/attachment-0001.patch>