UPDATE: this post was originally published on Sep. 7, 2015. I did a full review on Sep. 5, 2017. This revision is fully compliant with Debian 9 and dpkg 1.18.13 or later.
Implementing the hardening
When packaging in Debian, it is very common to see lintian messages such as 'hardening-no-relro' and 'hardening-no-fortify-functions' for software written in C or C++. To solve these issues, we can use the 'blhc' tool (apt-get install blhc).
Please get revision 1.11-9 of the icmpinfo package. You can get this revision from http://snapshot.debian.org or from http://eriberto.pro.br/debian/icmpinfo. As a shortcut, you can use the following command:
$ dget -u http://eriberto.pro.br/debian/icmpinfo/icmpinfo_1.11-9.dsc
icmpinfo 1.11-9 is almost lintian-clean (as of 2015-09-07, Standards-Version 3.9.6). The most relevant remaining problem is:
W: icmpinfo: hardening-no-relro usr/sbin/icmpinfo
To track down the problem, I will run blhc over the .build file:
$ blhc icmpinfo_1.11-9_amd64.build
LDFLAGS missing (-Wl,-z,relro): cc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -o icmpinfo recvping.o print.o err.o icmpinfo.o pid.o
Note that the problem is that some options (-Wl,-z,relro) are missing from LDFLAGS when linking icmpinfo (for newbies: in GCC, -o gives the name of the final binary produced by the compilation). If you are using DebHelper compat 9 (debian/compat=9) and DebHelper 9 (debhelper >= 9 in the Build-Depends field of d/control), variables such as CFLAGS, LDFLAGS, CPPFLAGS and CXXFLAGS are automatically passed during calls to the dh_auto_* programs (yes, you should use the new and reduced debian/rules format; as an example, see the debian/rules of icmpinfo 1.11-9; if you still have doubts, run $ man dh).
Now, we need to discover why LDFLAGS is being changed between its generation by the Debian build system and its use by the upstream source code. So, we need to check the upstream Makefile.
This is what the Makefile contains (after a 'quilt push -a', to apply all current patches):
LDFLAGS= $(CFLAGS)
OBJECTS= recvping.o print.o err.o icmpinfo.o pid.o
TARGET = icmpinfo

$(TARGET): $(OBJECTS)
	$(CC) $(LDFLAGS) -o $@ $(OBJECTS) $(LDLIBS)
Hummm… The LDFLAGS content generated by Debian is being dropped by the Makefile, because the Makefile says "LDFLAGS = CFLAGS content". This line is a problem because the upstream Makefile needs to take and use CFLAGS and LDFLAGS independently. To fix the issue, you can use this patch:
--- icmpinfo-1.11.orig/Makefile +++ icmpinfo-1.11/Makefile @@ -20,13 +20,13 @@ VERS = 1.11 RM = rm -f -LDFLAGS= $(CFLAGS) +#LDFLAGS= $(CFLAGS) OBJECTS= recvping.o print.o err.o icmpinfo.o pid.o TARGET = icmpinfo $(TARGET): $(OBJECTS) - $(CC) $(LDFLAGS) -o $@ $(OBJECTS) $(LDLIBS) + $(CC) $(LDFLAGS) $(CFLAGS) -o $@ $(OBJECTS) $(LDLIBS) tgz: clean rm -f CHECKSUMS.asc
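Review bot: the hunk comments out `LDFLAGS= $(CFLAGS)` instead of deleting it, which leaves a dead line that a later upstream merge may silently revive; removing it outright is cleaner. With the assignment gone, make takes LDFLAGS from the environment that dh exports (which is where -Wl,-z,relro comes from), so the new link line `$(CC) $(LDFLAGS) $(CFLAGS) -o $@ $(OBJECTS) $(LDLIBS)` now receives both sets of flags; it is worth stating that intent in the patch description so it survives future rebases.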
After a 'debuild', we get a new lintian message:
I: icmpinfo: hardening-no-bindnow usr/sbin/icmpinfo
There is a simple way to fix this message: add the following line to debian/rules:
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
If you are still seeing lintian messages about hardening, use the following options in blhc (>= 0.07+20170817+gita232d32) to get a deeper analysis:
$ blhc --all --debian --arch=amd64 ../icmpinfo_1.11-9_amd64.build
For more details, see Debian bug #845339.
More examples
Let me show another example. I will use mac-robber 1.02-5 (however, I disabled Makefile.patch in debian/patches/series). After a debuild, the following lintian messages are shown:
I: mac-robber: hardening-no-fortify-functions usr/bin/mac-robber
I: mac-robber: hardening-no-bindnow usr/bin/mac-robber
Using blhc:
$ blhc ../mac-robber_1.02-5_amd64.build
CFLAGS missing (-g -O2 -fstack-protector-strong -Wformat -Werror=format-security): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
LDFLAGS missing (-Wl,-z,relro): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
We need to check what the problem with CFLAGS, CPPFLAGS and LDFLAGS is in the Makefile when generating the binary 'mac-robber' (recall that -o mac-robber names the output in the GCC command). See:
linux_notstatic:
	$(CC) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
There are no references to CFLAGS, CPPFLAGS or LDFLAGS. To solve the problem, we need to patch the Makefile so that it reads:
linux_notstatic:
	$(CC) $(CFLAGS) $(LDFLAGS) $(CPPFLAGS) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
As a last example, it is possible that the Makefile overrides the content sent by DebHelper when building. See this line from a hypothetical Makefile:
CFLAGS = -g -Wall
As you can see, the Makefile redefines CFLAGS; consequently, it discards any previous content sent by DebHelper. To solve this issue, we can use the following patch:
-CFLAGS = -g -Wall +CFLAGS += -g -Wall
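Review bot: `+=` keeps the CFLAGS that dpkg-buildflags exported and appends -g -Wall, but it only protects against this one assignment; if the upstream Makefile assigns CFLAGS again later in the file (with `=` or `:=`), that later assignment still wins, so check the whole Makefile (and any included fragments) after applying the patch, not just this line.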
So, the content received from DebHelper is kept, and '-g -Wall' is appended to it.
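To see both failure modes from this post in action (the icmpinfo 'LDFLAGS= $(CFLAGS)' line and the hypothetical 'CFLAGS = -g -Wall' override), here is an added example that is not code from the original post nor from the icmpinfo or mac-robber packages. It constructs two throw-away Makefiles whose recipe only echoes the link command, exports flags the way dh_auto_build does, and reports whether the hardening flags survived; it assumes GNU make and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: show with make's own variable
# rules how an upstream Makefile discards the flags DebHelper exported.
# Assumes GNU make; the Makefiles are constructed here and echo instead of link.
set -e

# $1 = directory, $2 = "broken" (LDFLAGS= $(CFLAGS) plus CFLAGS = ..., as in the
# post's two bad Makefiles) or "fixed" (assignment removed, CFLAGS += ...).
write_makefile() {
    dir=$1; variant=$2
    if [ "$variant" = broken ]; then
        # Plain "=" replaces whatever the environment (dpkg-buildflags) provided.
        printf 'LDFLAGS= $(CFLAGS)\nCFLAGS = -g -Wall\n' > "$dir/Makefile"
    else
        # No LDFLAGS assignment, and "+=" appends to the exported CFLAGS.
        printf 'CFLAGS += -g -Wall\n' > "$dir/Makefile"
    fi
    # Recipe mirrors the patched icmpinfo link line but only prints it.
    printf 'TARGET = demo\n$(TARGET):\n\t@echo $(CC) $(LDFLAGS) $(CFLAGS) -o $@\n' \
        >> "$dir/Makefile"
}

# Print the link command make would run, with flags exported the way
# dh_auto_build does (a constructed subset of real dpkg-buildflags output).
link_command() {
    tmp=$(mktemp -d)
    write_makefile "$tmp" "$1"
    ( cd "$tmp" && LDFLAGS='-Wl,-z,relro' CFLAGS='-fstack-protector-strong' make -s )
    rm -rf "$tmp"
}

# Exit 0 when the given flag survived into the link step (what blhc checks for).
flag_survives() {   # $1 = variant, $2 = flag
    link_command "$1" | grep -q -- "$2"
}

# Demo: print the two link commands side by side when make is available.
if command -v make >/dev/null 2>&1; then
    echo "broken: $(link_command broken)"
    echo "fixed:  $(link_command fixed)"
fi
```

The broken variant prints a link line with neither -Wl,-z,relro nor -fstack-protector-strong, which is exactly the situation blhc reported above; the fixed variant carries both.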
Default parameters
As a curiosity, to see the basic hardening flags generated by dpkg-buildflags (the ones DebHelper passes on to the build), use the command:
$ dpkg-buildflags
To see all the parameters, use the command:
$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
More information
More information about hardening can be found in two places:
https://wiki.debian.org/Hardening
https://wiki.debian.org/HardeningWalkthrough
I hope this helps. Enjoy!
Great post Eriberto. It helped me to better understand the hardening and blhc tool. Thank you.
Thanks Giovani!
Thanks for your post. It is very useful. Cheers!
Thanks Alejandro! Enjoy.