{"id":2222,"date":"2015-09-07T21:59:26","date_gmt":"2015-09-08T00:59:26","guid":{"rendered":"http:\/\/eriberto.pro.br\/blog\/?p=2222"},"modified":"2017-09-05T15:52:20","modified_gmt":"2017-09-05T18:52:20","slug":"debian-how-to-use-blhc-to-solve-hardening-issues-when-packaging","status":"publish","type":"post","link":"https:\/\/eriberto.pro.br\/blog\/2015\/09\/07\/debian-how-to-use-blhc-to-solve-hardening-issues-when-packaging\/","title":{"rendered":"Debian: how to use blhc to solve hardening issues when packaging"},"content":{"rendered":"

UPDATE: this post was originally published on Sep. 7, 2015. I did a full review on Sep. 5, 2017. This revision is full compliant with Debian 9 and dpkg 1.18.13 or latter.<\/span><\/span><\/h3>\n

Implementing the hardening<\/h2>\n

When packaging in Debian, is very common to see some lintian messages as ‘hardening-no-relro<\/strong>‘ and ‘hardening-no-fortify-functions<\/strong>‘ in softwares written in C or C++. To solve these issues, we can use the ‘blhc<\/strong>‘ tool (apt-get install blhc).<\/p>\n

Please, get the revision 1.11-9 of the icmpinfo package. You can get this revision from http:\/\/snapshot.debian.org<\/a> or from http:\/\/eriberto.pro.br\/debian\/icmpinfo<\/a>. As a shortcut, you can use the following command:<\/p>\n

$ dget -u http:\/\/eriberto.pro.br\/debian\/icmpinfo\/icmpinfo_1.11-9.dsc<\/pre>\n
The icmpinfo 1.11-9 is almost clean for lintian (in 2015-09-07, Standards-Version 3.9.6). The most relevant problem is:<\/p>\n
W: icmpinfo: hardening-no-relro usr\/sbin\/icmpinfo<\/pre>\n
To track the problem I will use blhc<\/em> over the .build<\/em> file:<\/p>\n
$ blhc icmpinfo_1.11-9_amd64.build\r\nLDFLAGS missing (-Wl,-z,relro): cc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -o icmpinfo recvping.o print.o err.o icmpinfo.o pid.o<\/pre>\n
Note that the problem is some missing options (-Wl,-z,relro) for LDFLAGS when building icmpinfo (for newbies, in GCC, -o is used to indicate the name to be used for the final binary after the compilation). If you are using the DebHelper compat 9 (debian\/compat=9) and the DebHelper 9 (debhelper >= 9 in Build-Depends field in d\/control), some variables as CFLAGS, LDFLAGS, CPPFLAGS and CXXFLAGS will be automatically passed during calls to dh_auto_* programs (yes, you should use the new and reduced debian\/rules format – as an example, see the debian\/rules of the icmpinfo 1.11-9; if you still having doubts, $ man dh).<\/p>\n
Now, we need discover the reason why the LDFLAGS is being changed between its generation by the Debian build system and its utilization by the upstream’s source code. So, we need to check the upstream’s Makefile.<\/p>\n
There is inside Makefile (after a ‘quilt push -a’, to apply all current patches):<\/p>\n
LDFLAGS= $(CFLAGS)\r\n\r\nOBJECTS= recvping.o print.o err.o icmpinfo.o pid.o\r\nTARGET = icmpinfo\r\n\r\n$(TARGET): $(OBJECTS)\r\n $(CC) $(LDFLAGS) -o $@ $(OBJECTS) $(LDLIBS)<\/pre>\n
Hummm… The LDFLAGS content generated by Debian is being dropped by Makefile because it is saying that “LDFLAGS = CFLAGS content”. This line is a problem because the upstream Makefile needs to take and use the CFLAGS and LDFLAGS independently. To fix the issue, you can use this patch:<\/p>\n
--- icmpinfo-1.11.orig\/Makefile\r\n+++ icmpinfo-1.11\/Makefile\r\n@@ -20,13 +20,13 @@ VERS = 1.11\r\n \r\n RM = rm -f\r\n \r\n-LDFLAGS= $(CFLAGS)\r\n+#LDFLAGS= $(CFLAGS)\r\n \r\n OBJECTS= recvping.o print.o err.o icmpinfo.o pid.o\r\n TARGET = icmpinfo\r\n \r\n $(TARGET): $(OBJECTS)\r\n- $(CC) $(LDFLAGS) -o $@ $(OBJECTS) $(LDLIBS)\r\n+ $(CC) $(LDFLAGS) $(CFLAGS) -o $@ $(OBJECTS) $(LDLIBS)\r\n \r\n tgz: clean\r\n rm -f CHECKSUMS.asc<\/pre>\n
After a ‘debuild’, we have a new lintian:<\/p>\n
I: icmpinfo: hardening-no-bindnow usr\/sbin\/icmpinfo<\/pre>\n
There is a simple way to fix this message. We<\/p>\n
needed to add the following line to debian\/rules:<\/p>\n
export DEB_BUILD_MAINT_OPTIONS = hardening=+all<\/pre>\n
If you still seeing lintians about the hardening, use the following options in blhc (>= 0.07+20170817+gita232d32) to get a deep analysis:<\/p>\n
blhc --all --debian --arch=amd64 ..\/icmpinfo_1.11-9_amd64.build\r\n<\/pre>\n
For more details, see the bug #845339 on Debian.<\/p>\n
More examples<\/h2>\n
Let me to show other example. I will use the mac-robber 1.02-5 (however, I disabled the Makefile.patch in debian\/patches\/series). After a debuild, the following lintian messages are presented:<\/p>\n
I: mac-robber: hardening-no-fortify-functions usr\/bin\/mac-robber\r\nI: mac-robber: hardening-no-bindnow usr\/bin\/mac-robber<\/pre>\n
Using blhc:<\/p>\n
$ blhc ..\/mac-robber_1.02-5_amd64.build \r\nCFLAGS missing (-g -O2 -fstack-protector-strong -Wformat -Werror=format-security): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c\r\nCPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c\r\nLDFLAGS missing (-Wl,-z,relro): gcc -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c<\/pre>\n
We need to verify what is the problem in Makefile with CFLAGS, CPPFLAGS and LDFLAGS when generating the binary ‘mac-robber’ (just recalling, -o mac-robber in GCC command). See:<\/p>\n
linux_notstatic: \r\n $(CC) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c<\/pre>\n
There are no references to CFLAGS, CPPFLAGS and LDFLAGS. To solve the problem, we need patch the Makefile to make this:<\/p>\n
linux_notstatic: \r\n $(CC) $(CFLAGS) $(LDFLAGS) $(CPPFLAGS) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c<\/pre>\n
As last example, is possible that the Makefile is overriding the content sent by DebHelper when building. See this line from a hypothetical Makefile:<\/p>\n
CFLAGS<\/span> = -g -Wall<\/pre>\n
As you can see, the Makefile is redefining CFLAGS; consequently, it is discarding any previous content sent by DebHelper. To solve this issue, we can use the following patch:<\/p>\n
-CFLAGS<\/span> = -g -Wall\r\n+CFLAGS<\/span> += -g -Wall<\/pre>\n
So, the content received from DebHelper will be added to ‘-g -Wall’.<\/p>\n
Default parameters<\/h2>\n
As curiosity, to see the basic parameters created by DebHelper as hardening, use the command:<\/p>\n
$ dpkg-buildflags<\/pre>\n
To see the all parameters, use the command:<\/p>\n
$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags<\/pre>\n
More information<\/h2>\n
More information about the hardening can be viewed at two places:<\/p>\n
https:\/\/wiki.debian.org\/Hardening<\/a><\/p>\n
https:\/\/wiki.debian.org\/HardeningWalkthrough<\/a><\/p>\n
I hope this help. Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
UPDATE: this post was originally published on Sep. 7, 2015. I did a full review on Sep. 5, 2017. This revision is full compliant with Debian 9 and dpkg 1.18.13 or latter. Implementing the hardening When packaging in Debian, is very common to see some lintian messages as ‘hardening-no-relro‘ and ‘hardening-no-fortify-functions‘ in softwares written in… Continue a ler »Debian: how to use blhc to solve hardening issues when packaging<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[16],"tags":[619,616,615,40,624,620,39,613,612,611,618,617,614,621,41,44,667],"class_list":["post-2222","post","type-post","status-publish","format-standard","hentry","category-debian","tag-blhc","tag-cflags","tag-cppflags","tag-debhelper","tag-debian","tag-dpkg","tag-empacotamento","tag-g","tag-gcc","tag-hardening","tag-hardening-no-fortify-functions","tag-hardening-no-relro","tag-ldflags","tag-linux","tag-packaging","tag-pacote","tag-planet-en"],"_links":{"self":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts\/2222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/comments?post=2222"}],"version-history":[{"count":21,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts\/2222\/revisions"}],"predecessor-version":[{"id":2324,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts\/2222\/revisions\/2324"}],"wp:attachment":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/media?parent=2222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/categories?post=2222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/tags?post=2222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}