Enabling hardened build flags for Perl modules

[Dominic Hargreaves]

On Mon, Jan 02, 2012 at 01:59:49AM +0100, Moritz Muehlenhoff wrote:
> 
> root at pisco:~# hardening-check /usr/lib/perl5/auto/Imager/File/ICO/ICO.so
> /usr/lib/perl5/auto/Imager/File/ICO/ICO.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: no, not found!
>  Immediate binding: no not found!
> 
> The lack of "Immediate binding" is because this flag is not part of
> the default build flags. The protected stack is due to CFLAGS. So
> that's not an error.
> 
> Fortied source functions would be present if CPPFLAGS were correctly
> passed and read-only relocations would be present due to LDFLAGS.
> 
> After a local build there exists a Makefile, which states that it was 
> auto-generated from Makefile.PL and which contains local definitions
> of LDFLAGS.
> I'm not familiar with the Perl modules build system; what do we need to
> do to adopt the dpkg-buildflags into the generated Makefiles, so that
> the arch:any modules maintainer by Pkg-Perl can be hardened?

As I understand it, the compilation flags used by standard MakeMaker
build systems come not from the build environment, but from Config.pm
(and in particular Config_heavy.pm) where they are set from the original
perl build. This is sometimes important to maintain binary compatibility
between core and XS modules (we've seen what can happen when these diverge,
in a series of bugs discovered during the perl 5.14 migration).

The perl build system itself sets up stack protected builds, and I think
what you saw above is inherited from this.

I've run a couple of experiments by amending perl's build to use
CCFLAGS, LDFLAGS and CPPFLAGS from dpkg-buildflags - essentially
passing them to Configure. The result on perl itself was that
read-only relocations were found, but that fortify source functions
were not. This may be because cppflags is not used in the way I expect
(unlike ccflags and ldflags) or that there are no fortifiable functions
being usd in the perl source, AIUI.

When I rebuilt libimager-perl with this new perl installed, I verified
that the generated Makefile included the new relro LDFLAGS, but this
isn't picked up anywhere by the build.

In summary, I think that we will indeed need to modifiy perl's build
to make use of the hardening features (other than stack protection, which
is already enabled) in XS modules, but we first need to find out how
(if at all) we should be passing CPPFLAGS to perl, and how to pass LDFLAGS
to to MakeMaker et al.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)