dpkg-buildflags: emit hardening build flags by default

All the hardening build flags supported by hardening-includes
are supported except that PIE is not enabled by default (just like
the corresponding gcc patch doesn't enable it by default).

Inspired by the work of Kees Cook <kees@debian.org>.

debian/changelog

@@ -102,6 +102,9 @@ dpkg (1.16.1) UNRELEASED; urgency=low
   * Fix dpkg's handling of a hardlink pointing to a conffile. Closes: #638291
   * Add example of extend-diff-ignore's usage in dpkg-source(1).
     Closes: #640198
+  * dpkg-buildflags now returns hardening flags by default. Closes: #489771
+    They can be individually enabled/disabled via DEB_BUILD_MAINT_OPTIONS,
+    see dpkg-buildflags(1). Thanks to Kees Cook for his help.
 
   [ Guillem Jover ]
   * Install deb-src-control(5) man pages in dpkg-dev. Closes: #620520

scripts/Dpkg/BuildFlags.pm

@@ -84,6 +84,7 @@ sub load_vendor_defaults {
 	FFLAGS   => 'vendor',
 	LDFLAGS  => 'vendor',
     };
+    # The Debian vendor hook will add hardening build flags
     run_vendor_hook("update-buildflags", $self);
 }
 

scripts/Dpkg/Vendor/Debian.pm

@@ -1,4 +1,8 @@
-# Copyright © 2009 Raphaël Hertzog <hertzog@debian.org>
+# Copyright © 2009-2011 Raphaël Hertzog <hertzog@debian.org>
+#
+# Hardening build flags handling derived from work of:
+# Copyright © 2009-2011 Kees Cook <kees@debian.org>
+# Copyright © 2007-2008 Canonical, Ltd.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,8 +25,13 @@ use warnings;
 our $VERSION = "0.01";
 
 use base qw(Dpkg::Vendor::Default);
+
+use Dpkg::Gettext;
+use Dpkg::ErrorHandling;
 use Dpkg::Control::Types;
 use Dpkg::Vendor::Ubuntu;
+use Dpkg::BuildOptions;
+use Dpkg::Arch qw(get_host_arch debarch_to_debtriplet);
 
 =encoding utf8
 
@@ -62,9 +71,86 @@ sub run_hook {
 	foreach my $bug (@$b) {
 	    $$textref .= "Bug-Ubuntu: https://bugs.launchpad.net/bugs/$bug\n";
 	}
+    } elsif ($hook eq "update-buildflags") {
+	$self->add_hardening_flags(@params);
     } else {
         return $self->SUPER::run_hook($hook, @params);
     }
 }
 
+sub add_hardening_flags {
+    my ($self, $flags) = @_;
+    my $arch = get_host_arch();
+    my ($abi, $os, $cpu) = debarch_to_debtriplet($arch);
+
+    # Decide what's enabled
+    my %use_feature = (
+	"pie" => 0,
+	"stackprotector" => 1,
+	"fortify" => 1,
+	"format" => 1,
+	"relro" => 1,
+	"bindnow" => 1
+    );
+    my $opts = Dpkg::BuildOptions->new(envvar => "DEB_BUILD_MAINT_OPTIONS");
+    foreach my $feature (split(",", $opts->get("hardening") // "")) {
+	$feature = lc($feature);
+	if ($feature =~ s/^([+-])//) {
+	    my $value = ($1 eq "+") ? 1 : 0;
+	    if ($feature eq "all") {
+		$use_feature{$_} = $value foreach keys %use_feature;
+	    } else {
+		if (exists $use_feature{$feature}) {
+		    $use_feature{$feature} = $value;
+		} else {
+		    warning(_g("unknown hardening feature: %s"), $feature);
+		}
+	    }
+	} else {
+	    warning(_g("incorrect value in hardening option of " .
+	               "DEB_BUILD_MAINT_OPTIONS: %s"), $feature);
+	}
+    }
+
+    # PIE
+    if ($use_feature{"pie"} and
+	$os =~ /^(linux|knetbsd|hurd)$/ and
+	$cpu !~ /^(hppa|m68k|mips|mipsel|avr32)$/) {
+	# Only on linux/knetbsd/hurd (see #430455 and #586215)
+	# Disabled on hppa, m68k (#451192), mips/mipsel (#532821), avr32
+	# (#574716)
+	$flags->append("CFLAGS", "-fPIE");
+	$flags->append("CXXFLAGS", "-fPIE");
+	$flags->append("LDFLAGS", "-fPIE -pie");
+    }
+    # Stack protector
+    if ($use_feature{"stackprotector"} and
+	$cpu !~ /^(ia64|alpha|mips|mipsel|hppa)$/ and $arch ne "arm") {
+	# Stack protector disabled on ia64, alpha, mips, mipsel, hppa.
+	#   "warning: -fstack-protector not supported for this target"
+	# Stack protector disabled on arm (ok on armel).
+	#   compiler supports it incorrectly (leads to SEGV)
+	$flags->append("CFLAGS", "-fstack-protector --param=ssp-buffer-size=4");
+	$flags->append("CXXFLAGS", "-fstack-protector --param=ssp-buffer-size=4");
+    }
+    # Fortify
+    if ($use_feature{"fortify"}) {
+	$flags->append("CFLAGS", "-D_FORTIFY_SOURCE=2");
+	$flags->append("CXXFLAGS", "-D_FORTIFY_SOURCE=2");
+    }
+    # Format
+    if ($use_feature{"format"}) {
+	$flags->append("CFLAGS", "-Wformat -Wformat-security -Werror=format-security");
+	$flags->append("CXXFLAGS", "-Wformat -Wformat-security -Werror=format-security");
+    }
+    # Relro
+    if ($use_feature{"relro"} and $cpu !~ /^(ia64|hppa|avr32)$/) {
+	$flags->append("LDFLAGS", "-Wl,-z,relro");
+    }
+    # Bindnow
+    if ($use_feature{"bindnow"}) {
+	$flags->append("LDFLAGS", "-Wl,-z,now");
+    }
+}
+
 1;

scripts/Dpkg/Vendor/Ubuntu.pm

@@ -94,6 +94,7 @@ sub run_hook {
 
     } elsif ($hook eq "update-buildflags") {
 	my $flags = shift @params;
+
 	if (debarch_eq(get_host_arch(), 'ppc64')) {
 	    for my $flag (qw(CFLAGS CXXFLAGS FFLAGS)) {
 		$flags->set($flag, '-g -O3', 'vendor');
@@ -102,6 +103,9 @@ sub run_hook {
 	# Per https://wiki.ubuntu.com/DistCompilerFlags
 	$flags->set('LDFLAGS', '-Wl,-Bsymbolic-functions', 'vendor');
 
+	# Run the Debian hook to add hardening flags
+	$self->SUPER::run_hook($hook, $flags);
+
 	# Allow control of hardening-wrapper via dpkg-buildpackage DEB_BUILD_OPTIONS
 	my $build_opts = Dpkg::BuildOptions->new();
 	my $hardening;