https://fedoraproject.org/wiki/Changes/ANNOBIN-used-by-bodhi

= Annobin Used By Bodhi =

== Summary ==
Use the annocheck program from the annobin package to produce an analysis of the security hardening of a compiled package when reviewing a Bodhi update.

== Owner ==
* Name: Nick Clifton [https://fedoraproject.org/wiki/User:Nickc]
* Email: nickc@xxxxxxxxxx

== Detailed Description ==
The annobin package provides two components: a plugin for gcc that records details about how a program was compiled, and an analyser that uses this information to produce a report on the security hardening status of the compiled program. Currently the plugin is being used as part of the build process for Fedora packages (when they are built using gcc), but the analysing program is not being run. This proposal is to have the analyser (called annocheck) run when creating information for review by the Bodhi update process, possibly allowing an update to be delayed until the security issues are addressed.

The analyser currently looks for the following items:
* Lazy binding must not have been enabled via the linker option "-z lazy". Instead the "-z now" option must have been used.
* The program must not have a stack in an executable region of memory.
* The relocations for the GOT table must be read only.
* No program segment should have all three of the read, write and execute permission bits set.
* There should be no relocations against executable code.
* The runpath information used to locate shared libraries at runtime must only include directories rooted at /usr.
* The program must have been compiled with the -fstack-protector-strong option enabled, and with -D_FORTIFY_SOURCE=2 specified. It must also have been compiled with at least optimisation level 2 (-O2).
* Dynamic executables must have a dynamic segment.
* Shared libraries must have been compiled with -fPIC or -fPIE but not -static.
* Dynamic executables must have been compiled with -fPIE and linked with -pie.
* Programs which use exception handling must have been compiled with -fexceptions enabled and with -D_GLIBCXX_ASSERTIONS specified.
* If available, -fstack-clash-protection must have been used.
* If available, -fcf-protection=full must have been used.
* For i686 binaries, the -mstackrealign option must have been specified.
* The program must not have any relocations that are held in a writable section.
* For x86_64 binaries, check that -fcf-protection has been enabled.

Note - I do not know *how* to add a run of the annocheck program to the Bodhi process. This change request is about asking that such a thing be added.

== Benefit to Fedora ==
Establishing good security practices when building packages will help Fedora remain a front-running Linux distribution. By providing a way to review the security hardening status of packages, this update will help to ensure that these practices continue.

Note - the intention is that if this change is successful, and useful, then a future change request would be made to include the security checking as part of the actual package build process, and to have packages fail to complete building if they do not pass the security checks.

== Scope ==
* Proposal owners: In theory there is very little that I can do personally. I do not have the knowledge to change the Bodhi process myself, so I will have to rely upon someone else to do that. I am familiar with the annobin package however, so any changes that are needed to it I will be happy to make.
* Other developers: Add an invocation of the annocheck program to the Bodhi build approval process and make its output available to reviewers. Annocheck can be invoked simply as "annocheck <filename>", although there is a set of command line options to extend and modify its behaviour. Annocheck understands the rpm file format, as well as shared and static libraries and executable binaries. It can also be helpful to provide annocheck with access to the debug information for a binary or rpm, if that has been placed into a separate file.
* Release engineering: https://pagure.io/fedora-ci/general/issue/78 No mass rebuild is required.
* Policies and guidelines: It is desirable that the packaging guidelines be updated to describe the security hardening features examined by annocheck (if they are not already mentioned in the guidelines).
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
This change should have no effect on upgrading Fedora, nor should it introduce any compatibility problems.

== How To Test ==
Submit a package for Bodhi review and see if the annocheck data is added to the page. No special hardware is needed for this test, but it might involve the use of a dummy package or a dummy instance of Bodhi in order to test the behaviour before going live.

== User Experience ==
This change should not be noticeable by users.

== Dependencies ==
No packages depend upon this change. This change does depend upon the annobin package.

== Contingency Plan ==
Back out any changes made to Bodhi.
* Blocks release? No releases are blocked by this change.
* Blocks product? No products are blocked by this change.

== Documentation ==
The watermark specification explains the technology underlying annobin: https://fedoraproject.org/wiki/Toolchain/Watermark#Proposed_Specification_for_non-loaded_notes

The annobin package includes its own documentation. On a system where it is installed, invoking "info annobin" should produce a searchable information structure.

== Release Notes ==
An update to the Fedora Release Notes should not be needed.
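The checks in the Detailed Description that concern the ELF layout itself (lazy binding, executable stack, read-only GOT, RWX segments, text relocations, runpath, presence of a dynamic segment, PIE) can be reproduced from the program headers and the dynamic section alone. The script below is an added example written for this page, not annobin or annocheck code; it assumes little-endian ELF64 input, treats PT_GNU_RELRO together with bind-now as the "GOT read only" condition, and uses ET_DYN as the PIE test. The two sample images it builds are constructed, data-only ELF files, not real binaries. The compiler-flag checks in the list (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, -O2, -fcf-protection, -fstack-clash-protection, -mstackrealign, -D_GLIBCXX_ASSERTIONS) depend on the notes the annobin plugin records and are not covered here.

```python
"""ELF-layout subset of the hardening checks (added example, not annocheck code)."""
import struct
import sys

# Constants from the ELF gABI / elf.h
ET_DYN = 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_RPATH, DT_TEXTREL, DT_BIND_NOW = 0, 5, 15, 16, 24
DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 29, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x4, 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def program_headers(data):
    """Return (e_type, [phdr tuples]) after a sanity check on the ident bytes."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_type, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    return e_type, [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _flags, off, va, _pa, filesz, _memsz, _align in phdrs:
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return off + (vaddr - va)
    raise ValueError("0x%x is not backed by any PT_LOAD" % vaddr)


def dynamic_tags(data, phdrs):
    """Return {d_tag: [d_val, ...]} from PT_DYNAMIC, or None if there is no dynamic segment."""
    for p_type, _flags, off, _va, _pa, filesz, _memsz, _align in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        tags = {}
        for pos in range(off, off + filesz, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, []).append(val)
        return tags
    return None


def audit(data):
    """Return {check name: passed} for the checks that need only the ELF layout."""
    e_type, phdrs = program_headers(data)
    tags = dynamic_tags(data, phdrs)
    t = tags or {}
    flags = t.get(DT_FLAGS, [0])[0]
    flags1 = t.get(DT_FLAGS_1, [0])[0]
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW or DT_BIND_NOW in t)  # "-z now"
    runpaths = []
    for tag in (DT_RUNPATH, DT_RPATH):
        for idx in t.get(tag, []):
            strtab = vaddr_to_offset(phdrs, t[DT_STRTAB][0])
            end = data.index(b"\0", strtab + idx)
            runpaths += data[strtab + idx:end].decode().split(":")
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    rwx = PF_R | PF_W | PF_X
    return {
        "no-lazy-binding": bind_now,
        "non-exec-stack": bool(stack) and not stack[0][1] & PF_X,
        "got-read-only": bind_now and any(p[0] == PT_GNU_RELRO for p in phdrs),  # full RELRO
        "no-rwx-segment": not any(p[1] & rwx == rwx for p in phdrs),
        "no-textrel": not (DT_TEXTREL in t or flags & DF_TEXTREL),
        "runpath-under-usr": all(d.startswith("/usr") for d in runpaths),
        "has-dynamic-segment": tags is not None,
        "pie": e_type == ET_DYN,  # assumption: ET_DYN executable; newer ld also sets DF_1_PIE
    }


def failures(data):
    return sorted(name for name, ok in audit(data).items() if not ok)


def build_sample(hardened):
    """Constructed data-only ELF64 image (no real code) exercising the audit."""
    base = 0 if hardened else 0x400000  # PIE images are ET_DYN based at 0
    phnum = 4 if hardened else 3
    dyn_off = EHDR.size + phnum * PHDR.size
    strtab_off = dyn_off + 5 * DYN.size
    runpath = b"/usr/lib64/sample" if hardened else b"/opt/vendor/lib:/usr/lib64"
    strtab = b"\0" + runpath + b"\0"  # string index 1 is the runpath
    size = strtab_off + len(strtab)
    if hardened:
        dyn = [(DT_STRTAB, base + strtab_off), (DT_RUNPATH, 1), (DT_FLAGS, DF_BIND_NOW),
               (DT_FLAGS_1, DF_1_NOW | DF_1_PIE), (DT_NULL, 0)]
    else:
        dyn = [(DT_STRTAB, base + strtab_off), (DT_RUNPATH, 1), (DT_FLAGS, DF_TEXTREL),
               (DT_TEXTREL, 0), (DT_NULL, 0)]
    seg_flags = (PF_R | PF_W) if hardened else (PF_R | PF_W | PF_X)
    dsz = 5 * DYN.size
    phdrs = [(PT_LOAD, seg_flags, 0, base, base, size, size, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, base + dyn_off, base + dyn_off, dsz, dsz, 8),
             (PT_GNU_STACK, seg_flags, 0, 0, 0, 0, 0, 16)]
    if hardened:
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, base + dyn_off, base + dyn_off, dsz, dsz, 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, ET_DYN if hardened else 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 64, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + b"".join(DYN.pack(*d) for d in dyn) + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            for name, ok in audit(fh.read()).items():
                print("%-20s %s" % (name, "PASS" if ok else "FAIL"))
    else:
        print("weak image fails:", failures(build_sample(False)))
        print("hardened image fails:", failures(build_sample(True)))
```

Run with a path to audit a real binary, or with no arguments to audit the two constructed images. Unlike annocheck it does not read rpm files or the annobin notes, so a PASS here only covers the link-time layout, not how the objects were compiled.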
-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx