Fedora 32 System-Wide Change proposal: Annobin Used By Bodhi

https://fedoraproject.org/wiki/Changes/ANNOBIN-used-by-bodhi

= Annobin Used By Bodhi =

== Summary ==
Use the annocheck program from the annobin package to produce an
analysis of the security hardening of a compiled package when
reviewing a Bodhi update.

== Owner ==
* Name: Nick Clifton [https://fedoraproject.org/wiki/User:Nickc]
* Email: nickc@xxxxxxxxxx

== Detailed Description ==
The annobin package provides two components, a plugin for gcc that
records details about how a program was compiled and an analyser that
uses this information to produce a report on the security hardening
status of the compiled program.  Currently the plugin is being used as
part of the build process for Fedora packages (when they are built
using gcc), but the analysing program is not being run.  This proposal
is to have the analyser (called annocheck) run when creating
information for review by the Bodhi update process, possibly allowing
an update to be delayed until the security issues are addressed.

The analyser currently looks for the following items:

* Lazy binding must not have been enabled via the linker option "-z
lazy".  Instead the "-z now" option must have been used.

* The program must not have a stack in an executable region of memory.

* The GOT must be read-only once its relocations have been applied.

* No program segment should have all three of the read, write and
execute permission bits set.

* There should be no relocations against executable code.

* The runpath information used to locate shared libraries at runtime
must only include directories rooted at /usr.

* The program must have been compiled with the
-fstack-protector-strong option enabled, and with -D_FORTIFY_SOURCE=2
specified.  It must also have been compiled at optimisation level 2
or higher.

* Dynamic executables must have a dynamic segment.

* Shared libraries must have been compiled with -fPIC or -fPIE, but not -static.

* Dynamic executables must have been compiled with -fPIE and linked with -pie.

* Programs which use exception handling must have been compiled with
-fexceptions enabled and with -D_GLIBCXX_ASSERTIONS specified.

* If available, the -fstack-clash-protection option must have been used.

* If available, the -fcf-protection=full option must have been used.

* For i686 binaries, the -mstackrealign option must have been specified.

* The program must not have any relocations that are held in a writable section.

* For x86_64 binaries, check that -fcf-protection has been enabled.


Note - I do not know *how* to add a run of the annocheck program to
the Bodhi process.  This change request is about asking that such a
thing be added.

== Benefit to Fedora ==

Establishing good security practices when building packages will help
Fedora remain a front-running Linux distribution.  By providing a way
to review the security hardening status of packages, this change will
help to ensure that these practices continue.

Note - the intention is that if this change is successful, and useful,
then a future change request would be made to include the security
checking as part of the actual package build process, and to have
packages fail to complete building if they do not pass the security
checks.

== Scope ==
* Proposal owners:
In theory there is very little that I can do personally.  I do not
have the knowledge to change the Bodhi process myself, so I will have
to rely upon someone else to do that.  I am familiar with the annobin
package however, so any changes that are needed to it I will be happy
to make.


* Other developers:
Add an invocation of the annocheck program to the Bodhi build approval
process and make its output available to reviewers.
Annocheck can be invoked simply as "annocheck <filename>" although
there are a set of command line options to extend and modify its
behaviour.  Annocheck understands the rpm file format, as well as
shared and static libraries and executable binaries.  It can also be
helpful to provide annocheck with access to the debug information for
a binary or rpm, if that has been placed into a separate file.


* Release engineering: https://pagure.io/fedora-ci/general/issue/78

No mass rebuild is required.

* Policies and guidelines:
It is desirable that the packaging guidelines be updated to describe
the security hardening features examined by annocheck.  (If they are
not already mentioned in the guidelines).

* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
This change should have no effect on upgrading Fedora, nor should it
introduce any compatibility problems.

== How To Test ==
Submit a package for Bodhi review and see if the annocheck data is
added to the page.
No special hardware is needed for this test, but it might involve the
use of a dummy package or a dummy instance of Bodhi in order to test
the behaviour before going live.

== User Experience ==
This change should not be noticeable by users.

== Dependencies ==
No packages depend upon this change.
This change does depend upon the annobin package.

== Contingency Plan ==
Back out any changes made to Bodhi.

* Blocks release?
No releases are blocked by this change.

* Blocks product?
No products are blocked by this change.

== Documentation ==
The watermark specification explains the technology underlying annobin:
https://fedoraproject.org/wiki/Toolchain/Watermark#Proposed_Specification_for_non-loaded_notes

The annobin package includes its own documentation.  On a system where
it is installed, invoking "info annobin" should open the annobin Info
manual, which can be searched and browsed.

== Release Notes ==
An update to the Fedora Release Notes should not be needed.

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx