Hey Nick,

Is this change about stopping any builds which do not pass the annocheck test from going to the stable repository, or just about adding a new check there? If the latter, I don't think it qualifies as a system-wide change.

On Wed, Oct 30, 2019 at 10:05 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
> https://fedoraproject.org/wiki/Changes/ANNOBIN-used-by-bodhi
>
> = Annobin Used By Bodhi =
>
> == Summary ==
> Use the annocheck program from the annobin package to produce an
> analysis of the security hardening of a compiled package when
> reviewing a Bodhi update.
>
> == Owner ==
> * Name: Nick Clifton [https://fedoraproject.org/wiki/User:Nickc]
> * Email: nickc@xxxxxxxxxx
>
> == Detailed Description ==
> The annobin package provides two components, a plugin for gcc that
> records details about how a program was compiled and an analyser that
> uses this information to produce a report on the security hardening
> status of the compiled program. Currently the plugin is being used as
> part of the build process for Fedora packages (when they are built
> using gcc), but the analysing program is not being run. This proposal
> is to have the analyser (called annocheck) run when creating
> information for review by the Bodhi update process, possibly allowing
> an update to be delayed until the security issues are addressed.
>
> The analyser currently looks for the following items:
>
> * Lazy binding must not have been enabled via the linker option "-z
> lazy". Instead the "-z now" option must have been used.
>
> * The program must not have a stack in an executable region of memory.
>
> * The relocations for the GOT table must be read only.
>
> * No program segment should have all three of the read, write and
> execute permission bits set.
>
> * There should be no relocations against executable code.
>
> * The runpath information used to locate shared libraries at runtime
> must only include directories rooted at /usr.
>
> * The program must have been compiled with the
> -fstack-protector-strong option enabled, and with -D_FORTIFY_SOURCE=2
> specified. It must also have been compiled at at least optimisation
> level 2.
>
> * Dynamic executables must have a dynamic segment.
>
> * Shared libraries must have been compiled with -fPIC or -fPIE but not -static.
>
> * Dynamic executables must have been compiled with -fPIE and linked with -pie.
>
> * Programs which use exception handling must have been compiled with
> -fexceptions enabled and with -D_GLIBCXX_ASSERTIONS specified.
>
> * If available the -fstack-clash-protection must have been used.
>
> * If available the -fcf-protection=full must have been used.
>
> * For i686 binaries, the -mstackrealign option must have been specified.
>
> * The program must have been compiled with the -D_FORTIFY_SOURCE=2
> command line option specified.
>
> * The program must have been compiled with at least -O2 optimisation enabled.
>
> * The program must not have any relocations that are held in a writable section.
>
> * For x86_64 binaries, check that -fcf-protection has been enabled.
>
>
> Note - I do not know *how* to add a run of the annocheck program to
> the Bodhi process. This change request is about asking that such a
> thing be added.
>
> == Benefit to Fedora ==
>
> Establishing good security practices when building packages will help
> Fedora remain a front running Linux distribution. By providing a way
> to review the security hardening status of packages, this update will
> help to ensure that these practices continue.
>
> Note - the intention is that if this change is successful, and useful,
> then a future change request would be made to include the security
> checking as part of the actual package build process, and to have
> packages fail to complete building if they do not pass the security
> checks.
>
> == Scope ==
> * Proposal owners:
> In theory there is very little that I can do personally. I do not
> have the knowledge to change the Bodhi process myself, so I will have
> to rely upon someone else to do that. I am familiar with the annobin
> package however, so any changes that are needed to it I will be happy
> to make.
>
>
> * Other developers:
> Add an invocation of the annocheck program to the Bodhi build approval
> process and make its output available to reviewers.
> Annocheck can be invoked simply as "annocheck <filename>" although
> there are a set of command line options to extend and modify its
> behaviour. Annocheck understands the rpm file format, as well as
> shared and static libraries and executable binaries. It can also be
> helpful to provide annocheck with access to the debug information for
> a binary or rpm, if that has been placed into a separate file.
>
>
> * Release engineering: https://pagure.io/fedora-ci/general/issue/78
>
> No mass rebuild is required.
>
> * Policies and guidelines:
> It is desirable that the packaging guidelines be updated to describe
> the security hardening features examined by annocheck. (If they are
> not already mentioned in the guidelines).
>
> * Trademark approval: N/A (not needed for this Change)
>
> == Upgrade/compatibility impact ==
> This change should have no effect on upgrading Fedora, nor should it
> introduce any compatibility problems.
>
> == How To Test ==
> Submit a package for Bodhi review and see if the annocheck data is
> added to the page.
> No special hardware is needed for this test, but it might involve the
> use of a dummy package or a dummy instance of Bodhi in order to test
> the behaviour before going live.
>
> == User Experience ==
> This change should not be noticeable by users.
>
> == Dependencies ==
> No packages depend upon this change.
> This change does depend upon the annobin package.
>
> == Contingency Plan ==
> Back out any changes made to Bodhi.
>
> * Blocks release?
> No releases are blocked by this change.
>
> * Blocks product?
> No products are blocked by this change.
>
> == Documentation ==
> The watermark specification explains the technology underlying annobin:
> https://fedoraproject.org/wiki/Toolchain/Watermark#Proposed_Specification_for_non-loaded_notes
>
> The annobin package includes its own documentation. On a system where
> it is installed invoking "info annobin" should produce a searchable
> information structure.
>
> == Release Notes ==
> An update to the Fedora Release Notes should not be needed.
>
> --
> Ben Cotton
> He / Him / His
> Fedora Program Manager
> Red Hat
> TZ=America/Indiana/Indianapolis
> _______________________________________________
> devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
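Several of the link-time items in the quoted checklist (no lazy binding, non-executable stack, read-only GOT, no segment with all of RWX, runpath rooted at /usr, a dynamic segment, position independence) can be checked from what `readelf -W -h -l -d` prints, which is a useful way for a reviewer to see what annocheck is looking for. The script below is an example added to this thread, not annobin's or Bodhi's code: it parses constructed `readelf` output for a hypothetical weakly-linked PIE and for a relinked copy of it, and reports which checks fail. The compiler-side items (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, -O2, -fstack-clash-protection, -fcf-protection) are recorded only in annobin's notes and are not covered here; the sample output, the binary it describes and the check names are all assumptions.

```python
"""Hardening checks over `readelf -W -h -l -d` text output.

Example added to this thread (not annobin's code).  Covers the link-time
items from the annocheck list; the gcc-flag items need annobin's notes.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed readelf output for a hypothetical PIE with an executable
# stack, lazy binding, partial RELRO only and a RUNPATH entry outside /usr.
WEAK_READELF = """\
ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0002d8 0x0002d8 R   0x8
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000a58 0x000a58 R   0x1000
  LOAD           0x001000 0x0000000000001000 0x0000000000001000 0x0001f1 0x0001f1 R E 0x1000
  LOAD           0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x000258 0x000260 RW  0x1000
  DYNAMIC        0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x0001f0 0x0001f0 RW  0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
  GNU_RELRO      0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x000238 0x000238 R   0x1

Dynamic section at offset 0x2dc8 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib64/foo:/home/build/lib]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
 0x0000000000000000 (NULL)               0x0
"""

# The same hypothetical binary relinked with -z now, -z noexecstack and a
# RUNPATH under /usr; derived by text substitution purely for contrast.
HARDENED_READELF = (WEAK_READELF
                    .replace("RWE 0x10", "RW  0x10")
                    .replace("[/usr/lib64/foo:/home/build/lib]", "[/usr/lib64/foo]")
                    .replace("Flags: PIE", "Flags: NOW PIE"))

# One program header per line (wide format): type, five hex fields, flags, align.
SEG_RE = re.compile(r"^\s*(?P<type>[A-Z_]+)\s+(?:0x[0-9a-fA-F]+\s+){5}"
                    r"(?P<flags>[RWE ]+?)\s+0x[0-9a-fA-F]+\s*$")
# One dynamic entry per line: tag value, (TAG), free-form value.
DYN_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\((?P<tag>\w+)\)\s+(?P<value>.*?)\s*$")
TYPE_RE = re.compile(r"^\s*Type:\s+(?P<type>\w+)")


def parse_readelf(text: str) -> Tuple[str, List[Tuple[str, Set[str]]], List[Tuple[str, str]]]:
    """Return (ELF type, [(segment type, flag set)], [(dynamic tag, value)])."""
    elf_type = "UNKNOWN"
    segments: List[Tuple[str, Set[str]]] = []
    dynamic: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if (m := TYPE_RE.match(line)):
            elf_type = m.group("type")
        elif (m := SEG_RE.match(line)):
            segments.append((m.group("type"), set(m.group("flags").replace(" ", ""))))
        elif (m := DYN_RE.match(line)):
            dynamic.append((m.group("tag"), m.group("value")))
    return elf_type, segments, dynamic


def hardening_report(text: str) -> Dict[str, bool]:
    """Map each check name to True (pass) or False (fail)."""
    elf_type, segments, dynamic = parse_readelf(text)
    seg_flags = {t: f for t, f in segments}       # assumes one GNU_STACK/GNU_RELRO/DYNAMIC
    tags = {t: v for t, v in dynamic}
    flag_words = set((tags.get("FLAGS", "") + " " + tags.get("FLAGS_1", ""))
                     .replace(":", " ").split())
    bind_now = bool({"BIND_NOW", "NOW"} & flag_words)   # -z now was used

    # Every RPATH/RUNPATH entry must live under /usr.
    paths: List[str] = []
    for tag in ("RPATH", "RUNPATH"):
        if tag in tags:
            raw = tags[tag]
            paths += [p for p in raw[raw.find("[") + 1:raw.rfind("]")].split(":") if p]
    runpath_ok = all(p == "/usr" or p.startswith("/usr/") for p in paths)

    stack = seg_flags.get("GNU_STACK")   # missing header leaves the stack at the kernel default
    return {
        "no_lazy_binding": bind_now,
        "nonexec_stack": stack is not None and "E" not in stack,
        "got_readonly": "GNU_RELRO" in seg_flags and bind_now,   # full RELRO
        "no_rwx_segment": not any({"R", "W", "E"} <= f for _, f in segments),
        "runpath_under_usr": runpath_ok,
        "has_dynamic_segment": "DYNAMIC" in seg_flags,
        "position_independent": elf_type == "DYN",   # EXEC means a non-PIE executable
    }


def failures(text: str) -> List[str]:
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in hardening_report(text).items() if not ok)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_READELF), ("hardened", HARDENED_READELF)):
        print(f"{label}: failed checks = {failures(sample) or 'none'}")
```

To run it against a real file, feed `hardening_report()` the output of `readelf -W -h -l -d <binary>`. The GOT check treats "full RELRO" (a GNU_RELRO segment plus BIND_NOW) as the pass condition, since with lazy binding part of the GOT stays writable; a missing GNU_STACK header is reported as a failure rather than assumed safe.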