hardening fio build with PIE for Address Space Layout Randomization and bindnow linking

Hello Jens!

In my attempt to harden the fio build as recommended within Debian, I tried to 
build it with PIE by using Debian's own mechanism via dpkg-buildflags. And I 
got:

    CC diskutil.o
    CC fifo.o
    CC blktrace.o
    CC cgroup.o
    CC trim.o
    CC engines/sg.o
    CC engines/binject.o
    CC oslib/linux-dev-lookup.o
    CC fio.o
  LINK fio
/usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can 
not be used when making a shared object; recompile with -fPIC
crc/crc16.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:399: recipe for target 'fio' failed
make[1]: *** [fio] Error 1
make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio'
dh_auto_build: make -j1 returned exit code 2
debian/rules:17: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2


Yet, building fio 2.10 from upstream doesn't produce a shared object 
file.

Any idea?




I: fio: hardening-no-pie usr/bin/fio
N: 
N:    This package provides an ELF executable that was not compiled as a
N:    position independent executable (PIE).
N:    
N:    PIE is required for fully enabling Address Space Layout Randomization
N:    (ASLR), which makes "Return-oriented" attacks more difficult.
N:    
N:    Historically, PIE has been associated with noticeable performance
N:    overhead on i386. However, GCC-5 has implemented an optimization that
N:    can reduce the overhead significantly.
N:    
N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:    
N:    The relevant compiler flags must be passed both to the compiler and the
N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
N:    
N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
N:    for all cases:
N:    
N:     * It is <not> compatible with -fPIC which required for
N:       compiling shared libraries.
N:     * It is unlikely to work when compiling static libraries or
N:       executables (gcc -static).
N:    
N:    If your upstream build compiles either of the above, you may have to
N:    patch the build to ensure that only ELF executables are compiled with
N:    PIE.
N:    
N:    Refer to https://wiki.debian.org/Hardening,
N:    https://gcc.gnu.org/gcc-5/changes.html, and
N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N:    for details.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: binaries, Type: binary, udeb
N: 
I: fio: hardening-no-pie usr/bin/fio-btrace2fio
I: fio: hardening-no-pie usr/bin/fio-dedupe
I: fio: hardening-no-pie usr/bin/fio-genzipf


Another option to harden fio works fine, and that is:

I: fio: hardening-no-bindnow usr/bin/fio
N: 
N:    This package provides an ELF binary that lacks the "bindnow" linker
N:    flag.
N:    
N:    If the ELF binary does not rely on late binding of symbols (e.g. weak
N:    symbols), then please consider enabling this feature. Otherwise, please
N:    consider overriding the tag (possibly with a comment about why).
N:    
N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:    
N:    The relevant compiler flags are set in LDFLAGS.
N:    
N:    Refer to https://wiki.debian.org/Hardening for details.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: binaries, Type: binary, udeb
N: 
I: fio: hardening-no-pie usr/bin/fio-btrace2fio
I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio
I: fio: hardening-no-pie usr/bin/fio-dedupe
I: fio: hardening-no-bindnow usr/bin/fio-dedupe
I: fio: hardening-no-pie usr/bin/fio-genzipf
I: fio: hardening-no-bindnow usr/bin/fio-genzipf


Maybe it would be nice to have some of these in the upstream build? PIE may not 
yet be advisable due to the GCC 5 requirement.

Thanks,
--
To unsubscribe from this list: send the line "unsubscribe fio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
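As an added example (not part of the post above, nor fio's or lintian's own code): a small POSIX shell script that reproduces the two lintian checks quoted in the post, hardening-no-pie and hardening-no-bindnow, from `readelf -h` / `readelf -d` output, so a packager can verify a built binary before running lintian. The function names, and the sample readelf output used at the bottom, are constructed for this example.

```shell
#!/bin/sh
# Classify an ELF binary's PIE and bindnow status from GNU readelf output.
# Assumes GNU binutils readelf formatting; "DYN" in the ELF header is taken
# as PIE for a file installed as an executable, which is approximately how
# the lintian hardening-no-pie check reasons (a plain shared library is
# also ET_DYN, so only apply this to files under usr/bin and the like).

# is_pie HEADER_TEXT: succeeds when the ELF type is DYN (-fPIE/-pie build),
# fails for EXEC (fixed-address binary, no full ASLR).
is_pie() {
    printf '%s\n' "$1" | grep -q '^ *Type: *DYN'
}

# has_bindnow DYNAMIC_TEXT: succeeds when the dynamic section carries the
# bindnow request in any of its three spellings: a DT_BIND_NOW entry,
# BIND_NOW in DT_FLAGS, or NOW in DT_FLAGS_1 (-Wl,-z,now).
has_bindnow() {
    printf '%s\n' "$1" |
        grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).* NOW( |$)'
}

# hardening_tags PKG PATH HEADER_TEXT DYNAMIC_TEXT: print lintian-style
# "I:" tags for whichever hardening features are missing (nothing if both
# are present).
hardening_tags() {
    pkg=$1; path=$2; hdr=$3; dyn=$4
    is_pie "$hdr" || echo "I: $pkg: hardening-no-pie $path"
    has_bindnow "$dyn" || echo "I: $pkg: hardening-no-bindnow $path"
}

# check_binary PKG FILE: run the checks on a real file with readelf.
check_binary() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
    hardening_tags "$1" "$2" "$(readelf -h "$2")" "$(readelf -d "$2")"
}

# Constructed sample readelf output (not captured from fio) for a fixed
# address, lazily bound binary and for a fully hardened one.
HDR_EXEC='ELF Header:
  Type:                              EXEC (Executable file)'
HDR_PIE='ELF Header:
  Type:                              DYN (Position-Independent Executable file)'
DYN_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
DYN_NOW=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
```

Calling `hardening_tags fio usr/bin/fio "$HDR_EXEC" "$DYN_LAZY"` prints the same two tags the post quotes, while the hardened pair prints nothing; `check_binary fio /path/to/fio` does the same on a real build.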
