From Fedora Project Wiki

Annobin Used By Bodhi

Summary

Use the annocheck program from the annobin package to produce an analysis of the security hardening of a compiled package when reviewing a Bodhi update.

Owner

  • Name: Nick Clifton [1]
  • Email: nickc@redhat.com

Current status

  • Targeted release: Fedora 32
  • Last updated: 2019-11-19
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The annobin package provides two components, a plugin for gcc that records details about how a program was compiled and an analyser that uses this information to produce a report on the security hardening status of the compiled program. Currently the plugin is being used as part of the build process for Fedora packages (when they are built using gcc), but the analysing program is not being run. This proposal is to have the analyser (called annocheck) run when creating information for review by the Bodhi update process, possibly allowing an update to be delayed until the security issues are addressed.

The analyser currently looks for the following items:

  • Lazy binding must not have been enabled via the linker option "-z lazy". Instead the @option{-z now} option must have been used.
  • The program must not have a stack in an executable region of memory.
  • The relocations for the GOT table must be read only.
  • No program segment should have all three of the read, write and execute permission bits set.
  • There should be no relocations against executable code.
  • The runpath information used to locate shared libraries at runtime must only include directories rooted at /usr.
  • The program must have been compiled with the -fstack-protector-strong option enabled, and with -D_FORTIFY_SOURCE=2 specified. It must also have been compiled at at least optimisation level 2.
  • Dynamic executables must have a dynamic segment.
  • Shared libraries must have been compiled with -fPIC or-fPIE but not -static.
  • Dynamic executables must have been compiled with -fPIE and linked with -pie.
  • Program which use exception handling must have been compiled with -fexceptions enabled and with -D_GLIBCXX_ASSERTIONS specified.
  • If available the -fstack-clash-protection must have been used.
  • If available the -fcf-protection=full must have been used.
  • For i686 binaries, the -mstackrealign option must have been specified.
  • The program must have been compiled with the -D_FORTIFY_SOURCE=2 command line option specified.
  • The program must have been compiled with at least -O2 optimisation enabled.
  • The program must not have any relocations that are held in a writable section.
  • For x86_64 binaries, check that -fcf-protection has been enabled.


Note - I do not know *how* to add a run of the annocheck program to the Bodhi process. This change request is about asking that such a thing be added.

Benefit to Fedora

Establishing good security practices when building packages will help Fedora remain a front running Linux distribution. By providing a way to review the security hardening status of packages, this update will help to ensure that these practices continue.

Note - the intention is that if this change is successful, and useful, then a future change request would be made to include the security checking as part of the actual package build process, and to have packages fail to complete building if they do not pass the security checks.

Scope

  • Proposal owners:

In theory there is very little that I can do personally. I do not have the knowledge to change the Bodhi process myself, so I will have to rely upon someone else to do that. I am familiar with the annobin package however, so any changes that are needed to it I will be happy to make.


  • Other developers:

Add an invocation of the annocheck program to the Bodhi build approval process and make its output available to reviewers. Annocheck can be invoked simply as "annocheck <filename>" although there are a set of command line options to extend and modify its behaviour. Annocheck understands the rpm file format, as well as shared and static libraries and executable binaries. It can also be helpful to provide annocheck with access to the debug information for a binary or rpm, if that has been placed into a separate file.


No mass rebuild is required.

  • Policies and guidelines:

It is desirable that the packaging guidelines be updated to describe the security hardening features examined by annocheck. (If they are not already mentioned in the guidelines).

  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

This change should have no effect on upgrading Fedora, nor should it introduce any compatibility problems.

How To Test

Submit a package for Bodhi review and see if the annocheck data is added to the page. No special hardware is needed for this test, but it might involve the use of a dummy package or a dummy instance of Bodhi in order to test the behaviour before going live.

User Experience

This change should not be noticeable by users.

Dependencies

No packages depend upon this change. This change does depend upon the annobin package.

Contingency Plan

Back out any changes made to Bodhi.

  • Blocks release?

No releases are blocked by this change.

  • Blocks product?

No products are blocked by this change.

Documentation

The watermark specification explains the technology underlying annobin: https://fedoraproject.org/wiki/Toolchain/Watermark#Proposed_Specification_for_non-loaded_notes

The annobin package includes its own documentation. On a system where it is installed invoking "info annobin" should produce a searchable information structure.

Release Notes

An update to the Fedora Release Notes should not be needed.