From: Dave Chinner <david@fromorbit.com>
To: Bastian Germann <bastiangermann@fishpost.de>
Cc: linux-xfs@vger.kernel.org, Dimitri John Ledkov <xnox@ubuntu.com>
Subject: Re: [PATCH 2/4] debian: Enable CET on amd64
Date: Sun, 21 Feb 2021 14:59:43 +1100
Message-ID: <20210221035943.GJ4662@dread.disaster.area>
In-Reply-To: <20210220121610.3982-3-bastiangermann@fishpost.de>

On Sat, Feb 20, 2021 at 01:16:07PM +0100, Bastian Germann wrote:
> This is a change introduced in 5.6.0-1ubuntu3.
> 
> Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
> Signed-off-by: Bastian Germann <bastiangermann@fishpost.de>
> ---
>  debian/changelog | 1 +
>  debian/rules     | 8 +++++++-
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/debian/changelog b/debian/changelog
> index 8320a2e8..c77f04ab 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -2,6 +2,7 @@ xfsprogs (5.11.0-rc0-1) experimental; urgency=medium
>  
>    [ Dimitri John Ledkov ]
>    * Drop trying to create upstream distribution
> +  * Enable CET on amd64
>  
>   -- Bastian Germann <bastiangermann@fishpost.de>  Sat, 20 Feb 2021 11:57:31 +0100
>  
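Review bot: The new bullet `* Enable CET on amd64` names the feature but not the mechanism. Naming the flag (`-fcf-protection`, appended through `DEB_CFLAGS_MAINT_APPEND` and `DEB_LDFLAGS_MAINT_APPEND`) and noting that LDFLAGS is now forwarded to the build would let a changelog reader tell what changed in debian/rules.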
> diff --git a/debian/rules b/debian/rules
> index 8a3345b6..dd093f2c 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -23,8 +23,14 @@ pkgdev = DIST_ROOT=`pwd`/$(dirdev); export DIST_ROOT;
>  pkgdi  = DIST_ROOT=`pwd`/$(dirdi); export DIST_ROOT;
>  stdenv = @GZIP=-q; export GZIP;
>  
> +ifeq ($(target),amd64)
> +export DEB_CFLAGS_MAINT_APPEND=-fcf-protection
> +export DEB_LDFLAGS_MAINT_APPEND=-fcf-protection
> +endif
> +include /usr/share/dpkg/default.mk
> +
>  options = export DEBUG=-DNDEBUG DISTRIBUTION=debian \
> -	  INSTALL_USER=root INSTALL_GROUP=root \
> +	  INSTALL_USER=root INSTALL_GROUP=root LDFLAGS='$(LDFLAGS)' \
>  	  LOCAL_CONFIGURE_OPTIONS="--enable-editline=yes --enable-blkid=yes --disable-ubsan --disable-addrsan --disable-threadsan --enable-lto" ;
>  diopts  = $(options) \
>  	  export OPTIMIZER=-Os LOCAL_CONFIGURE_OPTIONS="--enable-gettext=no --disable-ubsan --disable-addrsan --disable-threadsan --enable-lto" ;
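Review bot: In the `options` assignment only `LDFLAGS='$(LDFLAGS)'` is forwarded; nothing visible in this hunk passes `$(CFLAGS)`, so the `-fcf-protection` appended through `DEB_CFLAGS_MAINT_APPEND` reaches the compiler only if CFLAGS is exported some other way. dpkg's buildflags.mk, pulled in by `/usr/share/dpkg/default.mk`, sets the flag variables but exports them only when `DPKG_EXPORT_BUILDFLAGS` is defined. Either forward `CFLAGS='$(CFLAGS)'` next to the LDFLAGS assignment or set `DPKG_EXPORT_BUILDFLAGS` before the include. The `ifeq ($(target),amd64)` guard also depends on `target`, which is defined outside the hunk; a comment stating that it holds the host architecture would help, and a post-build check that the binaries carry the IBT/SHSTK property note (for example with `readelf -n`) would confirm the flag took effect.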

No. This is not the way to turn on build wide compiler/linker
options/protections.

IOWs, if you want to turn on control flow protections to make ROP
exploits harder (why that actually matters for xfsprogs is beyond
me), then you need to add a configure option similar to
--enable-lto. Then it can actually be enabled and used by other
distros, not just Ubuntu, and it will also ensure that builds will
fail at configure time if the compiler/linker does not support this
functionality.

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com
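
As an added illustration of the configure-time check the reply asks for (not code from xfsprogs or from anyone in this thread), the shell sketch below probes whether a compiler accepts `-fcf-protection` and fails hard when the option was requested but is unsupported. The function names `cc_accepts` and `cet_flags` and the yes/no mode argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sketch of a configure-time probe for -fcf-protection.
# cc_accepts and cet_flags are hypothetical names, not xfsprogs code.

# cc_accepts CC FLAG
# Succeeds only if CC compiles and links a trivial program with FLAG.
cc_accepts() {
    _cc=$1
    _flag=$2
    _dir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$_dir/probe.c"
    # -Werror turns an "unsupported option" warning into a hard failure,
    # so a compiler that merely ignores the flag is not counted as support.
    "$_cc" -Werror "$_flag" -o "$_dir/probe" "$_dir/probe.c" >/dev/null 2>&1
    _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

# cet_flags MODE [CC]
# Prints the flag to append to CFLAGS and LDFLAGS.
#   MODE=no   prints nothing and succeeds
#   MODE=yes  prints the flag, or fails the run if CC rejects it
cet_flags() {
    _mode=$1
    _probe_cc=${2:-cc}
    case $_mode in
    no)
        return 0
        ;;
    yes)
        if cc_accepts "$_probe_cc" -fcf-protection; then
            printf '%s\n' -fcf-protection
        else
            echo "error: $_probe_cc does not support -fcf-protection" >&2
            return 1
        fi
        ;;
    *)
        echo "error: expected yes or no, got '$_mode'" >&2
        return 2
        ;;
    esac
}
```

A packaging script would call `cet_flags yes "$CC"` once and abort the build on a non-zero status, which gives the same early failure on every distribution rather than a silent no-op on toolchains without CET support.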
