From 776658a6749052007130e71cb693256e7528c2e3 Mon Sep 17 00:00:00 2001
From: mayeut
Date: Sun, 21 Feb 2021 14:17:37 +0100
Subject: [PATCH] Use hardening for building all tools & libraries

This does not affect the wheels that are produced by end users as proposed in https://github.com/pypa/manylinux/issues/59 but mitigates potential security issues in the tools used by manylinux images as mentioned in https://github.com/pypa/manylinux/issues/1005
---
 docker/build_scripts/build-cmake.sh | 4 ++++
 docker/build_scripts/build-cpython.sh | 15 ++++++++++++++-
 docker/build_scripts/build-git.sh | 2 +-
 docker/build_scripts/build-openssl.sh | 2 +-
 docker/build_scripts/build-swig.sh | 4 ++++
 docker/build_scripts/build_utils.sh | 9 ++++++++-
 6 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/docker/build_scripts/build-cmake.sh b/docker/build_scripts/build-cmake.sh
index 7d4d27450..cc63ca243 100755
--- a/docker/build_scripts/build-cmake.sh
+++ b/docker/build_scripts/build-cmake.sh
@@ -19,6 +19,10 @@ fetch_source cmake-${CMAKE_VERSION}.tar.gz ${CMAKE_DOWNLOAD_URL}/v${CMAKE_VERSIO
 check_sha256sum cmake-${CMAKE_VERSION}.tar.gz ${CMAKE_HASH}
 tar -xzf cmake-${CMAKE_VERSION}.tar.gz
 pushd cmake-${CMAKE_VERSION}
+export CPPFLAGS="${MANYLINUX_CPPFLAGS}"
+export CFLAGS="${MANYLINUX_CFLAGS} ${CPPFLAGS}"
+export CXXFLAGS="${MANYLINUX_CXXFLAGS} ${CPPFLAGS}"
+export LDFLAGS="${MANYLINUX_LDFLAGS}"
 ./bootstrap --system-curl --parallel=$(nproc)
 make -j$(nproc)
 make install DESTDIR=/manylinux-rootfs
diff --git a/docker/build_scripts/build-cpython.sh b/docker/build_scripts/build-cpython.sh
index a61d864ad..2da92460e 100755
--- a/docker/build_scripts/build-cpython.sh
+++ b/docker/build_scripts/build-cpython.sh
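Review bot: The `+export CFLAGS="${MANYLINUX_CFLAGS} ${CPPFLAGS}"` and `CXXFLAGS` lines fold the preprocessor flags into the compiler flags, whereas the build-swig.sh and build_utils.sh hunks of this patch pass `CPPFLAGS` on its own, and nothing in the hunk records why. If the reason is that CMake's `bootstrap` does not consume `CPPFLAGS`, a one-line comment above the exports would stop a later "harmonising" cleanup from silently dropping `-D_FORTIFY_SOURCE=2` from the cmake build, e.g. `# bootstrap ignores CPPFLAGS: fold them into CFLAGS/CXXFLAGS so _FORTIFY_SOURCE reaches the cmake build`. The four `export`s also stay in the environment for whatever the script runs after `make install`, which is outside this hunk; the same applies to the exports in the build-swig.sh hunk.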
@@ -32,7 +32,20 @@ tar -xzf Python-${CPYTHON_VERSION}.tgz
 pushd Python-${CPYTHON_VERSION}
 PREFIX="/opt/_internal/cpython-${CPYTHON_VERSION}"
 mkdir -p ${PREFIX}/lib
-./configure --prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+# configure with hardening options only for the interpreter & stdlib C extensions
+# do not change the default for user built extension (yet?)
+if [ "${CPYTHON_VERSION:0:4}" == "3.5." ]; then
+ ./configure \
+ CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS}" \
+ --prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+ # those are not picked-up by distutils in CPython 3.5 which has no LDFLAGS_NODIST option in configure
+ export LDFLAGS="${MANYLINUX_LDFLAGS}"
+else
+ ./configure \
+ CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS}" \
+ LDFLAGS_NODIST="${MANYLINUX_LDFLAGS}" \
+ --prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+fi
 make -j$(nproc) > /dev/null
 make -j$(nproc) install > /dev/null
 popd
diff --git a/docker/build_scripts/build-git.sh b/docker/build_scripts/build-git.sh
index 940ded6f2..6a4eb4118 100755
--- a/docker/build_scripts/build-git.sh
+++ b/docker/build_scripts/build-git.sh
@@ -19,7 +19,7 @@ fetch_source ${GIT_ROOT}.tar.gz ${GIT_DOWNLOAD_URL}
 check_sha256sum ${GIT_ROOT}.tar.gz ${GIT_HASH}
 tar -xzf ${GIT_ROOT}.tar.gz
 pushd ${GIT_ROOT}
-make -j$(nproc) install prefix=/usr/local NO_GETTEXT=1 NO_TCLTK=1 DESTDIR=/manylinux-rootfs
+make -j$(nproc) install prefix=/usr/local NO_GETTEXT=1 NO_TCLTK=1 DESTDIR=/manylinux-rootfs CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS}" CXXFLAGS="${MANYLINUX_CXXFLAGS}" LDFLAGS="${MANYLINUX_LDFLAGS}"
 popd
 rm -rf ${GIT_ROOT} ${GIT_ROOT}.tar.gz
diff --git a/docker/build_scripts/build-openssl.sh b/docker/build_scripts/build-openssl.sh
index ead51bef0..8a4bf7230 100755
--- a/docker/build_scripts/build-openssl.sh
+++ b/docker/build_scripts/build-openssl.sh
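Review bot: In the 3.5 branch the comment above `+ export LDFLAGS="${MANYLINUX_LDFLAGS}"` says distutils does not pick the flags up, but not why the export is placed after `./configure` instead of being passed to it like `CFLAGS_NODIST`; presumably the point is that an environment `LDFLAGS` reaches `make` and the stdlib extension build without being recorded in the configure-time sysconfig values that user extension builds inherit, which is what the top comment promises. A reader could "simplify" this into a `LDFLAGS=` configure argument and leak the hardening flags into user builds, so spell the intent out, e.g. `# 3.5 has no LDFLAGS_NODIST: export only after configure so make sees it but sysconfig does not record it`. `[ ... == ... ]` and `${CPYTHON_VERSION:0:4}` are bash-only constructs, which is fine only if the script's shebang (outside the hunk) is bash.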
@@ -35,7 +35,7 @@ fetch_source ${OPENSSL_ROOT}.tar.gz ${OPENSSL_DOWNLOAD_URL}
 check_sha256sum ${OPENSSL_ROOT}.tar.gz ${OPENSSL_HASH}
 tar -xzf ${OPENSSL_ROOT}.tar.gz
 pushd ${OPENSSL_ROOT}
-./config no-shared -fPIC --prefix=/usr/local/ssl --openssldir=/usr/local/ssl > /dev/null
+./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS} -fPIC" CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
 make > /dev/null
 make install_sw > /dev/null
 popd
diff --git a/docker/build_scripts/build-swig.sh b/docker/build_scripts/build-swig.sh
index 6da0d053b..5b49bebc2 100755
--- a/docker/build_scripts/build-swig.sh
+++ b/docker/build_scripts/build-swig.sh
@@ -24,6 +24,10 @@ tar -xzf ${SWIG_ROOT}.tar.gz
 pushd ${SWIG_ROOT}
 fetch_source ${PCRE_ROOT}.tar.gz ${PCRE_DOWNLOAD_URL}
 check_sha256sum ${PCRE_ROOT}.tar.gz ${PCRE_HASH}
+export CPPFLAGS="${MANYLINUX_CPPFLAGS}"
+export CFLAGS="${MANYLINUX_CFLAGS}"
+export CXXFLAGS="${MANYLINUX_CXXFLAGS}"
+export LDFLAGS="${MANYLINUX_LDFLAGS}"
 ./Tools/pcre-build.sh
 ./configure
 make -j$(nproc)
diff --git a/docker/build_scripts/build_utils.sh b/docker/build_scripts/build_utils.sh
index d88ac6151..43f5fa653 100755
--- a/docker/build_scripts/build_utils.sh
+++ b/docker/build_scripts/build_utils.sh
@@ -2,6 +2,13 @@
 # Helper utilities for build
+# use all flags used by ubuntu 20.04 for hardening builds, dpkg-buildflags --export
+MANYLINUX_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
+MANYLINUX_CFLAGS="-g -O2 -Wall -fdebug-prefix-map=/=. -fstack-protector-strong -Wformat -Werror=format-security"
+MANYLINUX_CXXFLAGS="-g -O2 -Wall -fdebug-prefix-map=/=. -fstack-protector-strong -Wformat -Werror=format-security"
+MANYLINUX_LDFLAGS="-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now"
+
+
 function check_var {
 if [ -z "$1" ]; then
 echo "required variable not defined"
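Review bot: `-fPIC` is appended to `LDFLAGS` on the new `./config` line, where it does nothing: it is a code-generation option consumed at compile time, so only the `CFLAGS`/`CXXFLAGS` copies have an effect, and `LDFLAGS="${MANYLINUX_LDFLAGS}"` would avoid suggesting the link step is affected. The removed line passed `-fPIC` as a `./config` argument, which Configure understands directly; moving it into `CFLAGS=`/`CXXFLAGS=` is fine provided `VAR=value` arguments extend rather than replace the flags Configure sets for the target, which is worth confirming against the generated Makefile for the OpenSSL version pinned outside this hunk. A post-build check that objects in the resulting static libraries reference the stack-protector and fortify symbols would confirm the flags actually took effect.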
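Review bot: The four `+export` lines reach `./Tools/pcre-build.sh` only through the environment, and how that vendored helper handles `CPPFLAGS` and `LDFLAGS` is not visible in this hunk, so the bundled PCRE may end up with fewer hardening flags than the swig binary itself. Rather than assume propagation, verify the built PCRE objects carry the stack-protector and fortify symbols, or pass the flags to the helper explicitly if it accepts them. A short comment such as `# exported so both pcre-build.sh and swig's configure pick them up` would record why plain exports are used here while the build_utils.sh hunk passes the same flags as configure arguments.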
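Review bot: The new `MANYLINUX_*` values reproduce `dpkg-buildflags --export`, but on Ubuntu that output is only part of the hardening story: its GCC is built with PIE enabled by default, so position-independent executables come from the compiler rather than from these flags. The GCC used in the manylinux images (not visible here) may not default to PIE, in which case tools built with this set get stack protector, fortify and full RELRO but no ASLR of the main executable; consider `-fPIE` in `MANYLINUX_CFLAGS`/`MANYLINUX_CXXFLAGS` and `-pie` in `MANYLINUX_LDFLAGS` where the product is an executable (libraries keep `-fPIC`), and verify with `readelf -h` (`Type: DYN`) on the installed binaries. Newer Ubuntu compiler defaults such as `-fstack-clash-protection` are likewise absent and could be added if the toolchain accepts them. Separately, these are constants sourced by every build script; `readonly MANYLINUX_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"` and likewise for the other three would stop a script from redefining them by accident.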
@@ -38,7 +45,7 @@ function check_sha256sum {
 function do_standard_install {
- ./configure "$@" > /dev/null
+ ./configure "$@" CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS}" "CXXFLAGS=${MANYLINUX_CXXFLAGS}" LDFLAGS="${MANYLINUX_LDFLAGS}" > /dev/null
 make -j$(nproc) > /dev/null
 make -j$(nproc) install > /dev/null
 }
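Review bot: `"CXXFLAGS=${MANYLINUX_CXXFLAGS}"` is quoted differently from its three neighbours on the new `./configure` line; both forms are the same word to the shell, but the odd one out reads like a typo and invites a "fix", so `CXXFLAGS="${MANYLINUX_CXXFLAGS}"` keeps the line uniform. The flag assignments come after `"$@"`, so if a caller of `do_standard_install` ever passes its own `CFLAGS=` the later assignment presumably wins and the caller's value is silently discarded; if that is intended, a comment stating that the hardening flags are not overridable would document it. Splitting the line with `\` continuations, as the build-cpython.sh hunk does, would also make the flag set easier to review.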