narration_tag config variable to set narration from metadata
Dockerfile to create Docker image
SECCOMP_RET_USER_NOTIF filters to inject file descriptors into the target process using
SECCOMP_IOCTL_NOTIF_ADDFD. This lets container managers fully emulate syscalls like
connect(), where an actual file descriptor is expected to be available after a successful syscall. In the process I fixed a couple of bugs and refactored the file descriptor receiving code.
zero-initialize stack variables with Clang
CONFIG_INIT_STACK_ALL_ZERO, which, besides actually being faster, has a few behavioral benefits as well. Unlike pattern initialization, which has a higher chance of triggering existing bugs, zero initialization provides safe defaults for strings, pointers, indexes, and sizes. Like pattern initialization, this feature stops entire classes of uninitialized stack variable flaws.
common syscall entry/exit routines
CONFIG_SLAB_FREELIST_HARDENED feature parity with the SLUB heap allocator, I added naive double-free detection and the ability to detect cross-cache freeing in the SLAB allocator. This should keep a class of type-confusion bugs from biting kernels using SLAB. (Most distro kernels use SLUB, but some smaller devices prefer the slightly more compact SLAB, so this hardening is mostly aimed at those systems.) new
CAP_CHECKPOINT_RESTORE capability, splitting this functionality off of
CAP_SYS_ADMIN. The needs for the kernel to correctly checkpoint and restore a process (e.g. used to move processes between containers) continue to grow, and it became clear that the security implications were lower than those of
CAP_SYS_ADMIN yet distinct from other capabilities. Using this capability is now the preferred method for doing things like changing
debugfs boot-time visibility restriction
debugfs boot parameter to control the visibility of the kernel's debug filesystem. The contents of debugfs continue to be a common area of sensitive information being exposed to attackers. While this was effectively possible by unsetting
CONFIG_DEBUG_FS, that wasn't a great approach for system builders needing a single set of kernel configs (e.g. a distro kernel), so now it can be disabled at boot time.
more seccomp architecture support
-fstack-protector-strong) support for RISC-V. This is the initial global-canary support while the patches to GCC to support per-task canaries are getting finished (similar to the per-task canaries done for arm64). This will mean nearly all stack frame write overflows are no longer useful to attackers on this architecture. It's nice to see this finally land for RISC-V, which is quickly approaching architecture feature parity with the other major architectures in the kernel. new
tasklet API to make their use safer. Much like the
timer_list refactoring work done earlier, the
tasklet API is also a potential source of simple function-pointer-and-first-argument controlled exploits via linear heap overwrites. It's a smaller attack surface since it's used much less in the kernel, but it is the same weak design, making it a sensible thing to replace. While the use of the
tasklet API is considered deprecated (replaced by threaded IRQs), it's not always a simple mechanical refactoring, so the old API still needs refactoring (since that CAN be done mechanically in most cases). x86
FSGSBASE series. This provides task switching performance improvements while keeping the kernel safe from modules accidentally (or maliciously) trying to use the features directly (which exposed an unprivileged direct kernel access hole).
filter x86 MSR writes
MSR_IA32_ENERGY_PERF_BIAS. Boris Petkov has decided enough is enough and has now enabled logging and kernel tainting (
TAINT_CPU_OUT_OF_SPEC) by default and a way to disable MSR writes at runtime. (However, since this is controlled by a normal module parameter and the root user can just turn writes back on, I continue to recommend that people build with
CONFIG_X86_MSR=n.) The expectation is that userspace MSR writes will be entirely removed in future kernels.
uninitialized_var() macro, which had been used to silence compiler warnings. The rationale for this macro was weak to begin with ("the compiler is reporting an uninitialized variable that is clearly initialized") since it was mainly papering over compiler bugs. However, it creates a much more fragile situation in the kernel since now such uses can actually disable automatic stack variable initialization, as well as mask legitimate unused-variable warnings. The proper solution is to just initialize variables the compiler warns about.
function pointer cast removals
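An added example (mine, not code from the post or from the kernel) of the scalar case the two stack-initialization items above describe: a length that is assigned on one branch only, hidden from the compiler with the old uninitialized_var() self-assignment, next to the same function with the zero default that CONFIG_INIT_STACK_ALL_ZERO gives every local. The message format, sample payload and OUT_MAX bound are constructed for the example, and the explicit "= 0" stands in for what the compiler flag inserts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (userspace model, not kernel code). The macro is the literal
 * GCC definition the kernel carried until uninitialized_var() was removed:
 * it silences the warning and initialises nothing. */
#define uninitialized_var(x) x = x

/* Constructed message format: only type 1 carries a payload. */
struct msg {
    int type;
    size_t payload_len;
};

#define OUT_MAX 16
uint8_t demo_out[OUT_MAX];

/* Buggy shape: 'len' is assigned on one branch only and the self-assignment
 * hides that from the compiler. For any other type the memcpy length is
 * whatever the previous frame left on the stack. Reading it is undefined
 * behaviour, so this variant is never called here; it exists for contrast. */
size_t copy_payload_buggy(const struct msg *m, const uint8_t *src, uint8_t *out)
{
    size_t uninitialized_var(len);

    if (m->type == 1)
        len = m->payload_len;
    if (len > OUT_MAX)
        return 0;
    memcpy(out, src, len);
    return len;
}

/* What CONFIG_INIT_STACK_ALL_ZERO gives every local for free: the "= 0"
 * stands in for -ftrivial-auto-var-init=zero. An unknown type now copies
 * nothing. Pattern init would leave a repeated byte pattern here instead,
 * which the bound check rejects but which is not a safe value on its own. */
size_t copy_payload_zeroinit(const struct msg *m, const uint8_t *src, uint8_t *out)
{
    size_t len = 0;

    if (m->type == 1)
        len = m->payload_len;
    if (len > OUT_MAX)
        return 0;
    memcpy(out, src, len);
    return len;
}

/* Constructed inputs. The unknown-type message carries a bogus payload_len
 * on purpose: a correct handler never consults it for that type. */
const uint8_t demo_payload[4] = { 0xde, 0xad, 0xbe, 0xef };
const struct msg demo_msg_typed   = { .type = 1, .payload_len = 4 };
const struct msg demo_msg_unknown = { .type = 9, .payload_len = 0xffffffffu };
```

The zero-initialized variant copies 4 bytes for the typed message and 0 bytes for the unknown one; the buggy variant's result for the unknown message depends on stack contents, which is exactly the class of flaw the compiler option removes.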
-Wcast-function-type. The future use of Control Flow Integrity checking (which does validation of function prototypes matching between the caller and the target) tends not to work well with function casts, so it'd be nice to get rid of these before CFI lands.
flexible array conversions
-Warray-bounds, which catches a lot of potential buffer overflows at compile time. That's it for now! Please let me know if you think anything else needs some attention. Next up is Linux v5.10.
2021, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
Series: Sun Chronicles #1
Welcome to the May 2020 report from the Reproducible Builds project. One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. Nonetheless, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes. In these reports we outline the most important things that we and the rest of the community have been up to over the past month.
Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle.
In related news, the LineageOS Android distribution announced that a hacker had access to the infrastructure of their servers after exploiting an unpatched vulnerability. Marcin Jachymiak of the Sia decentralised cloud storage platform posted on their blog that their
siad utilities can now be built reproducibly:
This means that anyone can recreate the same binaries produced from our official release process. Now anyone can verify that the release binaries were created using the source code we say they were created from. No single person or computer needs to be trusted when producing the binaries now, which greatly reduces the attack surface for Sia users.
Synchronicity is a distributed build system for Rust build artifacts which have been published to crates.io. The goal of Synchronicity is to provide a distributed binary transparency system which is independent of any central operator. The Comparison of Linux distributions article on Wikipedia now features a Reproducible Builds column indicating whether distributions approach and progress towards achieving reproducible builds.
binutils package ships its own, unreproducible, log files in its binary packages. It was followed up by replies from Chris Lamb and Matthias Klose.
.apk packages. Allan McRae of the ArchLinux project posted their third Reproducible builds progress report to the
arch-dev-public mailing list which includes the following call for help:
We also need help to investigate and fix the packages that fail to reproduce that we have not investigated as of yet.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
146 to Debian, PyPI, etc.
file now supports recognising JSON data. (#106)
.buildinfo handling to show all details (including the GnuPG header and footer components) even when referenced files are not present. (#122)
BuildinfoFile comparator (etc.) regardless of whether the associated files (such as the
.deb) are present. [ ]
.changes, etc. [ ]
differences typo in the
id="foo" anchor reference twice in the HTML output, otherwise identically-named parts will not be able to be linked to via a
#. [ ]
--json presenter; it will usually be too complicated to be readable by the human anyway. [ ]
Command [ ] failed with exit code messages to remove duplicate
exited with exit but also to note that
diffoscope is interpreting this as an error. [ ]
Command [ ] exited with 1 messages. (#126)
debian Python module. [ ]
stderr from if both commands emit the same output. [ ]
apksigner test failures due to lack of
binfmt_misc, e.g. on Salsa CI and elsewhere. [ ]
.travis.yml as we use Salsa instead. [ ]
.dockerignore file to whitelist files we actually need in our container. (#105)
ENV when setting up the
DEBIAN_FRONTEND environment variable at runtime. (#103)
build-essential during build so we can install the recommended packages from Git. [ ]
shell=False keyword argument to
subprocess.Popen so that the potentially-unsafe
shell=True is more obvious. [ ]
MissingFile's special handling of
deb822 to prevent leaking through abstract layers. [ ][ ]
except block when cleaning up temporary files with respect to the
flake8 quality assurance tool. [ ]
dsc_in_same_dir to clarify the use of this variable. [ ]
debian_fallback class [ ] and add descriptions for the file types. [ ]
Openssl command class to
OpenSSLPKCS7 to accommodate other command names with this prefix. [ ]
--debugger command-line argument to
--pdb. [ ]
stat(2) birth times (i.e.
st_birthtime) in the same way we do with the
Change: times to fix a nondeterministic build failure in GNU Guix. (#74)
has_same_content method was called regardless of the underlying type of file. [ ]
debian/py3dist-overrides to ensure the
rpm-python module is used in package dependencies (#89) and moved to using the new
execute_before_* Debhelper rules [ ].
relative_url where possible [ ][ ] and move a number of configuration variables to
_config.yml [ ][ ].
golang-packaging (toolchain issue, affecting times in
jboss-logging-tools (toolchain issue, affecting date for
find output to avoid inheriting filesystem order)
moonjit (generate reproducible output by default if
vala (report ASLR nondeterminism)
1.8.1-1 to Debian unstable and Bernhard M. Wiedemann fixed an off-by-one error when parsing PNG image modification times. (#16) In disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, Chris Lamb replaced the term "dirents" with "directory entries" in human-readable output/log messages [ ] and applied the astyle source code formatter with the default settings to the main
disorderfs.cpp source file [ ]. Holger Levsen bumped the
debhelper-compat level to 13 in disorderfs [ ] and reprotest [ ], and for the GNU Guix distribution Vagrant Cascadian updated the versions of disorderfs to version 0.5.10 [ ] and diffoscope to version 145 [ ].
libtool. [ ]
_docs subdirectory to find the
_docs/index.md file after an internal move. (#27)
ltmain.sh etc. in preformatted quotes. [ ]
SOURCE_DATE_EPOCH Python examples onto more lines to prevent visual overflow on the page. [ ]
tests.reproducible-builds.org that, amongst many other tasks, tracks the status of our reproducibility efforts as well as identifies any regressions that have been introduced. Holger Levsen made the following changes:
let VARIABLE=0 exits with an error. [ ]
.buildinfo files with the same name. [ ]
/usr merge variation on Debian unstable. [ ]
molly-guard. [ ]
debrebuild script. [ ][ ][ ][ ]
.buildinfo files. [ ][ ]
alpine_schroot.sh script now that a patch for
abuild had been released upstream. [ ]
bcm47xx. [ ]
jenkins to run the
blacklist command [ ] and the usual build node maintenance was performed by Holger Levsen [ ][ ][ ], Mattia Rizzolo [ ][ ] and Vagrant Cascadian [ ][ ][ ].
To make the results accessible, storable and create tools around them, they should all follow the same schema, a reproducible builds verification format. The format tries to be as generic as possible to cover all open source projects offering precompiled source code. It stores the rebuilder results of what is reproducible and what not.
Hans-Christoph Steiner of the Guardian Project also continued his previous discussion regarding making our website translatable. Lastly, Leo Wandersleb posted a detailed request for feedback on a question of supply chain security and other issues of software review; Leo is the founder of the Wallet Scrutiny project which aims to prove the security of Android Bitcoin Wallets:
Do you own your Bitcoins or do you trust that your app allows you to use your coins while they are actually controlled by "them"? Do you have a backup? Do they have a copy they didn't tell you about? Did anybody check the wallet for deliberate backdoors or vulnerabilities? Could anybody check the wallet for those?
Elsewhere, Leo had posted instructions on his attempts to reproduce the binaries for the BlueWallet Bitcoin wallet for iOS and Android platforms.
This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
kernel.perf_event_paranoid sysctl knob has existed for a while, attempts to extend its control to block all
perf_event_open() calls have failed in the past. Distribution kernels have carried the rejected sysctl patch for many years, but now Joel Fernandes has implemented a solution that was deemed acceptable: instead of extending the sysctl, add LSM hooks so that LSMs (e.g. SELinux, AppArmor, etc.) can make these choices as part of their overall system policy. generic fast full
refcount_t hardening work for both x86 and arm64 and distilled the implementations into a single architecture-agnostic C version. The result was almost as fast as the x86 assembly version, but it covered more cases (e.g. increment-from-zero), and is now available by default for all architectures. (There is no longer any Kconfig associated with
refcount_t; the use of the primitive provides full coverage.)
linker script cleanup for exception tables
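As an added example (not the kernel's lib/refcount.c), here is a single-threaded C model of the checks the generic refcount_t performs: increment-from-zero, overflow and underflow each push the counter to the saturation value, so the object leaks rather than being freed while references are still live. The atomics and WARN_ONCE() are replaced by plain ints and a returned event code; REFCOUNT_SATURATED is the kernel's constant, and the demo_* scenarios are constructed.

```c
#include <limits.h>
#include <stdbool.h>

/* Added example: a single-threaded model of refcount_t's saturation
 * semantics, not lib/refcount.c. Plain ints replace the atomics and a
 * returned event code replaces WARN_ONCE(). */

#define REFCOUNT_SATURATED (INT_MIN / 2)   /* the kernel's pin value */

typedef struct { int refs; } refcount_t;
#define REFCOUNT_INIT(n) { (n) }

enum refcount_event {
    REFCOUNT_OK = 0,
    REFCOUNT_ADD_UAF,   /* increment from zero: the object was already freed */
    REFCOUNT_ADD_OVF,   /* increment would wrap: pinned at saturation */
    REFCOUNT_SUB_UAF,   /* decrement below zero: too many puts */
};

/* refcount_warn_saturate(): pin the count so the object leaks instead of
 * being freed later while references are still live. */
static enum refcount_event saturate(refcount_t *r, enum refcount_event ev)
{
    r->refs = REFCOUNT_SATURATED;
    return ev;
}

enum refcount_event refcount_inc(refcount_t *r)
{
    int old = r->refs;

    r->refs = (int)((unsigned)old + 1u);   /* wraps like the fetch_add */
    if (old == 0)
        return saturate(r, REFCOUNT_ADD_UAF);
    if (old < 0 || old == INT_MAX)          /* already saturated, or about to wrap */
        return saturate(r, REFCOUNT_ADD_OVF);
    return REFCOUNT_OK;
}

/* True exactly once, when the last reference goes away. */
bool refcount_dec_and_test(refcount_t *r, enum refcount_event *ev)
{
    int old = r->refs;

    r->refs = (int)((unsigned)old - 1u);
    *ev = REFCOUNT_OK;
    if (old == 1)
        return true;
    if (old <= 0)                           /* underflow, or already saturated */
        *ev = saturate(r, REFCOUNT_SUB_UAF);
    return false;
}

/* --- constructed scenarios --- */

/* Two holders, two puts: exactly one free. */
int demo_lifecycle_frees(void)
{
    refcount_t r = REFCOUNT_INIT(1);
    enum refcount_event ev;
    int frees = 0;

    refcount_inc(&r);
    frees += refcount_dec_and_test(&r, &ev);
    frees += refcount_dec_and_test(&r, &ev);
    return frees;                           /* 1 */
}

/* Taking a reference on a zero count is the use-after-free signature. */
enum refcount_event demo_inc_from_zero(void)
{
    refcount_t r = REFCOUNT_INIT(0);
    return refcount_inc(&r);                /* REFCOUNT_ADD_UAF */
}

/* Overflow attempt: once saturated, no number of puts ever frees. */
int demo_overflow_never_frees(void)
{
    refcount_t r = REFCOUNT_INIT(INT_MAX);
    enum refcount_event ev;

    if (refcount_inc(&r) != REFCOUNT_ADD_OVF || r.refs != REFCOUNT_SATURATED)
        return 0;
    for (int i = 0; i < 1000; i++)
        if (refcount_dec_and_test(&r, &ev))
            return 0;                       /* would have been a free */
    return 1;
}

/* Double put: the second decrement is reported, not silently negative. */
enum refcount_event demo_double_put(void)
{
    refcount_t r = REFCOUNT_INIT(1);
    enum refcount_event ev;

    refcount_dec_and_test(&r, &ev);         /* true: last reference */
    refcount_dec_and_test(&r, &ev);         /* old == 0 */
    return ev;                              /* REFCOUNT_SUB_UAF */
}
```

The pin value is negative, so every later inc or dec lands in the "old < 0" branches and re-saturates; the object is never released, which turns a would-be use-after-free into a memory leak and a log line.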
SECCOMP_RET_USER_NOTIF interface was added, it seemed like it would only be used in very limited conditions, so the idea of needing to handle "normal" requests didn't seem very onerous. However, since then, it has become clear that the overhead of a monitor process needing to perform lots of normal
open() calls on behalf of the monitored process started to look more and more slow and fragile. To deal with this, it became clear that there needed to be a way for the
USER_NOTIF interface to indicate that seccomp should just continue as normal and allow the syscall without any special handling. Christian Brauner implemented
SECCOMP_USER_NOTIF_FLAG_CONTINUE to get this done. It comes with a bit of a disclaimer due to the chance that monitors may use it in places where ToCToU is a risk, and for possible conflicts with
SECCOMP_RET_TRACE. But overall, this is a net win for container monitoring tools.
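An added example, not from this post or from any real container runtime, tying together the two user-notification items on this page (SECCOMP_IOCTL_NOTIF_ADDFD in the v5.9 notes above and SECCOMP_USER_NOTIF_FLAG_CONTINUE here): a supervisor that emulates connect() by connecting itself and injecting the socket over the target's own descriptor, and that uses FLAG_CONTINUE only for decisions based on register arguments, re-checking the notification id after it has read target memory. The filter, the policy (deny writable openat(), continue read-only openat(), emulate connect()) and the SOCK_STREAM assumption are constructed for the example; the fallback definitions reproduce the 5.9 UAPI, and the ADDFD path needs a 5.9 kernel to run. The target installs supervisor_prog with seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &supervisor_prog) after PR_SET_NO_NEW_PRIVS and hands the returned fd (for example over SCM_RIGHTS) to supervise().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Added example, not from the post or any container runtime. The fallbacks
 * mirror the 5.9 UAPI so this also builds against older headers. */
#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
#endif
#ifndef SECCOMP_IOCTL_NOTIF_ADDFD
struct seccomp_notif_addfd { __u64 id; __u32 flags, srcfd, newfd, newfd_flags; };
#define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0)
#define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOW(3, struct seccomp_notif_addfd)
#endif
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "set SECCOMP_ARCH to this architecture's AUDIT_ARCH_* value"
#endif

/* Kill on a foreign arch, notify for connect() and openat(), allow the rest. */
static struct sock_filter supervisor_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
const struct sock_fprog supervisor_prog = {
    sizeof(supervisor_filter) / sizeof(supervisor_filter[0]), supervisor_filter };

enum action { ACT_CONTINUE, ACT_DENY, ACT_EMULATE };

/* FLAG_CONTINUE is safe only when the decision rests on data the target
 * cannot change after we look. Syscall number and register arguments are a
 * snapshot in the notification; a path read from target memory is not (it
 * can be swapped after the check: ToCToU), so pointer-taking calls are
 * emulated, never continued. */
enum action decide_syscall(int nr, const __u64 *args)
{
    if (nr == __NR_connect)
        return ACT_EMULATE;
    if (nr == __NR_openat)
        return (args[2] & (O_WRONLY | O_RDWR)) ? ACT_DENY : ACT_CONTINUE;
    return ACT_DENY;
}

/* Connect on the target's behalf, then install the connected socket over
 * the target's own descriptor (args[0]) so its connect() returns 0 with a
 * live fd. Assumes SOCK_STREAM (constructed simplification). */
static long emulate_connect(int nfd, const struct seccomp_notif *req)
{
    struct seccomp_notif_addfd addfd = { .id = req->id,
        .flags = SECCOMP_ADDFD_FLAG_SETFD, .newfd = (__u32)req->data.args[0] };
    struct sockaddr_storage addr;
    socklen_t len = (socklen_t)req->data.args[2];
    char path[32];
    int mem, sock;
    long ret = -EFAULT;

    if (len > sizeof(addr))
        return -EINVAL;
    snprintf(path, sizeof(path), "/proc/%u/mem", (unsigned)req->pid);
    if ((mem = open(path, O_RDONLY | O_CLOEXEC)) < 0)
        return ret;
    if (pread(mem, &addr, len, (off_t)req->data.args[1]) == (ssize_t)len)
        ret = 0;
    close(mem);
    /* The pid may have been reused while we read: trust the bytes only if
     * the notification is still live, otherwise drop them. */
    if (ret == 0 && ioctl(nfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0)
        ret = -ENOENT;
    if (ret)
        return ret;
    if ((sock = socket(addr.ss_family, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
        return -errno;
    addfd.srcfd = (__u32)sock;
    if (connect(sock, (struct sockaddr *)&addr, len) < 0 ||
        ioctl(nfd, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) < 0)
        ret = -errno;
    close(sock);   /* on success the target now holds its own reference */
    return ret;
}

/* Supervisor loop over the listener fd. ENOENT from SEND means the target
 * died before we answered, which is not a supervisor error. */
int supervise(int nfd)
{
    struct seccomp_notif req;

    for (;;) {
        memset(&req, 0, sizeof(req));
        if (ioctl(nfd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        struct seccomp_notif_resp resp = { .id = req.id };
        switch (decide_syscall(req.data.nr, req.data.args)) {
        case ACT_CONTINUE: resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; break;
        case ACT_DENY:     resp.error = -EPERM; break;
        case ACT_EMULATE:  resp.error = (__s32)emulate_connect(nfd, &req); break;
        }
        if (ioctl(nfd, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0 && errno != ENOENT)
            return -1;
    }
}
```

The order inside emulate_connect() is the point of the ToCToU caveat: the sockaddr is copied out of the target first, the id is validated second, and only then does the supervisor act on the bytes. A supervisor that instead read a path, decided it was harmless, and answered with FLAG_CONTINUE would let the kernel re-read a path the target may have changed in the meantime.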
CONFIG_FORTIFY_SOURCE, so compile-time (and some run-time) buffer overflows during calls to the
strcpy() family of functions will be detected. limit
copy_{to,from}_user() size to
strscpy(), I went ahead and limited the size of
INT_MAX in order to catch any weird overflows in size calculations.
Other things
vmalloc(). More specifically, this means KASan can examine the stack again, since it can be in that region since
2020, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
88~bpo9+1 to stretch-backports.
reprotest development
util-linux confirmed bug in nsenter, awaiting fix.
/contribute/ on our main website.
CONFIG_VMAP_STACK for arm64, which moves the kernel stack to an isolated and guard-paged vmap area. With traditional stacks, there were two major risks when exhausting the stack: overwriting the
thread_info structure (which contained the
addr_limit field which is checked during
copy_to/from_user()), and overwriting neighboring stacks (or other things allocated next to the stack). While arm64 previously moved its thread_info off the stack to deal with the former issue, this vmap change adds the last bit of protection by nature of the vmap guard pages. If the kernel tries to write past the end of the stack, it will hit the guard page and fault. (Testing for this is now possible via LKDTM's
STACK_GUARD_PAGE_LEADING/TRAILING tests.) One aspect of the guard page protection that will need further attention (on all architectures) is that if the stack grew because of a giant Variable Length Array on the stack (effectively an implicit
alloca() call), it might be possible to jump over the guard page entirely (as seen in the userspace Stack Clash attacks). Thankfully the use of VLAs is rare in the kernel. In the future, hopefully we'll see the addition of PaX/grsecurity's STACKLEAK plugin which, in addition to its primary purpose of clearing the kernel stack on return to userspace, makes sure stack expansion cannot skip over guard pages. This stack probing ability will likely also become directly available from the compiler as well.
addr_limit field mentioned above, another class of bug is finding a way to force the kernel into accidentally leaving
addr_limit open to kernel memory through an unbalanced call to
set_fs(). In some areas of the kernel, in order to reuse userspace routines (usually VFS or compat related), code will do something like:
set_fs(KERNEL_DS); ...some code here...; set_fs(USER_DS);. When the
USER_DS call goes missing (usually due to a buggy error path or exception), subsequent system calls can suddenly start writing into kernel memory via
copy_to_user() (where the "to user" really means "within the
addr_limit range"). Thomas Garnier implemented USER_DS checking at syscall exit time for x86, arm, and arm64. This means that a broken
set_fs() setting will not extend beyond the buggy syscall that fails to set it back to
USER_DS. Additionally, as part of the discussion on the best way to deal with this feature, Christoph Hellwig and Al Viro (and others) have been making extensive changes to avoid the need for
set_fs() being used at all, which should greatly reduce the number of places where it might be possible to introduce such a bug in the future.
SLUB freelist hardening
CONFIG_SLAB_FREELIST_HARDENED, makes freelist pointer overwrites very hard to exploit unless an attacker has found a way to expose both the random value and the pointer location. This should render blind heap overflow bugs much more difficult to exploit. Additionally, Alexander Popov implemented a simple double-free defense, similar to the "fasttop" check in the GNU C library, which will catch sequential
free()s of the same pointer. (And has already uncovered a bug.) Future work would be to provide similar metadata protections to the SLAB allocator (though SLAB doesn't store its freelist within the individual unused objects, so it has a different set of exposures compared to SLUB).
setuid-exec stack limitation
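An added example (a userspace model, not mm/slub.c or mm/slab.c) of the three checks described here and in the v5.9 SLAB item earlier on this page: freelist pointer obfuscation with a per-cache secret, the naive double-free check, and cross-cache free detection. The cache layout, object size, secret values and the overflow scenario are constructed for the example, and a 64-bit build is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: a userspace model, not mm/slub.c or mm/slab.c. Free objects
 * keep their "next" link in their first word, as SLUB does; the cache keeps
 * a per-cache secret (get_random_long() in the kernel). 64-bit assumed. */
#define OBJ_SIZE 32
#define NR_OBJS  8

struct toy_cache {
    int hardened;        /* 0: plain links, 1: CONFIG_SLAB_FREELIST_HARDENED style */
    uint64_t random;
    void *freelist;      /* head, kept in the cache struct as a plain pointer */
    uint8_t arena[NR_OBJS * OBJ_SIZE] __attribute__((aligned(16)));
};

enum free_result { FREE_OK, FREE_DOUBLE, FREE_WRONG_CACHE };

/* SLUB's freelist_ptr(): stored = next ^ random ^ swab(address of the slot).
 * XOR is its own inverse, so one routine both encodes and decodes. A blind
 * overwrite of the slot decodes to garbage unless the attacker also knows
 * 'random' and the slot address. */
static void *freelist_ptr(const struct toy_cache *s, void *next, void *slot)
{
    if (!s->hardened)
        return next;
    return (void *)(uintptr_t)((uint64_t)(uintptr_t)next ^ s->random ^
                               __builtin_bswap64((uint64_t)(uintptr_t)slot));
}

static void set_freepointer(struct toy_cache *s, void *obj, void *next)
{
    *(void **)obj = freelist_ptr(s, next, obj);
}

static void *get_freepointer(struct toy_cache *s, void *obj)
{
    return freelist_ptr(s, *(void **)obj, obj);
}

/* Stand-in for the page->slab_cache lookup: is this object one of ours? */
static int in_cache(const struct toy_cache *s, const void *p)
{
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)s->arena;

    return a >= base && a < base + sizeof(s->arena) && (a - base) % OBJ_SIZE == 0;
}

void cache_init(struct toy_cache *s, int hardened, uint64_t random)
{
    s->hardened = hardened;
    s->random = random;
    s->freelist = NULL;
    for (int i = NR_OBJS - 1; i >= 0; i--) {  /* push in reverse: slot 0 is head */
        void *obj = s->arena + i * OBJ_SIZE;

        set_freepointer(s, obj, s->freelist);
        s->freelist = obj;
    }
}

void *cache_alloc(struct toy_cache *s)
{
    void *obj = s->freelist;

    if (!obj)
        return NULL;
    s->freelist = get_freepointer(s, obj);
    memset(obj, 0, OBJ_SIZE);
    return obj;
}

enum free_result cache_free(struct toy_cache *s, void *obj)
{
    if (!in_cache(s, obj))
        return FREE_WRONG_CACHE;   /* freed into a cache it never came from */
    if (obj == s->freelist)
        return FREE_DOUBLE;        /* SLUB: BUG_ON(object == fp) in set_freepointer() */
    set_freepointer(s, obj, s->freelist);
    s->freelist = obj;
    return FREE_OK;
}

/* --- constructed scenarios --- */
static struct toy_cache cache_a, cache_b;
#define SECRET_A 0x9e3779b97f4a7c15ull
#define SECRET_B 0x2545f4914f6cdd1dull

enum free_result demo_double_free(void)
{
    cache_init(&cache_a, 1, SECRET_A);
    void *p = cache_alloc(&cache_a);

    cache_free(&cache_a, p);
    return cache_free(&cache_a, p);        /* FREE_DOUBLE */
}

enum free_result demo_cross_cache_free(void)
{
    cache_init(&cache_a, 1, SECRET_A);
    cache_init(&cache_b, 1, SECRET_B);
    return cache_free(&cache_b, cache_alloc(&cache_a));   /* FREE_WRONG_CACHE */
}

/* A linear overflow from live object x into the free slot behind it
 * overwrites that slot's link with an attacker-chosen address. Returns 1 if
 * the allocator would later decode exactly that address as the next object. */
int demo_blind_overwrite_hits(int hardened)
{
    cache_init(&cache_a, hardened, SECRET_A);
    uint8_t *x = cache_alloc(&cache_a);    /* slot 0, attacker writes here */
    void *y = cache_alloc(&cache_a);       /* slot 1 */
    void *target = (void *)(uintptr_t)0x4141414141414141ull;  /* constructed */

    cache_free(&cache_a, y);               /* slot 1 is now the freelist head */
    memcpy(x + OBJ_SIZE, &target, sizeof(target));        /* the overflow */
    return get_freepointer(&cache_a, y) == target;
}
```

The double-free check is exactly as naive as the post says: it only catches a free of the object that is currently at the head of the freelist, so free(a), free(b), free(a) still goes unnoticed here, as it does in the kernel's BUG_ON().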
CONFIG_GCC_PLUGIN_RANDSTRUCT, now includes one of the major targets of exploits: function pointer structures. Without knowing the build-randomized location of a callback pointer an attacker needs to overwrite in a structure, exploits become much less reliable.
structleak passed-by-reference variable initialization
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. Normally the compiler will yell if a variable is used before being initialized, but it silences this warning if the variable's address is passed into a function call first, as it has no way to tell if the function did actually initialize the contents. So the plugin now zero-initializes such variables (if they hadn't already been initialized) before the function call that takes their address. Enabling this feature has a small performance impact, but solves many stack content exposure flaws. (In fact at least one such flaw reported during the v4.15 development cycle was mitigated by this plugin.)
improved boot entropy
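An added example, not the plugin's code, of the by-reference case: a struct whose address is passed to a helper that fills in only some fields, after which the whole object is copied out (the kernel analogue being copy_to_user()). The struct, the helper and the buffer are constructed for the example; the memset stands in for the store the plugin inserts before the address escapes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (userspace model, not the STRUCTLEAK plugin). */
struct dev_info {
    uint16_t id;        /* two bytes of padding follow before 'caps' */
    uint32_t caps;
    uint64_t serial;    /* never written by fill_dev_info() */
};

/* The callee that is supposed to initialise *info but only does so partly.
 * Because &info escaped into this call, the compiler cannot tell whether
 * the remaining bytes were ever written and stays silent. */
static void fill_dev_info(struct dev_info *info, uint16_t id)
{
    info->id = id;
    info->caps = 0x5;
}

/* Leaky shape: every byte of 'info' is copied out, padding and the
 * never-assigned 'serial' included (kernel analogue: copy_to_user()).
 * Reading those bytes is undefined behaviour, so this variant is never
 * called here; it is kept for contrast. */
size_t export_dev_info_leaky(uint8_t *out, uint16_t id)
{
    struct dev_info info;

    fill_dev_info(&info, id);
    memcpy(out, &info, sizeof(info));
    return sizeof(info);
}

/* What STRUCTLEAK_BYREF_ALL inserts for you: zero the object before its
 * address escapes. memset is used rather than "= {0}" because the C
 * standard does not promise that an initializer clears padding. */
size_t export_dev_info_fixed(uint8_t *out, uint16_t id)
{
    struct dev_info info;

    memset(&info, 0, sizeof(info));
    fill_dev_info(&info, id);
    memcpy(out, &info, sizeof(info));
    return sizeof(info);
}

/* 1 if every byte the callee did not set (padding after 'id', all of
 * 'serial') is zero in the exported buffer. */
int stale_bytes_cleared(const uint8_t *out)
{
    size_t i;

    for (i = sizeof(uint16_t); i < offsetof(struct dev_info, caps); i++)
        if (out[i])
            return 0;
    for (i = offsetof(struct dev_info, serial); i < sizeof(struct dev_info); i++)
        if (out[i])
            return 0;
    return 1;
}

uint8_t demo_export_buf[sizeof(struct dev_info)];

int demo_fixed_export_is_clean(void)
{
    export_dev_info_fixed(demo_export_buf, 0x1234);
    return stale_bytes_cleared(demo_export_buf);
}
```

Ten of the sixteen exported bytes are never touched by fill_dev_info(); with the plugin (or the memset) they leave as zeros, without it they carry whatever the previous call left in that stack slot.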
SECCOMP_FILTER_FLAG_LOG, he added a new action result,
SECCOMP_RET_LOG. With these changes in place, it should be much easier for developers to inspect the results of seccomp filters, and for process launchers to generate logs for their child processes operating under a seccomp filter. Additionally, I finally found a way to implement an often-requested feature for seccomp, which was to kill an entire process instead of just the offending thread. This was done by creating the
SECCOMP_RET_ACTION_FULL mask (née
SECCOMP_RET_ACTION) and implementing
SECCOMP_RET_KILL_PROCESS. That's it for now; please let me know if I missed anything. The v4.15 merge window is now open!
2017, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
armhf build machines to stretch.
git log -1 > .html to node document environment().
postgres-9.4 from jenkins, so we could test our backups
CONFIG_IP_MULTIPLE_TABLES options enabled (however, no IP rules are used). Some other unrelated options are enabled to be able to boot them in a virtual machine and run the benchmark. The measurements are done in a virtual machine with one vCPU. The host is an Intel Core i5-4670K and the CPU governor was set to "performance". The benchmark is single-threaded. Implemented as a kernel module, it calls
fib_lookup() with various destinations in 100,000 timed iterations and keeps the median. Timings of individual runs are computed from the TSC (and converted to nanoseconds by assuming a constant clock). The following kernel versions bring a notable performance improvement:
CONFIG_IP_MULTIPLE_TABLES option doesn't impact performance unless some IP rules are configured. This version also removes the route cache (commit 5e9965c15ba8). However, this has no effect on the benchmark as it directly calls
fib_lookup() which doesn't involve the cache.
ar deterministically for Homebrew, a package manager for macOS. Dan Kegel worked on using
SOURCE_DATE_EPOCH and other reproducibility fixes in fpm, a multi-platform package builder. The Fedora Haskell team disabled parallel builds to achieve reproducible builds. Bernhard M. Wiedemann submitted many patches upstream:
html-dir output for very large diffs such as those for GCC. So far, this includes unreleased work on a
PartialString data structure which will form a core part of a new and more intelligent recursive display algorithm.
strip-nondeterminism development
Version 0.035-1 was uploaded to unstable from experimental by Chris Lamb. It included contributions from:
sha256sum before calling diffoscope. The LEDE build consists of 1000 packages; using diffoscope to detect whether two packages are identical takes 3 seconds on average, while calling
sha256sum on those small packages takes less than a second, so this reduces the runtime from 3h to 2h (roughly). For Debian package builds this is negligible, as each build takes several minutes anyway, so adding 3 seconds to each build doesn't matter much.
toolchain.html creation to the remote node, as this is where the toolchain is built.
pb3+4-amd64 (used for coreboot, LEDE, OpenWrt, NetBSD, Fedora and Arch Linux tests) to Stretch
Source Distribution | Backports Distribution | Sloppy Distribution
Debian needs feature X but it is already in the enterprise version. We make a patch and, for commercial reasons, it never gets merged (they already sell it in the enterprise version). Which means we will have to fork the software and keep those patches forever. Been there done that. For me, that isn't acceptable.
This concern was further deepened when GitLab's Director of Strategic Partnerships, Eliran Mesika, explained the company's stewardship policy that explains how GitLab decides which features end up in the proprietary version. Praveen pointed out that:
[...] basically it boils down to features that they consider important for organizations with less than 100 developers may get accepted. I see that as a red flag for a big community like debian.
Since there are over 600 Debian Developers, the community seems to fall within the needs of "enterprise" users. The features the Debian community may need are, by definition, appropriate only to the "Enterprise Edition" (GitLab EE), the non-free version, and are therefore unlikely to end up in the "Community Edition" (GitLab CE), the free-software version. Interestingly, Mesika asked for clarification on which features were missing, explaining that GitLab is actually open to adding features to GitLab CE. The response from Debian Developer Holger Levsen was categorical: "It's not about a specific patch. Free GitLab and we can talk again." But beyond the practical and ethical concerns, some specific features Debian needs are currently only in GitLab EE. For example, debian.org systems use LDAP for authentication, which would obviously be useful in a GitLab deployment; GitLab CE supports basic LDAP authentication, but advanced features, like group or SSH-key synchronization, are only available in GitLab EE. Wirt also expressed concern about the Contributor License Agreement that GitLab B.V. requires contributors to sign when they send patches, which forces users to allow the release of their code under a non-free license. The debate then went on through an exhaustive inventory of different free-software alternatives:
On the mailing list it seemed that some Debian maintainers do not agree with our open core business model and demand that there is no proprietary version. We respect that position but we don't think we can compete with the purely proprietary software like GitHub with this model.
Personally I'm leaning towards the feeling that all configuration, code and dependencies for Debian services should be packaged and subjected to the usual Debian QA activities but I acknowledge that the current archive setup (testing migration plus backporting etc) doesn't necessarily make this easy.Wise did say that "DSA doesn't have any hard rules/policy written down, just evaluation on a case-by-case basis" which probably means that pagure packaging will not be a blocker for deployment. The last pending issue is the question of the mailing lists hosted on Alioth, as pagure doesn't offer mailing list management (nor does GitLab). In fact, there are three different mailing list services for the Debian project:
Note: this article first appeared in the Linux Weekly News.
tar --sort=name we need to compile tar before downloading everything
CONFIG_AUTOREMOVE to reduce required space
build_dir because the former is persistent among the two builds.
git reset/clean like Jenkins does
WORKSPACE dir names, as WORKSPACE cannot be generated from
$0 as it's a temporary name.