Use hardening for building all tools & libraries

This does not affect the wheels that are produced by end users as proposed in pypa#59 but mitigates potential security issues in the tools used by manylinux images as mentioned in pypa#1005
mayeut · Feb 21, 2021 · 776658a · 776658a
1 parent 2c345f8
commit 776658a
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 4 deletions.
diff --git a/docker/build_scripts/build-cmake.sh b/docker/build_scripts/build-cmake.sh
@@ -19,6 +19,10 @@ fetch_source cmake-${CMAKE_VERSION}.tar.gz ${CMAKE_DOWNLOAD_URL}/v${CMAKE_VERSIO
 check_sha256sum cmake-${CMAKE_VERSION}.tar.gz ${CMAKE_HASH}
 tar -xzf cmake-${CMAKE_VERSION}.tar.gz
 pushd cmake-${CMAKE_VERSION}
+export CPPFLAGS="${MANYLINUX_CPPFLAGS}"
+export CFLAGS="${MANYLINUX_CFLAGS} ${CPPFLAGS}"
+export CXXFLAGS="${MANYLINUX_CXXFLAGS} ${CPPFLAGS}"
+export LDFLAGS="${MANYLINUX_LDFLAGS}"
 ./bootstrap --system-curl --parallel=$(nproc)
 make -j$(nproc)
 make install DESTDIR=/manylinux-rootfs

diff --git a/docker/build_scripts/build-cpython.sh b/docker/build_scripts/build-cpython.sh
@@ -32,7 +32,20 @@ tar -xzf Python-${CPYTHON_VERSION}.tgz
 pushd Python-${CPYTHON_VERSION}
 PREFIX="/opt/_internal/cpython-${CPYTHON_VERSION}"
 mkdir -p ${PREFIX}/lib
-./configure --prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+# configure with hardening options only for the interpreter & stdlib C extensions
+# do not change the default for user built extension (yet?)
+if [ "${CPYTHON_VERSION:0:4}" == "3.5." ]; then
+	./configure \
+		CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS}" \
+		--prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+	# those are not picked-up by distutils in CPython 3.5 which has no LDFLAGS_NODIST option in configure
+	export LDFLAGS="${MANYLINUX_LDFLAGS}"
+else
+	./configure \
+		CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS}" \
+		LDFLAGS_NODIST="${MANYLINUX_LDFLAGS}" \
+		--prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+fi
 make -j$(nproc) > /dev/null
 make -j$(nproc) install > /dev/null
 popd

diff --git a/docker/build_scripts/build-git.sh b/docker/build_scripts/build-git.sh
@@ -19,7 +19,7 @@ fetch_source ${GIT_ROOT}.tar.gz ${GIT_DOWNLOAD_URL}
 check_sha256sum ${GIT_ROOT}.tar.gz ${GIT_HASH}
 tar -xzf ${GIT_ROOT}.tar.gz
 pushd ${GIT_ROOT}
-make -j$(nproc) install prefix=/usr/local NO_GETTEXT=1 NO_TCLTK=1 DESTDIR=/manylinux-rootfs
+make -j$(nproc) install prefix=/usr/local NO_GETTEXT=1 NO_TCLTK=1 DESTDIR=/manylinux-rootfs CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS}" CXXFLAGS="${MANYLINUX_CXXFLAGS}" LDFLAGS="${MANYLINUX_LDFLAGS}"
 popd
 rm -rf ${GIT_ROOT} ${GIT_ROOT}.tar.gz
 

diff --git a/docker/build_scripts/build-openssl.sh b/docker/build_scripts/build-openssl.sh
@@ -35,7 +35,7 @@ fetch_source ${OPENSSL_ROOT}.tar.gz ${OPENSSL_DOWNLOAD_URL}
 check_sha256sum ${OPENSSL_ROOT}.tar.gz ${OPENSSL_HASH}
 tar -xzf ${OPENSSL_ROOT}.tar.gz
 pushd ${OPENSSL_ROOT}
-./config no-shared -fPIC --prefix=/usr/local/ssl --openssldir=/usr/local/ssl > /dev/null
+./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS} -fPIC" CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
 make > /dev/null
 make install_sw > /dev/null
 popd

diff --git a/docker/build_scripts/build-swig.sh b/docker/build_scripts/build-swig.sh
@@ -24,6 +24,10 @@ tar -xzf ${SWIG_ROOT}.tar.gz
 pushd ${SWIG_ROOT}
 fetch_source ${PCRE_ROOT}.tar.gz ${PCRE_DOWNLOAD_URL}
 check_sha256sum ${PCRE_ROOT}.tar.gz ${PCRE_HASH}
+export CPPFLAGS="${MANYLINUX_CPPFLAGS}"
+export CFLAGS="${MANYLINUX_CFLAGS}"
+export CXXFLAGS="${MANYLINUX_CXXFLAGS}"
+export LDFLAGS="${MANYLINUX_LDFLAGS}"
 ./Tools/pcre-build.sh
 ./configure
 make -j$(nproc)

diff --git a/docker/build_scripts/build_utils.sh b/docker/build_scripts/build_utils.sh
@@ -2,6 +2,13 @@
 # Helper utilities for build
 
 
+# use all flags used by ubuntu 20.04 for hardening builds, dpkg-buildflags --export
+MANYLINUX_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
+MANYLINUX_CFLAGS="-g -O2 -Wall -fdebug-prefix-map=/=. -fstack-protector-strong -Wformat -Werror=format-security"
+MANYLINUX_CXXFLAGS="-g -O2 -Wall -fdebug-prefix-map=/=. -fstack-protector-strong -Wformat -Werror=format-security"
+MANYLINUX_LDFLAGS="-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now"
+
+
 function check_var {
     if [ -z "$1" ]; then
         echo "required variable not defined"
@@ -38,7 +45,7 @@ function check_sha256sum {
 
 
 function do_standard_install {
-    ./configure "$@" > /dev/null
+    ./configure "$@" CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS}" "CXXFLAGS=${MANYLINUX_CXXFLAGS}" LDFLAGS="${MANYLINUX_LDFLAGS}" > /dev/null
     make -j$(nproc) > /dev/null
     make -j$(nproc) install > /dev/null
 }