[tor-bugs] #8491 [Tor bundles/installation]: build hardening for TBB

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 16 19:39:56 UTC 2013


#8491: build hardening for TBB
--------------------------------------+-------------------------------------
 Reporter:  ioerror                   |          Owner:  mikeperry
     Type:  enhancement               |         Status:  new      
 Priority:  major                     |      Milestone:           
Component:  Tor bundles/installation  |        Version:           
 Keywords:                            |         Parent:           
   Points:                            |   Actualpoints:           
--------------------------------------+-------------------------------------
 I was looking at the latest 64bit stable tbb and ran scanelf on it:

 {{{
 ~/tor-browser_en-US % find .| xargs -n 1 scanelf -a -v
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4
 ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0
 ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia
 ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so
  TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
 ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor
 }}}

 The output is explained in the pax-utils documentation:
 http://www.gentoo.org/proj/en/hardened/pax-utils.xml

 A few things come to mind - one is that all our binaries should be set to
 BIND 'NOW' at run time. There are likely other things we could/should
 improve about these builds.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8491>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
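Editor's note, added to this archived ticket and not part of ioerror's report or of pax-utils: the columns that matter in the listing above are TYPE (ET_DYN for an executable means PIE; every TBB executable here is ET_EXEC), REL (the "R--" that only ./App/tor shows is a PT_GNU_RELRO segment), RPATH (the Qt libraries and tor carry the builder's /srv/build-trees path) and BIND (LAZY everywhere except tor). BIND NOW is what `-Wl,-z,now` produces; combined with `-Wl,-z,relro` it gives "full RELRO", which lets the loader resolve every GOT entry before main() and then map the GOT read-only, so a write primitive can no longer redirect a PLT call. The example below re-implements these checks by parsing the ELF header, program headers and dynamic section directly, so the reader can see which dynamic tags scanelf is summarising. It handles only 64-bit little-endian ELF (what the listing shows); `build_elf` constructs synthetic test images and is not a loadable program; the remediation strings in `hardening_findings` are the standard GCC/binutils flags, not anything the ticket prescribes.

```python
"""Re-implementation of the checks behind scanelf's TYPE, TEXTREL, RPATH and
BIND columns (plus RELRO) for 64-bit little-endian ELF, using only struct.
Added example for this ticket, not code from Tor or from pax-utils."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3  # constants from <elf.h>
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_RPATH, DT_TEXTREL, DT_BIND_NOW, DT_RUNPATH = 0, 5, 15, 22, 24, 29
DT_FLAGS, DT_FLAGS_1 = 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes

def _vaddr_to_offset(phdrs, vaddr):
    for p in phdrs:  # p = (type, flags, offset, vaddr, paddr, filesz, memsz, align)
        if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
            return vaddr - p[3] + p[2]
    raise ValueError("address 0x%x is not file-backed" % vaddr)

def inspect_elf(data):
    """Return the link-time properties scanelf prints for one ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    # The dynamic section is where ld records -z now, -z relro and -rpath.
    dyn = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off, end = p[2], p[2] + p[5]
            while off + DYN.size <= end:
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn.setdefault(tag, []).append(val)
                off += DYN.size
    flags, flags_1 = dyn.get(DT_FLAGS, [0])[0], dyn.get(DT_FLAGS_1, [0])[0]
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    textrel = DT_TEXTREL in dyn or bool(flags & DF_TEXTREL)
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    rpaths = []
    if DT_STRTAB in dyn:
        strtab = _vaddr_to_offset(phdrs, dyn[DT_STRTAB][0])
        for tag in (DT_RPATH, DT_RUNPATH):
            for val in dyn.get(tag, []):
                rpaths.append(data[strtab + val:data.index(b"\0", strtab + val)].decode())
    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, "other"),
        "bind": "NOW" if bind_now else "LAZY",
        "textrel": textrel,
        "rpath": rpaths,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
    }

def hardening_findings(info, is_executable):
    """Turn inspect_elf() output into the complaints a build reviewer would raise."""
    findings = []
    if is_executable and info["type"] != "ET_DYN":
        findings.append("not PIE: build with -fPIE -pie so ASLR covers the main image")
    if info["bind"] != "NOW":
        findings.append("lazy binding: link with -Wl,-z,now so the GOT is resolved before main()")
    if info["relro"] == "none":
        findings.append("no RELRO: link with -Wl,-z,relro (full RELRO also needs -z now)")
    if info["textrel"]:
        findings.append("TEXTREL: code pages must be writable at load time; rebuild with -fPIC")
    for path in info["rpath"]:
        findings.append("RPATH %r: discloses the build tree and is searched at load time" % path)
    return findings

def build_elf(e_type, dyn_entries, relro=False):
    """Constructed test input: a minimal ELF64 image (not loadable) with header, program
    headers, strtab and dynamic section in one PT_LOAD at vaddr 0, so offsets == addresses."""
    phnum = 3 if relro else 2
    strtab_off = EHDR.size + PHDR.size * phnum
    strtab, entries = b"\0", []
    for tag, val in dyn_entries:
        if isinstance(val, str):  # a str value is placed in the string table
            val, strtab = len(strtab), strtab + val.encode() + b"\0"
        entries.append((tag, val))
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(DYN.pack(t, v) for t, v in [(DT_STRTAB, strtab_off)] + entries + [(DT_NULL, 0)])
    total = dyn_off + len(dyn)
    phdrs = PHDR.pack(PT_LOAD, 6, 0, 0, 0, total, total, 0x1000)
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + strtab.ljust(dyn_off - strtab_off, b"\0") + dyn

if __name__ == "__main__":  # usage: python elfcheck.py ./App/tor ./Lib/libssl.so.1.0.0
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = inspect_elf(f.read())
        print(path, info, hardening_findings(info, ".so" not in path))
```

Run against the bundle, a libssl.so.1.0.0 built like the one in the listing reports LAZY binding and no RELRO, and ./App/tor reports NOW with full RELRO but still flags the embedded RPATH and the non-PIE ET_EXEC type. The `".so" not in path` heuristic in the usage block only decides whether the PIE check applies; a PIE executable is itself ET_DYN, so that check cannot be made from the ELF type alone.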