From 947c61d792cff9718e4c3d3c239c38b20454be68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Sun, 22 Dec 2024 18:11:30 +0100
Subject: [PATCH] Makefile: Apply minimum hardening to libs and applications.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This enables stack-protector-strong with _FORTIFY_SOURCE=2, and the
following linker flags:

  -Wl,-z,defs: Disallows undefined symbols at link-time.
  -Wl,-z,relro: Relocation Read-Only protects the Global Offset Table (GOT)
                in ELF binaries from being overwritten.
  -Wl,-z,now: Tell the dynamic linker to resolve all symbols when the
              program is started, or when the shared library is loaded.

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
 ChangeLog | 11 +++++++++++
 Make.defs |  7 ++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 88189f9..001f011 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,17 @@
 	proceeding.
 	* progs/tcb_unconvert.c (main): Likewise.
 
+	Makefile: Apply minimum hardening to libs and applications.
+	This enables stack-protector-strong with _FORTIFY_SOURCE=2, and the
+	following linker flags:
+	-Wl,-z,defs: Disallows undefined symbols at link-time.
+	-Wl,-z,relro: Relocation Read-Only protects the Global Offset Table
+		      (GOT) in ELF binaries from being overwritten.
+	-Wl,-z,now: Tell the dynamic linker to resolve all symbols when the
+		    program is started, or when the shared library is loaded.
+	* Make.defs: Define HARDENING_(C|LD)FLAGS, and prepend to coresponding
+	CFLAGS or LDFLAGS variable.
+
 2024-12-20  Björn Esser  <besser82 at fedoraproject.org>
 
 	libnss_tcb: Disallow potentially-malicious user names in getspnam(3).
diff --git a/Make.defs b/Make.defs
index 2db44b5..bc59ec3 100644
--- a/Make.defs
+++ b/Make.defs
@@ -13,6 +13,10 @@ OMIT_PAM_MODULE =
 # May be needed when compiling to use with OpenPAM.
 PAM_SO_SUFFIX =
 
+# Flags for hardening.
+HARDENING_CFLAGS  = -fstack-protector-strong -D_FORTIFY_SOURCE=2
+HARDENING_LDFLAGS = -Wl,-z,defs -Wl,-z,relro -Wl,-z,now
+
 DBGFLAG = #-ggdb
 ifndef CFLAGS
 CFLAGS = -O2
@@ -23,7 +27,8 @@ ifneq ($(WERROR),)
 CFLAGS += -Werror
 endif
 #CFLAGS += -DFAIL_RECORD
-LDFLAGS += $(DBGFLAG) -L../libs
+CFLAGS  := $(HARDENING_CFLAGS) $(CFLAGS)
+LDFLAGS := $(HARDENING_LDFLAGS) $(LDFLAGS) $(DBGFLAG) -L../libs
 
 PREFIX = /usr
 SBINDIR = /sbin