Makefile: Apply minimum hardening to libs and applications. #33

Merged: 1 commit, Jan 20, 2025
11 changes: 11 additions & 0 deletions ChangeLog
Expand Up @@ -8,6 +8,17 @@
proceeding.
* progs/tcb_unconvert.c (main): Likewise.

Makefile: Apply minimum hardening to libs and applications.
This enables stack-protector-strong with _FORTIFY_SOURCE=2, and the
following linker flags:
-Wl,-z,defs: Disallows undefined symbols at link-time.
-Wl,-z,relro: Relocation Read-Only protects the Global Offset Table
(GOT) in ELF binaries from being overwritten.
-Wl,-z,now: Tell the dynamic linker to resolve all symbols when the
program is started, or when the shared library is loaded.
* Make.defs: Define HARDENING_(C|LD)FLAGS, and prepend to coresponding
CFLAGS or LDFLAGS variable.

2024-12-20 Björn Esser <besser82 at fedoraproject.org>

libnss_tcb: Disallow potentially-malicious user names in getspnam(3).
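Review bot: In the Make.defs line of this ChangeLog addition, "coresponding" should be "corresponding". The entry says the hardening flags are prepended but not why; one clause recording that prepending places them ahead of the CFLAGS or LDFLAGS the builder supplies would capture the intent. It would also help to note that _FORTIFY_SOURCE=2 is a fixed level chosen here, since the entry otherwise reads as if only the linker flags were a choice.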
7 changes: 6 additions & 1 deletion Make.defs
Expand Up @@ -13,6 +13,10 @@ OMIT_PAM_MODULE =
# May be needed when compiling to use with OpenPAM.
PAM_SO_SUFFIX =

# Flags for hardening.
HARDENING_CFLAGS = -fstack-protector-strong -D_FORTIFY_SOURCE=2
Collaborator

Hmm, this -D_FORTIFY_SOURCE=2 might be problematic for ALT because there the default is -D_FORTIFY_SOURCE=3.

Member

I think it should be OK since per my reading of the changes here HARDENING_CFLAGS is prepended before the passed CFLAGS. Unless you have that as compiler default, not as part of default RPM optflags?

Collaborator

Apparently, it's a compiler default, so now I see the following warnings:

<command-line>: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition

"info gcc" on that system displays the following note:

NOTE: In ALT 12.2.1-alt2 and later versions, '-D_FORTIFY_SOURCE=3' is set by default, and is activated when '-O' is set to 1 or higher.

Member

We'd probably avoid this specific issue by upgrading to =3, but overall it's not good we may override a potentially better default.

HARDENING_LDFLAGS = -Wl,-z,defs -Wl,-z,relro -Wl,-z,now

DBGFLAG = #-ggdb
ifndef CFLAGS
CFLAGS = -O2
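Review bot: HARDENING_CFLAGS defines -D_FORTIFY_SOURCE=2 unconditionally, which collides with any toolchain that already predefines the macro; the thread on that line reports a "_FORTIFY_SOURCE" redefined warning on a compiler whose built-in default is 3, and notes that a better default may be overridden. Consider setting the fortify level only when the compiler does not already define one, or at least declaring HARDENING_CFLAGS and HARDENING_LDFLAGS with ?= so a distribution can substitute its own values. Separately, "ifndef CFLAGS" supplies -O2 only when CFLAGS is unset, and _FORTIFY_SOURCE has no effect without optimization, so a builder who passes CFLAGS without -O gets no fortification; a sentence under "# Flags for hardening." should say so.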
Expand All @@ -23,7 +27,8 @@ ifneq ($(WERROR),)
CFLAGS += -Werror
endif
#CFLAGS += -DFAIL_RECORD
LDFLAGS += $(DBGFLAG) -L../libs
CFLAGS := $(HARDENING_CFLAGS) $(CFLAGS)
LDFLAGS := $(HARDENING_LDFLAGS) $(LDFLAGS) $(DBGFLAG) -L../libs

PREFIX = /usr
SBINDIR = /sbin
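Review bot: The two := assignments to CFLAGS and LDFLAGS take effect only when those variables are unset or come from the environment; GNU make ignores a makefile assignment to a variable given on the command line (make CFLAGS=...) unless the override directive is used, so in that invocation the hardening flags are silently dropped. The removed "LDFLAGS += $(DBGFLAG) -L../libs" had the same limitation, but for hardening it is worth either using override or passing $(HARDENING_CFLAGS) and $(HARDENING_LDFLAGS) explicitly in the compile and link rules, and documenting which invocation is supported.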