Message-Id: <1436974186-5398-1-git-send-email-prarit@redhat.com>
Date: Wed, 15 Jul 2015 11:29:46 -0400
From: Prarit Bhargava <prarit@...hat.com>
To: linux-kernel@...r.kernel.org
Cc: Prarit Bhargava <prarit@...hat.com>
Subject: [PATCH] tools, Add CFLAGS_SECURITY for RELRO and PIE
My Makefile-fu has always been lacking and I know there's a better way to
do this. I'm trying to avoid heavily modifying the tools/ Makefiles because
I see that every author has their own way of doing things and I didn't want
to get in the way of specific use-case and design decisions.
P.
---8<---
PIE and RELRO, while not quite new, are relatively recent additions to
user-space executable hardening.
This patch adds PIE and RELRO support for some /usr/bin/ executables
by adding the appropriate compiler flags. Information on PIE
(and how it differs from relocatable code) can be found at
http://en.wikipedia.org/wiki/Position-independent_code
and information on RELRO can be found at
https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
I used the following test to confirm the changes,
find ./ -executable -type f | xargs file | grep ELF | awk -F ":" ' { print $1 } ' | sed 's/^..//' | while read -r f
do
f=${f%:* ELF}
pushd ${f%/*} >/dev/null
readelf -W -l ${f##*/} > ~-/program_headers 2> ~-/erroutput
readelf -W -d ${f##*/} > ~-/dynamic_section 2>> ~-/erroutput
readelf -W -h ${f##*/} > ~-/elf_header 2>> ~-/erroutput
popd >/dev/null
TYPE=$(grep -m1 -F 'Type:' elf_header | awk '{ print $2; }')
if [[ -s erroutput ]]
then
printf "PROCESSING FAILED: (%04d) %s : %s\n" $cnt "$pkg" "$f"
elif [[ $TYPE != EXEC && $TYPE != DYN ]]
then
printf "%4s: (%04d) %s : %s\n" $TYPE $cnt "$pkg" "$f"
continue
else
printf "PROCESSED: (%04d) %s : %s\n" $cnt "$pkg" "$f"
fi
f=${f#.}
RELRO=no
PIE=no
grep -F -m1 -q GNU_RELRO program_headers && RELRO=partial
[[ $RELRO = partial ]] && grep -F -m1 -q BIND_NOW dynamic_section && RELRO=full
grep -m1 -q 'Type:[[:space:]]*DYN' elf_header && PIE=dso
[[ $PIE = dso ]] && grep -m1 -F -q '(DEBUG)' dynamic_section && PIE=yes
printf "RELRO=%s\nPIE=%s\n\n" $RELRO $PIE
done; unset f
and also used 'LD_DEBUG=statistics <executable>' to check to see if there
were any serious performance issues.
Signed-off-by: Prarit Bhargava <prarit@...hat.com>
---
tools/cgroup/Makefile | 2 +-
tools/firewire/Makefile | 11 ++++++-----
tools/hv/Makefile | 2 +-
tools/net/Makefile | 18 ++++++++++--------
tools/power/acpi/Makefile | 2 +-
tools/power/cpupower/Makefile | 3 ++-
tools/power/cpupower/bench/Makefile | 2 +-
tools/power/cpupower/debug/i386/Makefile | 8 ++++----
tools/power/cpupower/debug/x86_64/Makefile | 4 ++--
tools/power/x86/turbostat/Makefile | 2 +-
tools/power/x86/x86_energy_perf_policy/Makefile | 1 +
tools/scripts/Makefile.include | 3 +++
tools/thermal/tmon/Makefile | 2 +-
tools/usb/Makefile | 2 +-
tools/virtio/Makefile | 12 +++++++++---
tools/vm/Makefile | 2 +-
16 files changed, 45 insertions(+), 31 deletions(-)
diff --git a/tools/cgroup/Makefile b/tools/cgroup/Makefile
index b428619..4e6b598 100644
--- a/tools/cgroup/Makefile
+++ b/tools/cgroup/Makefile
@@ -1,7 +1,7 @@
# Makefile for cgroup tools
CC = $(CROSS_COMPILE)gcc
-CFLAGS = -Wall -Wextra
+CFLAGS = -Wall -Wextra $(CFLAGS_SECURITY)
all: cgroup_event_listener
%: %.c
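Review bot: `$(CFLAGS_SECURITY)` on the `CFLAGS =` line expands to nothing unless this Makefile includes tools/scripts/Makefile.include or inherits the exported variable from a parent make. The hunk starts at line 1 and shows no `include`, so a standalone `make -C tools/cgroup` would presumably build without PIE or RELRO and give no indication of it. The same applies to the hv, power/acpi, turbostat, x86_energy_perf_policy, tmon, usb and virtio hunks, none of which show an include in their visible lines. Either add `include ../scripts/Makefile.include` (with the matching relative path in each directory) or give the variable a local fallback such as `CFLAGS_SECURITY ?= -Wl,-z,relro,-z,now -fpie -pie`.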
diff --git a/tools/firewire/Makefile b/tools/firewire/Makefile
index 81767ad..645698a 100644
--- a/tools/firewire/Makefile
+++ b/tools/firewire/Makefile
@@ -5,12 +5,13 @@ CC = gcc
all : nosy-dump
-nosy-dump : CFLAGS = -Wall -O2 -g
-nosy-dump : CPPFLAGS = -DVERSION=\"$(nosy-dump-version)\" -I../../drivers/firewire
-nosy-dump : LDFLAGS = -g
-nosy-dump : LDLIBS = -lpopt
+CFLAGS := -Wall -O2 -g $(CFLAGS_SECURITY)
+CPPFLAGS := -DVERSION=\"$(nosy-dump-version)\" -I../../drivers/firewire
+LDLIBS := -lpopt
-nosy-dump : nosy-dump.o decode-fcp.o
+NOSY_DUMP_OBJS = nosy-dump.o decode-fcp.o
+nosy-dump : $(NOSY_DUMP_OBJS)
+ $(CC) $(CFLAGS) $(NOSY_DUMP_OBJS) $(LDLIBS) -o $@
clean :
rm -rf *.o nosy-dump
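Review bot: The new explicit link recipe `$(CC) $(CFLAGS) $(NOSY_DUMP_OBJS) $(LDLIBS) -o $@` no longer passes `$(LDFLAGS)`, which the built-in link rule it replaces did. Link-time options supplied by a packager's build, including any hardening flags passed that way, are therefore silently dropped, and the removed `LDFLAGS = -g` line goes with them. Writing it as `$(CC) $(CFLAGS) $(LDFLAGS) $(NOSY_DUMP_OBJS) $(LDLIBS) -o $@` keeps the old behaviour. The recipes added in the tools/net and tools/virtio hunks have the same omission.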
diff --git a/tools/hv/Makefile b/tools/hv/Makefile
index a8ab795..11108c4 100644
--- a/tools/hv/Makefile
+++ b/tools/hv/Makefile
@@ -3,7 +3,7 @@
CC = $(CROSS_COMPILE)gcc
PTHREAD_LIBS = -lpthread
WARNINGS = -Wall -Wextra
-CFLAGS = $(WARNINGS) -g $(PTHREAD_LIBS) $(shell getconf LFS_CFLAGS)
+CFLAGS = $(WARNINGS) $(CFLAGS_SECURITY) -g $(PTHREAD_LIBS) $(shell getconf LFS_CFLAGS)
all: hv_kvp_daemon hv_vss_daemon hv_fcopy_daemon
%: %.c
diff --git a/tools/net/Makefile b/tools/net/Makefile
index ee577ea..b9b02bb 100644
--- a/tools/net/Makefile
+++ b/tools/net/Makefile
@@ -10,20 +10,22 @@ YACC = bison
%.lex.c: %.l
$(LEX) -o $@ $<
+CFLAGS := -Wall -O2 $(CFLAGS_SECURITY)
all : bpf_jit_disasm bpf_dbg bpf_asm
-bpf_jit_disasm : CFLAGS = -Wall -O2 -DPACKAGE='bpf_jit_disasm'
+bpf_jit_disasm : CFLAGS += -DPACKAGE='bpf_jit_disasm'
bpf_jit_disasm : LDLIBS = -lopcodes -lbfd -ldl
-bpf_jit_disasm : bpf_jit_disasm.o
+bpf_jit_disasm : bpf_jit_disasm.c
+ $(CC) $(CFLAGS) -o $@ $< $(LDLIBS)
-bpf_dbg : CFLAGS = -Wall -O2
bpf_dbg : LDLIBS = -lreadline
-bpf_dbg : bpf_dbg.o
+bpf_dbg : bpf_dbg.c
+ $(CC) $(CFLAGS) -o $@ $< $(LDLIBS)
-bpf_asm : CFLAGS = -Wall -O2 -I.
-bpf_asm : LDLIBS =
-bpf_asm : bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o
-bpf_exp.lex.o : bpf_exp.yacc.c
+BPF_ASM_OBJS = bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o
+bpf_asm : CFLAGS += -I.
+bpf_asm : $(BPF_ASM_OBJS)
+ $(CC) $(CFLAGS) $(BPF_ASM_OBJS) -o $@
clean :
rm -rf *.o bpf_jit_disasm bpf_dbg bpf_asm bpf_exp.yacc.* bpf_exp.lex.*
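Review bot: The removed prerequisite line `bpf_exp.lex.o : bpf_exp.yacc.c` is not replaced anywhere in the new rules, so nothing orders the bison step before the lexer output is compiled. If the generated lexer includes the header that bison emits (likely, but not visible in this hunk), a parallel build can fail or pick up a stale header. Keeping `bpf_exp.lex.o : bpf_exp.yacc.c` next to the new `BPF_ASM_OBJS` rule avoids that. Separately, `bpf_jit_disasm` and `bpf_dbg` are now built in one step from the `.c` file, so `$(CPPFLAGS)` is no longer applied to them.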
diff --git a/tools/power/acpi/Makefile b/tools/power/acpi/Makefile
index 3d1537b..b80d3be 100644
--- a/tools/power/acpi/Makefile
+++ b/tools/power/acpi/Makefile
@@ -72,7 +72,7 @@ WARNINGS += $(call cc-supports,-Wdeclaration-after-statement)
KERNEL_INCLUDE := ../../../include
ACPICA_INCLUDE := ../../../drivers/acpi/acpica
CFLAGS += -D_LINUX -I$(KERNEL_INCLUDE) -I$(ACPICA_INCLUDE)
-CFLAGS += $(WARNINGS)
+CFLAGS += $(WARNINGS) $(CFLAGS_SECURITY)
ifeq ($(strip $(V)),false)
QUIET=@
diff --git a/tools/power/cpupower/Makefile b/tools/power/cpupower/Makefile
index 2e2ba2e..ba97d10 100644
--- a/tools/power/cpupower/Makefile
+++ b/tools/power/cpupower/Makefile
@@ -181,6 +181,7 @@ else
STRIPCMD = $(STRIP) -s --remove-section=.note --remove-section=.comment
endif
+CFLAGS += -Wl,-z,relro,-z,now -fpie
# the actual make rules
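Review bot: `CFLAGS += -Wl,-z,relro,-z,now -fpie` spells the hardening flags out by hand instead of using the `CFLAGS_SECURITY` variable this patch introduces in tools/scripts/Makefile.include. The same literal is repeated on the link lines in the cpupower/debug/i386, cpupower/debug/x86_64 and tools/vm hunks. A later change to the hardening policy then has to be made in several places, and a missed copy leaves a binary with weaker protections without any build failure. Prefer one shared definition; because `-pie` presumably has to stay off the `libcpupower.so` link, that means a compile part (`-fpie`) and a separate link part (`-pie -Wl,-z,relro,-z,now`). With `-fpie` now in the global `CFLAGS`, it is also worth confirming that the library objects are still compiled as `-fPIC`; that rule is outside this hunk.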
@@ -209,7 +210,7 @@ $(OUTPUT)%.o: %.c
$(OUTPUT)cpupower: $(UTIL_OBJS) $(OUTPUT)libcpupower.so.$(LIB_MAJ)
$(ECHO) " CC " $@
- $(QUIET) $(CC) $(CFLAGS) $(LDFLAGS) $(UTIL_OBJS) -lcpupower -lrt -lpci -L$(OUTPUT) -o $@
+ $(QUIET) $(CC) $(CFLAGS) -pie $(LDFLAGS) $(UTIL_OBJS) -lcpupower -lrt -lpci -L$(OUTPUT) -o $@
$(QUIET) $(STRIPCMD) $@
$(OUTPUT)po/$(PACKAGE).pot: $(UTIL_SRC)
diff --git a/tools/power/cpupower/bench/Makefile b/tools/power/cpupower/bench/Makefile
index 7ec7021..f30f00c 100644
--- a/tools/power/cpupower/bench/Makefile
+++ b/tools/power/cpupower/bench/Makefile
@@ -16,7 +16,7 @@ $(OUTPUT)%.o : %.c
$(OUTPUT)cpufreq-bench: $(OBJS)
$(ECHO) " CC " $@
- $(QUIET) $(CC) -o $@ $(CFLAGS) $(OBJS) $(LIBS)
+ $(QUIET) $(CC) -o $@ $(CFLAGS) -fpie -pie $(OBJS) $(LIBS)
all: $(OUTPUT)cpufreq-bench
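Review bot: The link line adds `-fpie -pie` but not `-Wl,-z,relro,-z,now`, so unless `CFLAGS` is inherited from the parent cpupower Makefile (not visible here) `cpufreq-bench` ends up PIE without full RELRO, unlike the other binaries in this patch. `-fpie` on a link-only command also has no effect on `$(OBJS)`, which are compiled by the `$(OUTPUT)%.o : %.c` rule above the hunk. If that rule's `CFLAGS` lacks `-fpie`, the `-pie` link may fail or need text relocations on some architectures. Suggest `$(QUIET) $(CC) -o $@ $(CFLAGS) -pie -Wl,-z,relro,-z,now $(OBJS) $(LIBS)` and making sure the object rule compiles with `-fpie`.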
diff --git a/tools/power/cpupower/debug/i386/Makefile b/tools/power/cpupower/debug/i386/Makefile
index c05cc0a..60967fa 100644
--- a/tools/power/cpupower/debug/i386/Makefile
+++ b/tools/power/cpupower/debug/i386/Makefile
@@ -12,16 +12,16 @@ INSTALL = /usr/bin/install
default: all
$(OUTPUT)centrino-decode: centrino-decode.c
- $(CC) $(CFLAGS) -o $@ centrino-decode.c
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ centrino-decode.c
$(OUTPUT)dump_psb: dump_psb.c
- $(CC) $(CFLAGS) -o $@ dump_psb.c
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ dump_psb.c
$(OUTPUT)intel_gsic: intel_gsic.c
- $(CC) $(CFLAGS) -o $@ -llrmi intel_gsic.c
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ -llrmi intel_gsic.c
$(OUTPUT)powernow-k8-decode: powernow-k8-decode.c
- $(CC) $(CFLAGS) -o $@ powernow-k8-decode.c
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ powernow-k8-decode.c
all: $(OUTPUT)centrino-decode $(OUTPUT)dump_psb $(OUTPUT)intel_gsic $(OUTPUT)powernow-k8-decode
diff --git a/tools/power/cpupower/debug/x86_64/Makefile b/tools/power/cpupower/debug/x86_64/Makefile
index 1c52145..e516931 100644
--- a/tools/power/cpupower/debug/x86_64/Makefile
+++ b/tools/power/cpupower/debug/x86_64/Makefile
@@ -12,10 +12,10 @@ INSTALL = /usr/bin/install
default: all
$(OUTPUT)centrino-decode: ../i386/centrino-decode.c
- $(CC) $(CFLAGS) -o $@ $<
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ $<
$(OUTPUT)powernow-k8-decode: ../i386/powernow-k8-decode.c
- $(CC) $(CFLAGS) -o $@ $<
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ $<
all: $(OUTPUT)centrino-decode $(OUTPUT)powernow-k8-decode
diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile
index e367b1a..d146000 100644
--- a/tools/power/x86/turbostat/Makefile
+++ b/tools/power/x86/turbostat/Makefile
@@ -8,7 +8,7 @@ ifeq ("$(origin O)", "command line")
endif
turbostat : turbostat.c
-CFLAGS += -Wall
+CFLAGS += -Wall $(CFLAGS_SECURITY)
CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/asm/msr-index.h"'
%: %.c
diff --git a/tools/power/x86/x86_energy_perf_policy/Makefile b/tools/power/x86/x86_energy_perf_policy/Makefile
index 971c9ff..274499a 100644
--- a/tools/power/x86/x86_energy_perf_policy/Makefile
+++ b/tools/power/x86/x86_energy_perf_policy/Makefile
@@ -1,4 +1,5 @@
DESTDIR ?=
+CFLAGS += $(CFLAGS_SECURITY)
x86_energy_perf_policy : x86_energy_perf_policy.c
diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include
index 8abbef1..a4293ed 100644
--- a/tools/scripts/Makefile.include
+++ b/tools/scripts/Makefile.include
@@ -40,6 +40,9 @@ EXTRA_WARNINGS += -Wundef
EXTRA_WARNINGS += -Wwrite-strings
EXTRA_WARNINGS += -Wformat
+CFLAGS_SECURITY := -Wl,-z,relro,-z,now -fpie -pie
+export CFLAGS_SECURITY
+
ifneq ($(findstring $(MAKEFLAGS), w),w)
PRINT_DIR = --no-print-directory
else
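Review bot: `CFLAGS_SECURITY := -Wl,-z,relro,-z,now -fpie -pie` mixes one compile-time option (`-fpie`) with link-time options, which is presumably why several Makefiles in this patch replace the built-in link rule with hand-written recipes that pass `$(CFLAGS)` to the link step. Splitting it into `CFLAGS_SECURITY := -fpie` and `LDFLAGS_SECURITY := -pie -Wl,-z,relro,-z,now` lets each Makefile append to `CFLAGS` and `LDFLAGS` and keep the built-in rules. The flags are also set unconditionally, so a toolchain that rejects `-pie` or `-z relro` would fail the build; probing for support before setting them would be safer. A comment above the definition should say what each flag provides: a position-independent main executable that can be loaded at a randomised address, and a GOT made read-only after eager symbol binding.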
diff --git a/tools/thermal/tmon/Makefile b/tools/thermal/tmon/Makefile
index 2e83dd3..0351fbb 100644
--- a/tools/thermal/tmon/Makefile
+++ b/tools/thermal/tmon/Makefile
@@ -2,7 +2,7 @@ VERSION = 1.0
BINDIR=usr/bin
WARNFLAGS=-Wall -Wshadow -W -Wformat -Wimplicit-function-declaration -Wimplicit-int
-CFLAGS+= -O1 ${WARNFLAGS} -fstack-protector
+CFLAGS+= -O1 ${WARNFLAGS} -fstack-protector $(CFLAGS_SECURITY)
CC=$(CROSS_COMPILE)gcc
CFLAGS+=-D VERSION=\"$(VERSION)\"
diff --git a/tools/usb/Makefile b/tools/usb/Makefile
index acf2165..e51e4b2 100644
--- a/tools/usb/Makefile
+++ b/tools/usb/Makefile
@@ -3,7 +3,7 @@
CC = $(CROSS_COMPILE)gcc
PTHREAD_LIBS = -lpthread
WARNINGS = -Wall -Wextra
-CFLAGS = $(WARNINGS) -g -I../include
+CFLAGS = $(WARNINGS) $(CFLAGS_SECURITY) -g -I../include
LDFLAGS = $(PTHREAD_LIBS)
all: testusb ffs-test
diff --git a/tools/virtio/Makefile b/tools/virtio/Makefile
index 505ad51..6514bf5 100644
--- a/tools/virtio/Makefile
+++ b/tools/virtio/Makefile
@@ -1,10 +1,16 @@
all: test mod
test: virtio_test vringh_test
-virtio_test: virtio_ring.o virtio_test.o
-vringh_test: vringh_test.o vringh.o virtio_ring.o
+VIRTIO_TEST_OBJS = virtio_ring.o virtio_test.o
+VRINGH_TEST_OBJS = vringh_test.o vringh.o virtio_ring.o
-CFLAGS += -g -O2 -Werror -Wall -I. -I../include/ -I ../../usr/include/ -Wno-pointer-sign -fno-strict-overflow -fno-strict-aliasing -fno-common -MMD -U_FORTIFY_SOURCE
+CFLAGS += -g -O2 -Werror -Wall -I. -I../include/ -I ../../usr/include/ -Wno-pointer-sign -fno-strict-overflow -fno-strict-aliasing -fno-common -MMD -U_FORTIFY_SOURCE $(CFLAGS_SECURITY)
vpath %.c ../../drivers/virtio ../../drivers/vhost
+
+virtio_test: $(VIRTIO_TEST_OBJS)
+ $(CC) $(CFLAGS) $(VIRTIO_TEST_OBJS) -o $@
+vringh_test: $(VRINGH_TEST_OBJS)
+ $(CC) $(CFLAGS) $(VRINGH_TEST_OBJS) -o $@
+
mod:
${MAKE} -C `pwd`/../.. M=`pwd`/vhost_test
.PHONY: all test mod clean
diff --git a/tools/vm/Makefile b/tools/vm/Makefile
index 93aadaf..426eb28 100644
--- a/tools/vm/Makefile
+++ b/tools/vm/Makefile
@@ -15,7 +15,7 @@ $(LIBS):
make -C $(LIB_DIR)
%: %.c
- $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
+ $(CC) $(CFLAGS) -Wl,-z,relro,-z,now -fpie -pie -o $@ $< $(LDFLAGS)
clean:
$(RM) page-types slabinfo page_owner_sort
--
1.7.9.3