From 658fff9445711b8402029bc2916fccbc5d6fd8fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= Date: Tue, 21 Jun 2016 19:16:43 +0200 Subject: [PATCH 1/2] Feature: conditional hardening, especially for daemons + libraries So far the build system has not been concerned with run-time hardening measures the typical toolchains provide (beside unconditional enforcing of -fstack-protector-all). Hence make a step in that direction, enabling following if available and anticipating more to come: [$LD -z relro] - daemons incl. libs - make some parts of Global Offset Table (GOT) read-only [$CC -fPIE + ld -pie] - daemons - benefit from Address Space Layout Randomization (ASLR) for code areas [$LD -z now] - daemons incl. libs, only when the former two features are supported - all symbols are resolved initially to that complete GOT is read-only [$CC -fstack-protector-strong/-fstack-protector-all/-fstack-protector] - universal - extra run-time checks for buffer overflows - NOTE: in case -fstack-protector-strong is supported, this is effectively a weakening of previously enforced -fstack-protector-all, but note that this variant comes with not entirely negligible performance penalty [1], making "strong" variant a reasonable tradeoff for something that is not in the prime line of possible attacks For details on how to instruct configure script to do the right thing (for when the default won't cut it), see detailed comment in configure.ac under "Hardening flags" section. [1] http://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1860.pdf --- acinclude.m4 | 25 +++++++++ attrd/Makefile.am | 3 + cib/Makefile.am | 3 + configure.ac | 135 +++++++++++++++++++++++++++++++++++++++++++-- crmd/Makefile.am | 3 + fencing/Makefile.am | 3 + lib/cib/Makefile.am | 3 + lib/cluster/Makefile.am | 4 ++ lib/common/Makefile.am | 4 ++ lib/fencing/Makefile.am | 4 ++ lib/lrmd/Makefile.am | 4 ++ lib/pengine/Makefile.am | 8 +++ lib/services/Makefile.am | 3 + lib/transition/Makefile.am | 3 + lrmd/Makefile.am | 6 ++ mcp/Makefile.am | 3 + pacemaker.spec.in | 17 ++++++ pengine/Makefile.am | 6 ++ 18 files changed, 231 insertions(+), 6 deletions(-) create mode 100644 acinclude.m4 diff --git a/acinclude.m4 b/acinclude.m4 new file mode 100644 index 0000000..ecaa1dd --- /dev/null +++ b/acinclude.m4 @@ -0,0 +1,25 @@ +dnl +dnl local autoconf/automake macros for pacemaker +dnl + +dnl Check if the flag is supported by linker (cacheable) +dnl CC_CHECK_LDFLAGS([FLAG], [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND]) +dnl +dnl Origin (declared license: GPLv2+ with less restrictive exception): +dnl https://git.gnome.org/browse/glib/tree/m4macros/attributes.m4?h=2.49.1 +dnl (AC_LANG_PROGRAM substituted by Jan Pokorny ) + +AC_DEFUN([CC_CHECK_LDFLAGS], [ + AC_CACHE_CHECK([if $CC supports $1 flag], + AS_TR_SH([cc_cv_ldflags_$1]), + [ac_save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $1" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], + [eval "AS_TR_SH([cc_cv_ldflags_$1])='yes'"], + [eval "AS_TR_SH([cc_cv_ldflags_$1])="]) + LDFLAGS="$ac_save_LDFLAGS" + ]) + + AS_IF([eval test x$]AS_TR_SH([cc_cv_ldflags_$1])[ = xyes], + [$2], [$3]) +]) diff --git a/attrd/Makefile.am b/attrd/Makefile.am index a116e0e..6eaaae2 100644 --- a/attrd/Makefile.am +++ b/attrd/Makefile.am @@ -21,6 +21,9 @@ halibdir = $(CRM_DAEMON_DIR) halib_PROGRAMS = attrd ## SOURCES +attrd_CFLAGS = $(CFLAGS_HARDENED_EXE) +attrd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ $(top_builddir)/lib/common/libcrmcommon.la \ $(top_builddir)/lib/cib/libcib.la \ diff --git a/cib/Makefile.am b/cib/Makefile.am index fcb8ce9..4273191 100644 --- a/cib/Makefile.am +++ b/cib/Makefile.am @@ -32,6 +32,9 @@ halib_PROGRAMS = cib cibmon ## SOURCES noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h +cib_CFLAGS = $(CFLAGS_HARDENED_EXE) +cib_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS) diff --git a/configure.ac b/configure.ac index c5b30dc..edf6a91 100644 --- a/configure.ac +++ b/configure.ac @@ -196,6 +196,13 @@ AC_ARG_ENABLE([systemd], [ --enable-systemd Do not build support for the Systemd init system [default=yes]]) +AC_ARG_ENABLE(hardening, + [ --with-hardening + Harden the resulting executables/libraries (best effort by default)], + [ HARDENING="${enableval}" ], + [ HARDENING=try ], +) + AC_ARG_WITH(ais, [ --with-ais Support the Corosync messaging and membership layer ], @@ -1710,6 +1717,12 @@ if export | fgrep " CFLAGS=" > /dev/null; then unset SAVED_CFLAGS fi +AC_ARG_VAR([CFLAGS_HARDENED_LIB], [extra C compiler flags for hardened libraries]) +AC_ARG_VAR([LDFLAGS_HARDENED_LIB], [extra linker flags for hardened libraries]) + +AC_ARG_VAR([CFLAGS_HARDENED_EXE], [extra C compiler flags for hardened executables]) +AC_ARG_VAR([LDFLAGS_HARDENED_EXE], [extra linker flags for hardened executables]) + CC_EXTRAS="" if test "$GCC" != yes; then @@ -1785,12 +1798,6 @@ dnl otherwise none of both # Additional warnings it might be nice to enable one day # -Wshadow # -Wunreachable-code - case "$host_os" in - *solaris*) ;; - *) EXTRA_FLAGS="$EXTRA_FLAGS - -fstack-protector-all" - ;; - esac for j in $EXTRA_FLAGS do if @@ -1829,6 +1836,118 @@ dnl System specific options AC_MSG_NOTICE(Activated additional gcc flags: ${CC_EXTRAS}) fi +dnl +dnl Hardening flags +dnl +dnl The prime control of whether to apply (targeted) hardening build flags and +dnl which ones is --{enable,disable}-hardening option passed to ./configure: +dnl +dnl --enable-hardening=try (default): +dnl depending on whether any of CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE, +dnl CFLAGS_HARDENED_LIB or LDFLAGS_HARDENED_LIB environment variables +dnl (see below) is set and non-null, all these custom flags (even if not +dnl set) are used as are, otherwise the best effort is made to offer +dnl reasonably strong hardening in several categories (RELRO, PIE, +dnl "bind now", stack protector) according to what the selected toolchain +dnl can offer +dnl +dnl --enable-hardening: +dnl same effect as --enable-hardening=try when the environment variables +dnl in question are suppressed +dnl +dnl --disable-hardening: +dnl do not apply any targeted hardening measures at all +dnl +dnl The user-injected environment variables that regulate the hardening in +dnl default case are as follows: +dnl +dnl * CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE +dnl compiler and linker flags (respectively) for daemon programs +dnl (attrd, cib, crmd, lrmd, stonithd, pacemakerd, pacemaker_remoted, +dnl pengine) +dnl +dnl * CFLAGS_HARDENED_LIB, LDFLAGS_HARDENED_LIB +dnl compiler and linker flags (respectively) for libraries linked +dnl with the daemon programs +dnl +dnl Note that these are purposedly targeted variables (addressing particular +dnl targets all over the scattered Makefiles) and have no effect outside of +dnl the predestined scope (e.g., CLI utilities). For a global reach, +dnl use CFLAGS, LDFLAGS, etc. as usual. +dnl +dnl For guidance on the suitable flags consult, for instance: +dnl https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description +dnl https://owasp.org/index.php/C-Based_Toolchain_Hardening#GCC.2FBinutils +dnl + +if test "x${HARDENING}" != "xtry"; then + unset CFLAGS_HARDENED_EXE + unset CFLAGS_HARDENED_LIB + unset LDFLAGS_HARDENED_EXE + unset LDFLAGS_HARDENED_LIB +fi +if test "x${HARDENING}" = "xno"; then + AC_MSG_NOTICE([Hardening: explicitly disabled]) +elif test "x${HARDENING}" = "xyes" \ + || test "$(env | grep -Ec '^(C|LD)FLAGS_HARDENED_(EXE|LIB)=.')" = 0; then + dnl We'll figure out on our own... + CFLAGS_HARDENED_EXE= + CFLAGS_HARDENED_LIB= + LDFLAGS_HARDENED_EXE= + LDFLAGS_HARDENED_LIB= + relro=0 + pie=0 + bindnow=0 + # daemons incl. libs: partial RELRO + flag="-Wl,-z,relro" + CC_CHECK_LDFLAGS(["${flag}"], + [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; + LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"; + relro=1] + ) + # daemons: PIE for both CFLAGS and LDFLAGS + if cc_supports_flag -fPIE; then + flag="-pie" + CC_CHECK_LDFLAGS(["${flag}"], + [CFLAGS_HARDENED_EXE="${CFLAGS_HARDENED_EXE} -fPIE"; + LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; + pie=1] + ) + fi + # daemons incl. libs: full RELRO if sensible + if test "${relro}" = 1 && test "${pie}" = 1; then + flag="-Wl,-z,now" + CC_CHECK_LDFLAGS(["${flag}"], + [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; + LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"; + bindnow=1] + ) + fi + # universal: prefer strong > all > default stack protector if possible + flag= + if cc_supports_flag -fstack-protector-strong; then + flag="-fstack-protector-strong" + elif cc_supports_flag -fstack-protector-all; then + flag="-fstack-protector-all" + elif cc_supports_flag -fstack-protector; then + flag="-fstack-protector" + fi + if test -n "${flag}"; then + CC_EXTRAS="${CC_EXTRAS} ${flag}" + stackprot=1 + fi + if test "${relro}" = 1 \ + || test "${pie}" = 1 \ + || test "${stackprot}" = 1; then + AC_MSG_NOTICE( + [Hardening: relro=${relro} pie=${pie} bindnow=${bindnow} stackprot=${flag}]) + else + AC_MSG_WARN([Hardening: no suitable features in the toolchain detected]) + fi +else + AC_MSG_NOTICE([Hardening: using custom flags]) +fi + CFLAGS="$CFLAGS $CC_EXTRAS" NON_FATAL_CFLAGS="$CFLAGS" @@ -1978,5 +2097,9 @@ AC_MSG_RESULT([ HA group name = ${CRM_DAEMON_GROUP}]) AC_MSG_RESULT([ HA user name = ${CRM_DAEMON_USER}]) AC_MSG_RESULT([]) AC_MSG_RESULT([ CFLAGS = ${CFLAGS}]) +AC_MSG_RESULT([ CFLAGS_HARDENED_EXE = ${CFLAGS_HARDENED_EXE}]) +AC_MSG_RESULT([ CFLAGS_HARDENED_LIB = ${CFLAGS_HARDENED_LIB}]) +AC_MSG_RESULT([ LDFLAGS_HARDENED_EXE = ${LDFLAGS_HARDENED_EXE}]) +AC_MSG_RESULT([ LDFLAGS_HARDENED_LIB = ${LDFLAGS_HARDENED_LIB}]) AC_MSG_RESULT([ Libraries = ${LIBS}]) AC_MSG_RESULT([ Stack Libraries = ${CLUSTERLIBS}]) diff --git a/crmd/Makefile.am b/crmd/Makefile.am index 979e266..6d5ee9a 100644 --- a/crmd/Makefile.am +++ b/crmd/Makefile.am @@ -28,6 +28,9 @@ noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \ fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \ crmd_lrm.h te_callbacks.h tengine.h +crmd_CFLAGS = $(CFLAGS_HARDENED_EXE) +crmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \ $(top_builddir)/lib/transition/libtransitioner.la \ $(top_builddir)/lib/pengine/libpe_rules.la \ diff --git a/fencing/Makefile.am b/fencing/Makefile.am index 1d591fc..c53ead6 100644 --- a/fencing/Makefile.am +++ b/fencing/Makefile.am @@ -52,6 +52,9 @@ stonith_admin_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ stonithd_CPPFLAGS = -I$(top_srcdir)/pengine $(AM_CPPFLAGS) stonithd_YFLAGS = -d +stonithd_CFLAGS = $(CFLAGS_HARDENED_EXE) +stonithd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ $(top_builddir)/lib/cluster/libcrmcluster.la \ $(top_builddir)/lib/fencing/libstonithd.la \ diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am index e414a7f..637ea8c 100644 --- a/lib/cib/Makefile.am +++ b/lib/cib/Makefile.am @@ -27,6 +27,9 @@ libcib_la_SOURCES += cib_file.c cib_remote.c libcib_la_LDFLAGS = -version-info 5:1:1 libcib_la_CPPFLAGS = -I$(top_srcdir) $(AM_CPPFLAGS) +libcib_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libcib_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la clean-generic: diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am index 06d7066..9a57bbb 100644 --- a/lib/cluster/Makefile.am +++ b/lib/cluster/Makefile.am @@ -21,6 +21,10 @@ include $(top_srcdir)/Makefile.common lib_LTLIBRARIES = libcrmcluster.la libcrmcluster_la_LDFLAGS = -version-info 6:0:2 + +libcrmcluster_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libcrmcluster_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS) libcrmcluster_la_SOURCES = election.c cluster.c membership.c diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am index 7550ec1..0e1ad29 100644 --- a/lib/common/Makefile.am +++ b/lib/common/Makefile.am @@ -32,6 +32,10 @@ lib_LTLIBRARIES = libcrmcommon.la CFLAGS = $(CFLAGS_COPY:-Wcast-qual=) -fPIC libcrmcommon_la_LDFLAGS = -version-info 9:0:6 + +libcrmcommon_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libcrmcommon_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm libcrmcommon_la_SOURCES = compat.c digest.c ipc.c io.c procfs.c utils.c xml.c \ diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am index 85ae40a..dc15799 100644 --- a/lib/fencing/Makefile.am +++ b/lib/fencing/Makefile.am @@ -21,5 +21,9 @@ include $(top_srcdir)/Makefile.common lib_LTLIBRARIES = libstonithd.la libstonithd_la_LDFLAGS = -version-info 4:1:2 + +libstonithd_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libstonithd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la libstonithd_la_SOURCES = st_client.c diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am index 25f3d55..611675e 100644 --- a/lib/lrmd/Makefile.am +++ b/lib/lrmd/Makefile.am @@ -19,6 +19,10 @@ include $(top_srcdir)/Makefile.common lib_LTLIBRARIES = liblrmd.la liblrmd_la_LDFLAGS = -version-info 4:0:3 + +liblrmd_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +liblrmd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \ $(top_builddir)/lib/services/libcrmservice.la \ $(top_builddir)/lib/fencing/libstonithd.la diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am index de760c3..ad5c5c3 100644 --- a/lib/pengine/Makefile.am +++ b/lib/pengine/Makefile.am @@ -24,10 +24,18 @@ lib_LTLIBRARIES = libpe_rules.la libpe_status.la noinst_HEADERS = unpack.h variant.h libpe_rules_la_LDFLAGS = -version-info 2:6:0 + +libpe_rules_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libpe_rules_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libpe_rules_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la libpe_rules_la_SOURCES = rules.c common.c libpe_status_la_LDFLAGS = -version-info 11:0:1 + +libpe_status_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libpe_status_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \ group.c clone.c rules.c common.c remote.c diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am index c789fbd..b3208c2 100644 --- a/lib/services/Makefile.am +++ b/lib/services/Makefile.am @@ -27,6 +27,9 @@ libcrmservice_la_LDFLAGS = -version-info 4:1:1 libcrmservice_la_CPPFLAGS = -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" $(AM_CPPFLAGS) libcrmservice_la_CFLAGS = $(GIO_CFLAGS) +libcrmservice_la_CFLAGS += $(CFLAGS_HARDENED_LIB) +libcrmservice_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS) libcrmservice_la_SOURCES = services.c services_linux.c diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am index 9bc039e..4d6cd23 100644 --- a/lib/transition/Makefile.am +++ b/lib/transition/Makefile.am @@ -25,6 +25,9 @@ lib_LTLIBRARIES = libtransitioner.la libtransitioner_la_LDFLAGS = -version-info 2:5:0 libtransitioner_la_CPPFLAGS = -I$(top_builddir) $(AM_CPPFLAGS) +libtransitioner_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libtransitioner_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la libtransitioner_la_SOURCES = unpack.c graph.c utils.c diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am index 64df105..5846503 100644 --- a/lrmd/Makefile.am +++ b/lrmd/Makefile.am @@ -30,6 +30,9 @@ if BUILD_SYSTEMD systemdunit_DATA = pacemaker_remote.service endif +lrmd_CFLAGS = $(CFLAGS_HARDENED_EXE) +lrmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + lrmd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ $(top_builddir)/lib/services/libcrmservice.la \ $(top_builddir)/lib/lrmd/liblrmd.la \ @@ -38,6 +41,9 @@ lrmd_SOURCES = main.c lrmd.c pacemaker_remoted_CPPFLAGS = -DSUPPORT_REMOTE $(AM_CPPFLAGS) +pacemaker_remoted_CFLAGS = $(CFLAGS_HARDENED_EXE) +pacemaker_remoted_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + pacemaker_remoted_LDADD = $(lrmd_LDADD) pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c diff --git a/mcp/Makefile.am b/mcp/Makefile.am index 195530a..074d251 100644 --- a/mcp/Makefile.am +++ b/mcp/Makefile.am @@ -31,6 +31,9 @@ endif noinst_HEADERS = pacemaker.h +pacemakerd_CFLAGS = $(CFLAGS_HARDENED_EXE) +pacemakerd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + pacemakerd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la $(top_builddir)/lib/common/libcrmcommon.la pacemakerd_LDADD += $(CLUSTERLIBS) pacemakerd_SOURCES = pacemaker.c corosync.c diff --git a/pacemaker.spec.in b/pacemaker.spec.in index 6024514..a607588 100644 --- a/pacemaker.spec.in +++ b/pacemaker.spec.in @@ -63,6 +63,9 @@ # Turn off cman support on platforms that normally ship with it %bcond_without cman +# Turn off hardening of libraries and daemon executables +%bcond_without hardening + %if %{with profiling} # This disables -debuginfo package creation and also the stripping binaries/libraries # Useful if you want sane profiling data @@ -168,6 +171,7 @@ resource health. Available rpmbuild rebuild options: --with(out) : cman stonithd doc coverage profiling pre_release upstart_job + hardening %package cli License: GPLv2+ and LGPLv2+ @@ -301,6 +305,18 @@ find . -exec touch \{\} \; # Early versions of autotools (e.g. RHEL <= 5) do not support --docdir export docdir=%{pcmk_docdir} +%if %{with hardening} +# prefer distro-provided hardening flags in case they are defined +# through _hardening_{c,ld}flags macros, configure script will +# use its own defaults otherwise; if such hardenings are completely +# undesired, rpmbuild using "--without hardening" +# (or "--define '_without_hardening 1'") +export CFLAGS_HARDENED_EXE="%{?_hardening_cflags}" +export CFLAGS_HARDENED_LIB="%{?_hardening_cflags}" +export LDFLAGS_HARDENED_EXE="%{?_hardening_ldflags}" +export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}" +%endif + ./autogen.sh %{configure} \ @@ -309,6 +325,7 @@ export docdir=%{pcmk_docdir} %{!?with_cman: --without-cman} \ --without-heartbeat \ %{!?with_doc: --with-brand=} \ + %{!?with_hardening: --disable-hardening} \ --with-initdir=%{_initrddir} \ --localstatedir=%{_var} \ --with-version=%{version}-%{release} diff --git a/pengine/Makefile.am b/pengine/Makefile.am index 96c914f..d4dbfb9 100644 --- a/pengine/Makefile.am +++ b/pengine/Makefile.am @@ -61,12 +61,18 @@ endif noinst_HEADERS = allocate.h utils.h pengine.h libpengine_la_LDFLAGS = -version-info 11:0:1 + +libpengine_la_CFLAGS = $(CFLAGS_HARDENED_LIB) +libpengine_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) + libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \ $(top_builddir)/lib/cib/libcib.la # -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version libpengine_la_SOURCES = pengine.c allocate.c utils.c constraints.c libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c +pengine_CFLAGS = $(CFLAGS_HARDENED_EXE) +pengine_LDFLAGS = $(LDFLAGS_HARDENED_EXE) pengine_LDADD = $(top_builddir)/lib/cib/libcib.la $(COMMONLIBS) # libcib for get_object_root() # $(top_builddir)/lib/hbclient/libhbclient.la -- 1.8.3.1 From 35ec27112452f2bd06ae8b395d8543db935e2b05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= Date: Wed, 22 Jun 2016 15:18:00 +0200 Subject: [PATCH 2/2] Build: configure.ac: prefer as-needed linking in case of "-z now" Slight optimization of a default toolchain-flags-based hardening. --- configure.ac | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index edf6a91..4beb877 100644 --- a/configure.ac +++ b/configure.ac @@ -1914,7 +1914,10 @@ elif test "x${HARDENING}" = "xyes" \ pie=1] ) fi - # daemons incl. libs: full RELRO if sensible + # daemons incl. libs: full RELRO if sensible + as-needed linking + # so as to possibly mitigate startup performance + # hit caused by excessive linking with unneeded + # libraries if test "${relro}" = 1 && test "${pie}" = 1; then flag="-Wl,-z,now" CC_CHECK_LDFLAGS(["${flag}"], @@ -1923,6 +1926,13 @@ elif test "x${HARDENING}" = "xyes" \ bindnow=1] ) fi + if test "${bindnow}" = 1; then + flag="-Wl,--as-needed" + CC_CHECK_LDFLAGS(["${flag}"], + [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; + LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"] + ) + fi # universal: prefer strong > all > default stack protector if possible flag= if cc_supports_flag -fstack-protector-strong; then -- 1.8.3.1