PIE (position independent executable) adds security to executables by composing them entirely of position-independent code (PIC. The .so libraries already build with -fPIC. This adds -fPIE which is the equivalent to -fPIC, but for executables. This for allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 configure.ac | 1 +
 m4/virt-compile-pie.m4 | 35 +++++++++++++++++++++++++++++++++++
 src/Makefile.am | 2 ++
 3 files changed, 38 insertions(+)
 create mode 100644 m4/virt-compile-pie.m4
diff --git a/configure.ac b/configure.ac
index b9ccf93..228ea11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,6 +38,7 @@ PKG_CHECK_MODULES(SYSTEMD, libsystemd >= $SYSTEMD_REQUIRED)
 LIBVIRT_COMPILE_WARNINGS
 LIBVIRT_LINKER_RELRO
+LIBVIRT_COMPILE_PIE
 AC_ARG_WITH(dbus-services,
 [AC_HELP_STRING([--with-dbus-services=<dir>],
diff --git a/m4/virt-compile-pie.m4 b/m4/virt-compile-pie.m4
new file mode 100644
index 0000000..a2df38e
--- /dev/null
+++ b/m4/virt-compile-pie.m4
@@ -0,0 +1,35 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_COMPILE_PIE],[
+ PIE_CFLAGS=
+ PIE_LDFLAGS=
+ case "$host" in
+ *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+ ;; dnl All code is position independent on Win32 target
+ *)
+ gl_COMPILER_OPTION_IF([-fPIE -DPIE -pie], [
+ PIE_CFLAGS="-fPIE -DPIE"
+ PIE_LDFLAGS="-pie"
+ ])
+ esac
+ AC_SUBST([PIE_CFLAGS])
+ AC_SUBST([PIE_LDFLAGS])
+])
diff --git a/src/Makefile.am b/src/Makefile.am
index 8dd8ecd..5d4cb04 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -20,12 +20,14 @@ libvirt_dbus_CFLAGS = \
 $(SYSTEMD_CFLAGS) \
 $(LIBVIRT_CFLAGS) \
 $(WARN_CFLAGS) \
+ $(PIE_CFLAGS) \
 $(NULL)
 libvirt_dbus_LDFLAGS = \
 $(SYSTEMD_LDFLAGS) \
 $(LIBVIRT_LDFLAGS) \
 $(RELRO_LDFLAGS) \
+ $(PID_LDFLAGS) \
 $(NULL)
 libvirt_dbus_LDADD = \
--
2.13.6
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
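Review bot: LIBVIRT_COMPILE_PIE has no comment saying that it degrades silently: when the `gl_COMPILER_OPTION_IF([-fPIE -DPIE -pie], ...)` probe fails, `PIE_CFLAGS` and `PIE_LDFLAGS` stay empty and the build continues without the hardening. I would add a line above `AC_DEFUN`, for example `dnl Sets PIE_CFLAGS/PIE_LDFLAGS; both stay empty (non-PIE build, no configure error) if the toolchain rejects the flags`. That tells packagers to check the configure output rather than assume the binary is PIE. The Win32 branch is already explained by its inline `dnl` remark.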
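Review bot: `$(PID_LDFLAGS)` in the `libvirt_dbus_LDFLAGS` list looks like a typo for `$(PIE_LDFLAGS)`, the variable that m4/virt-compile-pie.m4 substitutes. Nothing in this patch defines `PID_LDFLAGS`, so it presumably expands to nothing and `-pie` never reaches the link step. The objects are then compiled with `-fPIE` but the executable is still linked at a fixed address, so it does not get the load-address randomization the commit message describes. The line should read `$(PIE_LDFLAGS) \`; after the fix, `readelf -h` on the built binary should report type DYN. The `libvirt_dbus_LDADD` list continues outside the hunk.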