[PATCH 1/2] Build all binaries with PIE

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC. The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This for allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 configure.ac           |  1 +
 daemon/Makefile.am     |  5 +++--
 m4/virt-compile-pie.m4 | 13 ++++++++++++
 src/Makefile.am        | 57 +++++++++++++++++++++++++++++++++++++++++---------
 tools/Makefile.am      |  6 +++++-
 5 files changed, 69 insertions(+), 13 deletions(-)
 create mode 100644 m4/virt-compile-pie.m4

diff --git a/configure.ac b/configure.ac
index 09e4ad9..69d87fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -141,6 +141,7 @@ VERSION_SCRIPT_FLAGS=-Wl,--version-script=
 AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
 
 LIBVIRT_COMPILE_WARNINGS
+LIBVIRT_COMPILE_PIE
 
 LIBVIRT_CHECK_APPARMOR
 LIBVIRT_CHECK_ATTR
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 4d5c2fd..bf260b1 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -106,12 +106,13 @@ libvirtd_SOURCES = $(DAEMON_SOURCES)
 libvirtd_CFLAGS = \
 	$(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \
 	$(XDR_CFLAGS) $(POLKIT_CFLAGS) $(DBUS_CFLAGS) $(LIBNL_CFLAGS) \
-	$(WARN_CFLAGS) \
+	$(WARN_CFLAGS) $(PIE_CFLAGS) \
 	$(COVERAGE_CFLAGS) \
 	-DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\""
 
 libvirtd_LDFLAGS =					\
-	$(WARN_CFLAGS)					\
+	$(WARN_LDFLAGS)					\
+	$(PIE_LDFLAGS)					\
 	$(COVERAGE_LDFLAGS)
 
 libvirtd_LDADD =					\
diff --git a/m4/virt-compile-pie.m4 b/m4/virt-compile-pie.m4
new file mode 100644
index 0000000..fc2d444
--- /dev/null
+++ b/m4/virt-compile-pie.m4
@@ -0,0 +1,13 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+AC_DEFUN([LIBVIRT_COMPILE_PIE],[
+    PIE_CFLAGS=
+    PIE_LDFLAGS=
+    gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
+        PIE_CFLAGS="-fPIE -DPIE"
+        PIE_LDFLAGS="-pie"
+    ])
+    AC_SUBST([PIE_CFLAGS])
+    AC_SUBST([PIE_LDFLAGS])
+])
diff --git a/src/Makefile.am b/src/Makefile.am
index 3f69d39..b33737f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1670,9 +1670,11 @@ virtlockd_SOURCES = \
 		$(NULL)
 virtlockd_CFLAGS = \
 		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
 		$(NULL)
 virtlockd_LDFLAGS = \
 		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
@@ -1917,7 +1919,11 @@ libexec_PROGRAMS =
 if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_iohelper
 libvirt_iohelper_SOURCES = $(UTIL_IO_HELPER_SOURCES)
-libvirt_iohelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_iohelper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_iohelper_LDADD =		\
 		libvirt_util.la		\
 		../gnulib/lib/libgnu.la
@@ -1925,7 +1931,10 @@ if WITH_DTRACE_PROBES
 libvirt_iohelper_LDADD += libvirt_probes.lo
 endif
 
-libvirt_iohelper_CFLAGS = $(AM_CFLAGS)
+libvirt_iohelper_CFLAGS = \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif
 
 if WITH_STORAGE_DISK
@@ -1933,7 +1942,11 @@ if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_parthelper
 
 libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES)
-libvirt_parthelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_parthelper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_parthelper_LDADD =		\
 		$(LIBPARTED_LIBS)	\
 		libvirt_util.la		\
@@ -1942,7 +1955,11 @@ if WITH_DTRACE_PROBES
 libvirt_parthelper_LDADD += libvirt_probes.lo
 endif
 
-libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS) $(AM_CFLAGS)
+libvirt_parthelper_CFLAGS = \
+		$(LIBPARTED_CFLAGS) \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif
 endif
 EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES)
@@ -1952,8 +1969,16 @@ if WITH_SANLOCK
 libexec_PROGRAMS += libvirt_sanlock_helper
 
 libvirt_sanlock_helper_SOURCES = $(LOCK_DRIVER_SANLOCK_HELPER_SOURCES)
-libvirt_sanlock_helper_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
-libvirt_sanlock_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_sanlock_helper_CFLAGS = \
+		-I$(top_srcdir)/src/conf \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
+libvirt_sanlock_helper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_sanlock_helper_LDADD = libvirt.la
 endif
 
@@ -1965,7 +1990,11 @@ libvirt_lxc_SOURCES =						\
 		$(LXC_CONTROLLER_SOURCES)			\
 		$(NODE_INFO_SOURCES)				\
 		$(DATATYPES_SOURCES)
-libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(AM_LDFLAGS)
+libvirt_lxc_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_lxc_LDADD =			\
 		$(FUSE_LIBS) \
 		libvirt-net-rpc-server.la \
@@ -1981,8 +2010,10 @@ libvirt_lxc_LDADD += $(SECDRIVER_LIBS)
 libvirt_lxc_CFLAGS =				\
 		-I$(top_srcdir)/src/conf	\
 		$(AM_CFLAGS)                    \
+		$(PIE_CFLAGS)			\
 		$(LIBNL_CFLAGS)			\
-		$(FUSE_CFLAGS)
+		$(FUSE_CFLAGS)			\
+		$(NULL)
 if WITH_BLKID
 libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
 libvirt_lxc_LDADD += $(BLKID_LIBS)
@@ -2003,7 +2034,11 @@ libexec_PROGRAMS += virt-aa-helper
 
 virt_aa_helper_SOURCES = $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)
 
-virt_aa_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+virt_aa_helper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 virt_aa_helper_LDADD =						\
 		libvirt_conf.la					\
 		libvirt_util.la					\
@@ -2014,7 +2049,9 @@ endif
 virt_aa_helper_CFLAGS =						\
 		-I$(top_srcdir)/src/conf			\
 		-I$(top_srcdir)/src/security			\
-		$(AM_CFLAGS)
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif
 endif
 EXTRA_DIST += $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 0010c39..09a9bdd 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -99,6 +99,7 @@ virt_host_validate_SOURCES = \
 
 virt_host_validate_LDFLAGS = \
 		$(WARN_LDFLAGS) \
+		$(PIE_LDFLAGS) \
 		$(COVERAGE_LDFLAGS) \
 		$(NULL)
 
@@ -109,6 +110,7 @@ virt_host_validate_LDADD = \
 
 virt_host_validate_CFLAGS = \
 		$(WARN_CFLAGS)					\
+		$(PIE_CFLAGS)					\
 		$(COVERAGE_CFLAGS)				\
 		$(NULL)
 
@@ -131,7 +133,8 @@ virsh_SOURCES =							\
 virsh_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS)
 virsh_LDADD =							\
 		$(STATIC_BINARIES)				\
-		$(WARN_CFLAGS)					\
+		$(WARN_LDFLAGS)					\
+		$(PIE_LDFLAGS)					\
 		../src/libvirt.la				\
 		../src/libvirt-lxc.la				\
 		../src/libvirt-qemu.la				\
@@ -140,6 +143,7 @@ virsh_LDADD =							\
 		$(VIRSH_LIBS)
 virsh_CFLAGS =							\
 		$(WARN_CFLAGS)					\
+		$(PIE_CFLAGS)					\
 		$(COVERAGE_CFLAGS)				\
 		$(LIBXML_CFLAGS)				\
 		$(READLINE_CFLAGS)
-- 
1.7.11.7

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]