From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> By passing the flags -z relro -z now to the linker, we can force it to resolve all library symbols at startup, instead of on-demand. This allows it to then make the global offset table (GOT) read-only, which makes some security attacks harder. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> --- configure.ac | 1 + daemon/Makefile.am | 1 + m4/virt-linker-relro.m4 | 15 +++++++++++++++ src/Makefile.am | 43 +++++++++++++++++++++++++++++++------------ tools/Makefile.am | 2 ++ 5 files changed, 50 insertions(+), 12 deletions(-) create mode 100644 m4/virt-linker-relro.m4 diff --git a/configure.ac b/configure.ac index 69d87fc..4c93e7d 100644 --- a/configure.ac +++ b/configure.ac @@ -142,6 +142,7 @@ AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS]) LIBVIRT_COMPILE_WARNINGS LIBVIRT_COMPILE_PIE +LIBVIRT_LINKER_RELRO LIBVIRT_CHECK_APPARMOR LIBVIRT_CHECK_ATTR diff --git a/daemon/Makefile.am b/daemon/Makefile.am index bf260b1..3532bd5 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -113,6 +113,7 @@ libvirtd_CFLAGS = \ libvirtd_LDFLAGS = \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(COVERAGE_LDFLAGS) libvirtd_LDADD = \ diff --git a/m4/virt-linker-relro.m4 b/m4/virt-linker-relro.m4 new file mode 100644 index 0000000..eeff0f8 --- /dev/null +++ b/m4/virt-linker-relro.m4 @@ -0,0 +1,15 @@ +dnl +dnl Check for -z now and -z relro linker flags +dnl +AC_DEFUN([LIBVIRT_LINKER_RELRO],[ + AC_MSG_CHECKING([for how to force completely read-only GOT table]) + + RELRO_LDFLAGS= + `$LD --help 2>&1 | grep -- "-z relro" >/dev/null` && \ + RELRO_LDFLAGS="-Wl,-z -Wl,relro" + `$LD --help 2>&1 | grep -- "-z now" >/dev/null` && \ + RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now" + AC_SUBST([RELRO_LDFLAGS]) + + AC_MSG_RESULT([$RELRO_LDFLAGS]) +]) diff --git a/src/Makefile.am b/src/Makefile.am index b33737f..78b4ab6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1537,10 +1537,15 @@ libvirt_lxc.def: $(srcdir)/libvirt_lxc.syms # Empty source list - it merely links a bunch of convenience libs together libvirt_la_SOURCES = -libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(LIBVIRT_NODELETE) $(AM_LDFLAGS) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) +libvirt_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(LIBVIRT_NODELETE) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la libvirt_la_LIBADD += \ $(DRIVER_MODULE_LIBS) \ @@ -1616,18 +1621,26 @@ endif EXTRA_DIST += libvirt_probes.d libvirt_qemu_probes.d libvirt_qemu_la_SOURCES = libvirt-qemu.c -libvirt_qemu_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \ - $(AM_LDFLAGS) +libvirt_qemu_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_qemu_la_CFLAGS = $(AM_CFLAGS) libvirt_qemu_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) libvirt_lxc_la_SOURCES = libvirt-lxc.c -libvirt_lxc_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \ - $(AM_LDFLAGS) +libvirt_lxc_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_lxc_la_CFLAGS = $(AM_CFLAGS) libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) EXTRA_DIST += $(LIBVIRT_LXC_SYMBOL_FILE) @@ -1675,6 +1688,7 @@ virtlockd_CFLAGS = \ virtlockd_LDFLAGS = \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(CYGWIN_EXTRA_LDFLAGS) \ $(MINGW_EXTRA_LDFLAGS) \ $(NULL) @@ -1923,6 +1937,7 @@ libvirt_iohelper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_iohelper_LDADD = \ libvirt_util.la \ @@ -1946,6 +1961,7 @@ libvirt_parthelper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_parthelper_LDADD = \ $(LIBPARTED_LIBS) \ @@ -1978,6 +1994,7 @@ libvirt_sanlock_helper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_sanlock_helper_LDADD = libvirt.la endif @@ -1994,6 +2011,7 @@ libvirt_lxc_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_lxc_LDADD = \ $(FUSE_LIBS) \ @@ -2038,6 +2056,7 @@ virt_aa_helper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) virt_aa_helper_LDADD = \ libvirt_conf.la \ diff --git a/tools/Makefile.am b/tools/Makefile.am index 09a9bdd..07c9f43 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -100,6 +100,7 @@ virt_host_validate_SOURCES = \ virt_host_validate_LDFLAGS = \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(COVERAGE_LDFLAGS) \ $(NULL) @@ -135,6 +136,7 @@ virsh_LDADD = \ $(STATIC_BINARIES) \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ ../src/libvirt.la \ ../src/libvirt-lxc.la \ ../src/libvirt-qemu.la \ -- 1.7.11.7 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list