On Wed, Aug 22, 2012 at 3:36 PM, Russ Allbery <rra@xxxxxxxxxxxx> wrote:
> Jeffrey Walton <noloader@xxxxxxxxx> writes:
>
>> $ ./configure CFLAGS="-Wall -Wextra -Wconversion -fPIE
>> -Wno-unused-parameter -Wformat=2 -Wformat-security
>> -fstack-protector-all -Wstrict-overflow -Wl,-pie -Wl,-z,noexecstack
>> -Wl,-z,relro -Wl,-z,now"
>
> The thing that jumps out at me as different between what Debian uses for
> its normal hardening flags and what you're using is the -Wl,-pie flag in
> CFLAGS. Debian just uses -fPIE in CFLAGS and then adds -fPIE -pie to
> LDFLAGS. I'm not sure if that would make a difference.

Yea, I usually use -fPIE -pie (or -fPIC -pic), but I was having so much
trouble I tried passing -pie directly to the linker.

> You in general want to avoid ever using -Wl if you can help it, since
> you're hiding the flag from the compiler by using that. If the compiler
> needed to know that you were linking that way so that it could do other
> magic itself, you break that support by using -Wl.

I've never really thought of it that way - it was more like "I'm talking
to the linker." Good point, taken.

> Here's what Debian is using:
>
> CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> CPPFLAGS=-D_FORTIFY_SOURCE=2
> CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> FFLAGS=-g -O2
> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now

Debian does a good job. I think there is room for improvement (such as DEP
and ASLR), and hope the maintainers stiffen their security posture in the
future. The idea: make it secure out of the box, and let those who want to
shoot themselves in the foot do so. For example, apply -z,noexecstack out
of the box, and let folks turn it off with -z,execstack. The posture would
have saved a number of folks from, for example, Pidgin's latest rounds of
Critical Vulnerabilities (memory corruption and code execution). No-exec
stacks and heaps would have reduced many/most to an annoying UI problem (a
call to abort()).

> Also, you should generally not add -Wall -Wextra to the configure flags,
> and instead add it after configure completes, since many of the tricks
> configure has to use will result in warnings when you turn on all the
> compiler warnings, which can confuse configure.

This was a very good point and I had to think about it for a while.

Are there Autoconf variables for this? For example, rather than:

  ./configure "CFLAGS=..." "CXXFLAGS=..."

could we instead use Autoconf defined stuff:

  ./configure "ac_warnings=-Wall -Wextra -Wconversion" \
    "ac_cflags=-fstack-protector-all..." \
    ac_so_flags=... ac_exe_flags=...

Autoconf could use ac_cflags as it is being used now(?) and save
ac_warnings for later use (by Automake?) when real source files are
compiled.

Jeff

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
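Whichever way the flags are passed (CFLAGS, LDFLAGS, or -Wl), what matters is whether the final binary actually carries the properties the thread is after: PIE, a non-executable stack (-z noexecstack), and RELRO with immediate binding (-z relro -z now). The script below is an added example, not code from this thread or from Autoconf or Debian; it reads a 64-bit ELF's program headers and dynamic section the way checksec-style tools do. The build_elf helper is an assumption for testing: it constructs a header-only ELF image with the fields the checker reads (it is not a runnable binary), and checksec_file is what you would point at a real binary built with the Debian flags.

```python
import struct
import sys

# ELF constants as defined in <elf.h> / the gABI
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def checksec(data: bytes) -> dict:
    """Report PIE / NX-stack / RELRO status of a 64-bit ELF image.

    PIE is inferred from ET_DYN (shared objects are ET_DYN too, so run this
    on executables). A missing PT_GNU_STACK header is reported as an
    executable stack, which is what the Linux loader assumes on x86 when
    the header is absent.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only 64-bit ELF images are handled here")
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)

    nx_stack = False  # absent PT_GNU_STACK => executable stack
    has_relro = False
    bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section for the flags that -z now sets
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(e + "qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                    bind_now = True

    # Full RELRO needs both the read-only segment and immediate binding
    relro = "full" if has_relro and bind_now else ("partial" if has_relro else "none")
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def checksec_file(path: str) -> dict:
    """Run checksec() on an ELF executable on disk."""
    with open(path, "rb") as fh:
        return checksec(fh.read())


def build_elf(pie: bool, execstack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a minimal little-endian ELF64 image carrying only
    the headers checksec() reads. It is not a loadable program."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2  # PT_DYNAMIC, PT_GNU_STACK, optional PT_GNU_RELRO
    dyn_off = 64 + 56 * n_ph  # dynamic entries follow the program headers

    def ph(p_type, p_flags, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)

    phdrs = [ph(PT_DYNAMIC, 6, dyn_off, len(dyn)),
             ph(PT_GNU_STACK, 7 if execstack else 6)]  # 7 = RWX, 6 = RW
    if relro:
        phdrs.append(ph(PT_GNU_RELRO, 4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                              62, 1, 0, 64, 0, 0, 64, 56, n_ph, 0, 0, 0)
    return hdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(checksec_file(sys.argv[1]))
    else:
        print("hardened:", checksec(build_elf(True, False, True, True)))
        print("weak:    ", checksec(build_elf(False, True, False, False)))
```

On a real build, `python3 checksec.py ./a.out` after linking with Debian's LDFLAGS should report `pie: True`, `nx_stack: True`, `relro: 'full'`; dropping `-z now` turns the result into partial RELRO, and adding `-z execstack` (or linking an object that requests it) flips `nx_stack` to False, which is the regression the thread's "secure out of the box" argument is about.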