Re: [vdagent-win PATCH] Enable some security options on output executables


 



On 08/18/2017 02:09 PM, Frediano Ziglio wrote:

Enable NX (prevent data from being executable) and ASLR (address
randomisation).

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
  Makefile.am | 27 ++++++++++++++++++++++++---
  1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 62640f2..3556681 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,11 +20,31 @@ endif
  # -lversion is needed for the GetFileVersion* API which is used by vdlog.cpp
  LIBS = -lversion
+# binutils does not take into account entry point when
+# -pie is used so we need to provide it manually
+ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
+
+# --dynamicbase to enable ASLR protection
+# --nxcompat is to enable NX protection
+# --pie as --dynamicbase requires relocations

Hi Frediano,

man ld suggests that --dynamicbase should be used for 32 bit
and --high-entropy-va for 64 bit.

Regards,
    Uri.

+LDFLAGS_SECURITY_COMMON = \
+	-Wl,--dynamicbase -Wl,-pie \
+	-Wl,--nxcompat \
+	$(NULL)
+LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
+	-Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
+	-mwindows \
+	$(NULL)
+LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
+	-Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
+	-mconsole \
+	$(NULL)
+
  bin_PROGRAMS = vdagent vdservice
vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
  vdagent_rc.$(OBJEXT)
  vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
-vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
+vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
  vdagent_SOURCES =			\
  	common/vdcommon.cpp             \
  	common/vdcommon.h		\
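Review bot: `ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)` mixes a simple `:=` assignment with GNU functions while the LDFLAGS_SECURITY_* definitions right below use plain `=`; in a Makefile.am both constructs are non-POSIX and automake's portability warnings are likely to flag the line, and `ENTRY_PREFIX = $(if $(filter x86_64,$(host_cpu)),,_)` keeps the file's existing style with no behavioural difference because `host_cpu` is fixed at configure time. The comment above it says binutils ignores the entry point under -pie but not when the workaround can be dropped, and since the cover mail already cites the tracker entry I would put it in the file: `# see https://sourceware.org/bugzilla/show_bug.cgi?id=21964`. The `$(host_cpu)` test presumably relies on AC_CANONICAL_HOST in configure.ac, which is outside this patch; if the variable is not substituted the filter is always empty, every build gets the `_` prefix, and 64-bit links fail on an undefined entry symbol, which is loud but deserves a one-line comment. Because these flags are only PE header bits, a check-time step that inspects the produced executables (for example `objdump -p` on the DllCharacteristics field) would catch a toolchain change silently dropping them; vdagent_SOURCES continues past the end of this hunk.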
@@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
  MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
+vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
  vdservice_SOURCES =			\
  	common/stdint.h			\
  	common/vdcommon.cpp             \
@@ -71,7 +92,7 @@ check_PROGRAMS = imagetest
imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
  imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
-imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
+imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
  imagetest_SOURCES =			\
  	common/vdcommon.cpp             \
  	common/vdcommon.h		\
@@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win
  TESTS += test-log
  EXTRA_DIST += test-log
-test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
+test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
  test_log_win_SOURCES =			\
  	common/vdcommon.cpp             \
  	common/vdcommon.h		\

Part of the complexity of this patch is due to this issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=21964

Frediano





