> > Hi, > > > On 08/17/2017 07:06 PM, Frediano Ziglio wrote:
> > Enable NX (prevent data to be executable) and ASLR (address
> > randomisation).
> >
> > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> > ---
> > Makefile.am | 27 ++++++++++++++++++++++++---
> > 1 file changed, 24 insertions(+), 3 deletions(-)
> >
> > diff --git a/Makefile.am b/Makefile.am
> > index 62640f2..3556681 100644
> > --- a/Makefile.am
> > +++ b/Makefile.am
> > @@ -20,11 +20,31 @@ endif
> > # -lversion is needed for the GetFileVersion* API which is used by
> > vdlog.cpp
> > LIBS = -lversion
> >
> > +# binutils does not take into account entry point when
> > +# -pie is used so we need to provide it manually
> > +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
> > +
> > +# --dynamicbase to enable ASLR protection
> > +# --nxcompat is to enable NX protection
> > +# --pie as --dynamicbase requires relocations
> Does PIC\PIE is needed? as far as i understand windows only uses > load-time relocation anyway > > (Implicitly mentioned here: > https://insights.sei.cmu.edu/cert/2014/02/differences-between-aslr-on-windows-and-linux.html) > > Snir Unfortunately yes. You cannot randomize addresses if you can't move the executable. Currently --dynamicbase only set a flag in the executable but without relocations you cannot change the load address. There are (in theory) different options to enable relocations on executable but currently -pie is the best (-r crash binutils and enable some different feature that we don't want). Frediano
> > +LDFLAGS_SECURITY_COMMON = \
> > + -Wl,--dynamicbase -Wl,-pie \
> > + -Wl,--nxcompat \
> > + $(NULL)
> > +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
> > + -Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
> > + -mwindows \
> > + $(NULL)
> > +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
> > + -Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
> > + -mconsole \
> > + $(NULL)
> > +
> > bin_PROGRAMS = vdagent vdservice
> >
> > vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
> > vdagent_rc.$(OBJEXT)
> > vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> > -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
> > +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
> > vdagent_SOURCES = \
> > common/vdcommon.cpp \
> > common/vdcommon.h \
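Review bot: On x86_64 hosts `LDFLAGS_SECURITY_COMMON` stops at `--dynamicbase`, so the 64-bit binaries do not opt into the larger address range that GNU ld's `--high-entropy-va` marks an image as compatible with. Adding `-Wl,--high-entropy-va` for that host would close the gap, provided the binutils versions the project supports have the option and the code never truncates pointers to 32 bits; neither is visible in this hunk. Put it behind an automake conditional rather than inside `$(if …)`, where the comma in `-Wl,…` would be read as an argument separator. Separately, `ENTRY_PREFIX` gives every host other than x86_64 the leading underscore, although that decoration belongs to 32-bit x86 only; `ENTRY_PREFIX := $(if $(filter i%86,$(host_cpu)),_,)` states the intended case directly.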
> > @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
> > MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
> >
> > vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
> > +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> > vdservice_SOURCES = \
> > common/stdint.h \
> > common/vdcommon.cpp \
> > @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest
> >
> > imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
> > imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> > -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> > +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> > imagetest_SOURCES = \
> > common/vdcommon.cpp \
> > common/vdcommon.h \
> > @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win
> > TESTS += test-log
> > EXTRA_DIST += test-log
> >
> > -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> > +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> > test_log_win_SOURCES = \
> > common/vdcommon.cpp \
> > common/vdcommon.h \
> _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
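Review bot: Nothing in the build checks that the linked programs carry the hardening that `vdservice_LDFLAGS` (second hunk) and `vdagent_LDFLAGS` now request, so a toolchain that accepts the flags but emits no relocation section would pass unnoticed. A `check-local` step that inspects each shipped program would catch that regression, for example `$(OBJDUMP) -h vdservice$(EXEEXT) | grep -q '\.reloc'`, assuming configure exports an `OBJDUMP` for the host, which is not visible here. The same step could print the DllCharacteristics field from `$(OBJDUMP) -p` so the ASLR and NX bits are confirmed as well. The `imagetest` and `test-log-win` hunks only swap the subsystem flag for `LDFLAGS_SECURITY_CUI` and need no check of their own.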