> > On 08/18/2017 02:09 PM, Frediano Ziglio wrote: > >> > >> Enable NX (prevent data to be executable) and ASLR (address > >> randomisation). > >> > >> Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > >> --- > >> Makefile.am | 27 ++++++++++++++++++++++++--- > >> 1 file changed, 24 insertions(+), 3 deletions(-) > >> > >> diff --git a/Makefile.am b/Makefile.am > >> index 62640f2..3556681 100644 > >> --- a/Makefile.am > >> +++ b/Makefile.am > >> @@ -20,11 +20,31 @@ endif > >> # -lversion is needed for the GetFileVersion* API which is used by > >> vdlog.cpp > >> LIBS = -lversion > >> > >> +# binutils does not take into account entry point when > >> +# -pie is used so we need to provide it manually > >> +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_) > >> + > >> +# --dynamicbase to enable ASLR protection > >> +# --nxcompat is to enable NX protection > >> +# --pie as --dynamicbase requires relocations > > Hi Frediano, > > man ld suggests that --dynamicbase should be used for 32 bit > and --high-entropy-va for 64 bit. > > Regards, > Uri. > I have another patch for that but it basically states that --high-entropy-va is not reliable on binutils. You should have an high image base but currently binutils fails to change the image base to these addresses. This bug (2 years old) ask to do some changes in this respect https://sourceware.org/bugzilla/show_bug.cgi?id=19011 but there are no much progress on it. Frediano > >> +LDFLAGS_SECURITY_COMMON = \ > >> + -Wl,--dynamicbase -Wl,-pie \ > >> + -Wl,--nxcompat \ > >> + $(NULL) > >> +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \ > >> + -Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \ > >> + -mwindows \ > >> + $(NULL) > >> +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \ > >> + -Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \ > >> + -mconsole \ > >> + $(NULL) > >> + > >> bin_PROGRAMS = vdagent vdservice > >> > >> vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32 > >> vdagent_rc.$(OBJEXT) > >> vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS) > >> -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows > >> +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI) > >> vdagent_SOURCES = \ > >> common/vdcommon.cpp \ > >> common/vdcommon.h \ > >> @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc > >> MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT) > >> > >> vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT) > >> +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > >> vdservice_SOURCES = \ > >> common/stdint.h \ > >> common/vdcommon.cpp \ > >> @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest > >> > >> imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32 > >> imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS) > >> -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console > >> +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > >> imagetest_SOURCES = \ > >> common/vdcommon.cpp \ > >> common/vdcommon.h \ > >> @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win > >> TESTS += test-log > >> EXTRA_DIST += test-log > >> > >> -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console > >> +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > >> test_log_win_SOURCES = \ > >> common/vdcommon.cpp \ > >> common/vdcommon.h \ > > > > Part of the complexity of this patch is due to this issue: > > > > https://sourceware.org/bugzilla/show_bug.cgi?id=21964 > > _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel