New hardened build support (coming) in F16
Steve Grubb
sgrubb at redhat.com
Tue Aug 9 03:16:12 UTC 2011
On Monday, August 08, 2011 12:23:43 PM Adam Jackson wrote:
> * 2: how do we go about doing it?
> All of this is only an issue because most build systems don't let you
> say different CFLAGS or LDFLAGS for shared libraries and executables.
> Sigh.
>
> So instead, we'll teach gcc to figure it out. To do this we'll use the
> -specs flag to pass some rewrite rules to the compiler driver. At
> compile time, if we don't see -fPIC or -fPIE on the command line, we'll
> add -fPIC. At link time, if we don't see -shared, we'll add -pie. This
> way we build relocatable objects that are always suitable for either
> type of final link object, and we'll only attempt to build a PIE if we
> know we're not building a shared library. Victory!
This is not the policy that I asked for. When you make a PIE executable, you
get ASLR which is good. But the way it does that is making a weakness in the
executable for the relocations. It causes a new segment to be writable. So,
you need full relro support when you do PIE to cover that new weakness. But
full relro can be expensive, so we only want that if the PLT is small.
(Defining small is still TBD.)
What we want is this:
1) Everything is compiled with partial relro. Libraries, executables, daemons,
setuid/setgid/setcap apps.
2) Anything that is setgid/setuid/setcap/daemon also include the "now" flags
and is PIE.
3) Anything that is parsing data from untrusted sources should also have full
relro/pie. That would be things like tcpdump/wireshark/firefox/evince
/file/netpbm etc.
4) Anything that has pie, should should also have full relro, therefore we
need to double check anything with PIE to make sure its really a good idea.
I sent an email to the fedora-test list last week announcing a program that
can check any package or the whole distribution for compliance with this
policy with the exception of rule #3 above. No idea how to make a heuristic
for that. The program is located here:
http://people.redhat.com/sgrubb/files/rpm-chksec
> * 3: what does this mean for you?
>
> The link-time bit of the last paragraph required a bit of gcc magic to
> get right (previously specs rules could only add strings to the command
> line of the program to invoke; they could not rewrite gcc's notion of
> which flags had been passed in the first place). Thanks to a patch from
> Jakub Jelinek, this is now fixed in gcc-4.6.1-7.fc16, and will be in gcc
> 4.7 and later. As a result, %defined _hardened_build 1 will not work
> until that gcc update has gone through.
>
> Once that's done (and redhat-rpm-config-9.1.0-15.fc16 has been gone
> through updates), if you're using a %configure-style spec file, defining
> the magic macro is all you have to do. The rpm macros will notice the
> macro, and put the right magic into CFLAGS and LDFLAGS, and everything
> is great and wonderful.
Except that is not exactly the policy I asked for. :)
> If you're _not_ using %configure, then you have to do whatever is
> conventional for your build system to get CFLAGS and LDFLAGS inherited
> properly. For CFLAGS, this will be $RPM_OPT_FLAGS or %{optflags} as
> before. As of rpm-4.9.1-3.fc16, you will be able to say $RPM_LD_FLAGS
> for the corresponding LDFLAGS values. Until then, there is no such
> shell variable, but you can get the same effect from
> %{?__global_ldflags}. Yes, that's ugly, sorry.
>
> If you are the owner of one of the packages listed here:
>
> https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_fl
> ags
This list is woefully incomplete. I would advocate a much larger list. For
example, sudo is a very important program that we make security claims about.
It is not on that list.
> Then I have locally built (though not extensively tested) your package
> with the appropriate specfile modifications, and the results do indeed
> appear to be fully hardened. If you would like to handle the rebuilds
> yourself, please let me know. Otherwise I will submit them myself once
> the relevant updates have gone through.
I anyone does this and the program is used extensively, we need to know the
extent of the performance hit. If this flag automatically turns on full relro
for libraries, we have a problem.
I think there should have been some discussion about this on the FESCO request
I submitted. I have some concerns about what was implemented. Are there bz
filed for this or more discussion about it somewhere?
Thanks,
-Steve
More information about the devel
mailing list