[Buildroot] [PATCH v2 2/2] security hardening: add RELFO, FORTIFY options
Stefan Fröberg
stefan.froberg at petroprogram.com
Wed Nov 8 02:01:11 UTC 2017
On 6.11.2017 at 23:14, Arnout Vandecappelle wrote:
> @@ -181,6 +184,28 @@ TARGET_CXXFLAGS += -fstack-protector-all
> TARGET_FCFLAGS += -fstack-protector-all
> endif
>
> +ifeq ($(BR2_RELRO_PARTIAL),y)
> +TARGET_CFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_CXXFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_FCFLAGS += $(TARGET_CFLAGS_RELRO)
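Review bot: $(TARGET_CFLAGS_RELRO) carries a linker-side setting (RELRO is a property of the output's program headers, not of object code), so adding it only to TARGET_CFLAGS, TARGET_CXXFLAGS and TARGET_FCFLAGS reaches the linker solely for packages whose build passes compiler flags through to the link step; add it to TARGET_LDFLAGS in the same ifeq block, and a name such as TARGET_LDFLAGS_RELRO would make the intent clearer than the CFLAGS-named variable this hunk reuses.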
> Since these are linker flags, it _should_ be sufficient to add them to LDFLAGS.
> There may be some packages that don't listen to LDFLAGS so in that sense it
> could be a good idea to add it to CFLAGS as well, but I tend to prefer to fix
> the packages. Only, there is no easy way to detect that LDFLAGS are ignored.
>
There could be a way to tell if a package shows the middle finger to CFLAGS/CXXFLAGS/LDFLAGS and just ignores the hardening options.
There's a little perl script called hardening-check that could be used to do post-installation checking of which packages actually respected the flags:
http://manpages.ubuntu.com/manpages/trusty/man1/hardening-check.1.html
I have a copy of that perl script here:
https://www.orwell1984.today/hardening-check
I also did the following little test:
1. First compiled turbovnc against i686-uclibc without any hardening and then ran "hardening-check -c output/target/usr/bin/Xvnc", with the following results:
output/target/usr/bin/Xvnc:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no, not found!
2. Then forced the gcc compiler to use hardening features by using a GCC spec file, so that if turbovnc did ignore CFLAGS/CXXFLAGS/LDFLAGS it would still be force-fed the right hardening options, like this:
- Dump the built-in specs file with "$(HOST_CC) -dumpspecs > specs" and then edit it to enable all the hardening stuff (here's mine for i686-uclibc, forgot to enable stack protection: https://www.orwell1984.today/specs)
- Find the location where gcc looks for the specs file with "dirname $($(HOST_CC) --print-libgcc-file-name)" and move the edited specs file there
- Rebuild turbovnc
- And finally, check with "hardening-check -c output/target/usr/bin/Xvnc", with the following result:
output/target/usr/bin/Xvnc:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
Here turbovnc was built with pie, relro, now and, if I had remembered to enable stack protection in the toolchain, also with stack protection.
So that's one way to force & check hardening afterwards. But I have to admit, not a very elegant way.
Maybe there could be a hardened directory with some premade "profiles" (gcc spec files) for various arch-lib combos which could be selected from the menu, and then the buildroot cross-compiler would have its `dirname $($HOST_CC --print-libgcc-file-name)`/specs be just a symlink to that arch-lib combo, like this:
output/host/lib/gcc/i686-buildroot-linux-uclibc/6.4.0/specs -->
../../../../../../hardened/i686/uclibc/specs
If selecting the vanilla, non-hardened toolchain from the menu, it would just remove the symlink.
And maybe there could be an option to run the hardening-check script at the end of the installation.
Just throwing thoughts around
-S-
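The checks hardening-check performs on the Xvnc binary above (PIE, stack protector, FORTIFY, RELRO, BIND_NOW) can be reproduced by reading the ELF headers directly, which is handy for a post-build audit of output/target without a perl dependency. The script below is an added example and is not code from the thread, from hardening-check, or from Buildroot. It parses little-endian ELF32/ELF64 program headers and the dynamic section, and it assumes (as an approximation of hardening-check's import checks) that a `__stack_chk_fail` entry in the dynamic string table marks stack protection and that any `__*_chk` entry marks FORTIFY use. Since no real binary can be shipped inline, `build_sample_elf` constructs a minimal synthetic ELF whose headers carry chosen properties; `check_hardening` works the same way on a real file.

```python
"""Re-implementation of hardening-check's ELF property checks (added example)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# EI_CLASS -> (ehdr fmt after e_ident, phdr fmt, phdr field order, dyn entry fmt)
_LAYOUT = {
    1: ("<HHIIIIIHHHHHH", "<8I", "type off vaddr paddr filesz memsz flags align", "<iI"),
    2: ("<HHIQQQIHHHHHH", "<IIQQQQQQ", "type flags off vaddr paddr filesz memsz align", "<qQ"),
}


def _parse(data):
    """Return (e_type, program headers, dynamic entries) of a little-endian ELF."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[data[4]]
    hdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = [dict(zip(fields.split(), struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    dyn = []
    for ph in phdrs:
        if ph["type"] == PT_DYNAMIC:
            off, step = ph["off"], struct.calcsize(dyn_fmt)
            while off + step <= len(data):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                dyn.append((tag, val))
                off += step
    return e_type, phdrs, dyn


def _vaddr_to_off(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return ph["off"] + vaddr - ph["vaddr"]
    raise ValueError("address not backed by the file")


def check_hardening(data):
    """Return the five hardening properties hardening-check reports, as booleans."""
    e_type, phdrs, dyn = _parse(data)
    tags = dict(dyn)
    names = set()
    if DT_STRTAB in tags and DT_STRSZ in tags:
        off = _vaddr_to_off(phdrs, tags[DT_STRTAB])
        names = {s.decode("ascii", "replace") for s in data[off:off + tags[DT_STRSZ]].split(b"\0") if s}
    return {
        "pie": e_type == ET_DYN,
        "relro": any(ph["type"] == PT_GNU_RELRO for ph in phdrs),
        "bind_now": bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW or tags.get(DT_FLAGS_1, 0) & DF_1_NOW),
        "stack_protector": "__stack_chk_fail" in names,          # assumption: import name check
        "fortify": any(n.startswith("__") and n.endswith("_chk") for n in names),  # assumption
    }


def format_report(name, r):
    """Render the result in the same row order hardening-check prints."""
    rows = [("Position Independent Executable", r["pie"]), ("Stack protected", r["stack_protector"]),
            ("Fortify Source functions", r["fortify"]), ("Read-only relocations", r["relro"]),
            ("Immediate binding", r["bind_now"])]
    return "\n".join([f"{name}:"] + [f" {k}: {'yes' if v else 'no'}" for k, v in rows])


def build_sample_elf(pie, relro, bind_now, imports, elf64=True):
    """Constructed sample: a minimal, non-runnable ELF whose headers carry the given properties."""
    cls = 2 if elf64 else 1
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[cls]
    ehsize, phentsize = 16 + struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    phnum = 3 if relro else 2
    strtab = b"\0" + b"\0".join(s.encode() for s in imports) + b"\0"
    str_off = ehsize + phnum * phentsize
    dyn_off = (str_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in [
        (DT_STRTAB, str_off), (DT_STRSZ, len(strtab)), (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, DF_1_NOW if bind_now else 0), (DT_NULL, 0)])
    total = dyn_off + len(dyn)

    def phdr(ptype, off, size, flags=4):
        v = dict(type=ptype, flags=flags, off=off, vaddr=off, paddr=off, filesz=size, memsz=size, align=8)
        return struct.pack(phdr_fmt, *(v[f] for f in fields.split()))

    phdrs = phdr(PT_LOAD, 0, total, 5) + phdr(PT_DYNAMIC, dyn_off, len(dyn), 6)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dyn))
    ident = b"\x7fELF" + bytes([cls, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(ehdr_fmt, ET_DYN if pie else ET_EXEC, 0x3E if elf64 else 3, 1, 0,
                               ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    body = ehdr + phdrs + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(True, True, True, ["__stack_chk_fail", "__memcpy_chk"])
    print(format_report(path or "synthetic-sample", check_hardening(data)))
```

Run it as `python3 elfcheck.py output/target/usr/bin/Xvnc` (filename assumed) to audit a real target binary; with no argument it reports on the constructed sample. Treating the string table as the import list is deliberately coarse: it also sees exported and library names, so for a precise "only unprotected functions found" verdict one would walk the dynamic symbol table and compare each fortifiable libc function against its `__*_chk` variant.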