[Buildroot] [PATCH v2 2/2] security hardening: add RELFO, FORTIFY options

Arnout Vandecappelle arnout at mind.be
Sat Nov 11 10:42:05 UTC 2017



On 08-11-17 03:01, Stefan Fröberg wrote:
> 
> 
> 6.11.2017, 23:14, Arnout Vandecappelle wrote:
>> @@ -181,6 +184,28 @@ TARGET_CXXFLAGS += -fstack-protector-all
>>   TARGET_FCFLAGS += -fstack-protector-all
>>   endif
>>   +ifeq ($(BR2_RELRO_PARTIAL),y)
>> +TARGET_CFLAGS += $(TARGET_CFLAGS_RELRO)
>> +TARGET_CXXFLAGS += $(TARGET_CFLAGS_RELRO)
>> +TARGET_FCFLAGS += $(TARGET_CFLAGS_RELRO)
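Review bot: RELRO takes effect at link time, but the lines under ifeq ($(BR2_RELRO_PARTIAL),y) append $(TARGET_CFLAGS_RELRO) only to TARGET_CFLAGS, TARGET_CXXFLAGS and TARGET_FCFLAGS, and the visible hunk has no matching line for the linker flags. Suggest appending the value to TARGET_LDFLAGS as well, and naming the variable for what it holds, since a CFLAGS-named variable carrying linker options is easy to misuse. A package that links without passing the compiler flags through would otherwise be built without RELRO, and nothing in this hunk would report it.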
>>   Since these are linker flags, it _should_ be sufficient to add them to LDFLAGS.
>> There may be some packages that don't listen to LDFLAGS so in that sense it
>> could be a good idea to add it to CFLAGS as well, but I tend to prefer to fix
>> the packages. Only, there is no easy way to detect that LDFLAGS are ignored.
>>
> 
> There could be a way to tell if a package shows the middle finger to
> CFLAGS/CXXFLAGS/LDFLAGS
> and just ignores the hardening options.
> 
> There's a little Perl script called hardening-check that could be used to do
> post-installation checking
> of which packages actually respected the flags.
> 
> http://manpages.ubuntu.com/manpages/trusty/man1/hardening-check.1.html
> 
> I have a copy of that perl script here:
> https://www.orwell1984.today/hardening-check

 Yeah, Matthew already proposed to include a (different) hardening check script.
I think that that's a good idea.

[snip]
> Maybe there could be a hardened directory with some premade "profiles" (gcc spec
> files) for various arch-lib combos
> which could be selected from the menu and then the buildroot cross-compiler would have
> its `dirname $($HOST_CC) --print-libgcc-file-name`/specs be just a symlink to
> that arch-lib combo, like this:
> 
> output/host/lib/gcc/i686-buildroot-linux-uclibc/6.4.0/specs -->
> ../../../../../../hardened/i686/uclibc/specs
> 
> If selecting vanilla, non-hardened toolchain from menu, it would just remove the
> symlink.

 Hm, I think messing with the specs file is making things complicated...

 However, we do have a toolchain wrapper and we could add the hardening options
in there instead of in CFLAGS. One small caveat, however: some packages may not
build at all with some of the hardening options (-pie for example), in
particular bootloaders and kernels are prone to be problematic. Otherwise it
sounds like a viable option though.

> And maybe there could be an option to run the hardening-check script at the end of
> installation.

 Yep, certainly.

 Regards,
 Arnout

> 
> Just throwing thoughts around
> -S-

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
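
A sketch of the post-installation check discussed in this thread, as an added example (not code from the thread, from hardening-check, or from Buildroot): it reads an ELF file's program headers and dynamic section to tell whether the RELRO linker options actually reached the link step. The names relro_level and sample_elf are made up for this example, and the sample ELF images are constructed in the code.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_level(elf: bytes) -> str:
    """Classify an ELF image as 'none', 'partial' or 'full' RELRO ('not-elf' otherwise)."""
    if elf[:4] != b"\x7fELF" or len(elf) < 52 or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        return "not-elf"
    is64 = elf[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little endian, 2 = big endian
    relro = bind_now = False
    try:
        # Locate the program header table: e_phoff, e_phentsize, e_phnum.
        phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 0x20 if is64 else 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x36 if is64 else 0x2A)
        for i in range(phnum):
            base = phoff + i * phentsize
            if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
                p_type, _, p_off, _, _, p_filesz = struct.unpack_from(e + "IIQQQQ", elf, base)
            else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz
                p_type, p_off, _, _, p_filesz = struct.unpack_from(e + "IIIII", elf, base)
            if p_type == PT_GNU_RELRO:
                relro = True             # the link was done with -z relro
            elif p_type == PT_DYNAMIC:
                entry = struct.Struct(e + ("qQ" if is64 else "iI"))
                for off in range(p_off, p_off + p_filesz, entry.size):
                    tag, val = entry.unpack_from(elf, off)
                    if tag == DT_NULL:
                        break
                    if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                            or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                        bind_now = True  # the link was done with -z now
    except struct.error:
        return "not-elf"                 # truncated or malformed headers
    return "full" if relro and bind_now else "partial" if relro else "none"

def sample_elf(relro: bool, dyn_tags: list) -> bytes:
    """Constructed minimal ELF64 little-endian image: headers and dynamic entries only."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    off = 64 + 56 * len(types)           # dynamic entries follow the program headers
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, len(dyn), len(dyn), 8)
                     for t in types)
    return ehdr + phdrs + dyn
```

Run over every file in the target root filesystem after the build, a result of "none" for a binary built with RELRO enabled points at a package that ignored the flags.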

