author | khorben <khorben@pkgsrc.org> | 2016-03-11 23:03:31 +0000 |
---|---|---|
committer | khorben <khorben@pkgsrc.org> | 2016-03-11 23:03:31 +0000 |
commit | 35e1364464de032ec92a94132037a96e202159d4 (patch) | |
tree | a31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk | |
parent | 6a553fa6bb9755be90e94f865fa347ffbbf4b44f (diff) | |
download | pkgsrc-35e1364464de032ec92a94132037a96e202159d4.tar.gz |
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
from functioning.
Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).
Tested on SunOS by jperkin@, thank you!
As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.
ok bsiegert@
Diffstat (limited to 'mk')
-rw-r--r-- | mk/bsd.prefs.mk | 31 | ||||
-rw-r--r-- | mk/compiler/gcc.mk | 23 | ||||
-rw-r--r-- | mk/defaults/mk.conf | 28 | ||||
-rw-r--r-- | mk/platform/NetBSD.mk | 40 | ||||
-rw-r--r-- | mk/platform/SunOS.mk | 10 | ||||
-rw-r--r-- | mk/wrapper/arg-source | 8 | ||||
-rw-r--r-- | mk/wrapper/bsd.wrapper.mk | 6 | ||||
-rw-r--r-- | mk/wrapper/cmd-sink-mkpie-gcc | 47 | ||||
-rw-r--r-- | mk/wrapper/transform-gcc | 11 |
9 files changed, 176 insertions, 28 deletions
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk index bba380a197c..a3686851292 100644 --- a/mk/bsd.prefs.mk +++ b/mk/bsd.prefs.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.prefs.mk,v 1.379 2016/03/11 05:42:35 tnn Exp $ +# $NetBSD: bsd.prefs.mk,v 1.380 2016/03/11 23:03:31 khorben Exp $ # # This file includes the mk.conf file, which contains the user settings. # @@ -709,6 +709,35 @@ _USE_CWRAPPERS= yes _USE_CWRAPPERS= no .endif +_PKGSRC_MKPIE= no +.if (${PKGSRC_MKPIE:tl} == "yes") && \ + (${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes") +_PKGSRC_MKPIE= yes +_GCC_CFLAGS+= ${_MKPIE_CFLAGS.gcc} +_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc} +.endif + +_PKGSRC_USE_FORTIFY= no +.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \ + (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes") +_PKGSRC_USE_FORTIFY= yes +_GCC_CFLAGS+= ${_FORTIFY_CFLAGS.gcc} +.endif + +_PKGSRC_USE_RELRO= no +.if (${PKGSRC_USE_RELRO:tl} == "yes") && \ + (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes") +_PKGSRC_USE_RELRO= yes +_GCC_LDFLAGS+= ${_RELRO_LDFLAGS.gcc} +.endif + +_PKGSRC_USE_SSP= no +.if (${PKGSRC_USE_SSP:tl} == "yes") && \ + (${_OPSYS_SUPPORTS_SSP:Uno} == "yes") +_PKGSRC_USE_SSP= yes +_GCC_CFLAGS+= ${_SSP_CFLAGS.gcc} +.endif + # Wrapper framework definitions .include "wrapper/wrapper-defs.mk" diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk index e0f73858081..1a575feffe3 100644 --- a/mk/compiler/gcc.mk +++ b/mk/compiler/gcc.mk @@ -1,4 +1,4 @@ -# $NetBSD: gcc.mk,v 1.164 2016/03/02 18:45:21 jperkin Exp $ +# $NetBSD: gcc.mk,v 1.165 2016/03/11 23:03:31 khorben Exp $ # # This is the compiler definition for the GNU Compiler Collection. # 
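Review bot: In the `@@ -709` hunk each `_PKGSRC_*` switch falls back to `no` with no diagnostic when the user asked for the feature but `_OPSYS_SUPPORTS_*` is unset, so setting `PKGSRC_USE_RELRO=yes` on an unsupported platform yields unhardened binaries with no sign that anything was skipped. The same holds for the MKPIE, FORTIFY and SSP blocks. A header comment would document the contract, for example `# _PKGSRC_<feature> is "yes" only when requested AND supported by the platform; an unsupported request is silently ignored`, and a make-time warning in the unsupported case would make the downgrade visible. Only `_GCC_CFLAGS`/`_GCC_LDFLAGS` are extended here, so with a non-GCC compiler the switch presumably reads `yes` while no flag is applied.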
@@ -338,6 +338,24 @@ _WRAP_EXTRA_ARGS.CC+= -std=gnu99 CWRAPPERS_APPEND.cc+= -std=gnu99 .endif +.if ${_PKGSRC_MKPIE} == "yes" +CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc} +# XXX this differs for libraries and executables +# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc} +.endif + +.if ${_PKGSRC_USE_FORTIFY} == "yes" +CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS.gcc} +.endif + +.if ${_PKGSRC_USE_RELRO} == "yes" +CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS.gcc} +.endif + +.if ${_PKGSRC_USE_SSP} == "yes" +CWRAPPERS_APPEND.cc+= ${_SSP_CFLAGS.gcc} +.endif + # GCC has this annoying behaviour where it advocates in a multi-line # banner the use of "#include" over "#import" when including headers. # This generates a huge number of warnings when building practically all @@ -713,9 +731,10 @@ _GCC_LDFLAGS= # empty . for _dir_ in ${_GCC_LIBDIRS:N*not_found*} _GCC_LDFLAGS+= -L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_} . endfor -LDFLAGS+= ${_GCC_LDFLAGS} .endif +LDFLAGS+= ${_GCC_LDFLAGS} + # Point the variables that specify the compiler to the installed # GCC executables. # diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf index 4d6e883bc91..568b72a6fa7 100644 --- a/mk/defaults/mk.conf +++ b/mk/defaults/mk.conf @@ -1,4 +1,4 @@ -# $NetBSD: mk.conf,v 1.262 2016/01/24 16:14:44 jperkin Exp $ +# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $ # # This file provides default values for variables that may be overridden 
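Review bot: With cwrappers the MKPIE block in the `@@ -338` hunk only appends `${_MKPIE_CFLAGS.gcc}` to `CWRAPPERS_APPEND.cc`; the link-time line is commented out, so objects are built position-independent but executables are never linked as PIE while `_PKGSRC_MKPIE` still reads `yes`. The commit message acknowledges that MKPIE is unsupported with cwrappers, but nothing in the code says so or stops the build. I would state it in the existing XXX comment, e.g. `# XXX cwrappers: -pie is not passed at link time, executables are NOT PIE`, or refuse the combination outright.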
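Review bot: The hunk header for `@@ -713` shows `_GCC_LDFLAGS= # empty` immediately before the `.for` loop, which looks like a plain assignment that would discard the `${_RELRO_LDFLAGS.gcc}` and `${_MKPIE_LDFLAGS.gcc}` values appended to `_GCC_LDFLAGS` in bsd.prefs.mk whenever the enclosing `.if` is taken. That conditional starts outside the hunk, so this needs checking against the full file. If it holds, moving `LDFLAGS+= ${_GCC_LDFLAGS}` below the `.endif` only helps when the block is skipped; changing the reset to `_GCC_LDFLAGS?= # empty`, or dropping it, would keep the hardening flags in both cases.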
@@ -215,20 +215,30 @@ PKGSRC_RUN_TEST?= no # Possible: yes, no # Default: no -PKGSRC_USE_FORT?= no +PKGSRC_MKPIE?= no +# If no, create regular executables. Otherwise create PIE (Position Independent +# Executables, on supported platforms). This option is necessary to fully +# leverage ASLR as a mitigation for security vulnerabilities. +# Possible: yes, no +# Default: no + +PKGSRC_USE_FORTIFY?= no # Turns on substitute wrappers for commonly used functions that do not bounds -# checking regularly, but could in some cases (with GCC for instance). +# checking regularly, but could in some cases. This is effectively in use only +# when both enabled and supported. +# Possible: yes, no +# Default: no + +PKGSRC_USE_RELRO?= no +# Link with RELRO by default (on supported platforms). This makes the +# exploitation of some security vulnerabilities more difficult in some cases. # Possible: yes, no # Default: no -.if ${PKGSRC_USE_FORT:Uno} != "no" -PKGSRC_USE_SSP?= yes -.else PKGSRC_USE_SSP?= no -.endif -# Set this to YES to enable stack-smashing protection (on supported platforms). +# Set this to yes to enable stack-smashing protection (on supported platforms). # Possible: yes, no -# Default: no, except if PKGSRC_USE_FORT is set to "yes". +# Default: no # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below. # Please add your platform here once you have confirmed it is correct diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk index c2666e2df37..d5270fedc05 100644 --- a/mk/platform/NetBSD.mk +++ b/mk/platform/NetBSD.mk @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.mk,v 1.46 2016/03/10 16:58:19 jperkin Exp $ +# $NetBSD: NetBSD.mk,v 1.47 2016/03/11 23:03:31 khorben Exp $ # # Variable definitions for the NetBSD operating system. 
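Review bot: Removing `PKGSRC_USE_FORT` in the `@@ -215` hunk leaves no handling for existing configurations: a user mk.conf that still sets `PKGSRC_USE_FORT=yes` now gets neither FORTIFY nor the SSP it used to imply, and nothing reports it. Seeding the new default from the old name, `PKGSRC_USE_FORTIFY?= ${PKGSRC_USE_FORT:Uno}`, would keep FORTIFY on for those users. The SSP change is deliberate per the commit message, but it deserves a line in the `PKGSRC_USE_SSP` comment block. The FORTIFY comment would also read better as `# Turns on substitute wrappers for commonly used functions that do not normally perform bounds checking, but could in some cases.`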
@@ -123,19 +123,35 @@ FFLAGS+= -mieee PKG_HAVE_KQUEUE= # defined .endif -.if ${PKGSRC_USE_FORT:Uno} != "no" -# build with fortify -_GCC_CFLAGS+= -D_FORTIFY_SOURCE=2 +# Register support for FORTIFY where supported (with GCC) +_OPSYS_SUPPORTS_FORTIFY=yes +_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2 + +# Register support for PIE on supported architectures (with GCC) +.if (${MACHINE_ARCH} == "i386") || \ + (${MACHINE_ARCH} == "x86_64") +_OPSYS_SUPPORTS_MKPIE= yes +_MKPIE_CFLAGS.gcc= -fPIC +# XXX for executables it should be: +#_MKPIE_CFLAGS.gcc= -fPIE +# XXX for libraries a sink wrapper around gcc is required and used instead +#_MKPIE_LDFLAGS.gcc= -pie .endif -.if ${PKGSRC_USE_SSP:Uno} != "no" -. if (${MACHINE_ARCH} != "alpha") && \ - (${MACHINE_ARCH} != "hppa") && \ - (${MACHINE_ARCH} != "ia64") && \ - (${MACHINE_ARCH} != "mips") -# build with stack protection (with GCC) -_GCC_CFLAGS+= -fstack-protector -. endif +# Register support for RELRO on supported architectures (with GCC) +.if (${MACHINE_ARCH} == "i386") || \ + (${MACHINE_ARCH} == "x86_64") +_OPSYS_SUPPORTS_RELRO= yes +_RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now +.endif + +# Register support for SSP on most architectures (with GCC) +.if (${MACHINE_ARCH} != "alpha") && \ + (${MACHINE_ARCH} != "hppa") && \ + (${MACHINE_ARCH} != "ia64") && \ + (${MACHINE_ARCH} != "mips") +_OPSYS_SUPPORTS_SSP= yes +_SSP_CFLAGS.gcc= -fstack-protector-all .endif _OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk diff --git a/mk/platform/SunOS.mk b/mk/platform/SunOS.mk index 024037da3e8..6c6d1ffe0fe 100644 --- a/mk/platform/SunOS.mk +++ b/mk/platform/SunOS.mk @@ -1,4 +1,4 @@ -# $NetBSD: SunOS.mk,v 1.69 2016/03/11 22:04:34 fhajny Exp $ +# $NetBSD: SunOS.mk,v 1.70 2016/03/11 23:03:31 khorben Exp $ # # Variable definitions for the SunOS/Solaris operating system. 
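Review bot: The SSP block in the `@@ -123` hunk replaces `-fstack-protector` with `-fstack-protector-all`, which instruments every function rather than only those with vulnerable buffers; the commit message does not mention this, and the SunOS.mk hunk of the same commit keeps `-fstack-protector`. If the stronger setting is intended, a comment such as `# -all: protect every function, not only those with char arrays (costs some performance)` would record the choice; otherwise the two platforms should match. Separately, `-D_FORTIFY_SOURCE=2` generally only takes effect when optimisation is enabled, which is worth noting next to `_FORTIFY_CFLAGS.gcc`.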
@@ -111,6 +111,14 @@ _OPSYS_SYSTEM_RPATH?= /lib${LIBABISUFFIX}:/usr/lib${LIBABISUFFIX} _OPSYS_LIB_DIRS?= /lib${LIBABISUFFIX} /usr/lib${LIBABISUFFIX} _OPSYS_INCLUDE_DIRS?= /usr/include +# support FORTIFY (with GCC) +_OPSYS_SUPPORTS_FORTIFY=yes +_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2 + +# support stack protection (with GCC) +_OPSYS_SUPPORTS_SSP= yes +_SSP_CFLAGS.gcc= -fstack-protector + _OPSYS_CAN_CHECK_SHLIBS= yes # requires readelf # check for maximum command line length and set it in configure's environment, diff --git a/mk/wrapper/arg-source b/mk/wrapper/arg-source index 9336414edbf..476de2de56b 100644 --- a/mk/wrapper/arg-source +++ b/mk/wrapper/arg-source @@ -1,4 +1,4 @@ -# $NetBSD: arg-source,v 1.16 2015/11/20 05:49:24 richard Exp $ +# $NetBSD: arg-source,v 1.17 2016/03/11 23:03:31 khorben Exp $ # # Copyright (c) 2004 The NetBSD Foundation, Inc. # All rights reserved. @@ -161,6 +161,12 @@ while $test $# -gt 0; do ############################################################## -c|-S|-E) dont_link=yes + dont_link_binary=yes + append_queue argbuf "$arg" + $debug_log $wrapperlog " (arg-source) push: $arg" + ;; + -shared) + dont_link_binary=yes append_queue argbuf "$arg" $debug_log $wrapperlog " (arg-source) push: $arg" ;; diff --git a/mk/wrapper/bsd.wrapper.mk b/mk/wrapper/bsd.wrapper.mk index 67d90d0fff2..887db29a08d 100644 --- a/mk/wrapper/bsd.wrapper.mk +++ b/mk/wrapper/bsd.wrapper.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.wrapper.mk,v 1.96 2016/03/04 21:25:47 tnn Exp $ +# $NetBSD: bsd.wrapper.mk,v 1.97 2016/03/11 23:03:31 khorben Exp $ # # Copyright (c) 2005 The NetBSD Foundation, Inc. # All rights reserved. @@ -311,6 +311,9 @@ _WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC} .if !empty(PKGSRC_COMPILER:Mgcc) _WRAP_TRANSFORM.CC= ${WRAPPER_TMPDIR}/transform-gcc _WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC} +. if ${_PKGSRC_MKPIE} != "no" +_WRAP_CMD_SINK.CC= ${WRAPPER_TMPDIR}/cmd-sink-mkpie-gcc +. endif .endif _WRAP_CMD_SINK.LD= ${WRAPPER_TMPDIR}/cmd-sink-ld 
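Review bot: `dont_link_binary` in the `@@ -161` hunk is set only for `-c|-S|-E` and `-shared`, so any other invocation that does not produce an executable (a relocatable link with `-r`, for instance) would still get `-pie` appended by the new sink. The variable is also never initialised in the visible lines, so the sink's `!= "yes"` test relies on it being unset or empty. I would extend the pattern to `-shared|-r)` and add a comment above it: `# dont_link_binary=yes: output is not an executable, the MKPIE sink must not add -pie`. The `case` statement begins and ends outside the hunk.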
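Review bot: Only `_WRAP_CMD_SINK.CC` is pointed at `cmd-sink-mkpie-gcc` in the `@@ -311` hunk, whereas the two lines above set the transform for both CC and CXX. Unless the CXX sink inherits from CC elsewhere in the file, executables linked through the C++ driver would not receive `-pie`; adding `_WRAP_CMD_SINK.CXX= ${_WRAP_CMD_SINK.CC}` inside the same conditional would cover them. The test is also written `!= "no"` here but `== "yes"` in gcc.mk; using `== "yes"` throughout avoids treating an unexpected value as enabled.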
@@ -514,6 +517,7 @@ generate-wrappers: ${_target_} cmd-sink-irix-ld \ cmd-sink-interix-gcc \ cmd-sink-ld \ + cmd-sink-mkpie-gcc \ cmd-sink-osf1-cc \ cmd-sink-osf1-ld \ cmd-sink-hpux-cc \ diff --git a/mk/wrapper/cmd-sink-mkpie-gcc b/mk/wrapper/cmd-sink-mkpie-gcc new file mode 100644 index 00000000000..8a1ed864d6d --- /dev/null +++ b/mk/wrapper/cmd-sink-mkpie-gcc 
@@ -0,0 +1,47 @@ +# $NetBSD: cmd-sink-mkpie-gcc,v 1.1 2016/03/11 23:03:31 khorben Exp $ +# +# Copyright (c) 2016 The NetBSD Foundation, Inc. +# All rights reserved. +# +# This code is derived from software contributed to The NetBSD Foundation +# by Pierre Pronchery. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +while ! queue_is_empty cmdbuf; do + pop_queue cmdbuf arg + $debug_log $wrapperlog " (cmd-sink-mkpie-gcc) pop: $arg" + case $arg in + *) + . $buildcmd + ;; + esac +done + +# Append any optional flags required when linking binaries. +if $test "$dont_link_binary" != "yes"; then + # XXX obtain these flags from _MKPIE_LDFLAGS.gcc + for arg in -pie; do + $debug_log $wrapperlog " (cmd-sink-mkpie-gcc) pop: $arg" + . 
$buildcmd + done +fi diff --git a/mk/wrapper/transform-gcc b/mk/wrapper/transform-gcc index 3dd6624d7fb..cceabccb240 100644 --- a/mk/wrapper/transform-gcc +++ b/mk/wrapper/transform-gcc @@ -1,4 +1,4 @@ -# $NetBSD: transform-gcc,v 1.29 2013/12/31 13:56:35 tron Exp $ +# $NetBSD: transform-gcc,v 1.30 2016/03/11 23:03:31 khorben Exp $ # # This file handles the transformations needed for gcc that can be done # looking at only one argument at a time. @@ -43,10 +43,14 @@ case $arg in -fomit-frame-pointer |\ -fPIC |\ -fpic |\ +-fPIE |\ +-fpie |\ -fpcc-struct-return |\ -freg-struct-return |\ -frename-registers |\ -fsigned-char |\ +-fstack-protector |\ +-fstack-protector-all |\ -funroll-loops |\ -funsigned-char |\ -fweb |\ @@ -74,6 +78,8 @@ case $arg in -print-search-dirs |\ -S |\ -shared |\ +-shared-gcc |\ +-shared-libgcc |\ -static |\ -std=c99 |\ -std=gnu89 |\ @@ -90,6 +96,7 @@ case $arg in -Werror |\ -Werror-implicit-function-declaration |\ -Wformat* |\ +-Winline |\ -Wmissing-declarations |\ -Wmissing-format-attribute |\ -Wmissing-prototypes |\ @@ -110,12 +117,14 @@ case $arg in -Wno-write-strings |\ -Wparentheses |\ -Wpointer-arith |\ +-Wredundant-decls |\ -Wreturn-type |\ -Wshadow |\ -Wsign-compare |\ -Wstrict-aliasing |\ -Wstrict-prototypes |\ -Wswitch |\ +-Wtrigraphs |\ -Wunused |\ -Wundef |\ -Wwrite-strings ) transform_pass ;; |
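Review bot: The final loop in cmd-sink-mkpie-gcc logs the appended flag as `pop: $arg` although it is adding `-pie`, not popping it from `cmdbuf`, which makes the wrapper log misleading when checking whether a binary was linked as PIE. I would log it as `$debug_log $wrapperlog " (cmd-sink-mkpie-gcc) append: $arg"`. The `case $arg in *)` in the first loop has a single catch-all arm and could be a plain `. $buildcmd`. The file also lacks a header comment stating that it depends on `dont_link_binary` being set by arg-source.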