Patchwork security_flags: Add the compiler and linker flags that enhance security

login
register
mail settings
Submitter Saul Wold
Date June 28, 2013, 6:46 p.m.
Message ID <1372445217-28739-1-git-send-email-sgw@linux.intel.com>
Download mbox | patch
Permalink /patch/52627/
State New
Headers show

Comments

Saul Wold - June 28, 2013, 6:46 p.m.
These flags add addition checks at compile, link and runtime to prevent
stack smashing, checking for buffer overflows, and link at program start
to prevent call spoofing later.

This needs to be explicitly enabled by adding the following line to your
local.conf:

require conf/distro/include/security_flags.inc

[YOCTO #3868]

Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 meta/conf/distro/include/security_flags.inc
Mark Hatle - June 28, 2013, 7:05 p.m.
On 6/28/13 1:46 PM, Saul Wold wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
>
> [YOCTO #3868]
>
> Signed-off-by: Saul Wold <sgw@linux.intel.com>
> ---
>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>   1 file changed, 21 insertions(+)
>   create mode 100644 meta/conf/distro/include/security_flags.inc
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> new file mode 100644
> index 0000000..dc231e2
> --- /dev/null
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -0,0 +1,21 @@
> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"

Where do the flags get introduced into the actual CFLAGS and LDFLAGS?  Would it 
make sense to add this to the existing BUILD_OPTIMIZATION settings..  So they 
would always be available, and someone could just flip a switch to enable it?

> +
> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-eglibc = ""
> +SECURITY_CFLAGS_pn-eglibc-initial = ""

I know why you don't use them on -initial, but any reason to not enable this on 
'eglibc'?  If it doesn't work, it would be good to enhance eglibc's recipe to 
spit out a warning and sanitize the build like it does for -O0.

--Mark

> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +# These flags seem to
> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>
Saul Wold - June 28, 2013, 7:14 p.m.
On 06/28/2013 12:05 PM, Mark Hatle wrote:
> On 6/28/13 1:46 PM, Saul Wold wrote:
>> These flags add addition checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>>
>> [YOCTO #3868]
>>
>> Signed-off-by: Saul Wold <sgw@linux.intel.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>>   1 file changed, 21 insertions(+)
>>   create mode 100644 meta/conf/distro/include/security_flags.inc
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc
>> b/meta/conf/distro/include/security_flags.inc
>> new file mode 100644
>> index 0000000..dc231e2
>> --- /dev/null
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -0,0 +1,21 @@
>> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
>> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
>
> Where do the flags get introduced into the actual CFLAGS and LDFLAGS?
> Would it make sense to add this to the existing BUILD_OPTIMIZATION
> settings..  So they would always be available, and someone could just
> flip a switch to enable it?
>
Opps, sorry forgot to send part 2!

Sau!

>> +
>> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
>> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-eglibc = ""
>> +SECURITY_CFLAGS_pn-eglibc-initial = ""
>
> I know why you don't use them on -initial, but any reason to not enable
> this on 'eglibc'?  If it doesn't work, it would be good to enhance
> eglibc's recipe to spit out a warning and sanitize the build like it
> does for -O0.
>
> --Mark
>
>> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +
>> +# These flags seem to
>> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>

Patch

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..dc231e2
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,21 @@ 
+SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
+
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+# These flags seem to 
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"