daemons: use PIE and RELRO compiler/linker options

The PIE and RELRO compiler/linker options can be used to produce a code some techniques applied that makes the code more immune to some attacks: - PIE (Position Independent Executable). It can make use of the ASLR (Address Space Layout Randomization) provided by kernel to avoid static locations for .text regions of executables (this is the 'pie' compiler and linker option) - RELRO (Relocation Read-Only). This prevents overwrite attacks of the GOT (Global Offset Table) and PLT (Procedure Lookup Table) used for relocations by making it read-only after all relocations are resolved (these are the 'relro' and 'now' linker options) - hence all symbols are resolved at the very start so there's no need for those tables to be writeable later. These compiler/linker options are now used by default for daemons if the compiler/linker supports it.
2024-12-21 13:34:40 +03:00 · 2013-12-04 10:16:15 +01:00 · 2013-12-04 10:16:15 +01:00 · a65ab773b4
commit a65ab773b4
parent fc37d4fb0d
6 changed files with 19 additions and 5 deletions
--- a/1
+++ b/1
@ -1,5 +1,6 @@
 Version 2.02.105 -
 =====================================
+  Compile/link daemons with RELRO and PIE options to harden daemon security.
  Support per-object compilation cflags via CFLAGS_object.o.
  Automatically detect support for compiler/linker options to use RELRO and PIE.
  Add --splitsnapshot to lvconvert to separate out cow LV.
--- a/daemons/clvmd/Makefile.in
+++ b/daemons/clvmd/Makefile.in
@ -88,7 +88,8 @@ LVMLIBS += -ldevmapper
 LIBS += $(PTHREAD_LIBS)

 DEFS += -D_REENTRANT
-CFLAGS += -fno-strict-aliasing
+CFLAGS += -fno-strict-aliasing $(DAEMON_CFLAGS)
+LDFLAGS += $(DAEMON_LDFLAGS)

 INSTALL_TARGETS = \
 	install_clvmd
--- a/daemons/cmirrord/Makefile.in
+++ b/daemons/cmirrord/Makefile.in
@ -28,7 +28,8 @@ include $(top_builddir)/make.tmpl

 LIBS += -ldevmapper
 LMLIBS += $(CPG_LIBS) $(SACKPT_LIBS)
-CFLAGS += $(CPG_CFLAGS) $(SACKPT_CFLAGS)
+CFLAGS += $(CPG_CFLAGS) $(SACKPT_CFLAGS) $(DAEMON_CFLAGS)
+LDFLAGS += $(DAEMON_LDFLAGS)

 cmirrord: $(OBJECTS) $(top_builddir)/lib/liblvm-internal.a
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJECTS) \
--- a/daemons/dmeventd/Makefile.in
+++ b/daemons/dmeventd/Makefile.in
@ -59,8 +59,10 @@ device-mapper: $(TARGETS)
 LIBS += -ldevmapper
 LVMLIBS += -ldevmapper-event $(PTHREAD_LIBS)

+CFLAGS_dmeventd.o += $(DAEMON_CFLAGS)
+
 dmeventd: $(LIB_SHARED) dmeventd.o
-	$(CC) $(CFLAGS) $(LDFLAGS) $(ELDFLAGS) -L. -o $@ dmeventd.o \
+	$(CC) $(CFLAGS) $(LDFLAGS) $(DAEMON_LDFLAGS) $(ELDFLAGS) -L. -o $@ dmeventd.o \
 	$(DL_LIBS) $(LVMLIBS) $(LIBS) -rdynamic

 dmeventd.static: $(LIB_STATIC) dmeventd.o $(interfacebuilddir)/libdevmapper.a
--- a/daemons/lvmetad/Makefile.in
+++ b/daemons/lvmetad/Makefile.in
@ -33,8 +33,8 @@ LVMLIBS = -ldaemonserver $(LVMINTERNAL_LIBS) -ldevmapper

 LIBS += $(PTHREAD_LIBS)

-LDFLAGS += -L$(top_builddir)/libdaemon/server
-CLDFLAGS += -L$(top_builddir)/libdaemon/server
+LDFLAGS += -L$(top_builddir)/libdaemon/server $(DAEMON_LDFLAGS)
+CLDFLAGS += -L$(top_builddir)/libdaemon/server $(DAEMON_CFLAGS)

 lvmetad: $(OBJECTS) $(top_builddir)/libdaemon/client/libdaemonclient.a \
 		    $(top_builddir)/libdaemon/server/libdaemonserver.a
--- a/make.tmpl.in
+++ b/make.tmpl.in
@ -150,6 +150,15 @@ WFLAGS += -Wclobbered -Wempty-body -Wignored-qualifiers \
 -Wtype-limits -Wsync-nand -Wlogical-op
 endif

+ifneq ("@STATIC_LINK@", "yes")
+ifeq ("@HAVE_PIE@", "yes")
+ifeq ("@HAVE_FULL_RELRO@", "yes")
+  DAEMON_CFLAGS += -fPIE -DPIE
+  DAEMON_LDFLAGS += -Wl,-z,relro,-z,now -pie
+endif
+endif
+endif
+
 #WFLAGS += -W -Wno-sign-compare -Wno-unused-parameter -Wno-missing-field-initializers
 #WFLAGS += -Wsign-compare -Wunused-parameter -Wmissing-field-initializers 
 #WFLAGS += -Wconversion -Wbad-function-cast -Wcast-qual -Waggregate-return -Wpacked