Build all binaries with PIE

PIE (position independent executable) adds security to executables by composing them entirely of position-independent code (PIC. The .so libraries already build with -fPIC. This adds -fPIE which is the equivalent to -fPIC, but for executables. This for allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-02-22 03:12:22 +00:00 · 2013-04-03 11:32:15 +01:00 · 2013-04-03 11:32:15 +01:00 · 1150999ca4
commit 1150999ca4
parent 24ca8fae64
5 changed files with 86 additions and 13 deletions
--- a/configure.ac
+++ b/configure.ac
@ -145,6 +145,7 @@ VERSION_SCRIPT_FLAGS=-Wl,--version-script=
 AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])

 LIBVIRT_COMPILE_WARNINGS
+LIBVIRT_COMPILE_PIE

 LIBVIRT_CHECK_APPARMOR
 LIBVIRT_CHECK_ATTR
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@ -106,12 +106,13 @@ libvirtd_SOURCES = $(DAEMON_SOURCES)
 libvirtd_CFLAGS = \
 	$(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \
 	$(XDR_CFLAGS) $(POLKIT_CFLAGS) $(DBUS_CFLAGS) $(LIBNL_CFLAGS) \
-	$(WARN_CFLAGS) \
+	$(WARN_CFLAGS) $(PIE_CFLAGS) \
 	$(COVERAGE_CFLAGS) \
 	-DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\""

 libvirtd_LDFLAGS =					\
-	$(WARN_CFLAGS)					\
+	$(WARN_LDFLAGS)					\
+	$(PIE_LDFLAGS)					\
 	$(COVERAGE_LDFLAGS)

 libvirtd_LDADD =					\
--- a/m4/virt-compile-pie.m4
+++ b/m4/virt-compile-pie.m4
@ -0,0 +1,30 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_COMPILE_PIE],[
+    PIE_CFLAGS=
+    PIE_LDFLAGS=
+    gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
+        PIE_CFLAGS="-fPIE -DPIE"
+        PIE_LDFLAGS="-pie"
+    ])
+    AC_SUBST([PIE_CFLAGS])
+    AC_SUBST([PIE_LDFLAGS])
+])
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -1670,9 +1670,11 @@ virtlockd_SOURCES = \
 		$(NULL)
 virtlockd_CFLAGS = \
 		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
 		$(NULL)
 virtlockd_LDFLAGS = \
 		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
@ -1917,7 +1919,11 @@ libexec_PROGRAMS =
 if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_iohelper
 libvirt_iohelper_SOURCES = $(UTIL_IO_HELPER_SOURCES)
-libvirt_iohelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_iohelper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_iohelper_LDADD =		\
 		libvirt_util.la		\
 		../gnulib/lib/libgnu.la
@ -1925,7 +1931,10 @@ if WITH_DTRACE_PROBES
 libvirt_iohelper_LDADD += libvirt_probes.lo
 endif

-libvirt_iohelper_CFLAGS = $(AM_CFLAGS)
+libvirt_iohelper_CFLAGS = \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif

 if WITH_STORAGE_DISK
@ -1933,7 +1942,11 @@ if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_parthelper

 libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES)
-libvirt_parthelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_parthelper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_parthelper_LDADD =		\
 		$(LIBPARTED_LIBS)	\
 		libvirt_util.la		\
@ -1942,7 +1955,11 @@ if WITH_DTRACE_PROBES
 libvirt_parthelper_LDADD += libvirt_probes.lo
 endif

-libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS) $(AM_CFLAGS)
+libvirt_parthelper_CFLAGS = \
+		$(LIBPARTED_CFLAGS) \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif
 endif
 EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES)
@ -1952,8 +1969,16 @@ if WITH_SANLOCK
 libexec_PROGRAMS += libvirt_sanlock_helper

 libvirt_sanlock_helper_SOURCES = $(LOCK_DRIVER_SANLOCK_HELPER_SOURCES)
-libvirt_sanlock_helper_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
-libvirt_sanlock_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_sanlock_helper_CFLAGS = \
+		-I$(top_srcdir)/src/conf \
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
+libvirt_sanlock_helper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_sanlock_helper_LDADD = libvirt.la
 endif

@ -1965,7 +1990,11 @@ libvirt_lxc_SOURCES =						\
 		$(LXC_CONTROLLER_SOURCES)			\
 		$(NODE_INFO_SOURCES)				\
 		$(DATATYPES_SOURCES)
-libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(AM_LDFLAGS)
+libvirt_lxc_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 libvirt_lxc_LDADD =			\
 		$(FUSE_LIBS) \
 		libvirt-net-rpc-server.la \
@ -1981,8 +2010,10 @@ libvirt_lxc_LDADD += $(SECDRIVER_LIBS)
 libvirt_lxc_CFLAGS =				\
 		-I$(top_srcdir)/src/conf	\
 		$(AM_CFLAGS)                    \
+		$(PIE_CFLAGS)			\
 		$(LIBNL_CFLAGS)			\
-		$(FUSE_CFLAGS)
+		$(FUSE_CFLAGS)			\
+		$(NULL)
 if WITH_BLKID
 libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
 libvirt_lxc_LDADD += $(BLKID_LIBS)
@ -2003,7 +2034,11 @@ libexec_PROGRAMS += virt-aa-helper

 virt_aa_helper_SOURCES = $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)

-virt_aa_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+virt_aa_helper_LDFLAGS = \
+		$(WARN_LDFLAGS) \
+		$(AM_LDFLAGS) \
+		$(PIE_LDFLAGS) \
+		$(NULL)
 virt_aa_helper_LDADD =						\
 		libvirt_conf.la					\
 		libvirt_util.la					\
@ -2014,7 +2049,9 @@ endif
 virt_aa_helper_CFLAGS =						\
 		-I$(top_srcdir)/src/conf			\
 		-I$(top_srcdir)/src/security			\
-		$(AM_CFLAGS)
+		$(AM_CFLAGS) \
+		$(PIE_CFLAGS) \
+		$(NULL)
 endif
 endif
 EXTRA_DIST += $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@ -99,6 +99,7 @@ virt_host_validate_SOURCES = \

 virt_host_validate_LDFLAGS = \
 		$(WARN_LDFLAGS) \
+		$(PIE_LDFLAGS) \
 		$(COVERAGE_LDFLAGS) \
 		$(NULL)

@ -109,6 +110,7 @@ virt_host_validate_LDADD = \

 virt_host_validate_CFLAGS = \
 		$(WARN_CFLAGS)					\
+		$(PIE_CFLAGS)					\
 		$(COVERAGE_CFLAGS)				\
 		$(NULL)

@ -131,7 +133,8 @@ virsh_SOURCES =							\
 virsh_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS)
 virsh_LDADD =							\
 		$(STATIC_BINARIES)				\
-		$(WARN_CFLAGS)					\
+		$(WARN_LDFLAGS)					\
+		$(PIE_LDFLAGS)					\
 		../src/libvirt.la				\
 		../src/libvirt-lxc.la				\
 		../src/libvirt-qemu.la				\
@ -140,6 +143,7 @@ virsh_LDADD =							\
 		$(VIRSH_LIBS)
 virsh_CFLAGS =							\
 		$(WARN_CFLAGS)					\
+		$(PIE_CFLAGS)					\
 		$(COVERAGE_CFLAGS)				\
 		$(LIBXML_CFLAGS)				\
 		$(READLINE_CFLAGS)