Enable full RELRO mode

By passing the flags -z relro -z now to the linker, we can force
it to resolve all library symbols at startup, instead of on-demand.
This allows it to then make the global offset table (GOT) read-only,
which makes some security attacks harder.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit fc8c1787d8)

configure.ac

@@ -142,6 +142,7 @@ AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
 
 LIBVIRT_COMPILE_WARNINGS
 LIBVIRT_COMPILE_PIE
+LIBVIRT_LINKER_RELRO
 
 LIBVIRT_CHECK_APPARMOR
 LIBVIRT_CHECK_ATTR

daemon/Makefile.am

@@ -113,6 +113,7 @@ libvirtd_CFLAGS = \
 libvirtd_LDFLAGS =					\
 	$(WARN_LDFLAGS)					\
 	$(PIE_LDFLAGS)					\
+	$(RELRO_LDFLAGS)				\
 	$(COVERAGE_LDFLAGS)
 
 libvirtd_LDADD =					\

m4/virt-linker-relro.m4

@@ -0,0 +1,32 @@
+dnl
+dnl Check for -z now and -z relro linker flags
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_LINKER_RELRO],[
+    AC_MSG_CHECKING([for how to force completely read-only GOT table])
+
+    RELRO_LDFLAGS=
+    `$LD --help 2>&1 | grep -- "-z relro" >/dev/null` && \
+        RELRO_LDFLAGS="-Wl,-z -Wl,relro"
+    `$LD --help 2>&1 | grep -- "-z now" >/dev/null` && \
+        RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now"
+    AC_SUBST([RELRO_LDFLAGS])
+
+    AC_MSG_RESULT([$RELRO_LDFLAGS])
+])

src/Makefile.am

@@ -1537,10 +1537,15 @@ libvirt_lxc.def: $(srcdir)/libvirt_lxc.syms
 
 # Empty source list - it merely links a bunch of convenience libs together
 libvirt_la_SOURCES =
-libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \
-		     -version-info $(LIBVIRT_VERSION_INFO) \
-		    $(LIBVIRT_NODELETE) $(AM_LDFLAGS) \
-		    $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
+libvirt_la_LDFLAGS = \
+		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \
+		-version-info $(LIBVIRT_VERSION_INFO) \
+		$(LIBVIRT_NODELETE) \
+		$(AM_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
+		$(CYGWIN_EXTRA_LDFLAGS) \
+		$(MINGW_EXTRA_LDFLAGS) \
+		$(NULL)
 libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la
 libvirt_la_LIBADD += \
 		    $(DRIVER_MODULE_LIBS) \
@@ -1616,18 +1621,26 @@ endif
 EXTRA_DIST += libvirt_probes.d libvirt_qemu_probes.d
 
 libvirt_qemu_la_SOURCES = libvirt-qemu.c
-libvirt_qemu_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \
-			  -version-info $(LIBVIRT_VERSION_INFO) \
-			  $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \
-			  $(AM_LDFLAGS)
+libvirt_qemu_la_LDFLAGS = \
+		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \
+		-version-info $(LIBVIRT_VERSION_INFO) \
+		$(AM_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
+		$(CYGWIN_EXTRA_LDFLAGS) \
+		$(MINGW_EXTRA_LDFLAGS) \
+		$(NULL)
 libvirt_qemu_la_CFLAGS = $(AM_CFLAGS)
 libvirt_qemu_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
 
 libvirt_lxc_la_SOURCES = libvirt-lxc.c
-libvirt_lxc_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \
-			  -version-info $(LIBVIRT_VERSION_INFO) \
-			  $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \
-			  $(AM_LDFLAGS)
+libvirt_lxc_la_LDFLAGS = \
+		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \
+		-version-info $(LIBVIRT_VERSION_INFO) \
+		$(AM_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
+		$(CYGWIN_EXTRA_LDFLAGS) \
+		$(MINGW_EXTRA_LDFLAGS) \
+		$(NULL)
 libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
 libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
 EXTRA_DIST += $(LIBVIRT_LXC_SYMBOL_FILE)
@@ -1675,6 +1688,7 @@ virtlockd_CFLAGS = \
 virtlockd_LDFLAGS = \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
@@ -1923,6 +1937,7 @@ libvirt_iohelper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_iohelper_LDADD =		\
 		libvirt_util.la		\
@@ -1946,6 +1961,7 @@ libvirt_parthelper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_parthelper_LDADD =		\
 		$(LIBPARTED_LIBS)	\
@@ -1978,6 +1994,7 @@ libvirt_sanlock_helper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_sanlock_helper_LDADD = libvirt.la
 endif
@@ -1994,6 +2011,7 @@ libvirt_lxc_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_lxc_LDADD =			\
 		$(FUSE_LIBS) \
@@ -2038,6 +2056,7 @@ virt_aa_helper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(NULL)
 virt_aa_helper_LDADD =						\
 		libvirt_conf.la					\

tools/Makefile.am

@@ -100,6 +100,7 @@ virt_host_validate_SOURCES = \
 virt_host_validate_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(PIE_LDFLAGS) \
+		$(RELRO_LDFLAGS) \
 		$(COVERAGE_LDFLAGS) \
 		$(NULL)
 
@@ -135,6 +136,7 @@ virsh_LDADD =							\
 		$(STATIC_BINARIES)				\
 		$(WARN_LDFLAGS)					\
 		$(PIE_LDFLAGS)					\
+		$(RELRO_LDFLAGS) \
 		../src/libvirt.la				\
 		../src/libvirt-lxc.la				\
 		../src/libvirt-qemu.la				\