From fc8c1787d8b8eb6c462b8e5b49c2b3ccf3669bc0 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 3 Apr 2013 12:36:32 +0100 Subject: [PATCH] Enable full RELRO mode By passing the flags -z relro -z now to the linker, we can force it to resolve all library symbols at startup, instead of on-demand. This allows it to then make the global offset table (GOT) read-only, which makes some security attacks harder. Signed-off-by: Daniel P. Berrange --- configure.ac | 1 + daemon/Makefile.am | 1 + m4/virt-linker-relro.m4 | 32 ++++++++++++++++++++++++++++++ src/Makefile.am | 43 +++++++++++++++++++++++++++++------------ tools/Makefile.am | 2 ++ 5 files changed, 67 insertions(+), 12 deletions(-) create mode 100644 m4/virt-linker-relro.m4 diff --git a/configure.ac b/configure.ac index c4cd33ea00..11b332f772 100644 --- a/configure.ac +++ b/configure.ac @@ -146,6 +146,7 @@ AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS]) LIBVIRT_COMPILE_WARNINGS LIBVIRT_COMPILE_PIE +LIBVIRT_LINKER_RELRO LIBVIRT_CHECK_APPARMOR LIBVIRT_CHECK_ATTR diff --git a/daemon/Makefile.am b/daemon/Makefile.am index bf260b1b10..3532bd5e95 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -113,6 +113,7 @@ libvirtd_CFLAGS = \ libvirtd_LDFLAGS = \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(COVERAGE_LDFLAGS) libvirtd_LDADD = \ diff --git a/m4/virt-linker-relro.m4 b/m4/virt-linker-relro.m4 new file mode 100644 index 0000000000..9bca90ec8d --- /dev/null +++ b/m4/virt-linker-relro.m4 @@ -0,0 +1,32 @@ +dnl +dnl Check for -z now and -z relro linker flags +dnl +dnl Copyright (C) 2013 Red Hat, Inc. +dnl +dnl This library is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU Lesser General Public +dnl License as published by the Free Software Foundation; either +dnl version 2.1 of the License, or (at your option) any later version. +dnl +dnl This library is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl Lesser General Public License for more details. +dnl +dnl You should have received a copy of the GNU Lesser General Public +dnl License along with this library. If not, see +dnl . +dnl + +AC_DEFUN([LIBVIRT_LINKER_RELRO],[ + AC_MSG_CHECKING([for how to force completely read-only GOT table]) + + RELRO_LDFLAGS= + `$LD --help 2>&1 | grep -- "-z relro" >/dev/null` && \ + RELRO_LDFLAGS="-Wl,-z -Wl,relro" + `$LD --help 2>&1 | grep -- "-z now" >/dev/null` && \ + RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now" + AC_SUBST([RELRO_LDFLAGS]) + + AC_MSG_RESULT([$RELRO_LDFLAGS]) +]) diff --git a/src/Makefile.am b/src/Makefile.am index b33737f337..78b4ab6cb0 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1537,10 +1537,15 @@ libvirt_lxc.def: $(srcdir)/libvirt_lxc.syms # Empty source list - it merely links a bunch of convenience libs together libvirt_la_SOURCES = -libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(LIBVIRT_NODELETE) $(AM_LDFLAGS) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) +libvirt_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(LIBVIRT_NODELETE) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la libvirt_la_LIBADD += \ $(DRIVER_MODULE_LIBS) \ @@ -1616,18 +1621,26 @@ endif EXTRA_DIST += libvirt_probes.d libvirt_qemu_probes.d libvirt_qemu_la_SOURCES = libvirt-qemu.c -libvirt_qemu_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \ - $(AM_LDFLAGS) +libvirt_qemu_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_qemu_la_CFLAGS = $(AM_CFLAGS) libvirt_qemu_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) libvirt_lxc_la_SOURCES = libvirt-lxc.c -libvirt_lxc_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \ - -version-info $(LIBVIRT_VERSION_INFO) \ - $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \ - $(AM_LDFLAGS) +libvirt_lxc_la_LDFLAGS = \ + $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \ + -version-info $(LIBVIRT_VERSION_INFO) \ + $(AM_LDFLAGS) \ + $(RELRO_LDFLAGS) \ + $(CYGWIN_EXTRA_LDFLAGS) \ + $(MINGW_EXTRA_LDFLAGS) \ + $(NULL) libvirt_lxc_la_CFLAGS = $(AM_CFLAGS) libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD) EXTRA_DIST += $(LIBVIRT_LXC_SYMBOL_FILE) @@ -1675,6 +1688,7 @@ virtlockd_CFLAGS = \ virtlockd_LDFLAGS = \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(CYGWIN_EXTRA_LDFLAGS) \ $(MINGW_EXTRA_LDFLAGS) \ $(NULL) @@ -1923,6 +1937,7 @@ libvirt_iohelper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_iohelper_LDADD = \ libvirt_util.la \ @@ -1946,6 +1961,7 @@ libvirt_parthelper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_parthelper_LDADD = \ $(LIBPARTED_LIBS) \ @@ -1978,6 +1994,7 @@ libvirt_sanlock_helper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_sanlock_helper_LDADD = libvirt.la endif @@ -1994,6 +2011,7 @@ libvirt_lxc_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) libvirt_lxc_LDADD = \ $(FUSE_LIBS) \ @@ -2038,6 +2056,7 @@ virt_aa_helper_LDFLAGS = \ $(WARN_LDFLAGS) \ $(AM_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(NULL) virt_aa_helper_LDADD = \ libvirt_conf.la \ diff --git a/tools/Makefile.am b/tools/Makefile.am index 09a9bdd455..07c9f43503 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -100,6 +100,7 @@ virt_host_validate_SOURCES = \ virt_host_validate_LDFLAGS = \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ $(COVERAGE_LDFLAGS) \ $(NULL) @@ -135,6 +136,7 @@ virsh_LDADD = \ $(STATIC_BINARIES) \ $(WARN_LDFLAGS) \ $(PIE_LDFLAGS) \ + $(RELRO_LDFLAGS) \ ../src/libvirt.la \ ../src/libvirt-lxc.la \ ../src/libvirt-qemu.la \