build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
This commit is contained in:
parent
ca7e8627db
commit
df0bd42fde
@ -184,6 +184,22 @@ menu "Global build settings"
|
||||
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
|
||||
Makefile.
|
||||
|
||||
config PKG_ASLR_PIE
|
||||
bool
|
||||
prompt "User space ASLR PIE compilation"
|
||||
select BUSYBOX_DEFAULT_PIE
|
||||
default n
|
||||
help
|
||||
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
|
||||
This enables package build as Position Independent Executables (PIE)
|
||||
to protect against "return-to-text" attacks. This belongs to the
|
||||
feature of Address Space Layout Randomisation (ASLR), which is
|
||||
implemented by the kernel and the ELF loader by randomising the
|
||||
location of memory allocations. This makes memory addresses harder
|
||||
to predict when an attacker is attempting a memory-corruption exploit.
|
||||
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
|
||||
Makefile.
|
||||
|
||||
choice
|
||||
prompt "User space Stack-Smashing Protection"
|
||||
depends on USE_MUSL
|
||||
|
2
include/hardened-ld-pie.specs
Normal file
2
include/hardened-ld-pie.specs
Normal file
@ -0,0 +1,2 @@
|
||||
*self_spec:
|
||||
+ %{no-pie|static|r|shared:;:-pie}
|
@ -6,6 +6,7 @@
|
||||
#
|
||||
|
||||
PKG_CHECK_FORMAT_SECURITY ?= 1
|
||||
PKG_ASLR_PIE ?= 1
|
||||
PKG_SSP ?= 1
|
||||
PKG_FORTIFY_SOURCE ?= 1
|
||||
PKG_RELRO ?= 1
|
||||
@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
|
||||
TARGET_CFLAGS += -Wformat -Werror=format-security
|
||||
endif
|
||||
endif
|
||||
ifdef CONFIG_PKG_ASLR_PIE
|
||||
ifeq ($(strip $(PKG_ASLR_PIE)),1)
|
||||
TARGET_CFLAGS += -fPIC
|
||||
TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
|
||||
endif
|
||||
endif
|
||||
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
|
||||
ifeq ($(strip $(PKG_SSP)),1)
|
||||
TARGET_CFLAGS += -fstack-protector
|
||||
|
@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
|
||||
PKG_CHECK_FORMAT_SECURITY:=0
|
||||
PKG_INSTALL:=1
|
||||
|
||||
#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
|
||||
PKG_ASLR_PIE:=0
|
||||
|
||||
PKG_LICENSE:=GPL-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
|
||||
PKG_CPE_ID:=cpe:/a:busybox:busybox
|
||||
|
Loading…
Reference in New Issue
Block a user