build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
This commit is contained in:
parent
ca7e8627db
commit
df0bd42fde
@ -184,6 +184,22 @@ menu "Global build settings"
|
|||||||
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
|
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
|
||||||
Makefile.
|
Makefile.
|
||||||
|
|
||||||
|
config PKG_ASLR_PIE
|
||||||
|
bool
|
||||||
|
prompt "User space ASLR PIE compilation"
|
||||||
|
select BUSYBOX_DEFAULT_PIE
|
||||||
|
default n
|
||||||
|
help
|
||||||
|
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
|
||||||
|
This enables package build as Position Independent Executables (PIE)
|
||||||
|
to protect against "return-to-text" attacks. This belongs to the
|
||||||
|
feature of Address Space Layout Randomisation (ASLR), which is
|
||||||
|
implemented by the kernel and the ELF loader by randomising the
|
||||||
|
location of memory allocations. This makes memory addresses harder
|
||||||
|
to predict when an attacker is attempting a memory-corruption exploit.
|
||||||
|
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
|
||||||
|
Makefile.
|
||||||
|
|
||||||
choice
|
choice
|
||||||
prompt "User space Stack-Smashing Protection"
|
prompt "User space Stack-Smashing Protection"
|
||||||
depends on USE_MUSL
|
depends on USE_MUSL
|
||||||
|
2
include/hardened-ld-pie.specs
Normal file
2
include/hardened-ld-pie.specs
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
*self_spec:
|
||||||
|
+ %{no-pie|static|r|shared:;:-pie}
|
@ -6,6 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
PKG_CHECK_FORMAT_SECURITY ?= 1
|
PKG_CHECK_FORMAT_SECURITY ?= 1
|
||||||
|
PKG_ASLR_PIE ?= 1
|
||||||
PKG_SSP ?= 1
|
PKG_SSP ?= 1
|
||||||
PKG_FORTIFY_SOURCE ?= 1
|
PKG_FORTIFY_SOURCE ?= 1
|
||||||
PKG_RELRO ?= 1
|
PKG_RELRO ?= 1
|
||||||
@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
|
|||||||
TARGET_CFLAGS += -Wformat -Werror=format-security
|
TARGET_CFLAGS += -Wformat -Werror=format-security
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
ifdef CONFIG_PKG_ASLR_PIE
|
||||||
|
ifeq ($(strip $(PKG_ASLR_PIE)),1)
|
||||||
|
TARGET_CFLAGS += -fPIC
|
||||||
|
TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
|
||||||
|
endif
|
||||||
|
endif
|
||||||
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
|
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
|
||||||
ifeq ($(strip $(PKG_SSP)),1)
|
ifeq ($(strip $(PKG_SSP)),1)
|
||||||
TARGET_CFLAGS += -fstack-protector
|
TARGET_CFLAGS += -fstack-protector
|
||||||
|
@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
|
|||||||
PKG_CHECK_FORMAT_SECURITY:=0
|
PKG_CHECK_FORMAT_SECURITY:=0
|
||||||
PKG_INSTALL:=1
|
PKG_INSTALL:=1
|
||||||
|
|
||||||
|
#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
|
||||||
|
PKG_ASLR_PIE:=0
|
||||||
|
|
||||||
PKG_LICENSE:=GPL-2.0
|
PKG_LICENSE:=GPL-2.0
|
||||||
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
|
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
|
||||||
PKG_CPE_ID:=cpe:/a:busybox:busybox
|
PKG_CPE_ID:=cpe:/a:busybox:busybox
|
||||||
|
Loading…
Reference in New Issue
Block a user