NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Build all binaries with PIE

Browse Source 
PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC. The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This for allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange
2013-04-03 11:32:15 +01:00
parent 24ca8fae64
commit 1150999ca4
5 changed files with 86 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
configure.ac
View File

@@ -145,6 +145,7 @@ VERSION_SCRIPT_FLAGS=-Wl,--version-script=
AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS]) AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
LIBVIRT_COMPILE_WARNINGS LIBVIRT_COMPILE_WARNINGS
LIBVIRT_COMPILE_PIE
LIBVIRT_CHECK_APPARMOR LIBVIRT_CHECK_APPARMOR
LIBVIRT_CHECK_ATTR LIBVIRT_CHECK_ATTR

5
daemon/Makefile.am
View File

@@ -106,12 +106,13 @@ libvirtd_SOURCES = $(DAEMON_SOURCES)
libvirtd_CFLAGS = \ libvirtd_CFLAGS = \
$(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \ $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \
$(XDR_CFLAGS) $(POLKIT_CFLAGS) $(DBUS_CFLAGS) $(LIBNL_CFLAGS) \ $(XDR_CFLAGS) $(POLKIT_CFLAGS) $(DBUS_CFLAGS) $(LIBNL_CFLAGS) \
$(WARN_CFLAGS) \ $(WARN_CFLAGS) $(PIE_CFLAGS) \
$(COVERAGE_CFLAGS) \ $(COVERAGE_CFLAGS) \
-DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\"" -DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\""
libvirtd_LDFLAGS = \ libvirtd_LDFLAGS = \
$(WARN_CFLAGS) \ $(WARN_LDFLAGS) \
$(PIE_LDFLAGS) \
$(COVERAGE_LDFLAGS) $(COVERAGE_LDFLAGS)
libvirtd_LDADD = \ libvirtd_LDADD = \

30
m4/virt-compile-pie.m4 Normal file
View File

@@ -0,0 +1,30 @@
dnl
dnl Check for support for position independent executables
dnl
dnl Copyright (C) 2013 Red Hat, Inc.
dnl
dnl This library is free software; you can redistribute it and/or
dnl modify it under the terms of the GNU Lesser General Public
dnl License as published by the Free Software Foundation; either
dnl version 2.1 of the License, or (at your option) any later version.
dnl
dnl This library is distributed in the hope that it will be useful,
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
dnl Lesser General Public License for more details.
dnl
dnl You should have received a copy of the GNU Lesser General Public
dnl License along with this library. If not, see
dnl <http://www.gnu.org/licenses/>.
dnl
AC_DEFUN([LIBVIRT_COMPILE_PIE],[
PIE_CFLAGS=
PIE_LDFLAGS=
gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
PIE_CFLAGS="-fPIE -DPIE"
PIE_LDFLAGS="-pie"
])
AC_SUBST([PIE_CFLAGS])
AC_SUBST([PIE_LDFLAGS])
])

57
src/Makefile.am
View File

@@ -1670,9 +1670,11 @@ virtlockd_SOURCES = \
$(NULL) $(NULL)
virtlockd_CFLAGS = \ virtlockd_CFLAGS = \
$(AM_CFLAGS) \ $(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(NULL) $(NULL)
virtlockd_LDFLAGS = \ virtlockd_LDFLAGS = \
$(AM_LDFLAGS) \ $(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(CYGWIN_EXTRA_LDFLAGS) \ $(CYGWIN_EXTRA_LDFLAGS) \
$(MINGW_EXTRA_LDFLAGS) \ $(MINGW_EXTRA_LDFLAGS) \
$(NULL) $(NULL)
@@ -1917,7 +1919,11 @@ libexec_PROGRAMS =
if WITH_LIBVIRTD if WITH_LIBVIRTD
libexec_PROGRAMS += libvirt_iohelper libexec_PROGRAMS += libvirt_iohelper
libvirt_iohelper_SOURCES = $(UTIL_IO_HELPER_SOURCES) libvirt_iohelper_SOURCES = $(UTIL_IO_HELPER_SOURCES)
libvirt_iohelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS) libvirt_iohelper_LDFLAGS = \
$(WARN_LDFLAGS) \
$(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(NULL)
libvirt_iohelper_LDADD = \ libvirt_iohelper_LDADD = \
libvirt_util.la \ libvirt_util.la \
../gnulib/lib/libgnu.la ../gnulib/lib/libgnu.la
@@ -1925,7 +1931,10 @@ if WITH_DTRACE_PROBES
libvirt_iohelper_LDADD += libvirt_probes.lo libvirt_iohelper_LDADD += libvirt_probes.lo
endif endif
libvirt_iohelper_CFLAGS = $(AM_CFLAGS) libvirt_iohelper_CFLAGS = \
$(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(NULL)
endif endif
if WITH_STORAGE_DISK if WITH_STORAGE_DISK
@@ -1933,7 +1942,11 @@ if WITH_LIBVIRTD
libexec_PROGRAMS += libvirt_parthelper libexec_PROGRAMS += libvirt_parthelper
libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES) libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES)
libvirt_parthelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS) libvirt_parthelper_LDFLAGS = \
$(WARN_LDFLAGS) \
$(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(NULL)
libvirt_parthelper_LDADD = \ libvirt_parthelper_LDADD = \
$(LIBPARTED_LIBS) \ $(LIBPARTED_LIBS) \
libvirt_util.la \ libvirt_util.la \
@@ -1942,7 +1955,11 @@ if WITH_DTRACE_PROBES
libvirt_parthelper_LDADD += libvirt_probes.lo libvirt_parthelper_LDADD += libvirt_probes.lo
endif endif
libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS) $(AM_CFLAGS) libvirt_parthelper_CFLAGS = \
$(LIBPARTED_CFLAGS) \
$(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(NULL)
endif endif
endif endif
EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES) EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES)
@@ -1952,8 +1969,16 @@ if WITH_SANLOCK
libexec_PROGRAMS += libvirt_sanlock_helper libexec_PROGRAMS += libvirt_sanlock_helper
libvirt_sanlock_helper_SOURCES = $(LOCK_DRIVER_SANLOCK_HELPER_SOURCES) libvirt_sanlock_helper_SOURCES = $(LOCK_DRIVER_SANLOCK_HELPER_SOURCES)
libvirt_sanlock_helper_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS) libvirt_sanlock_helper_CFLAGS = \
libvirt_sanlock_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS) -I$(top_srcdir)/src/conf \
$(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(NULL)
libvirt_sanlock_helper_LDFLAGS = \
$(WARN_LDFLAGS) \
$(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(NULL)
libvirt_sanlock_helper_LDADD = libvirt.la libvirt_sanlock_helper_LDADD = libvirt.la
endif endif
@@ -1965,7 +1990,11 @@ libvirt_lxc_SOURCES = \
$(LXC_CONTROLLER_SOURCES) \ $(LXC_CONTROLLER_SOURCES) \
$(NODE_INFO_SOURCES) \ $(NODE_INFO_SOURCES) \
$(DATATYPES_SOURCES) $(DATATYPES_SOURCES)
libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(AM_LDFLAGS) libvirt_lxc_LDFLAGS = \
$(WARN_LDFLAGS) \
$(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(NULL)
libvirt_lxc_LDADD = \ libvirt_lxc_LDADD = \
$(FUSE_LIBS) \ $(FUSE_LIBS) \
libvirt-net-rpc-server.la \ libvirt-net-rpc-server.la \
@@ -1981,8 +2010,10 @@ libvirt_lxc_LDADD += $(SECDRIVER_LIBS)
libvirt_lxc_CFLAGS = \ libvirt_lxc_CFLAGS = \
-I$(top_srcdir)/src/conf \ -I$(top_srcdir)/src/conf \
$(AM_CFLAGS) \ $(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(LIBNL_CFLAGS) \ $(LIBNL_CFLAGS) \
$(FUSE_CFLAGS) $(FUSE_CFLAGS) \
$(NULL)
if WITH_BLKID if WITH_BLKID
libvirt_lxc_CFLAGS += $(BLKID_CFLAGS) libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
libvirt_lxc_LDADD += $(BLKID_LIBS) libvirt_lxc_LDADD += $(BLKID_LIBS)
@@ -2003,7 +2034,11 @@ libexec_PROGRAMS += virt-aa-helper
virt_aa_helper_SOURCES = $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) virt_aa_helper_SOURCES = $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)
virt_aa_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS) virt_aa_helper_LDFLAGS = \
$(WARN_LDFLAGS) \
$(AM_LDFLAGS) \
$(PIE_LDFLAGS) \
$(NULL)
virt_aa_helper_LDADD = \ virt_aa_helper_LDADD = \
libvirt_conf.la \ libvirt_conf.la \
libvirt_util.la \ libvirt_util.la \
@@ -2014,7 +2049,9 @@ endif
virt_aa_helper_CFLAGS = \ virt_aa_helper_CFLAGS = \
-I$(top_srcdir)/src/conf \ -I$(top_srcdir)/src/conf \
-I$(top_srcdir)/src/security \ -I$(top_srcdir)/src/security \
$(AM_CFLAGS) $(AM_CFLAGS) \
$(PIE_CFLAGS) \
$(NULL)
endif endif
endif endif
EXTRA_DIST += $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) EXTRA_DIST += $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)

6
tools/Makefile.am
View File

@@ -99,6 +99,7 @@ virt_host_validate_SOURCES = \
virt_host_validate_LDFLAGS = \ virt_host_validate_LDFLAGS = \
$(WARN_LDFLAGS) \ $(WARN_LDFLAGS) \
$(PIE_LDFLAGS) \
$(COVERAGE_LDFLAGS) \ $(COVERAGE_LDFLAGS) \
$(NULL) $(NULL)
@@ -109,6 +110,7 @@ virt_host_validate_LDADD = \
virt_host_validate_CFLAGS = \ virt_host_validate_CFLAGS = \
$(WARN_CFLAGS) \ $(WARN_CFLAGS) \
$(PIE_CFLAGS) \
$(COVERAGE_CFLAGS) \ $(COVERAGE_CFLAGS) \
$(NULL) $(NULL)
@@ -131,7 +133,8 @@ virsh_SOURCES = \
virsh_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS) virsh_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS)
virsh_LDADD = \ virsh_LDADD = \
$(STATIC_BINARIES) \ $(STATIC_BINARIES) \
$(WARN_CFLAGS) \ $(WARN_LDFLAGS) \
$(PIE_LDFLAGS) \
../src/libvirt.la \ ../src/libvirt.la \
../src/libvirt-lxc.la \ ../src/libvirt-lxc.la \
../src/libvirt-qemu.la \ ../src/libvirt-qemu.la \
@@ -140,6 +143,7 @@ virsh_LDADD = \
$(VIRSH_LIBS) $(VIRSH_LIBS)
virsh_CFLAGS = \ virsh_CFLAGS = \
$(WARN_CFLAGS) \ $(WARN_CFLAGS) \
$(PIE_CFLAGS) \
$(COVERAGE_CFLAGS) \ $(COVERAGE_CFLAGS) \
$(LIBXML_CFLAGS) \ $(LIBXML_CFLAGS) \
$(READLINE_CFLAGS) $(READLINE_CFLAGS)