Enable full RELRO mode

By passing the flags -z relro -z now to the linker, we can force it to resolve all library symbols at startup, instead of on-demand. This allows it to then make the global offset table (GOT) read-only, which makes some security attacks harder. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-02-25 18:55:26 -06:00 · 2013-04-03 12:36:32 +01:00
parent 1150999ca4
commit fc8c1787d8
5 changed files with 67 additions and 12 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -146,6 +146,7 @@ AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
 LIBVIRT_COMPILE_WARNINGS
 LIBVIRT_COMPILE_PIE
 LIBVIRT_LINKER_RELRO
 LIBVIRT_CHECK_APPARMOR
 LIBVIRT_CHECK_ATTR
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -113,6 +113,7 @@ libvirtd_CFLAGS = \
 libvirtd_LDFLAGS =					\
 	$(WARN_LDFLAGS)					\
 	$(PIE_LDFLAGS)					\
 	$(RELRO_LDFLAGS)				\
 	$(COVERAGE_LDFLAGS)
 libvirtd_LDADD =					\
--- a/m4/virt-linker-relro.m4
+++ b/m4/virt-linker-relro.m4
@@ -0,0 +1,32 @@
 dnl
 dnl Check for -z now and -z relro linker flags
 dnl
 dnl Copyright (C) 2013 Red Hat, Inc.
 dnl
 dnl This library is free software; you can redistribute it and/or
 dnl modify it under the terms of the GNU Lesser General Public
 dnl License as published by the Free Software Foundation; either
 dnl version 2.1 of the License, or (at your option) any later version.
 dnl
 dnl This library is distributed in the hope that it will be useful,
 dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
 dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 dnl Lesser General Public License for more details.
 dnl
 dnl You should have received a copy of the GNU Lesser General Public
 dnl License along with this library.  If not, see
 dnl <http://www.gnu.org/licenses/>.
 dnl
 AC_DEFUN([LIBVIRT_LINKER_RELRO],[
    AC_MSG_CHECKING([for how to force completely read-only GOT table])
    RELRO_LDFLAGS=
    `$LD --help 2>&1 | grep -- "-z relro" >/dev/null` && \
        RELRO_LDFLAGS="-Wl,-z -Wl,relro"
    `$LD --help 2>&1 | grep -- "-z now" >/dev/null` && \
        RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now"
    AC_SUBST([RELRO_LDFLAGS])
    AC_MSG_RESULT([$RELRO_LDFLAGS])
 ])
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1537,10 +1537,15 @@ libvirt_lxc.def: $(srcdir)/libvirt_lxc.syms
 # Empty source list - it merely links a bunch of convenience libs together
 libvirt_la_SOURCES =
-libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \
+libvirt_la_LDFLAGS = \
 		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \
 		-version-info $(LIBVIRT_VERSION_INFO) \
-		    $(LIBVIRT_NODELETE) $(AM_LDFLAGS) \
+		$(LIBVIRT_NODELETE) \
-		    $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
+		$(AM_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
 libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la
 libvirt_la_LIBADD += \
 		    $(DRIVER_MODULE_LIBS) \
@@ -1616,18 +1621,26 @@ endif
 EXTRA_DIST += libvirt_probes.d libvirt_qemu_probes.d
 libvirt_qemu_la_SOURCES = libvirt-qemu.c
-libvirt_qemu_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \
+libvirt_qemu_la_LDFLAGS = \
 		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_QEMU_SYMBOL_FILE) \
 		-version-info $(LIBVIRT_VERSION_INFO) \
-			  $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \
+		$(AM_LDFLAGS) \
-			  $(AM_LDFLAGS)
+		$(RELRO_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
 libvirt_qemu_la_CFLAGS = $(AM_CFLAGS)
 libvirt_qemu_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
 libvirt_lxc_la_SOURCES = libvirt-lxc.c
-libvirt_lxc_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \
+libvirt_lxc_la_LDFLAGS = \
 		$(VERSION_SCRIPT_FLAGS)$(LIBVIRT_LXC_SYMBOL_FILE) \
 		-version-info $(LIBVIRT_VERSION_INFO) \
-			  $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) \
+		$(AM_LDFLAGS) \
-			  $(AM_LDFLAGS)
+		$(RELRO_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
 libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
 libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
 EXTRA_DIST += $(LIBVIRT_LXC_SYMBOL_FILE)
@@ -1675,6 +1688,7 @@ virtlockd_CFLAGS = \
 virtlockd_LDFLAGS = \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
@@ -1923,6 +1937,7 @@ libvirt_iohelper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_iohelper_LDADD =		\
 		libvirt_util.la		\
@@ -1946,6 +1961,7 @@ libvirt_parthelper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_parthelper_LDADD =		\
 		$(LIBPARTED_LIBS)	\
@@ -1978,6 +1994,7 @@ libvirt_sanlock_helper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_sanlock_helper_LDADD = libvirt.la
 endif
@@ -1994,6 +2011,7 @@ libvirt_lxc_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NULL)
 libvirt_lxc_LDADD =			\
 		$(FUSE_LIBS) \
@@ -2038,6 +2056,7 @@ virt_aa_helper_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(AM_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NULL)
 virt_aa_helper_LDADD =						\
 		libvirt_conf.la					\
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -100,6 +100,7 @@ virt_host_validate_SOURCES = \
 virt_host_validate_LDFLAGS = \
 		$(WARN_LDFLAGS) \
 		$(PIE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(COVERAGE_LDFLAGS) \
 		$(NULL)
@@ -135,6 +136,7 @@ virsh_LDADD =							\
 		$(STATIC_BINARIES)				\
 		$(WARN_LDFLAGS)					\
 		$(PIE_LDFLAGS)					\
 		$(RELRO_LDFLAGS) \
 		../src/libvirt.la				\
 		../src/libvirt-lxc.la				\
 		../src/libvirt-qemu.la				\