Hardening flags
Julien ÉLIE
julien at trigofacile.com
Tue Nov 10 22:54:46 UTC 2020
Hi Russ,
>> It seems that adding "-fPIE -pie" in CFLAGS could be worthwhile (because
>> INN is setuid), not only for rnews.
>
> I think Debian just changes GCC to do this by default so that each
> application doesn't need to worry about it, although I'm not 100% sure. I
> know it used to be part of the hardening flags and isn't any more, but
> innd on Debian is still built PIE, so I think something makes it happen
> automatically.
>
> It's possible Fedora is now doing the same thing. I believe Ubuntu has
> been doing this for a while.
>
> (That said, I have no objections to adding the flags on platforms that
> support them. The very minor speed hit seems unlikely to affect INN in
> any significant way.)
Suggested addition in configure.ac:
dnl Add hardening flags, if supported by the compiler.
INN_PROG_CC_FLAG([-fPIE], [CFLAGS="${CFLAGS} -fPIE"
LDFLAGS="${LDFLAGS} -fPIE -pie"], [])
INN_PROG_CC_FLAG([-fstack-protector-strong],
[CFLAGS="${CFLAGS} -fstack-protector-strong"], [])
However, when building the test suite with -fPIE, I encounter an error:
../libtool --mode=link gcc -fPIE -pie
-L/home/iulius/work/cyrus-install/lib -o authprogs/ident.t
authprogs/ident-t.o tap/basic.o /home/iulius/work/inn/trunk/lib/libinn.la
libtool: link: gcc -fPIE -pie -o authprogs/.libs/ident.t
authprogs/ident-t.o tap/basic.o -L/home/iulius/work/cyrus-install/lib
/home/iulius/work/inn/trunk/lib/.libs/libinn.so -Wl,-rpath
-Wl,/home/iulius/work/test-inn-bdb/lib
/usr/bin/ld: authprogs/ident-t.o: relocation R_X86_64_32 against
`.rodata.str1.1' can not be used when making a shared object; recompile
with -fPIC
It seems that libtool automatically adds "--with-pic=both" to configure
flags:
--with-pic[=PKGS] try to use only PIC/non-PIC objects
[default=use both]
Adding "--with-pic=yes" to configure flags solves the build issue...
Is it the right thing to do? Forcing -fPIC with -fPIE?
> I've in general not tried to add hardening compiler flags to the INN build
> process since Debian injects them, but maybe it would be a good idea to
> import some of them (-fstack-protector-strong, -Wl,-z,relro, and
> -Wl,-z,now, for example).
To handle commas, there's the following change to add to rra-c-util:
--- m4/cc-flags.m4 (révision 10390)
+++ m4/cc-flags.m4 (copie de travail)
@@ -28,7 +28,7 @@
dnl Used to build the result cache name.
AC_DEFUN([_RRA_PROG_CC_FLAG_CACHE],
-[translit([rra_cv_compiler_c_$1], [-=+], [___])])
+[translit([rra_cv_compiler_c_$1], [-=+,], [____])])
dnl Check whether a given flag is supported by the compiler.
AC_DEFUN([RRA_PROG_CC_FLAG],
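Review bot: the enumerated character class in `+[translit([rra_cv_compiler_c_$1], [-=+,], [____])])` fixes the comma case but still leaves every other character that can appear in a flag value (`/`, `.`, `:` and similar) in a name that must be a valid shell identifier for the cache variable; since the from-set and to-set are matched positionally, each new character needs another `_` appended, which is easy to forget. Consider replacing the enumerated list with a catch-all substitution, for example `m4_bpatsubst([rra_cv_compiler_c_$1], [[^a-zA-Z0-9_]], [_])`, so that a future flag does not silently produce an invalid cache name. The comment above the macro ("Used to build the result cache name.") could also state that non-identifier characters are mapped to `_`.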
Which permits adding to configure.ac:
INN_PROG_CC_FLAG([-Wl,-z,relro],
[LDFLAGS="${LDFLAGS} -Wl,-z,relro"], [])
INN_PROG_CC_FLAG([-Wl,-z,now],
[LDFLAGS="${LDFLAGS} -Wl,-z,now"], [])
libtool transforms "-Wl,-z,relro -Wl,-z,now" to "-Wl,-z -Wl,relro -Wl,-z
-Wl,now" when linking, which seems to be the same.
--
Julien ÉLIE
« Sum, ergo bibo ; bibo, ergo sum. »
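The flags discussed in this message are only useful if they actually reach the installed binaries, so the script below, an added example that is not part of the message above nor of INN or rra-c-util, classifies the hardening state of an ELF file from readelf output: PIE (ELF type DYN), RELRO (GNU_RELRO segment, with BIND_NOW for full RELRO) and the stack protector (an imported __stack_chk_fail). The classifiers read readelf text on stdin so they can be exercised on the constructed readelf fragments embedded in the script; check_binary runs them on a real file and needs binutils' readelf. The install path of innd is an assumption and depends on your configure prefix.

```shell
#!/bin/sh
# Added example, not code from the message above or from INN: classify the
# hardening state of a built ELF binary from readelf output, so that after
# adding -fPIE/-pie, -fstack-protector-strong, -Wl,-z,relro and -Wl,-z,now
# to configure.ac you can verify that they reached innd, rnews and the rest.
# Each classifier reads readelf text on stdin (testable on constructed
# samples, no compiler needed); check_binary glues them to a real file.

# PIE: the ELF header type is DYN rather than EXEC. Recent binutils print
# "DYN (Position-Independent Executable file)", older ones "DYN (Shared
# object file)", which is also what a .so shows, so run this on executables.
# Input: `readelf -h FILE`.  Output: "pie" or "no-pie".
pie_state() {
    if grep -q '^ *Type: *DYN'; then echo pie; else echo no-pie; fi
}

# RELRO: a GNU_RELRO program header alone is partial RELRO; full RELRO also
# needs BIND_NOW (DT_FLAGS BIND_NOW or DT_FLAGS_1 NOW) so that the GOT is
# resolved, then mapped read-only, before main() runs.
# Input: `readelf -l -d FILE`.  Output: "full", "partial" or "none".
relro_state() {
    _dump=$(cat)
    if ! printf '%s\n' "$_dump" | grep -q 'GNU_RELRO'; then
        echo none
    elif printf '%s\n' "$_dump" | grep -Eq '\((FLAGS|FLAGS_1)\).*(BIND_NOW|[[:space:]]NOW)'; then
        echo full
    else
        echo partial
    fi
}

# Stack protector: a binary with at least one protected function imports
# __stack_chk_fail; one built without the flag (or with no function that
# qualified for a canary) has no such symbol.
# Input: `readelf --dyn-syms FILE`.  Output: "canary" or "no-canary".
canary_state() {
    if grep -q '__stack_chk_fail'; then echo canary; else echo no-canary; fi
}

# Run all three classifiers against a real file (needs binutils' readelf).
check_binary() {
    printf '%s: pie=%s relro=%s stack-protector=%s\n' "$1" \
        "$(readelf -h "$1" | pie_state)" \
        "$(readelf -l -d "$1" | relro_state)" \
        "$(readelf --dyn-syms "$1" | canary_state)"
}

# Constructed readelf fragments (not captured from INN) for offline use:
SAMPLE_H_PIE='  Type:                              DYN (Position-Independent Executable file)'
SAMPLE_H_EXEC='  Type:                              EXEC (Executable file)'
SAMPLE_LD_FULL='  GNU_RELRO      0x0000000000002dd0 0x0000000000003dd0
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_LD_FULL_DTFLAGS='  GNU_RELRO      0x0000000000002dd0 0x0000000000003dd0
 0x000000000000001e (FLAGS)              BIND_NOW'
SAMPLE_LD_PARTIAL='  GNU_RELRO      0x0000000000002dd0 0x0000000000003dd0
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_LD_NONE=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_SYMS_CANARY='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'
SAMPLE_SYMS_PLAIN='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)'

# With file arguments, inspect real binaries (e.g. innd under your INN
# prefix's bin directory, an assumed path); without arguments, classify the
# constructed samples so the script demonstrates itself offline.
if [ $# -gt 0 ]; then
    for f in "$@"; do check_binary "$f"; done
else
    printf 'sample: pie=%s relro=%s stack-protector=%s\n' \
        "$(printf '%s\n' "$SAMPLE_H_PIE" | pie_state)" \
        "$(printf '%s\n' "$SAMPLE_LD_FULL" | relro_state)" \
        "$(printf '%s\n' "$SAMPLE_SYMS_CANARY" | canary_state)"
fi
```

Run it as `sh check-hardening.sh /path/to/innd /path/to/rnews` after a build with the flags above; "partial" RELRO means -Wl,-z,relro took effect but -Wl,-z,now did not, and "no-pie" on a binary that libtool linked without -fPIC objects is exactly the situation the relocation error above prevents at link time.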