r1148 - in trunk/BOOK: chapter01 chapter06

robert at linuxfromscratch.org robert at linuxfromscratch.org
Mon Jun 11 04:34:45 PDT 2007


Author: robert
Date: 2007-06-11 05:34:45 -0600 (Mon, 11 Jun 2007)
New Revision: 1148

Modified:
   trunk/BOOK/chapter01/changelog.xml
   trunk/BOOK/chapter06/glibc.xml
Log:
Modified chap6 Glibc to harden programs, but not libraries

Modified: trunk/BOOK/chapter01/changelog.xml
===================================================================
--- trunk/BOOK/chapter01/changelog.xml	2007-06-11 10:37:16 UTC (rev 1147)
+++ trunk/BOOK/chapter01/changelog.xml	2007-06-11 11:34:45 UTC (rev 1148)
@@ -52,6 +52,10 @@
       <para>June 11th, 2007</para>
       <itemizedlist>
         <listitem>
+          <para>[robert]: Modified chap6 Glibc to harden programs, but not
+          libraries.</para>
+        </listitem>
+        <listitem>
           <para>[robert]: Added -fstack-protector-all and -fPIE GCC specs
           patches.</para>
         </listitem>

Modified: trunk/BOOK/chapter06/glibc.xml
===================================================================
--- trunk/BOOK/chapter06/glibc.xml	2007-06-11 10:37:16 UTC (rev 1147)
+++ trunk/BOOK/chapter06/glibc.xml	2007-06-11 11:34:45 UTC (rev 1148)
@@ -180,6 +180,15 @@
 
 <screen role="hardened_tmp"><userinput>patch -Np1 -i ../&glibc-hardened_tmp-patch;</userinput></screen>
 
+    <para>Add <envar>MUDFLAP_OPTIONS</envar> to the list of environment
+    variables which are removed by libc for suid programs. This will keep
+    local users, including root, from disabling bounds checking on suid
+    programs linked to
+    <filename class="libraryfile">libmudflap.so</filename>:</para>
+
+<screen><userinput>sed 's/#define UNSECURE_ENVVARS.*/&\
+  "MUDFLAP_OPTIONS\\0" \\/' -i.orig sysdeps/generic/unsecvars.h</userinput></screen>
+
     <para role="ssp">Glibc's configure script will fail several tests because
     <option>-fstack-protector[-all]</option> and <option>-nostdlib</option> are
     being used together and the conftest program is not getting linked to
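Review bot: The sed at the end of the hunk has no failure mode: if the `#define UNSECURE_ENVVARS` line in this Glibc release does not match the pattern, sed exits 0 and the book ships a libc that still honours `MUDFLAP_OPTIONS` in setuid programs, with no indication anything went wrong; add a check right after it, e.g. `grep -q MUDFLAP_OPTIONS sysdeps/generic/unsecvars.h || echo "unsecvars.h edit did not apply"`. The new paragraph also claims the scrubbing keeps "local users, including root" from disabling bounds checking; as far as I recall the UNSECURE_ENVVARS list is only applied when the kernel sets AT_SECURE (uid != euid, gid != egid, or file capabilities), so root invoking a setuid-root binary is not covered and "including root" overstates it — I would reword to "unprivileged local users". The text itself is otherwise a verbatim move of the block removed in the next hunk.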
@@ -196,61 +205,13 @@
 
 <screen role="ssp"><userinput>sed 's/fstack-protector/&-all/' -i.orig nscd/Makefile</userinput></screen>
 
-<para role="ssp">This next command adds the stack_chk_fail_local function
-to <filename class="libraryfile">libc.so</filename> so that
-<filename class="libraryfile">libc.so</filename> can be compiled with
-<option>-fstack-protector</option> (by the hardened GCC specs):</para>
+    <para role="aslr">The <command>ldconfig</command> program is statically
+    linked. The next command adds compiler options so it will not be built
+    as PIC unnessessarily:</para>
 
-<screen role="ssp"><userinput>sed 's/^$(common-objpfx)libc.so: $(elfobjdir)\/soinit.os \\/&\
-\t\t\t $(common-objpfx)debug\/stack_chk_fail_local.oS \\/' \
-    -i.orig Makerules</userinput></screen>
+<screen role="aslr"><userinput>sed 's/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/' \
+    -i.orig elf/Makefile</userinput></screen>
 
-    <para role="ssp">These next commands add <option>-fno-stack-protector</option>
-    to a few places:</para>
-
-<screen role="ssp"><userinput>sed 's/^CPPFLAGS += -DHAVE_INITFINI/& -fno-stack-protector/' \
-    -i.orig csu/Makefile
-
-sed 's/^CPPFLAGS-.os +=/& -fno-stack-protector/' \
-    -i.orig elf/Makefile
-
-sed 's/^CFLAGS-rtld :=/& -fno-stack-protector/' \
-    -i.orig elf/rtld-Rules
-
-sed -e 's/^CFLAGS-init.c =/& -fno-stack-protector/' \
-    -e 's/^CFLAGS-unwind.* =/& -fno-stack-protector/' \
-      -i nptl/Makefile</userinput></screen>
-
-    <para role="ssp">This sed command adds __stack_chk_fail to the expected
-    result from <filename class="libraryfile">libc.so</filename>, so the
-    testsuite passes:</para>
-
-<screen role="ssp"><userinput>sed 's/^libc.so: _Unwind_Find_FDE/&\nlibc.so: __stack_chk_fail/' \
-    -i.orig scripts/data/localplt-i386-linux-gnu.data</userinput></screen>
-
-    <para role="aslr">A few of Glibc's tests explicitly link to the non-pie
-    startfiles and will crash if linked with <option>-pie</option>. So we must add
-<option>-nopie</option> for these tests:</para>
-
-<screen role="aslr"><userinput>echo '
-LDFLAGS-tst-cancelx4 += -nopie
-LDFLAGS-tst-cancelx5 += -nopie
-LDFLAGS-tst-cancelx10 += -nopie
-LDFLAGS-tst-cancelx18 += -nopie' >> nptl/Makefile
-
-echo 'LDFLAGS-order += -nopie' >> elf/Makefile
-
-sed 's/LDFLAGS-default =/& -nopie/' -i.orig dlfcn/Makefile</userinput></screen>
-
-    <para>Add <envar>MUDFLAP_OPTIONS</envar> to the list of environment
-    variables which are removed by libc for suid programs. This will keep
-    local users, including root, from disabling bounds checking on suid
-    programs linked to
-    <filename class="libraryfile">libmudflap.so</filename>:</para>
-
-<screen><userinput>sed 's/#define UNSECURE_ENVVARS.*/&\
-  "MUDFLAP_OPTIONS\\0" \\/' -i.orig sysdeps/generic/unsecvars.h</userinput></screen>
-
     <para>The Glibc documentation recommends building Glibc outside of the source
     directory in a dedicated build directory:</para>
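Review bot: Typo in the new paragraph at the top of the hunk: `unnessessarily` should be `unnecessarily`. The sed `s/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/` also fails silently if the Makefile spells the assignment differently (e.g. `+=` or extra whitespace), in which case the hardened specs would build the statically linked ldconfig as PIE and it may not link, or will carry needless relocations; a `grep -q 'fno-PIE' elf/Makefile` after the sed would catch that. It would help readers to say why PIC/PIE is unwanted here — a static, non-PIE binary gains no ASLR from it — so the option is not mistaken for a hardening regression.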
 
@@ -284,21 +245,71 @@
 
     </variablelist>
 
-    <para>Add <option>-nonow</option> to <envar>CC</envar> so the testsuite will
-    have better results. When Glibc's build uses <option>-Wl,-z,now</option> it
-    will supersede this <option>-nonow</option> option:</para>
+    <para>The Glibc libraries can not be built with
+    <parameter>-fstack-protector[-all]</parameter>,
+    <parameter>-D_FORTIFY_SOURCE</parameter>, or
+    <parameter>-Wl,-z,now</parameter>. The
+    <parameter>--enable-bind-now</parameter> configure option will add
+    <parameter>-Wl,-z,now</parameter> where it can be used. We can control
+    compiler options used during the build with the
+    <filename>configparms</filename> file. First we will build the libraries.
+    The following command will set up the <filename>configparms</filename>
+    file to only build the libraries, and to disable options we can't use:</para>
 
-<screen><userinput>sed 's/^CC =.*/& -nonow/' -i.orig config.make</userinput></screen>
+<screen><userinput>echo 'build-programs=no
+CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+CXX = g++ -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+' > configparms</userinput></screen>
 
-    <para>Compile the package:</para>
+    <para>Compile the libraries:</para>
 
 <screen><userinput>make</userinput></screen>
 
-    <para>To test the results, issue:</para>
+    <para>Remove the <filename>configparms</filename> file:</para>
 
-<screen><userinput>make CC="gcc -fno-stack-protector" LDFLAGS="-nonow" -k check 2>&1 \
-    | tee glibc-check-log ; grep Error glibc-check-log</userinput></screen>
+<screen><userinput>rm -v configparms</userinput></screen>
 
+    <para role="aslr">Glibc links startfiles explicitly. The following will
+    modify the link command used, so that the programs will be linked to the
+    sharable startfiles, and explicityly use <parameter>-fPIE</parameter>. The
+    <command>sln</command> is another statically linked program, so options
+    are added so it is not compiled as PIC:</para>
+
+<screen role="aslr"><userinput>echo 'CC = gcc -fPIE
+CXX = g++ -fPIE 
+CFLAGS-sln.c += -fno-PIC -fno-PIE
++link = $(CC) -nostdlib -nostartfiles -fPIE -pie -o $@ \
+ $(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
+ -Wl,-z,combreloc -Wl,-z,relro -Wl,-z,now $(hashstyle-LDFLAGS) \
+ $(addprefix $(csu-objpfx),S$(start-installed-name)) \
+ $(+preinit) `$(CC) --print-file-name=crtbeginS.o` \
+ $(filter-out $(addprefix $(csu-objpfx),start.o \
+  $(start-installed-name))\
+ $(+preinit) $(link-extra-libs) \
+ $(common-objpfx)libc% $(+postinit),$^) \
+ $(link-extra-libs) $(link-libc) `$(CC) --print-file-name=crtendS.o` $(+postinit)
+' > configparms</userinput></screen>
+
+    <para>Any other compiler hardening options are passed by default, so they
+    do not need to be added to the <filename>configparms</filename> file.</para>
+
+    <para>Now run <command>make</command> again to build Glibc's programs:</para>
+
+<screen><userinput>make</userinput></screen>
+
+    <para>To test the results first create a new
+    <filename>configparms</filename> file to disable all hardening options:</para>
+
+<screen><userinput>rm -v configparms
+echo 'CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+CXX = g++ -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+' > configparms</userinput></screen>
+
+    <para>Then run the test suite:</para>
+
+<screen><userinput>make -k check 2>&1 | tee glibc-check-log ;
+    grep -n Error glibc-check-log</userinput></screen>
+
     <para>The Glibc test suite depends on features of the host system
     kernel. Under ideal conditions all tests, except
     <quote>posix/annexc.out (ignored)</quote>, should pass.</para>
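Review bot: The test step at the end of the hunk writes a configparms with `CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie`, so `make check` exercises a build with every hardening option turned off and a clean result says nothing about the PIE/RELRO/BIND_NOW/SSP programs that were actually built two steps earlier and will be installed; the book should state this explicitly, e.g. `Note that the test suite is built without the hardening options, so it validates only the unhardened code paths.` The paragraph at the top of the hunk asserts the libraries "can not be built with" -fstack-protector, _FORTIFY_SOURCE or -z now, yet the text this commit removes in the previous hunk had libc.so building with -fstack-protector via stack_chk_fail_local; the reason for the reversal (crash, test failures, or an ld.so constraint) should be named so readers can judge the trade-off. Whether `-U_FORTIFY_SOURCE` on the command line actually overrides a `-D_FORTIFY_SOURCE=2` injected by the hardened specs depends on the specs' ordering, which is not visible here; worth confirming with `echo | gcc -fno-stack-protector -U_FORTIFY_SOURCE -dM -E -` before relying on it.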



