aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJulien Dusser <julien.dusser@free.fr>2018-01-08 23:47:06 +0100
committerHauke Mehrtens <hauke@hauke-m.de>2018-01-27 16:46:45 +0100
commitdf0bd42fdeb76c9bc51b816c3df699db123c0024 (patch)
tree1057e289580397c014b2c9c4460057e9e7ac8367
parentca7e8627dbbbcae0d1bfacea51d9b564617195de (diff)
downloadupstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.gz
upstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.bz2
upstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.zip
build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
-rw-r--r--config/Config-build.in16
-rw-r--r--include/hardened-ld-pie.specs2
-rw-r--r--include/hardening.mk7
-rw-r--r--package/utils/busybox/Makefile3
4 files changed, 28 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 7ec7653a9a..660da1c47f 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -184,6 +184,22 @@ menu "Global build settings"
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
+ config PKG_ASLR_PIE
+ bool
+ prompt "User space ASLR PIE compilation"
+ select BUSYBOX_DEFAULT_PIE
+ default n
+ help
+ Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+ This enables package build as Position Independent Executables (PIE)
+ to protect against "return-to-text" attacks. This belongs to the
+ feature of Address Space Layout Randomisation (ASLR), which is
+ implemented by the kernel and the ELF loader by randomising the
+ location of memory allocations. This makes memory addresses harder
+ to predict when an attacker is attempting a memory-corruption exploit.
+ You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+ Makefile.
+
choice
prompt "User space Stack-Smashing Protection"
depends on USE_MUSL
diff --git a/include/hardened-ld-pie.specs b/include/hardened-ld-pie.specs
new file mode 100644
index 0000000000..7317b19a17
--- /dev/null
+++ b/include/hardened-ld-pie.specs
@@ -0,0 +1,2 @@
+*self_spec:
++ %{no-pie|static|r|shared:;:-pie}
diff --git a/include/hardening.mk b/include/hardening.mk
index c277081c51..06a61789ef 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -6,6 +6,7 @@
#
PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
+ifdef CONFIG_PKG_ASLR_PIE
+ ifeq ($(strip $(PKG_ASLR_PIE)),1)
+ TARGET_CFLAGS += -fPIC
+ TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+ endif
+endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_SSP)),1)
TARGET_CFLAGS += -fstack-protector
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 8866756aea..4f85cc9614 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
PKG_CHECK_FORMAT_SECURITY:=0
PKG_INSTALL:=1
+#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
+PKG_ASLR_PIE:=0
+
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
PKG_CPE_ID:=cpe:/a:busybox:busybox