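#!/usr/bin/make -f
#
# Copyright (C) 2009-2012 Kees Cook <kees@debian.org>
# License: GPLv2 or newer
#
# This file is intended to be included in a Debian rules file so that the
# calculated HARDENING_CFLAGS and HARDENING_LDFLAGS from this makefile
# can be used in the package's CFLAGS (and/or CXXFLAGS) and LDFLAGS to
# harden the security of a package's resulting binaries. For example:
#
# include /usr/share/hardening-includes/hardening.make
# CFLAGS += $(HARDENING_CFLAGS)
# LDFLAGS += $(HARDENING_LDFLAGS)
#
# and if you need it for C++ compilations:
#
# CXXFLAGS += $(HARDENING_CFLAGS)
#
#
# By default, all hardening options that are valid for a given architecture
# are enabled. The following can be set before or after including this
# makefile:
# To disable all hardening: DEB_BUILD_HARDENING:=0
# To disable PIE: DEB_BUILD_HARDENING_PIE:=0
# To disable stack protector: DEB_BUILD_HARDENING_STACKPROTECTOR:=0
# To disable Fortify Source: DEB_BUILD_HARDENING_FORTIFY:=0
# To disable format string checks: DEB_BUILD_HARDENING_FORMAT:=0
# To disable readonly relocations: DEB_BUILD_HARDENING_RELRO:=0
# To disable BIND_NOW: DEB_BUILD_HARDENING_BINDNOW:=0
#
# For more details, see https://wiki.debian.org/Hardening
#
# Thanks to Ryan Niebur for help with the Makefile magicks.
#
# -- Kees Cook <kees@debian.org>

# Host architecture and OS as reported by dpkg-architecture. Both are only
# consulted at parse time (the per-architecture defaults below), so they are
# stored simply-expanded: a recursively-expanded "?=" would fork
# dpkg-architecture again on every reference. The "origin" test keeps the
# "?=" contract: a value already provided by the environment, the command
# line, or the including rules file is left untouched.
# If dpkg-architecture is unavailable both values are empty; the conditionals
# below then leave PIE off (no OS match) and keep the other features on.
ifeq ($(origin DEB_HOST_ARCH),undefined)
DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null)
endif
ifeq ($(origin DEB_HOST_ARCH_OS),undefined)
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
endif

# Global switch; every per-feature switch below is also gated on it.
DEB_BUILD_HARDENING ?= 1

ifneq (,$(filter $(DEB_HOST_ARCH_OS), linux knetbsd hurd ))
  # PIE enabled only on linux, knetbsd, and hurd (bugs 430455 and 586215)
  ifeq (,$(filter $(DEB_HOST_ARCH), hppa m68k mips mipsel avr32 ))
    # disabled on hppa (bug number needed)
    # disabled on m68k (bug 451192)
    # disabled on mips/mipsel (toolchain bug 532821)
    # disabled on avr32 (bug 574716)
    DEB_BUILD_HARDENING_PIE ?= 1
  endif
endif
# Any architecture/OS not matched above defaults to PIE off.
DEB_BUILD_HARDENING_PIE ?= 0

ifneq (,$(filter $(DEB_HOST_ARCH), ia64 alpha mips mipsel hppa arm ))
  # Stack protector disabled on ia64, alpha, mips, mipsel, hppa.
  # "warning: -fstack-protector not supported for this target"
  # Stack protector disabled on arm (ok on armel).
  # compiler supports it incorrectly (leads to SEGV)
  DEB_BUILD_HARDENING_STACKPROTECTOR ?= 0
endif
DEB_BUILD_HARDENING_STACKPROTECTOR ?= 1

# Read-only relocations are not enabled on ia64, hppa and avr32 (the reason
# is not recorded in this file).
ifneq (,$(filter $(DEB_HOST_ARCH), ia64 hppa avr32 ))
  DEB_BUILD_HARDENING_RELRO ?= 0
endif
DEB_BUILD_HARDENING_RELRO ?= 1

# Features with no per-architecture restrictions.
DEB_BUILD_HARDENING_FORTIFY ?= 1
DEB_BUILD_HARDENING_FORMAT ?= 1
DEB_BUILD_HARDENING_BINDNOW ?= 1

# The flags each feature contributes. These are internal; packages should
# consume HARDENING_CFLAGS / HARDENING_LDFLAGS and the HARDENING_DISABLE_*
# values below rather than reference these directly.
_HARDENED_PIE_CFLAGS := -fPIE
_HARDENED_PIE_LDFLAGS := -fPIE -pie

_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4

# Fortify Source requires that -O1 or higher is used, but that should be
# handled outside of this include file.
_HARDENED_FORTIFY_CFLAGS := -D_FORTIFY_SOURCE=2

# -Werror=format-security turns the format-security warning into a hard
# build failure rather than a warning that is easy to overlook.
_HARDENED_FORMAT_CFLAGS := -Wformat -Wformat-security -Werror=format-security

_HARDENED_RELRO_LDFLAGS := -Wl,-z,relro

_HARDENED_BINDNOW_LDFLAGS := -Wl,-z,now

# $(call _hardening_enabled,<feature switch>,<flags>)
# Expands to <flags> when both DEB_BUILD_HARDENING and the feature switch
# are one of "yes", "1", "on" or "true"; otherwise expands to nothing.
# Deliberately recursively-expanded so it reads the switches at use time.
_hardening_enabled = $(if $(filter $(DEB_BUILD_HARDENING), yes 1 on true),\
	$(if $(filter $(1), yes 1 on true),$(2),),)

# Both results stay recursively-expanded ("?=") on purpose: the including
# rules file may set DEB_BUILD_HARDENING_* after this include, and the
# switches must be honoured wherever the flags are finally used.
HARDENING_CFLAGS ?= \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_CFLAGS)) \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_STACKPROTECTOR),$(_HARDENED_STACKPROTECTOR_CFLAGS)) \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORTIFY),$(_HARDENED_FORTIFY_CFLAGS)) \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORMAT),$(_HARDENED_FORMAT_CFLAGS))

HARDENING_LDFLAGS ?= \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_LDFLAGS)) \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_RELRO),$(_HARDENED_RELRO_LDFLAGS)) \
	$(call _hardening_enabled,$(DEB_BUILD_HARDENING_BINDNOW),$(_HARDENED_BINDNOW_LDFLAGS))

# Utility macros designed to allow package maintainer to force a given
# hardening feature off in certain areas of a build without disabling
# the option for the entire build. For example:
# CFLAGS += $(HARDENING_CFLAGS)
# monkey.o: monkey.c
# $(CC) $(CFLAGS) $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) $< -o $@
# Each of these is the compiler/linker option that counteracts the matching
# _HARDENED_* flag when appended after it on the command line.
HARDENING_DISABLE_STACKPROTECTOR_CFLAGS:=-fno-stack-protector
HARDENING_DISABLE_FORTIFY_CFLAGS:=-U_FORTIFY_SOURCE
HARDENING_DISABLE_FORMAT_CFLAGS:=-Wno-format-security
HARDENING_DISABLE_RELRO_LDFLAGS:=-Wl,-z,norelro
HARDENING_DISABLE_BINDNOW_LDFLAGS:=-Wl,-z,lazy
# Note: GCC does not have a way to just turn off pie (there is no "-nopie")
# so if PIE needs to be disabled for a specific target, the CFLAGS and LDFLAGS
# need to be filtered. For example:
# monkey: monkey.c
# $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
# $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \
# $< -o $@
#
# Note: when building shared libraries, or with some build frameworks (e.g.
# cmake) that pass "-fPIC" to everything, the "-fPIE" option must be filtered
# out to avoid building shared objects that need PIC but end up only with PIE.
# This is usually indicated by errors at link time that look like this:
# relocation R_X86_64_PC32 against symbol `foo' can not be used when making a shared object; recompile with -fPIC
# In these cases, the CFLAGS can be filtered to exclude "-fPIE" until this
# is fixed in gcc correctly. For example, on one target:
# monkey.o: monkey.c
# $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
# $< -c -o $@
# In cases where mixed shared objects and executable objects are being built,
# "-fPIC" needs to actually replace "-fPIE", since gcc won't distinguish
# between them yet. For example:
# export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
# CFLAGS += $(HARDENING_CFLAGS_PIC) \
# $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(HARDENING_CFLAGS))
#
# Filter lists for use with $(filter-out ...); they mirror the PIE flags above.
HARDENING_DISABLE_PIE_CFLAGS_FILTER:=$(_HARDENED_PIE_CFLAGS)
HARDENING_DISABLE_PIE_LDFLAGS_FILTER:=$(_HARDENED_PIE_LDFLAGS)
HARDENING_CFLAGS_PIC:=-fPIC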