Build all binaries with PIE

PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC. The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent to -fPIC, but for executables. This for allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/configure.ac b/configure.ac
index 0df9e5ccd1124177564e21afff59d06f894e7b33..c4cd33ea00aeff1dca350c03adf7cb328d659671 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -145,6 +145,7 @@ VERSION_SCRIPT_FLAGS=-Wl,--version-script=
 AC_MSG_RESULT([$VERSION_SCRIPT_FLAGS])
 
 LIBVIRT_COMPILE_WARNINGS
+LIBVIRT_COMPILE_PIE
 
 LIBVIRT_CHECK_APPARMOR
 LIBVIRT_CHECK_ATTR

diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 4d5c2fd6665b0ee244b4e6163a4e16e991fce519..bf260b1b10a1ed26b06280828d87f45ef57a054c 100644 (file)
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -106,12 +106,13 @@ libvirtd_SOURCES = $(DAEMON_SOURCES)
 libvirtd_CFLAGS = \
        $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \
        $(XDR_CFLAGS) $(POLKIT_CFLAGS) $(DBUS_CFLAGS) $(LIBNL_CFLAGS) \
-       $(WARN_CFLAGS) \
+       $(WARN_CFLAGS) $(PIE_CFLAGS) \
        $(COVERAGE_CFLAGS) \
        -DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\""
 
 libvirtd_LDFLAGS =                                     \
-       $(WARN_CFLAGS)                                  \
+       $(WARN_LDFLAGS)                                 \
+       $(PIE_LDFLAGS)                                  \
        $(COVERAGE_LDFLAGS)
 
 libvirtd_LDADD =                                       \

diff --git a/m4/virt-compile-pie.m4 b/m4/virt-compile-pie.m4
new file mode 100644 (file)
index 0000000..1b62041
--- /dev/null
+++ b/m4/virt-compile-pie.m4
@@ -0,0 +1,30 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_COMPILE_PIE],[
+    PIE_CFLAGS=
+    PIE_LDFLAGS=
+    gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
+        PIE_CFLAGS="-fPIE -DPIE"
+        PIE_LDFLAGS="-pie"
+    ])
+    AC_SUBST([PIE_CFLAGS])
+    AC_SUBST([PIE_LDFLAGS])
+])

diff --git a/src/Makefile.am b/src/Makefile.am
index 3f69d39e0f3fb93ac0e9370febe6bd9ec6c48d10..b33737f33738e4f999f244b75df3975751ff2cc8 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1670,9 +1670,11 @@ virtlockd_SOURCES = \
                $(NULL)
 virtlockd_CFLAGS = \
                $(AM_CFLAGS) \
+               $(PIE_CFLAGS) \
                $(NULL)
 virtlockd_LDFLAGS = \
                $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
                $(CYGWIN_EXTRA_LDFLAGS) \
                $(MINGW_EXTRA_LDFLAGS) \
                $(NULL)
@@ -1917,7 +1919,11 @@ libexec_PROGRAMS =
 if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_iohelper
 libvirt_iohelper_SOURCES = $(UTIL_IO_HELPER_SOURCES)
-libvirt_iohelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_iohelper_LDFLAGS = \
+               $(WARN_LDFLAGS) \
+               $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
+               $(NULL)
 libvirt_iohelper_LDADD =               \
                libvirt_util.la         \
                ../gnulib/lib/libgnu.la
@@ -1925,7 +1931,10 @@ if WITH_DTRACE_PROBES
 libvirt_iohelper_LDADD += libvirt_probes.lo
 endif
 
-libvirt_iohelper_CFLAGS = $(AM_CFLAGS)
+libvirt_iohelper_CFLAGS = \
+               $(AM_CFLAGS) \
+               $(PIE_CFLAGS) \
+               $(NULL)
 endif
 
 if WITH_STORAGE_DISK
@@ -1933,7 +1942,11 @@ if WITH_LIBVIRTD
 libexec_PROGRAMS += libvirt_parthelper
 
 libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES)
-libvirt_parthelper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_parthelper_LDFLAGS = \
+               $(WARN_LDFLAGS) \
+               $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
+               $(NULL)
 libvirt_parthelper_LDADD =             \
                $(LIBPARTED_LIBS)       \
                libvirt_util.la         \
@@ -1942,7 +1955,11 @@ if WITH_DTRACE_PROBES
 libvirt_parthelper_LDADD += libvirt_probes.lo
 endif
 
-libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS) $(AM_CFLAGS)
+libvirt_parthelper_CFLAGS = \
+               $(LIBPARTED_CFLAGS) \
+               $(AM_CFLAGS) \
+               $(PIE_CFLAGS) \
+               $(NULL)
 endif
 endif
 EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES)
@@ -1952,8 +1969,16 @@ if WITH_SANLOCK
 libexec_PROGRAMS += libvirt_sanlock_helper
 
 libvirt_sanlock_helper_SOURCES = $(LOCK_DRIVER_SANLOCK_HELPER_SOURCES)
-libvirt_sanlock_helper_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
-libvirt_sanlock_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+libvirt_sanlock_helper_CFLAGS = \
+               -I$(top_srcdir)/src/conf \
+               $(AM_CFLAGS) \
+               $(PIE_CFLAGS) \
+               $(NULL)
+libvirt_sanlock_helper_LDFLAGS = \
+               $(WARN_LDFLAGS) \
+               $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
+               $(NULL)
 libvirt_sanlock_helper_LDADD = libvirt.la
 endif
 
@@ -1965,7 +1990,11 @@ libvirt_lxc_SOURCES =                                            \
                $(LXC_CONTROLLER_SOURCES)                       \
                $(NODE_INFO_SOURCES)                            \
                $(DATATYPES_SOURCES)
-libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(AM_LDFLAGS)
+libvirt_lxc_LDFLAGS = \
+               $(WARN_LDFLAGS) \
+               $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
+               $(NULL)
 libvirt_lxc_LDADD =                    \
                $(FUSE_LIBS) \
                libvirt-net-rpc-server.la \
@@ -1981,8 +2010,10 @@ libvirt_lxc_LDADD += $(SECDRIVER_LIBS)
 libvirt_lxc_CFLAGS =                           \
                -I$(top_srcdir)/src/conf        \
                $(AM_CFLAGS)                    \
+               $(PIE_CFLAGS)                   \
                $(LIBNL_CFLAGS)                 \
-               $(FUSE_CFLAGS)
+               $(FUSE_CFLAGS)                  \
+               $(NULL)
 if WITH_BLKID
 libvirt_lxc_CFLAGS += $(BLKID_CFLAGS)
 libvirt_lxc_LDADD += $(BLKID_LIBS)
@@ -2003,7 +2034,11 @@ libexec_PROGRAMS += virt-aa-helper
 
 virt_aa_helper_SOURCES = $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)
 
-virt_aa_helper_LDFLAGS = $(WARN_LDFLAGS) $(AM_LDFLAGS)
+virt_aa_helper_LDFLAGS = \
+               $(WARN_LDFLAGS) \
+               $(AM_LDFLAGS) \
+               $(PIE_LDFLAGS) \
+               $(NULL)
 virt_aa_helper_LDADD =                                         \
                libvirt_conf.la                                 \
                libvirt_util.la                                 \
@@ -2014,7 +2049,9 @@ endif
 virt_aa_helper_CFLAGS =                                                \
                -I$(top_srcdir)/src/conf                        \
                -I$(top_srcdir)/src/security                    \
-               $(AM_CFLAGS)
+               $(AM_CFLAGS) \
+               $(PIE_CFLAGS) \
+               $(NULL)
 endif
 endif
 EXTRA_DIST += $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES)

diff --git a/tools/Makefile.am b/tools/Makefile.am
index 0010c39bc95202f3be1c0ff0c40ac200a9b90eaf..09a9bdd4554d35087efdf8313c01f000135186b9 100644 (file)
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -99,6 +99,7 @@ virt_host_validate_SOURCES = \
 
 virt_host_validate_LDFLAGS = \
                $(WARN_LDFLAGS) \
+               $(PIE_LDFLAGS) \
                $(COVERAGE_LDFLAGS) \
                $(NULL)
 
@@ -109,6 +110,7 @@ virt_host_validate_LDADD = \
 
 virt_host_validate_CFLAGS = \
                $(WARN_CFLAGS)                                  \
+               $(PIE_CFLAGS)                                   \
                $(COVERAGE_CFLAGS)                              \
                $(NULL)
 
@@ -131,7 +133,8 @@ virsh_SOURCES =                                                     \
 virsh_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS)
 virsh_LDADD =                                                  \
                $(STATIC_BINARIES)                              \
-               $(WARN_CFLAGS)                                  \
+               $(WARN_LDFLAGS)                                 \
+               $(PIE_LDFLAGS)                                  \
                ../src/libvirt.la                               \
                ../src/libvirt-lxc.la                           \
                ../src/libvirt-qemu.la                          \
@@ -140,6 +143,7 @@ virsh_LDADD =                                                       \
                $(VIRSH_LIBS)
 virsh_CFLAGS =                                                 \
                $(WARN_CFLAGS)                                  \
+               $(PIE_CFLAGS)                                   \
                $(COVERAGE_CFLAGS)                              \
                $(LIBXML_CFLAGS)                                \
                $(READLINE_CFLAGS)