From: Marek Vavruša <marek.vavrusa@nic.cz>
Date: Tue, 8 Dec 2015 18:38:24 +0000 (+0100)
Subject: build: hardening, doc, cleanup build rules
X-Git-Tag: v1.0.0-beta3~42^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=967ce709e47144a6a82fa5cdc989c487cff78c35;p=thirdparty%2Fknot-resolver.git

build: hardening, doc, cleanup build rules
---

diff --git a/config.mk b/config.mk
index 5b99b3478..9c45b6a58 100644
--- a/config.mk
+++ b/config.mk
@@ -13,10 +13,12 @@ ETCDIR := $(PREFIX)/etc/kresd
 
 # Tools
 CC	?= cc
-BUILD_LDFLAGS += $(LDFLAGS)
-BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -fPIC -Wtype-limits -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
-BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
 RM	:= rm -f
 LN      := ln -s
 XXD     := ./scripts/embed.sh
 INSTALL := install
+
+# Flags
+BUILD_LDFLAGS += $(LDFLAGS)
+BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
+BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
diff --git a/daemon/daemon.mk b/daemon/daemon.mk
index e56fad1f7..50a5c1b1f 100644
--- a/daemon/daemon.mk
+++ b/daemon/daemon.mk
@@ -24,6 +24,7 @@ endif
 bindings-install: $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
 	$(INSTALL) -m 0644 $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
 
+kresd_CFLAGS := -fPIE
 kresd_DEPEND := $(libkres)
 kresd_LIBS := $(libkres_TARGET) $(libknot_LIBS) $(libdnssec_LIBS) $(libuv_LIBS) $(lua_LIBS)
 
diff --git a/doc/build.rst b/doc/build.rst
index 819a54e0b..383b37b5f 100644
--- a/doc/build.rst
+++ b/doc/build.rst
@@ -123,6 +123,24 @@ Alternatively you can build only specific parts of the project, i.e. ``library``
 
 .. note:: Documentation is not built by default, run ``make doc`` to build it.
 
+Building with security compiler flags
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Knot DNS Resolver enables certain `security compile-time flags <https://wiki.debian.org/Hardening#Notes_on_Memory_Corruption_Mitigation_Methods>`_ that do not affect performance.
+You can add more flags to the build by appending them to `CFLAGS` variable, e.g. ``make CFLAGS="-fstack-protector"``.
+
+  .. csv-table::
+   :header: "Method", "Status", "Notes"
+
+   "-fstack-protector", "*disabled*", "(must be specifically enabled in CFLAGS)"
+   "-D_FORTIFY_SOURCE=2", "**enabled**", ""
+   "-pie", "**enabled**", "enables ASLR for kresd (disable with ``make HARDENING=no``)"
+   "RELRO", "**enabled**", "full [#]_"
+
+You can also disable ELF hardening when it's unsupported with ``make HARDENING=no``.
+
+.. [#] See `checksec.sh <http://www.trapkit.de/tools/checksec.html>`_
+
 Building for packages
 ~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/lib/lib.mk b/lib/lib.mk
index 9f09c58fc..f068e23fd 100644
--- a/lib/lib.mk
+++ b/lib/lib.mk
@@ -48,7 +48,7 @@ libkres_HEADERS := \
 
 # Dependencies
 libkres_DEPEND := 
-libkres_CFLAGS := -fvisibility=hidden
+libkres_CFLAGS := -fvisibility=hidden -fPIC
 libkres_LIBS := $(libknot_LIBS) $(libdnssec_LIBS)
 libkres_TARGET := -L$(abspath lib) -lkres
 
diff --git a/modules/cachectl/cachectl.mk b/modules/cachectl/cachectl.mk
index 6707dbdca..cb21be1bb 100644
--- a/modules/cachectl/cachectl.mk
+++ b/modules/cachectl/cachectl.mk
@@ -1,4 +1,4 @@
-cachectl_CFLAGS := -fvisibility=hidden
+cachectl_CFLAGS := -fvisibility=hidden -fPIC
 cachectl_SOURCES := modules/cachectl/cachectl.c
 cachectl_DEPEND := $(libkres)
 cachectl_LIBS := $(libkres_TARGET) $(libkres_LIBS)
diff --git a/modules/hints/hints.mk b/modules/hints/hints.mk
index c72639118..3573027f7 100644
--- a/modules/hints/hints.mk
+++ b/modules/hints/hints.mk
@@ -1,4 +1,4 @@
-hints_CFLAGS := -fvisibility=hidden
+hints_CFLAGS := -fvisibility=hidden -fPIC
 hints_SOURCES := modules/hints/hints.c
 hints_DEPEND := $(libkres)
 hints_LIBS := $(libkres_TARGET) $(libkres_LIBS)
diff --git a/modules/stats/stats.mk b/modules/stats/stats.mk
index ef8a55e83..b56c072a9 100644
--- a/modules/stats/stats.mk
+++ b/modules/stats/stats.mk
@@ -1,4 +1,4 @@
-stats_CFLAGS := -fvisibility=hidden
+stats_CFLAGS := -fvisibility=hidden -fPIC
 stats_SOURCES := modules/stats/stats.c
 stats_DEPEND := $(libkres)
 stats_LIBS := $(libkres_TARGET) $(libkres_LIBS)
diff --git a/platform.mk b/platform.mk
index 182755389..7d85a1321 100644
--- a/platform.mk
+++ b/platform.mk
@@ -2,6 +2,7 @@
 # Don't touch this unless you're changing the way targets are compiled
 # You have been warned
 
+# Platform-dependent stuff checks
 CCLD := $(CC)
 CGO := go tool cgo
 GO := go
@@ -27,9 +28,18 @@ else
         PLATFORM := Darwin
         LIBEXT := .dylib
         MODTYPE := dynamiclib
+        # OS X specific hardening since -pie doesn't work
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -Wl,-pie
+        endif
     else
         PLATFORM := POSIX
         LDFLAGS += -pthread -lm -Wl,-E
+        # ELF hardening options
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -pie
+            LDFLAGS += -Wl,-z,relro,-z,now
+        endif
         ifeq (,$(findstring BSD,$(UNAME)))
             LDFLAGS += -ldl
         endif
@@ -41,16 +51,12 @@ ifeq ($(V),1)
 	quiet = $($1)
 else
 	quiet = @echo "  $1	$2"; $($1)
-endif	
-
-%.o: %.c
-	$(call quiet,CC,$<) $(BUILD_CFLAGS) -MMD -MP -c $< -o $@
+endif
 
 # Make objects and depends (name)
 define make_objs
 $(1)_OBJ := $$($(1)_SOURCES:.c=.o)
 $(1)_DEP := $$($(1)_SOURCES:.c=.d)
-
 -include $$($(1)_DEP)
 endef
 
@@ -67,13 +73,17 @@ endif
 else
 $$(eval $$(call make_objs,$(1)))
 endif
+# Rules to generate objects with custom CFLAGS and binary/library
+$$($(1)_OBJ): $$($(1)_SOURCES)
+	$(call quiet,CC,$$(@:%.o=%.c)) $(BUILD_CFLAGS) $$($(1)_CFLAGS) -MMD -MP -c $$(@:%.o=%.c) -o $$@
 $(1) := $(2)/$(1)$(3)
 $(2)/$(1)$(3): $$($(1)_OBJ) $$($(1)_DEPEND)
 ifeq ($(4),-$(ARTYPE))
 	$(call quiet,AR,$$@) rcs $$@ $$($(1)_OBJ)
 else
-	$(call quiet,CCLD,$$@) $(BUILD_CFLAGS) $$($(1)_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LIBS) $(BUILD_LDFLAGS)
+	$(call quiet,CCLD,$$@) $$($(1)_CFLAGS) $(BUILD_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LDFLAGS) $$($(1)_LIBS) $(BUILD_LDFLAGS)
 endif
+# Additional rules
 $(1)-clean:
 	$(RM) $$($(1)_OBJ) $$($(1)_DEP) $(2)/$(1)$(3)
 ifeq ($(6), yes)
diff --git a/tests/unit.mk b/tests/unit.mk
index 98967130b..ef8196222 100644
--- a/tests/unit.mk
+++ b/tests/unit.mk
@@ -14,6 +14,7 @@ tests_BIN := \
 	test_zonecut \
 	test_rplan
 
+mock_cmodule_CFLAGS := -fPIC
 mock_cmodule_SOURCES := tests/mock_cmodule.c
 $(eval $(call make_lib,mock_cmodule,tests))
 
@@ -23,6 +24,7 @@ tests_LIBS :=  $(libkres_TARGET) $(libkres_LIBS) $(cmocka_LIBS)
 
 # Make test binaries
 define make_test
+$(1)_CFLAGS := -fPIE
 $(1)_SOURCES := tests/$(1).c
 $(1)_LIBS := $(tests_LIBS)
 $(1)_DEPEND := $(tests_DEPEND)