build: hardening, doc, cleanup build rules

diff --git a/config.mk b/config.mk
index 5b99b347854e1be330a335e49d1bd0f60d2f7726..9c45b6a588033d2ce33eb1ace59acc68af73d118 100644 (file)
--- a/config.mk
+++ b/config.mk
@@ -13,10 +13,12 @@ ETCDIR := $(PREFIX)/etc/kresd
 
 # Tools
 CC     ?= cc
-BUILD_LDFLAGS += $(LDFLAGS)
-BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -fPIC -Wtype-limits -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
-BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
 RM     := rm -f
 LN      := ln -s
 XXD     := ./scripts/embed.sh
 INSTALL := install
+
+# Flags
+BUILD_LDFLAGS += $(LDFLAGS)
+BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
+BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""

diff --git a/daemon/daemon.mk b/daemon/daemon.mk
index e56fad1f79e121ccb2c7575548be74e7bbd53588..50a5c1b1f2088f6ccda80e8a23fa58107467a088 100644 (file)
--- a/daemon/daemon.mk
+++ b/daemon/daemon.mk
@@ -24,6 +24,7 @@ endif
 bindings-install: $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
        $(INSTALL) -m 0644 $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
 
+kresd_CFLAGS := -fPIE
 kresd_DEPEND := $(libkres)
 kresd_LIBS := $(libkres_TARGET) $(libknot_LIBS) $(libdnssec_LIBS) $(libuv_LIBS) $(lua_LIBS)
 

diff --git a/doc/build.rst b/doc/build.rst
index 819a54e0bc035a4f31d2e278f150931beb5c3f7c..383b37b5f736c8c095b7a4e7f24709e57cb98d4e 100644 (file)
--- a/doc/build.rst
+++ b/doc/build.rst
@@ -123,6 +123,24 @@ Alternatively you can build only specific parts of the project, i.e. ``library``
 
 .. note:: Documentation is not built by default, run ``make doc`` to build it.
 
+Building with security compiler flags
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Knot DNS Resolver enables certain `security compile-time flags <https://wiki.debian.org/Hardening#Notes_on_Memory_Corruption_Mitigation_Methods>`_ that do not affect performance.
+You can add more flags to the build by appending them to `CFLAGS` variable, e.g. ``make CFLAGS="-fstack-protector"``.
+
+  .. csv-table::
+   :header: "Method", "Status", "Notes"
+
+   "-fstack-protector", "*disabled*", "(must be specifically enabled in CFLAGS)"
+   "-D_FORTIFY_SOURCE=2", "**enabled**", ""
+   "-pie", "**enabled**", "enables ASLR for kresd (disable with ``make HARDENING=no``)"
+   "RELRO", "**enabled**", "full [#]_"
+
+You can also disable ELF hardening when it's unsupported with ``make HARDENING=no``.
+
+.. [#] See `checksec.sh <http://www.trapkit.de/tools/checksec.html>`_
+
 Building for packages
 ~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/lib/lib.mk b/lib/lib.mk
index 9f09c58fcbada9273619af89f3c8b53d394b8bb8..f068e23fdaa24ff27453770b706a33da09441623 100644 (file)
--- a/lib/lib.mk
+++ b/lib/lib.mk
@@ -48,7 +48,7 @@ libkres_HEADERS := \
 
 # Dependencies
 libkres_DEPEND := 
-libkres_CFLAGS := -fvisibility=hidden
+libkres_CFLAGS := -fvisibility=hidden -fPIC
 libkres_LIBS := $(libknot_LIBS) $(libdnssec_LIBS)
 libkres_TARGET := -L$(abspath lib) -lkres
 

diff --git a/modules/cachectl/cachectl.mk b/modules/cachectl/cachectl.mk
index 6707dbdca13ee5258270c1956ac8d7cdd63f6b88..cb21be1bb1f921ac443239c2b4bd206032a050cf 100644 (file)
--- a/modules/cachectl/cachectl.mk
+++ b/modules/cachectl/cachectl.mk
@@ -1,4 +1,4 @@
-cachectl_CFLAGS := -fvisibility=hidden
+cachectl_CFLAGS := -fvisibility=hidden -fPIC
 cachectl_SOURCES := modules/cachectl/cachectl.c
 cachectl_DEPEND := $(libkres)
 cachectl_LIBS := $(libkres_TARGET) $(libkres_LIBS)

diff --git a/modules/hints/hints.mk b/modules/hints/hints.mk
index c726391189068189237c857bc720e533971f73af..3573027f7af31253bd361ea37932665563c87303 100644 (file)
--- a/modules/hints/hints.mk
+++ b/modules/hints/hints.mk
@@ -1,4 +1,4 @@
-hints_CFLAGS := -fvisibility=hidden
+hints_CFLAGS := -fvisibility=hidden -fPIC
 hints_SOURCES := modules/hints/hints.c
 hints_DEPEND := $(libkres)
 hints_LIBS := $(libkres_TARGET) $(libkres_LIBS)

diff --git a/modules/stats/stats.mk b/modules/stats/stats.mk
index ef8a55e8304701625f5fed1a9205c9959f04eaf3..b56c072a95c513d8c167053d49f92749c1dee8fb 100644 (file)
--- a/modules/stats/stats.mk
+++ b/modules/stats/stats.mk
@@ -1,4 +1,4 @@
-stats_CFLAGS := -fvisibility=hidden
+stats_CFLAGS := -fvisibility=hidden -fPIC
 stats_SOURCES := modules/stats/stats.c
 stats_DEPEND := $(libkres)
 stats_LIBS := $(libkres_TARGET) $(libkres_LIBS)

diff --git a/platform.mk b/platform.mk
index 182755389ea68cd0dc7ad4a0bbdfbf237690e2f1..7d85a13212723cf7636c53d8dcbe2978dd10d436 100644 (file)
--- a/platform.mk
+++ b/platform.mk
@@ -2,6 +2,7 @@
 # Don't touch this unless you're changing the way targets are compiled
 # You have been warned
 
+# Platform-dependent stuff checks
 CCLD := $(CC)
 CGO := go tool cgo
 GO := go
@@ -27,9 +28,18 @@ else
         PLATFORM := Darwin
         LIBEXT := .dylib
         MODTYPE := dynamiclib
+        # OS X specific hardening since -pie doesn't work
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -Wl,-pie
+        endif
     else
         PLATFORM := POSIX
         LDFLAGS += -pthread -lm -Wl,-E
+        # ELF hardening options
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -pie
+            LDFLAGS += -Wl,-z,relro,-z,now
+        endif
         ifeq (,$(findstring BSD,$(UNAME)))
             LDFLAGS += -ldl
         endif
@@ -41,16 +51,12 @@ ifeq ($(V),1)
        quiet = $($1)
 else
        quiet = @echo "  $1     $2"; $($1)
-endif  
-
-%.o: %.c
-       $(call quiet,CC,$<) $(BUILD_CFLAGS) -MMD -MP -c $< -o $@
+endif
 
 # Make objects and depends (name)
 define make_objs
 $(1)_OBJ := $$($(1)_SOURCES:.c=.o)
 $(1)_DEP := $$($(1)_SOURCES:.c=.d)
-
 -include $$($(1)_DEP)
 endef
 
@@ -67,13 +73,17 @@ endif
 else
 $$(eval $$(call make_objs,$(1)))
 endif
+# Rules to generate objects with custom CFLAGS and binary/library
+$$($(1)_OBJ): $$($(1)_SOURCES)
+       $(call quiet,CC,$$(@:%.o=%.c)) $(BUILD_CFLAGS) $$($(1)_CFLAGS) -MMD -MP -c $$(@:%.o=%.c) -o $$@
 $(1) := $(2)/$(1)$(3)
 $(2)/$(1)$(3): $$($(1)_OBJ) $$($(1)_DEPEND)
 ifeq ($(4),-$(ARTYPE))
        $(call quiet,AR,$$@) rcs $$@ $$($(1)_OBJ)
 else
-       $(call quiet,CCLD,$$@) $(BUILD_CFLAGS) $$($(1)_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LIBS) $(BUILD_LDFLAGS)
+       $(call quiet,CCLD,$$@) $$($(1)_CFLAGS) $(BUILD_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LDFLAGS) $$($(1)_LIBS) $(BUILD_LDFLAGS)
 endif
+# Additional rules
 $(1)-clean:
        $(RM) $$($(1)_OBJ) $$($(1)_DEP) $(2)/$(1)$(3)
 ifeq ($(6), yes)

diff --git a/tests/unit.mk b/tests/unit.mk
index 98967130bee91537a5a98a8b24ea05c710fa3bc8..ef819622254c08fcc2401771a957e3e03f108762 100644 (file)
--- a/tests/unit.mk
+++ b/tests/unit.mk
@@ -14,6 +14,7 @@ tests_BIN := \
        test_zonecut \
        test_rplan
 
+mock_cmodule_CFLAGS := -fPIC
 mock_cmodule_SOURCES := tests/mock_cmodule.c
 $(eval $(call make_lib,mock_cmodule,tests))
 
@@ -23,6 +24,7 @@ tests_LIBS :=  $(libkres_TARGET) $(libkres_LIBS) $(cmocka_LIBS)
 
 # Make test binaries
 define make_test
+$(1)_CFLAGS := -fPIE
 $(1)_SOURCES := tests/$(1).c
 $(1)_LIBS := $(tests_LIBS)
 $(1)_DEPEND := $(tests_DEPEND)