diff options
| author | Julien Dusser <julien.dusser@free.fr> | 2018-01-08 23:47:06 +0100 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2018-01-27 16:46:45 +0100 |
| commit | df0bd42fdeb76c9bc51b816c3df699db123c0024 (patch) | |
| tree | 1057e289580397c014b2c9c4460057e9e7ac8367 | |
| parent | ca7e8627dbbbcae0d1bfacea51d9b564617195de (diff) | |
| download | openwrt-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.gz openwrt-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.bz2 openwrt-df0bd42fdeb76c9bc51b816c3df699db123c0024.zip | |
build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.
Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.
Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.
If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.
Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
| -rw-r--r-- | config/Config-build.in | 16 | ||||
| -rw-r--r-- | include/hardened-ld-pie.specs | 2 | ||||
| -rw-r--r-- | include/hardening.mk | 7 | ||||
| -rw-r--r-- | package/utils/busybox/Makefile | 3 |
4 files changed, 28 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index 7ec7653a9a..660da1c47f 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -184,6 +184,22 @@ menu "Global build settings" this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package Makefile. + config PKG_ASLR_PIE + bool + prompt "User space ASLR PIE compilation" + select BUSYBOX_DEFAULT_PIE + default n + help + Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. + This enables package build as Position Independent Executables (PIE) + to protect against "return-to-text" attacks. This belongs to the + feature of Address Space Layout Randomisation (ASLR), which is + implemented by the kernel and the ELF loader by randomising the + location of memory allocations. This makes memory addresses harder + to predict when an attacker is attempting a memory-corruption exploit. + You can disable this per package by adding PKG_ASLR_PIE:=0 in the package + Makefile. + choice prompt "User space Stack-Smashing Protection" depends on USE_MUSL diff --git a/include/hardened-ld-pie.specs b/include/hardened-ld-pie.specs new file mode 100644 index 0000000000..7317b19a17 --- /dev/null +++ b/include/hardened-ld-pie.specs @@ -0,0 +1,2 @@ +*self_spec: ++ %{no-pie|static|r|shared:;:-pie} diff --git a/include/hardening.mk b/include/hardening.mk index c277081c51..06a61789ef 100644 --- a/include/hardening.mk +++ b/include/hardening.mk @@ -6,6 +6,7 @@ # PKG_CHECK_FORMAT_SECURITY ?= 1 +PKG_ASLR_PIE ?= 1 PKG_SSP ?= 1 PKG_FORTIFY_SOURCE ?= 1 PKG_RELRO ?= 1 @@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY TARGET_CFLAGS += -Wformat -Werror=format-security endif endif +ifdef CONFIG_PKG_ASLR_PIE + ifeq ($(strip $(PKG_ASLR_PIE)),1) + TARGET_CFLAGS += -fPIC + TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs + endif +endif ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR ifeq ($(strip $(PKG_SSP)),1) TARGET_CFLAGS += -fstack-protector diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index 8866756aea..4f85cc9614 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1 PKG_CHECK_FORMAT_SECURITY:=0 PKG_INSTALL:=1 +#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc. +PKG_ASLR_PIE:=0 + PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE PKG_CPE_ID:=cpe:/a:busybox:busybox |