From nobody Thu May 15 04:40:50 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1509111178508380.1470798651293; Fri, 27 Oct 2017 06:32:58 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C06A4C050047; Fri, 27 Oct 2017 13:32:56 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A1A7A7BAE4; Fri, 27 Oct 2017 13:32:56 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 63D8F1804486; Fri, 27 Oct 2017 13:32:56 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v9RDVwAG000959 for ; Fri, 27 Oct 2017 09:31:58 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7271C60C8A; Fri, 27 Oct 2017 13:31:58 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-204-199.brq.redhat.com [10.40.204.199]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6102F60BEB; Fri, 27 Oct 2017 13:31:57 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com C06A4C050047 Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: "Daniel P. Berrange" To: libvir-list@redhat.com Date: Fri, 27 Oct 2017 14:31:43 +0100 Message-Id: <20171027133143.2553-6-berrange@redhat.com> In-Reply-To: <20171027133143.2553-1-berrange@redhat.com> References: <20171027133143.2553-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH dbus 5/5] Build all binaries with PIE X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Fri, 27 Oct 2017 13:32:57 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" PIE (position independent executable) adds security to executables by composing them entirely of position-independent code (PIC. The .so libraries already build with -fPIC. This adds -fPIE which is the equivalent to -fPIC, but for executables. This for allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks. Signed-off-by: Daniel P. Berrange --- configure.ac | 1 + m4/virt-compile-pie.m4 | 35 +++++++++++++++++++++++++++++++++++ src/Makefile.am | 2 ++ 3 files changed, 38 insertions(+) create mode 100644 m4/virt-compile-pie.m4 diff --git a/configure.ac b/configure.ac index b9ccf93..228ea11 100644 --- a/configure.ac +++ b/configure.ac @@ -38,6 +38,7 @@ PKG_CHECK_MODULES(SYSTEMD, libsystemd >=3D $SYSTEMD_REQUI= RED) =20 LIBVIRT_COMPILE_WARNINGS LIBVIRT_LINKER_RELRO +LIBVIRT_COMPILE_PIE =20 AC_ARG_WITH(dbus-services, [AC_HELP_STRING([--with-dbus-services=3D], diff --git a/m4/virt-compile-pie.m4 b/m4/virt-compile-pie.m4 new file mode 100644 index 0000000..a2df38e --- /dev/null +++ b/m4/virt-compile-pie.m4 @@ -0,0 +1,35 @@ +dnl +dnl Check for support for position independent executables +dnl +dnl Copyright (C) 2013 Red Hat, Inc. +dnl +dnl This library is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU Lesser General Public +dnl License as published by the Free Software Foundation; either +dnl version 2.1 of the License, or (at your option) any later version. +dnl +dnl This library is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl Lesser General Public License for more details. +dnl +dnl You should have received a copy of the GNU Lesser General Public +dnl License along with this library. If not, see +dnl . +dnl + +AC_DEFUN([LIBVIRT_COMPILE_PIE],[ + PIE_CFLAGS=3D + PIE_LDFLAGS=3D + case "$host" in + *-*-mingw* | *-*-msvc* | *-*-cygwin* ) + ;; dnl All code is position independent on Win32 target + *) + gl_COMPILER_OPTION_IF([-fPIE -DPIE -pie], [ + PIE_CFLAGS=3D"-fPIE -DPIE" + PIE_LDFLAGS=3D"-pie" + ]) + esac + AC_SUBST([PIE_CFLAGS]) + AC_SUBST([PIE_LDFLAGS]) +]) diff --git a/src/Makefile.am b/src/Makefile.am index 8dd8ecd..5d4cb04 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -20,12 +20,14 @@ libvirt_dbus_CFLAGS =3D \ $(SYSTEMD_CFLAGS) \ $(LIBVIRT_CFLAGS) \ $(WARN_CFLAGS) \ + $(PIE_CFLAGS) \ $(NULL) =20 libvirt_dbus_LDFLAGS =3D \ $(SYSTEMD_LDFLAGS) \ $(LIBVIRT_LDFLAGS) \ $(RELRO_LDFLAGS) \ + $(PID_LDFLAGS) \ $(NULL) =20 libvirt_dbus_LDADD =3D \ --=20 2.13.6 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list