[Spice-devel] [vdagent-win PATCH] Enable some security options on output executables

Frediano Ziglio fziglio at redhat.com
Fri Aug 18 11:09:54 UTC 2017


> 
> Enable NX (prevents data from being executable) and ASLR (address
> randomisation).
> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  Makefile.am | 27 ++++++++++++++++++++++++---
>  1 file changed, 24 insertions(+), 3 deletions(-)
> 
> diff --git a/Makefile.am b/Makefile.am
> index 62640f2..3556681 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -20,11 +20,31 @@ endif
>  # -lversion is needed for the GetFileVersion* API which is used by vdlog.cpp
>  LIBS = -lversion
>  
> +# binutils does not take into account entry point when
> +# -pie is used so we need to provide it manually
> +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
> +
> +# --dynamicbase to enable ASLR protection
> +# --nxcompat is to enable NX protection
> +# --pie as --dynamicbase requires relocations
> +LDFLAGS_SECURITY_COMMON = \
> +	-Wl,--dynamicbase -Wl,-pie \
> +	-Wl,--nxcompat \
> +	$(NULL)
> +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
> +	-Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
> +	-mwindows \
> +	$(NULL)
> +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
> +	-Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
> +	-mconsole \
> +	$(NULL)
> +
>  bin_PROGRAMS = vdagent vdservice
>  
>  vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
>  vdagent_rc.$(OBJEXT)
>  vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
> +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
>  vdagent_SOURCES =			\
>  	common/vdcommon.cpp             \
>  	common/vdcommon.h		\
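Review bot: The x86_64 link gets `--dynamicbase` but not `--high-entropy-va`, so the loader falls back to the limited 32-bit-style randomisation range and ASLR on 64-bit builds has far less entropy than it could; the hunk already tells x86_64 apart for ENTRY_PREFIX, so the same `$(filter x86_64,$(host_cpu))` test can add `-Wl,--high-entropy-va` for that architecture (the comma inside `$(if …)` needs a `comma := ,` helper, or the flag its own variable). Separately, `:=` and `$(if $(filter …))` are GNU make constructs in a Makefile.am whose other assignments use `=`, and automake is likely to warn about them under -Wportability; an automake conditional keyed on host_cpu, or a comment stating that GNU make is required, would make that explicit. The ENTRY_PREFIX comment should also say why the prefix depends on the architecture, e.g. `# 32-bit (i686) PE symbols carry a leading underscore, x86_64 ones do not`. Whether `host_cpu` is substituted here depends on configure.ac using AC_CANONICAL_HOST, which is outside this hunk.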
> @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
>  MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
>  
>  vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
> +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>  vdservice_SOURCES =			\
>  	common/stdint.h			\
>  	common/vdcommon.cpp             \
> @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest
>  
>  imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
>  imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>  imagetest_SOURCES =			\
>  	common/vdcommon.cpp             \
>  	common/vdcommon.h		\
> @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win
>  TESTS += test-log
>  EXTRA_DIST += test-log
>  
> -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>  test_log_win_SOURCES =			\
>  	common/vdcommon.cpp             \
>  	common/vdcommon.h		\

Part of the complexity of this patch is due to this issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=21964

Frediano

