[Spice-devel] [vdagent-win PATCH] Enable some security options on output executables

Uri Lublin uril at redhat.com
Sun Aug 20 08:27:30 UTC 2017


On 08/18/2017 02:09 PM, Frediano Ziglio wrote:
>>
>> Enable NX (prevent data from being executable) and ASLR (address
>> randomisation).
>>
>> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
>> ---
>>   Makefile.am | 27 ++++++++++++++++++++++++---
>>   1 file changed, 24 insertions(+), 3 deletions(-)
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index 62640f2..3556681 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -20,11 +20,31 @@ endif
>>   # -lversion is needed for the GetFileVersion* API which is used by vdlog.cpp
>>   LIBS = -lversion
>>   
>> +# binutils does not take into account entry point when
>> +# -pie is used so we need to provide it manually
>> +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
>> +
>> +# --dynamicbase to enable ASLR protection
>> +# --nxcompat is to enable NX protection
>> +# --pie as --dynamicbase requires relocations

Hi Frediano,

man ld suggests that --dynamicbase should be used for 32 bit
and --high-entropy-va for 64 bit.

Regards,
     Uri.

>> +LDFLAGS_SECURITY_COMMON = \
>> +	-Wl,--dynamicbase -Wl,-pie \
>> +	-Wl,--nxcompat \
>> +	$(NULL)
>> +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
>> +	-Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
>> +	-mwindows \
>> +	$(NULL)
>> +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
>> +	-Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
>> +	-mconsole \
>> +	$(NULL)
>> +
>>   bin_PROGRAMS = vdagent vdservice
>>   
>>   vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
>>   vdagent_rc.$(OBJEXT)
>>   vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
>> -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
>> +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
>>   vdagent_SOURCES =			\
>>   	common/vdcommon.cpp             \
>>   	common/vdcommon.h		\
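Review bot: The `ENTRY_PREFIX` line only works if configure substitutes `host_cpu` (AC_CANONICAL_HOST); I cannot see configure.ac here, but if that variable is empty the `$(filter)` never matches and every build, including x86_64, gets the `_`-prefixed entry symbol, so the 64-bit link would silently pick the wrong entry or fail. A one-line guard in the same spirit as the existing comment would make that failure loud, e.g. `$(if $(host_cpu),,$(error host_cpu is not set; AC_CANONICAL_HOST is required))` next to the assignment. Separately, `:=` together with `$(if …)`/`$(filter …)` is GNU make only and automake warns about `:=` in Makefile.am; the rest of this file uses `=`, so `ENTRY_PREFIX = $(if $(filter x86_64,$(host_cpu)),,_)` keeps the style consistent and lazy expansion is harmless for this value. Since the whole effect of `--dynamicbase`/`--nxcompat` is a pair of bits in the PE optional header, it would be worth adding a short comment saying how to confirm they landed (e.g. inspect the `DllCharacteristics` field in `objdump -x` output on the produced .exe), so a future toolchain change that drops them is noticed.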
>> @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
>>   MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
>>   
>>   vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
>> +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>>   vdservice_SOURCES =			\
>>   	common/stdint.h			\
>>   	common/vdcommon.cpp             \
>> @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest
>>   
>>   imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
>>   imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
>> -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
>> +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>>   imagetest_SOURCES =			\
>>   	common/vdcommon.cpp             \
>>   	common/vdcommon.h		\
>> @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win
>>   TESTS += test-log
>>   EXTRA_DIST += test-log
>>   
>> -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
>> +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
>>   test_log_win_SOURCES =			\
>>   	common/vdcommon.cpp             \
>>   	common/vdcommon.h		\
> 
> Part of the complexity of this patch is due to this issue:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=21964
> 
> Frediano
> 

