[Spice-devel] [vdagent-win PATCH] Enable some security options on output executables
Frediano Ziglio
fziglio at redhat.com
Sun Aug 20 09:51:30 UTC 2017
>
> On 08/18/2017 02:09 PM, Frediano Ziglio wrote:
> >>
> >> Enable NX (prevent data to be executable) and ASLR (address
> >> randomisation).
> >>
> >> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> >> ---
> >> Makefile.am | 27 ++++++++++++++++++++++++---
> >> 1 file changed, 24 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/Makefile.am b/Makefile.am
> >> index 62640f2..3556681 100644
> >> --- a/Makefile.am
> >> +++ b/Makefile.am
> >> @@ -20,11 +20,31 @@ endif
> >> # -lversion is needed for the GetFileVersion* API which is used by
> >> vdlog.cpp
> >> LIBS = -lversion
> >>
> >> +# binutils does not take into account entry point when
> >> +# -pie is used so we need to provide it manually
> >> +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
> >> +
> >> +# --dynamicbase to enable ASLR protection
> >> +# --nxcompat is to enable NX protection
> >> +# --pie as --dynamicbase requires relocations
>
> Hi Frediano,
>
> man ld suggests that --dynamicbase should be used for 32 bit
> and --high-entropy-va for 64 bit.
>
> Regards,
> Uri.
>
I have another patch for that but it basically states that
--high-entropy-va is not reliable on binutils.
You should have an high image base but currently binutils
fails to change the image base to these addresses.
This bug (2 years old) ask to do some changes in this respect
https://sourceware.org/bugzilla/show_bug.cgi?id=19011
but there are no much progress on it.
Frediano
> >> +LDFLAGS_SECURITY_COMMON = \
> >> + -Wl,--dynamicbase -Wl,-pie \
> >> + -Wl,--nxcompat \
> >> + $(NULL)
> >> +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
> >> + -Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
> >> + -mwindows \
> >> + $(NULL)
> >> +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
> >> + -Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
> >> + -mconsole \
> >> + $(NULL)
> >> +
> >> bin_PROGRAMS = vdagent vdservice
> >>
> >> vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
> >> vdagent_rc.$(OBJEXT)
> >> vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> >> -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
> >> +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
> >> vdagent_SOURCES = \
> >> common/vdcommon.cpp \
> >> common/vdcommon.h \
> >> @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
> >> MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
> >>
> >> vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
> >> +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> >> vdservice_SOURCES = \
> >> common/stdint.h \
> >> common/vdcommon.cpp \
> >> @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest
> >>
> >> imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
> >> imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
> >> -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> >> +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> >> imagetest_SOURCES = \
> >> common/vdcommon.cpp \
> >> common/vdcommon.h \
> >> @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win
> >> TESTS += test-log
> >> EXTRA_DIST += test-log
> >>
> >> -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
> >> +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
> >> test_log_win_SOURCES = \
> >> common/vdcommon.cpp \
> >> common/vdcommon.h \
> >
> > Part of the complexity of this patch is due to this issue:
> >
> > https://sourceware.org/bugzilla/show_bug.cgi?id=21964
> >
More information about the Spice-devel
mailing list