From 776b44f17b44b92b08f8cc37ec87e74ac68762ea Mon Sep 17 00:00:00 2001
From: moneromooo-monero
Date: Fri, 22 Dec 2017 21:48:31 +0000
Subject: [PATCH] Add misc hardening flags to the cmake machinery
See https://wiki.debian.org/Hardening#User_Space
---
 CMakeLists.txt | 90 ++++++++++++++++++++--
 cmake/CheckLinkerFlag.c | 14 ++++
 cmake/CheckLinkerFlag.cmake | 47 +++++++++++
 external/db_drivers/liblmdb/CMakeLists.txt | 1 +
 external/easylogging++/CMakeLists.txt | 1 +
 src/blockchain_utilities/CMakeLists.txt | 4 +-
 src/blocks/CMakeLists.txt | 4 +-
 src/daemon/CMakeLists.txt | 4 +-
 tests/gtest/cmake/internal_utils.cmake | 2 +-
 9 files changed, 153 insertions(+), 14 deletions(-)
 create mode 100644 cmake/CheckLinkerFlag.c
 create mode 100644 cmake/CheckLinkerFlag.cmake
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 11c549d7c..ef2677cbf 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,6 +27,13 @@
 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+list(INSERT CMAKE_MODULE_PATH 0
+ "${CMAKE_SOURCE_DIR}/cmake")
+include(CheckCCompilerFlag)
+include(CheckCXXCompilerFlag)
+include(CheckLinkerFlag)
+include(CheckLibraryExists)
+
 if (IOS)
 INCLUDE(CmakeLists_IOS.txt)
 endif()
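Review bot: The module directory is located through `${CMAKE_SOURCE_DIR}`, the top of whatever build tree includes this file rather than this project's own root, so the new `include(CheckLinkerFlag)` would miss `cmake/CheckLinkerFlag.cmake` if this CMakeLists.txt were ever consumed through `add_subdirectory`; `list(INSERT CMAKE_MODULE_PATH 0 "${CMAKE_CURRENT_LIST_DIR}/cmake")` resolves relative to this file however it is entered. The same `${CMAKE_SOURCE_DIR}` assumption is repeated for the probe source inside the new `cmake/CheckLinkerFlag.cmake`. Inserting the project directory at index 0 also means a project module named `CheckLinkerFlag` takes precedence over any module of the same name shipped with CMake, which deserves a one-line comment next to the `list(INSERT ...)`.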
@@ -48,6 +55,31 @@ function (die msg)
 message(FATAL_ERROR "${BoldRed}${msg}${ColourReset}")
 endfunction ()
+function (add_c_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_c)
+ check_c_compiler_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
+function (add_cxx_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_cxx)
+ check_cxx_compiler_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
+function (add_linker_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_ld)
+ string(REPLACE "," "_" supported ${flag}_ld)
+ check_linker_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
 if(NOT CMAKE_BUILD_TYPE)
 set(CMAKE_BUILD_TYPE Release CACHE STRING "Build type" FORCE)
 message(STATUS "Setting default build type: ${CMAKE_BUILD_TYPE}")
@@ -210,11 +242,11 @@ endif()
 if (BUILD_SHARED_LIBS)
 message(STATUS "Building internal libraries with position independent code")
- set(PIC_FLAG "-fPIC")
 add_definitions("-DBUILD_SHARED_LIBS")
 else()
 message(STATUS "Building internal libraries as static")
 endif()
+set(PIC_FLAG "-fPIC")
 if(MINGW)
 string(REGEX MATCH "^[^/]:/[^/]*" msys2_install_path "${CMAKE_C_COMPILER}")
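Review bot: In `add_linker_flag_if_supported` the second `string(REPLACE "," "_" supported ${flag}_ld)` rebuilds its result from `${flag}_ld` instead of from `${supported}`, so the first replacement is thrown away and the cache variable keeps its dashes (for `-Wl,-z,relro` it becomes `-Wl_-z_relro_ld`); it only works because CMake tolerates `-` inside variable names. Feed the second replacement the output of the first: `string(REPLACE "," "_" supported ${supported})`. The three helpers also test `if(${${supported}})`, a double dereference that collapses to an empty `if()` when the probe stored an empty value; `if(${supported})` states the intent and does not depend on that edge case. None of the three helpers carries a comment; one line above each saying that it appends `flag` to the caller's `var` only when the compiler (or linker) accepts it, and that the probe result is cached under a mangled name, would make the later call sites readable.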
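Review bot: `set(PIC_FLAG "-fPIC")` now applies to static builds as well, but neither the line nor the commit message says why; a comment such as `# always build position independent code (presumably so static archives can be linked into PIE executables)` would record the reason, with the parenthetical confirmed by the author. Since this is a plain variable later spliced into flag strings, `CMAKE_POSITION_INDEPENDENT_CODE` or a per-target `POSITION_INDEPENDENT_CODE` property would express the same thing in a compiler-independent way; as far as this diff shows, `PIC_FLAG` is only consumed where the compile flags are composed further down.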
@@ -470,6 +502,52 @@ else()
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-strict-aliasing")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-strict-aliasing")
+ # if those don't work for your compiler, single it out where appropriate
+ if(CMAKE_BUILD_TYPE STREQUAL "Release")
+ set(C_SECURITY_FLAGS "${C_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
+ set(CXX_SECURITY_FLAGS "${CXX_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
+ endif()
+
+ # warnings
+ add_c_flag_if_supported(-Wformat C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-Wformat CXX_SECURITY_FLAGS)
+ add_c_flag_if_supported(-Wformat-security C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-Wformat-security CXX_SECURITY_FLAGS)
+
+ # -fstack-protector
+ add_c_flag_if_supported(-fstack-protector C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-fstack-protector CXX_SECURITY_FLAGS)
+ add_c_flag_if_supported(-fstack-protector-strong C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-fstack-protector-strong CXX_SECURITY_FLAGS)
+
+ # linker
+ if (NOT WIN32)
+ # Windows binaries die on startup with PIE
+ add_linker_flag_if_supported(-pie LD_SECURITY_FLAGS)
+ endif()
+ add_linker_flag_if_supported(-Wl,-z,relro LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,-z,now LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,-z,noexecstack noexecstack_SUPPORTED)
+ if (noexecstack_SUPPORTED)
+ set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecstack")
+ set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecstack)
+ endif()
+ add_linker_flag_if_supported(-Wl,-z,noexecheap noexecheap_SUPPORTED)
+ if (noexecheap_SUPPORTED)
+ set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecheap")
+ set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecheap)
+ endif()
+
+ # some windows linker bits
+ if (WIN32)
+ add_linker_flag_if_supported(-Wl,--dynamicbase LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,--nxcompat LD_SECURITY_FLAGS)
+ endif()
+
+ message(STATUS "Using C security hardening flags: ${C_SECURITY_FLAGS}")
+ message(STATUS "Using C++ security hardening flags: ${CXX_SECURITY_FLAGS}")
+ message(STATUS "Using linker security hardening flags: ${LD_SECURITY_FLAGS}")
+
 option(NO_AES "Explicitly disable AES support" ${NO_AES})
 if(NO_AES)
@@ -498,8 +576,9 @@ else()
 message(STATUS "AES support disabled")
 endif()
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${C_SECURITY_FLAGS}")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${CXX_SECURITY_FLAGS}")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LD_SECURITY_FLAGS}")
 # With GCC 6.1.1 the compiled binary malfunctions due to aliasing. Until that
 # is fixed in the code (Issue #847), force compiler to be conservative.
@@ -586,6 +665,7 @@ else()
 if(ANDROID AND NOT BUILD_GUI_DEPS STREQUAL "ON" OR IOS)
 #From Android 5: "only position independent executables (PIE) are supported"
 message(STATUS "Enabling PIE executable")
+ set(PIC_FLAG "")
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIE")
 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -pie")
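Review bot: `_FORTIFY_SOURCE` is only added when `CMAKE_BUILD_TYPE` is exactly `Release`, so the other optimized configurations (`RelWithDebInfo`, `MinSizeRel`) build without it, and nothing explains the gate or why level 1 was chosen over the level 2 the linked Debian page recommends; a comment such as `# _FORTIFY_SOURCE only takes effect at -O1 or higher, so enable it for optimized builds` plus the reason for `=1` is wanted, and `if(CMAKE_BUILD_TYPE MATCHES "^(Release|RelWithDebInfo|MinSizeRel)$")` would cover the other optimized types within the existing string-based scheme. `add_linker_flag_if_supported(-Wl,-z,noexecstack noexecstack_SUPPORTED)` passes a result name where the helper expects an accumulator, so `noexecstack_SUPPORTED` holds the string ` -Wl,-z,noexecstack` when the probe succeeds and is undefined otherwise; the following `if (noexecstack_SUPPORTED)` happens to work, but testing the cache variable written by `check_linker_flag` would express the check directly, and the same applies to `noexecheap_SUPPORTED`. Both `-fstack-protector` and `-fstack-protector-strong` are appended when supported, which relies on the later flag overriding the earlier one; a short comment stating that would save the next reader a trip to the compiler manual. The enclosing `else()` branch starts and ends outside the hunk.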
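Review bot: `LD_SECURITY_FLAGS` is appended only to `CMAKE_EXE_LINKER_FLAGS`, so with `BUILD_SHARED_LIBS` the shared libraries this tree produces are linked without `-z relro`, `-z now` and `-z noexecstack` even though their objects were compiled with the hardened compile flags. Appending the same list to `CMAKE_SHARED_LINKER_FLAGS` (and `CMAKE_MODULE_LINKER_FLAGS`) closes that gap, with `-pie` kept out of that copy since it is an executable-only option, e.g. by having the `-pie` probe write to a separate variable (call it `LD_PIE_FLAGS`, a proposed name) and adding `set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${LD_SECURITY_FLAGS}")` next to the executable line. Whether shared builds are a supported configuration here is not visible in the hunk, so the `BUILD_SHARED_LIBS` branch above is the place to confirm.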
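Review bot: `set(PIC_FLAG "")` comes after `${PIC_FLAG}` has already been expanded into `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS` by the hunk at `@@ -498,8 +576,9` (new line 579 versus 668), so it does not take `-fPIC` off this branch's own compile lines; it can only affect later readers of `PIC_FLAG`, which this hunk does not show. If the intent is an `-fPIE`-only build for Android/iOS, the clear has to happen before the flags are composed, otherwise a comment naming the consumer of the cleared value would explain the line. Separately, the pre-existing `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -pie")` three lines below replaces rather than appends, so on this path the `LD_SECURITY_FLAGS` this commit adds to `CMAKE_EXE_LINKER_FLAGS` at new line 581 are dropped again and the C++ compile flags, now including `CXX_SECURITY_FLAGS`, go onto the link line instead; if copying `CMAKE_CXX_FLAGS` there is not deliberate, `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie")` keeps the hardening flags.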
@@ -778,11 +858,7 @@ option(BUILD_GUI_DEPS "Build GUI dependencies." OFF)
 option(INSTALL_VENDORED_LIBUNBOUND "Install libunbound binary built from source vendored with this repo." OFF)
-include(CheckCCompilerFlag)
-
 CHECK_C_COMPILER_FLAG(-std=c11 HAVE_C11)
-include(CheckLibraryExists)
-
 check_library_exists(c memset_s "string.h" HAVE_MEMSET_S)
 check_library_exists(c explicit_bzero "strings.h" HAVE_EXPLICIT_BZERO)
diff --git a/cmake/CheckLinkerFlag.c b/cmake/CheckLinkerFlag.c
new file mode 100644
index 000000000..a0dcc168d
--- /dev/null
+++ b/cmake/CheckLinkerFlag.c
@@ -0,0 +1,14 @@
+#ifdef __CLASSIC_C__
+int main()
+{
+ int ac;
+ char* av[];
+#else
+int main(int ac, char* av[])
+{
+#endif
+ if (ac > 1000) {
+ return *av[0];
+ }
+ return 0;
+}
diff --git a/cmake/CheckLinkerFlag.cmake b/cmake/CheckLinkerFlag.cmake
new file mode 100644
index 000000000..a3879d0be
--- /dev/null
+++ b/cmake/CheckLinkerFlag.cmake
@@ -0,0 +1,47 @@
+include(CheckCCompilerFlag)
+
+macro(CHECK_LINKER_FLAG flag VARIABLE)
+ if(NOT DEFINED "${VARIABLE}")
+ if(NOT CMAKE_REQUIRED_QUIET)
+ message(STATUS "Looking for ${flag} linker flag")
+ endif()
+
+ set(_cle_source ${CMAKE_SOURCE_DIR}/cmake/CheckLinkerFlag.c)
+
+ set(saved_CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+ set(CMAKE_C_FLAGS "${flag}")
+ try_compile(${VARIABLE}
+ ${CMAKE_BINARY_DIR}
+ ${_cle_source}
+ COMPILE_DEFINITIONS ${CMAKE_REQUIRED_DEFINITIONS} ${flag}
+ CMAKE_FLAGS
+ OUTPUT_VARIABLE OUTPUT)
+ unset(_cle_source)
+ set(CMAKE_C_FLAGS ${saved_CMAKE_C_FLAGS})
+ unset(saved_CMAKE_C_FLAGS)
+
+ if ("${OUTPUT}" MATCHES "warning.*ignored")
+ set(${VARIABLE} 0)
+ endif()
+
+ if(${VARIABLE})
+ if(NOT CMAKE_REQUIRED_QUIET)
+ message(STATUS "Looking for ${flag} linker flag - found")
+ endif()
+ set(${VARIABLE} 1 CACHE INTERNAL "Have linker flag ${flag}")
+ file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeOutput.log
+ "Determining if the ${flag} linker flag is supported "
+ "passed with the following output:\n"
+ "${OUTPUT}\n\n")
+ else()
+ if(NOT CMAKE_REQUIRED_QUIET)
+ message(STATUS "Looking for ${flag} linker flag - not found")
+ endif()
+ set(${VARIABLE} "" CACHE INTERNAL "Have linker flag ${flag}")
+ file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log
+ "Determining if the ${flag} linker flag is suppored "
+ "failed with the following output:\n"
+ "${OUTPUT}\n\n")
+ endif()
+ endif()
+endmacro()
diff --git a/external/db_drivers/liblmdb/CMakeLists.txt b/external/db_drivers/liblmdb/CMakeLists.txt
index d3d3df6ad..3a09712de 100644
--- a/external/db_drivers/liblmdb/CMakeLists.txt
+++ b/external/db_drivers/liblmdb/CMakeLists.txt
@@ -54,3 +54,4 @@ if(${ARCH_WIDTH} EQUAL 32)
 target_compile_definitions(lmdb PUBLIC -DMDB_VL32)
 endif()
+set_property(TARGET lmdb APPEND PROPERTY COMPILE_FLAGS "-fPIC")
diff --git a/external/easylogging++/CMakeLists.txt b/external/easylogging++/CMakeLists.txt
index 97d0bf571..8fe3fa487 100644
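Review bot: The macro resolves the probe source as `${CMAKE_SOURCE_DIR}/cmake/CheckLinkerFlag.c`, which points at the wrong tree whenever this project is configured as a subdirectory of another; `${CMAKE_CURRENT_LIST_DIR}/CheckLinkerFlag.c` locates the file relative to the module itself. A flag is accepted unless the output matches `warning.*ignored`, so a toolchain that rejects an unknown `-z` keyword with differently worded output, or accepts it silently, is reported as supporting it; a header comment stating which linkers the pattern was checked against, and that the flag reaches the link step through `CMAKE_C_FLAGS` while the `COMPILE_DEFINITIONS ${flag}` argument only affects the compile step (so it looks redundant, worth confirming), would make the mechanism reviewable. The name `CHECK_LINKER_FLAG` also collides with CMake's own `CheckLinkerFlag` module (3.18 and later), whose `check_linker_flag(<lang> <flag> <var>)` takes a language first; because the project directory is inserted ahead of CMake's module path this file shadows it, which the header comment should record. Minor: "suppored" in the CMakeError.log text.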
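Review bot: `set_property(TARGET lmdb APPEND PROPERTY COMPILE_FLAGS "-fPIC")` hard-codes a GCC/Clang spelling into a property CMake treats as an opaque string; the portable form is `set_target_properties(lmdb PROPERTIES POSITION_INDEPENDENT_CODE ON)`, which CMake translates per compiler. The same one-line change applies to the `easylogging` target in the next file. Nothing in this file explains the addition; if it is needed so the static archive can be linked into the PIE executables enabled in the top-level CMakeLists.txt, a short comment on the line saying so would help.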
--- a/external/easylogging++/CMakeLists.txt
+++ b/external/easylogging++/CMakeLists.txt
@@ -54,4 +54,5 @@ if (BUILD_GUI_DEPS)
 ARCHIVE DESTINATION ${lib_folder}
 LIBRARY DESTINATION ${lib_folder})
 endif()
+set_property(TARGET easylogging APPEND PROPERTY COMPILE_FLAGS "-fPIC")
diff --git a/src/blockchain_utilities/CMakeLists.txt b/src/blockchain_utilities/CMakeLists.txt
index bd32e0c55..6c55e8d2d 100644
--- a/src/blockchain_utilities/CMakeLists.txt
+++ b/src/blockchain_utilities/CMakeLists.txt
@@ -29,9 +29,9 @@ set(blocksdat "")
 if(PER_BLOCK_CHECKPOINT)
 if(APPLE)
- add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
+ add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
 else()
- add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
+ add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
 endif()
 set(blocksdat "blocksdat.o")
 endif()
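Review bot: `${LD_RAW_FLAGS}` is spliced into a direct `${CMAKE_LINKER}` invocation, but the corresponding flag was probed through the C compiler driver as `-Wl,-z,noexecstack`, so support by the raw linker binary is assumed rather than tested; that assumption fails where `CMAKE_LINKER` is not the linker the driver would pick (a non-GNU `ld` on the Apple branch, or `lld`/`gold` chosen through `-fuse-ld`). A comment on the `set(LD_RAW_FLAGS ...)` lines in the top-level file, noting that the raw form must mirror what the `-Wl,` form passes and is only valid for linkers that accept `-z` keywords, would record the coupling. The identical change is made in `src/blocks/CMakeLists.txt` and `src/daemon/CMakeLists.txt`. `LD_RAW_FLAGS` is a plain variable set inside an `else()` branch of the top-level file, so it reaches these subdirectories only when `add_subdirectory` runs after that branch; an unset variable expands to no arguments here, which is harmless but silently loses the hardening.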
diff --git a/src/blocks/CMakeLists.txt b/src/blocks/CMakeLists.txt
index 3a866af5b..9317d585b 100644
--- a/src/blocks/CMakeLists.txt
+++ b/src/blocks/CMakeLists.txt
@@ -30,8 +30,8 @@ if(APPLE)
 add_library(blocks STATIC blockexports.c)
 set_target_properties(blocks PROPERTIES LINKER_LANGUAGE C)
 else()
- add_custom_command(OUTPUT blocks.o MAIN_DEPENDENCY blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocks.o blocks.dat)
- add_custom_command(OUTPUT testnet_blocks.o MAIN_DEPENDENCY testnet_blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/testnet_blocks.o testnet_blocks.dat)
+ add_custom_command(OUTPUT blocks.o MAIN_DEPENDENCY blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocks.o blocks.dat)
+ add_custom_command(OUTPUT testnet_blocks.o MAIN_DEPENDENCY testnet_blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/testnet_blocks.o testnet_blocks.dat)
 add_library(blocks STATIC blocks.o testnet_blocks.o blockexports.c)
 set_target_properties(blocks PROPERTIES LINKER_LANGUAGE C)
 endif()
diff --git a/src/daemon/CMakeLists.txt b/src/daemon/CMakeLists.txt
index ad84db450..49d3bc836 100644
--- a/src/daemon/CMakeLists.txt
+++ b/src/daemon/CMakeLists.txt
@@ -29,9 +29,9 @@ set(blocksdat "")
 if(PER_BLOCK_CHECKPOINT)
 if(APPLE)
- add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
+ add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
 else()
- add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
+ add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
 endif()
 set(blocksdat "blocksdat.o")
 endif()
diff --git a/tests/gtest/cmake/internal_utils.cmake b/tests/gtest/cmake/internal_utils.cmake
index 93e6dbb7c..364db5970 100644
--- a/tests/gtest/cmake/internal_utils.cmake
+++ b/tests/gtest/cmake/internal_utils.cmake
@@ -87,7 +87,7 @@ macro(config_compiler_and_linker)
 set(cxx_no_exception_flags "-D_HAS_EXCEPTIONS=0")
 set(cxx_no_rtti_flags "-GR-")
 elseif (CMAKE_COMPILER_IS_GNUCXX)
- set(cxx_base_flags "-Wall -Wshadow")
+ set(cxx_base_flags "-Wall -Wshadow -fPIC")
 set(cxx_exception_flags "-fexceptions")
 set(cxx_no_exception_flags "-fno-exceptions")
 # Until version 4.3.2, GCC doesn't define a macro to indicate