Makefile: Apply minimum hardening to libs and applications.

-Wl,-z,defs: Disallows undefined symbols at link-time. -Wl,-z,relro: Relocation Read-Only protects the Global Offset Table (GOT) in ELF binaries from being overwritten. -Wl,-z,now: Tell the dynamic linker to resolve all symbols when the program is started, or when the shared library is loaded. Signed-off-by: Björn Esser <[email protected]>
openwall · Dec 22, 2024 · e78d7c7 · e78d7c7
1 parent b6ce07b
commit e78d7c7
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 6 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,16 @@
+2024-12-22  Björn Esser  <besser82 at fedoraproject.org>
+
+	Makefile: Apply minimum hardening to libs and applications.
+	-Wl,-z,defs: Disallows undefined symbols at link-time.
+	-Wl,-z,relro: Relocation Read-Only protects the Global Offset Table
+		      (GOT) in ELF binaries from being overwritten.
+	-Wl,-z,now: Tell the dynamic linker to resolve all symbols when the
+		    program is started, or when the shared library is loaded.
+	* Make.defs: Define HARDENING_FLAGS with linker-flags.
+	* libs/Makefile: Apply HARDENING_FLAGS for minimum hardening.
+	* pam_tcb/Makefile: Likewise.
+	* progs/Makefile: Likewise.
+
 2024-12-20  Björn Esser  <besser82 at fedoraproject.org>
 
 	libnss_tcb: Disallow potentially-malicious user names in getspnam(3).

diff --git a/Make.defs b/Make.defs
@@ -24,6 +24,7 @@ CFLAGS += -Werror
 endif
 #CFLAGS += -DFAIL_RECORD
 LDFLAGS += $(DBGFLAG) -L../libs
+HARDENING_FLAGS = -Wl,-z,defs -Wl,-z,relro -Wl,-z,now
 
 PREFIX = /usr
 SBINDIR = /sbin

diff --git a/libs/Makefile b/libs/Makefile
@@ -17,13 +17,15 @@ libtcb_a.o: libtcb.c
 	$(CC) $(CFLAGS) $(DBGFLAG) -c $< -o $@
 
 $(LIBTCB_LONG): libtcb.o $(LIB_MAP)
-	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ -Wl,-soname,$(LIBTCB) \
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) \
+		-shared -o $@ -Wl,-soname,$(LIBTCB) \
 		-Wl,--version-script=$(LIB_MAP) $<
 	ln -sf $@ $(LIBTCB)
 	ln -sf $(LIBTCB) libtcb.so
 
 $(LIBNSS): nss.o $(NSS_MAP) $(LIBTCB_LONG)
-	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ -Wl,-soname,$(LIBNSS) \
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) \
+		-shared -o $@ -Wl,-soname,$(LIBNSS) \
 		-Wl,--version-script=$(NSS_MAP) $< -ltcb
 
 .c.o:

diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
@@ -16,7 +16,8 @@ LIBOBJ = $(LIBSRC:.c=.o)
 all: $(PAM_TCB)
 
 $(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
-	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $(PAM_TCB_SONAME) \
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) \
+		-shared -o $@ $(PAM_TCB_SONAME) \
 		-Wl,--version-script=$(PAM_MAP) $(LIBOBJ) -lcrypt -lpam -ltcb
 
 .c.o:

diff --git a/progs/Makefile b/progs/Makefile
@@ -7,13 +7,13 @@ CHKPWD = tcb_chkpwd
 all: $(CONVERT) $(UNCONVERT) $(CHKPWD)
 
 $(CONVERT): $(CONVERT).o
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) -o $@ $<
 
 $(UNCONVERT): $(UNCONVERT).o
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -ltcb
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) -o $@ $< -ltcb
 
 $(CHKPWD): $(CHKPWD).o
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lcrypt
+	$(CC) $(CFLAGS) $(HARDENING_FLAGS) $(LDFLAGS) -o $@ $< -lcrypt
 
 .c.o:
 	$(CC) $(CFLAGS) -c $< -o $@