A ticket for this already exists: http://sourceforge.net/p/opensaf/tickets/320/
 /BR HansN

-----Original Message-----
From: Anders Widell [mailto:[email protected]] 
Sent: den 9 december 2013 12:45
To: [email protected]
Cc: [email protected]
Subject: [devel] [PATCH 1 of 1] build: Add extra GCC hardening compilation 
flags [#650]

 00-README.conf               |   2 +-
 Makefile.common              |   4 ++--
 README                       |  16 ++++++++++++----
 configure.ac                 |  18 ++++++++++++++++++
 tools/cluster_sim_uml/README |   2 +-
 5 files changed, 34 insertions(+), 8 deletions(-)


By default, build with the extra hardening flags "-D_FORTIFY_SOURCE=2 
-fstack-protector" for improved security and enhanced run-time error detection. 
The flags can be overridden by setting the environment variable 
OSAF_HARDEN_FLAGS when building OpenSAF.

Note that -D_FORTIFY_SOURCE=2 is only enabled in optimized builds. To reduce 
the risk that a user accidentally builds without optimization by overriding the 
default CFLAGS and/or CXXFLAGS, the README files have been updated to recommend 
passing preprocessor definitions using CPPFLAGS instead of CFLAGS.

diff --git a/00-README.conf b/00-README.conf
--- a/00-README.conf
+++ b/00-README.conf
@@ -85,7 +85,7 @@ file does not have to be changed unless:
 - OpenSAF should run as a different UNIX group and user than the default 
'opensaf'
   group/user.
 
-       If OpenSAF was built with the flags "CFLAGS=-DRUNASROOT", then
+       If OpenSAF was built with the flags "CPPFLAGS=-DRUNASROOT", then
        change OPENSAF_GROUP and OPENSAF_USER to root i.e. for old (<4.2) 
behaviour.
 
        For any other user, change OPENSAF_GROUP and OPENSAF_USER accordingly 
diff --git a/Makefile.common b/Makefile.common
--- a/Makefile.common
+++ b/Makefile.common
@@ -12,8 +12,8 @@ AM_CPPFLAGS = \
        $(CORE_INCLUDES) \
        $(all_includes)
 
-AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -AM_CXXFLAGS = -Wall 
-fno-strict-aliasing -Werror -fPIC -D__STDC_FORMAT_MACROS
+AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC 
+@OSAF_HARDEN_FLAGS@ AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror 
+-fPIC -D__STDC_FORMAT_MACROS @OSAF_HARDEN_FLAGS@
 AM_LDFLAGS = -ldl -lrt -lpthread
 
 #
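
Review bot: @OSAF_HARDEN_FLAGS@ is appended to AM_CFLAGS and AM_CXXFLAGS, but its default value contains the preprocessor definition -D_FORTIFY_SOURCE=2, which is exactly the kind of flag the commit message asks users to pass through CPPFLAGS. Consider splitting the substitution so that the -D part goes into AM_CPPFLAGS and only -fstack-protector goes into the compiler flags, or add a comment here saying the variable is deliberately mixed. Both lines also carry -Werror, so a user-supplied OSAF_HARDEN_FLAGS value that triggers a compiler warning will fail the build; that is worth mentioning where the variable is documented.
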
diff --git a/README b/README
--- a/README
+++ b/README
@@ -293,7 +293,7 @@ 1.1.1, 1.1.2 etc.
 To re-enable the old (pre 4.3) non flat addressing, configure the constant
 MDS_USE_SUBSLOT_ID=1 at configure time as in:
 
-    % ./configure CFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
+    % ./configure CPPFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
 
 In the non flat scheme, the slot ID is shifted up 4 bits and subslot ID is  
added in the 4 LSB. The consequence of this is reduced number of @@ -308,7 
+308,7 @@ 2) Run as root (optional)  If the old (<4.2) behaviour of running all 
processes as root is desired, use  the following configure command:
 
-    % ./configure CFLAGS=-DRUNASROOT
+    % ./configure CPPFLAGS=-DRUNASROOT
 
 
 3) Configure TIPC importance (optional) @@ -317,13 +317,21 @@ The default TIPC 
importance is LOW for a  In some cases the default importance must be changed 
if e.g. an application starves the LOW importance communication level.
 To change the default importance, use the following configure command
 
-   % ./configure CFLAGS=-DTIPCIMPORTANCE=level
+   % ./configure CPPFLAGS=-DTIPCIMPORTANCE=level
    where level is any of TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE or 
TIPC_HIGH_IMPORTANCE
-   e.g. configure CFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
+   e.g. configure CPPFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
 
 Note: Giving same importance to AVND & all other Opensaf models is not 
preferred option. The behavior is unsupported.
 
 
+4) Configure GCC hardening options (optional)
+
+By default, the options "-fstack-protector -D_FORTIFY_SOURCE=2" are 
+passed to GCC for improved security. You can override these options by 
+setting the OSAF_HARDEN_FLAGS when configuring OpenSAF. For example:
+
+   % ./configure OSAF_HARDEN_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
 If you are using a released archive (dist tarball) follow the simple common
 steps:
 
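
Review bot: the new section 4 states that "-fstack-protector -D_FORTIFY_SOURCE=2" are passed by default, but the configure.ac change in this patch only adds -D_FORTIFY_SOURCE=2 when -O appears in both CFLAGS and CXXFLAGS and -O0 appears in neither. Document that condition here, and say that a value given in OSAF_HARDEN_FLAGS replaces the defaults rather than adding to them. "setting the OSAF_HARDEN_FLAGS" would also read better as "setting the OSAF_HARDEN_FLAGS variable".
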
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -545,6 +545,22 @@ if test "$enable_imm_pbe" = yes; then
        PKG_CHECK_MODULES([SQLITE3], [sqlite3])  fi
 
+if test -z "$OSAF_HARDEN_FLAGS"; then
+       # _FORTIFY_SOURCE requires optimization, so only enable it in optimized
+       # builds, i.e. when -O is present in both CFLAGS and CXXFLAGS.
+       if echo "${CFLAGS}" | grep -q -- -O; then
+               if echo "${CXXFLAGS}" | grep -q -- -O; then
+                       OSAF_HARDEN_FLAGS="-D_FORTIFY_SOURCE=2"
+               fi
+       fi
+       # Also check for -O0 (which explicitly disables optimisation)
+       if echo "${CFLAGS} ${CXXFLAGS}" | grep -q -- -O0; then
+               OSAF_HARDEN_FLAGS=""
+       fi
+       OSAF_HARDEN_FLAGS="${OSAF_HARDEN_FLAGS} -fstack-protector"
+fi
+AC_SUBST(OSAF_HARDEN_FLAGS)
+
 #############################################
 # Checks for header files.
 #############################################
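
Review bot: the guard 'test -z "$OSAF_HARDEN_FLAGS"' at the top of the added block treats an explicitly empty value the same as an unset one, so ./configure OSAF_HARDEN_FLAGS="" still gets the defaults and there is no way to switch the hardening flags off. Test whether the variable is set instead, for example 'test "${OSAF_HARDEN_FLAGS+set}" != set'. The -O and -O0 checks are plain substring matches over the whole flag string, so any option that merely contains -O counts as optimization, and a -O0 that is later overridden by -O2 on the same command line still drops -D_FORTIFY_SOURCE=2; matching whole words and honouring the last -O option would be more robust. -fstack-protector is also added without probing whether the compiler accepts it.
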
@@ -925,8 +941,10 @@ echo ""
 echo " Compiling Options:"
 echo "${ECHO_T}  C Compiler: ${CC}"
 echo "${ECHO_T}  C++ Compiler: ${CXX}"
+echo "${ECHO_T}  CPPFLAGS: ${CPPFLAGS} ${AM_CPPFLAGS}"
 echo "${ECHO_T}  CFLAGS: ${CFLAGS} ${AM_CFLAGS}"
 echo "${ECHO_T}  CXXFLAGS: ${CXXFLAGS} ${AM_CXXFLAGS}"
+echo "${ECHO_T}  OSAF_HARDEN_FLAGS: ${OSAF_HARDEN_FLAGS}"
 echo "${ECHO_T}  LDFLAGS: ${LDFLAGS}"
 echo "${ECHO_T}  Enable RPATH: ${enable_rpath}"
 
diff --git a/tools/cluster_sim_uml/README b/tools/cluster_sim_uml/README
--- a/tools/cluster_sim_uml/README
+++ b/tools/cluster_sim_uml/README
@@ -77,7 +77,7 @@ When the UML root file system is generat  DESTDIR set to the 
UML root file system. Make sure you have a default  configured Opensaf like 
this:
 
-$ ./configure CFLAGS=-DRUNASROOT
+$ ./configure CPPFLAGS=-DRUNASROOT
 
 - Execute './build_uml'.
 

_______________________________________________
Opensaf-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opensaf-devel
