[Buildroot] [PATCH v2 2/2] security hardening: add RELFO, FORTIFY options

["Stefan Fröberg" <stefan.froberg@petroprogram.com>]

6.11.2017, 23:14, Arnout Vandecappelle kirjoitti:
> @@ -181,6 +184,28 @@ TARGET_CXXFLAGS += -fstack-protector-all
>   TARGET_FCFLAGS += -fstack-protector-all
>   endif
>   
> +ifeq ($(BR2_RELRO_PARTIAL),y)
> +TARGET_CFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_CXXFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_FCFLAGS += $(TARGET_CFLAGS_RELRO)
>   Since these are linker flags, it _should_ be sufficient to add them to LDFLAGS.
> There may be some packages that don't listen to LDFLAGS so in that sense it
> could be a good idea to add it to CFLAGS as well, but I tend to prefer to fix
> the packages. Only, there is no easy way to detect that LDFLAGS are ignored.
>

There could be a way to tell if package shows middle finger to 
CFLAGS/CXXFLAGS/LDFLAGS
and just ignores the hardening options.

There's a little perl script called hardening-check that could be used 
to do post installation checking
of what packages actually respected the flags.

http://manpages.ubuntu.com/manpages/trusty/man1/hardening-check.1.html

I have a copy of that perl script here:
https://www.orwell1984.today/hardening-check

I also did the following little test:
1. First compiled turbovnc against i686-uclibc without any hardening and 
then running
"hardening-check -c output/target/usr/bin/Xvnc" with following results:

output/target/usr/bin/Xvnc:
  Position Independent Executable: ^[no, normal executable!^[
  Stack protected: ^[no, not found!^[
  Fortify Source functions: ^[no, only unprotected functions found!^[
  Read-only relocations: ^[yes^[
  Immediate binding: ^[no, not found!^[

2. Then forced the gcc compiler to use hardening features by using GCC 
Spec File, so that
if turbovnc did ignore CFLAGS/CXXFLAGS/LDFLAGS it would still be 
forcefeed the right
hardening options, like this:

- Dump the built-in specs file "$(HOST_CC) -dumpspecs > specs" and then 
edit it
to enable all the hardening stuff
(here's mine for i686-uclibc, forgot to enable stack-protection: 
https://www.orwell1984.today/specs)

- Find location where gcc looks for specs file "dirname $($(HOST_CC)  
--print-libgcc-file-name)"
and move the edited specs file there

- Rebuild turbovnc

- And finally, check "hardening-check -c output/target/usr/bin/Xvnc" 
with following result:

output/target/usr/bin/Xvnc:
  Position Independent Executable: ^[yes^[
  Stack protected: ^[no, not found!^[
  Fortify Source functions: no, only unprotected functions found!^[
  Read-only relocations: ^[yes^[
  Immediate binding: ^[yes^[

Here turbovnc built with pie, relro,now and if I would have remember to 
enable stack protection in toolchain,
also with stack protection.

So that's a one way to force & check hardening afterwards. But have to 
admit, not very elegant way.

Maybe there could be hardened directory with some premade "profiles" 
(gcc spec files) for various arch-lib combos
which could be selected from menu and then the buildroot cross-compiler 
would have
it's `dirname $($HOST_CC) --print-libgcc-file-name`/specs be a just 
symlink to that arch-lib combos like this:

output/host/lib/gcc/i686-buildroot-linux-uclibc/6.4.0/specs --> 
../../../../../../hardened/i686/uclibc/specs

If selecting vanilla, non-hardened toolchain from menu, it would just 
remove the symlink.
And maybe there could be an option to run hardening-check script at the 
end of installation.

Just throwing thoughts around
-S-