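#!/usr/bin/make -f
#
# Copyright (C) 2009-2012 Kees Cook <kees@debian.org>
# License: GPLv2 or newer
#
# This file is intended to be included in a Debian rules file so that the
# calculated HARDENING_CFLAGS and HARDENING_LDFLAGS from this makefile
# can be used in the package's CFLAGS (and/or CXXFLAGS) and LDFLAGS to
# harden the security of a package's resulting binaries. For example:
#
#   include /usr/share/hardening-includes/hardening.make
#   CFLAGS += $(HARDENING_CFLAGS)
#   LDFLAGS += $(HARDENING_LDFLAGS)
#
# and if you need it for C++ compilations:
#
#   CXXFLAGS += $(HARDENING_CFLAGS)
#
#
# By default, all hardening options that are valid for a given architecture
# are enabled. The following can be set before or after including this
# makefile:
#   To disable all hardening:        DEB_BUILD_HARDENING:=0
#   To disable PIE:                  DEB_BUILD_HARDENING_PIE:=0
#   To disable stack protector:      DEB_BUILD_HARDENING_STACKPROTECTOR:=0
#   To disable Fortify Source:       DEB_BUILD_HARDENING_FORTIFY:=0
#   To disable format string checks: DEB_BUILD_HARDENING_FORMAT:=0
#   To disable readonly relocations: DEB_BUILD_HARDENING_RELRO:=0
#   To disable BIND_NOW:             DEB_BUILD_HARDENING_BINDNOW:=0
#
# Setting a knob *after* the include works because HARDENING_CFLAGS and
# HARDENING_LDFLAGS are deliberately recursive (late-bound) variables: the
# DEB_BUILD_HARDENING* values are only consulted when the flags are actually
# expanded. Do not convert those two definitions to ":=".
#
# For more details, see https://wiki.debian.org/Hardening
#
# Thanks to Ryan Niebur for help with the Makefile magicks.
#
# -- Kees Cook <kees@debian.org>

# Host architecture/OS as seen by dpkg. Probe dpkg-architecture only when
# the caller or environment has not already supplied a value (same effect as
# "?="), but store the result with ":=" so the probe runs once per make
# invocation instead of on every expansion ("?=" always creates a recursive
# variable, which would re-run the shell command each time it is used).
ifeq ($(origin DEB_HOST_ARCH),undefined)
DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null)
endif
ifeq ($(origin DEB_HOST_ARCH_OS),undefined)
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
endif

# The OS table below only turns PIE on for a known OS, so an empty probe
# result (dpkg-architecture missing or failing; its stderr is discarded)
# silently leaves PIE disabled. Make that visible rather than silent.
ifeq ($(strip $(DEB_HOST_ARCH_OS)),)
$(warning hardening.make: DEB_HOST_ARCH_OS is empty (is dpkg-architecture installed?); PIE will be disabled)
endif

# Master switch for every hardening option below.
DEB_BUILD_HARDENING ?= 1

# Words accepted as "enabled" for DEB_BUILD_HARDENING and the per-feature knobs.
_hardening_on_words := yes 1 on true

# The architecture tables are written as $(filter <literal names>,$(VAR)):
# the literal names are the patterns and the probed value is the text, so a
# stray "%" in a probed value cannot match every entry.
ifneq (,$(filter linux knetbsd hurd,$(DEB_HOST_ARCH_OS)))
  # PIE enabled only on linux, knetbsd, and hurd (bugs 430455 and 586215)
  ifeq (,$(filter hppa m68k mips mipsel avr32,$(DEB_HOST_ARCH)))
    # disabled on hppa (bug number needed)
    # disabled on m68k (bug 451192)
    # disabled on mips/mipsel (toolchain bug 532821)
    # disabled on avr32 (bug 574716)
    DEB_BUILD_HARDENING_PIE ?= 1
  endif
endif
DEB_BUILD_HARDENING_PIE ?= 0

ifneq (,$(filter ia64 alpha mips mipsel hppa arm,$(DEB_HOST_ARCH)))
  # Stack protector disabled on ia64, alpha, mips, mipsel, hppa.
  #   "warning: -fstack-protector not supported for this target"
  # Stack protector disabled on arm (ok on armel).
  #   compiler supports it incorrectly (leads to SEGV)
  DEB_BUILD_HARDENING_STACKPROTECTOR ?= 0
endif
DEB_BUILD_HARDENING_STACKPROTECTOR ?= 1

ifneq (,$(filter ia64 hppa avr32,$(DEB_HOST_ARCH)))
  DEB_BUILD_HARDENING_RELRO ?= 0
endif
DEB_BUILD_HARDENING_RELRO ?= 1

DEB_BUILD_HARDENING_FORTIFY ?= 1
DEB_BUILD_HARDENING_FORMAT ?= 1
DEB_BUILD_HARDENING_BINDNOW ?= 1

# Flag sets for each feature. -fPIE must appear at link time as well as
# compile time, together with -pie, for the executable to be relocatable.
_HARDENED_PIE_CFLAGS  := -fPIE
_HARDENED_PIE_LDFLAGS := -fPIE -pie

_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4

# Fortify Source requires that -O1 or higher is used, but that should be
# handled outside of this include file.
_HARDENED_FORTIFY_CFLAGS  := -D_FORTIFY_SOURCE=2

_HARDENED_FORMAT_CFLAGS   := -Wformat -Wformat-security -Werror=format-security

_HARDENED_RELRO_LDFLAGS   := -Wl,-z,relro

_HARDENED_BINDNOW_LDFLAGS := -Wl,-z,now

# $(call _hardening_enabled,<knob value>,<flags>)
# Expands to <flags> only when both the master switch DEB_BUILD_HARDENING and
# the given knob value are one of the "on" words; otherwise expands to nothing.
# Recursive ("=") on purpose: the knobs may be changed after this file is
# included, and the callers below are themselves recursive.
_hardening_enabled = $(if $(filter $(_hardening_on_words),$(DEB_BUILD_HARDENING)),$(if $(filter $(_hardening_on_words),$(1)),$(2)))

# Late-bound on purpose (see the header comment). Each continuation line is
# one feature; an entry expands to nothing when its knob is off.
HARDENING_CFLAGS ?= \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_STACKPROTECTOR),$(_HARDENED_STACKPROTECTOR_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORTIFY),$(_HARDENED_FORTIFY_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORMAT),$(_HARDENED_FORMAT_CFLAGS))

HARDENING_LDFLAGS ?= \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_LDFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_RELRO),$(_HARDENED_RELRO_LDFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_BINDNOW),$(_HARDENED_BINDNOW_LDFLAGS))

# Utility macros designed to allow package maintainer to force a given
# hardening feature off in certain areas of a build without disabling
# the option for the entire build. For example:
#   CFLAGS += $(HARDENING_CFLAGS)
#   monkey.o: monkey.c
#       $(CC) $(CFLAGS) $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) $< -o $@
# These rely on "last flag wins" in gcc/ld, so they must be placed after
# the hardening flags on the command line, as in the example above.
HARDENING_DISABLE_STACKPROTECTOR_CFLAGS := -fno-stack-protector
HARDENING_DISABLE_FORTIFY_CFLAGS        := -U_FORTIFY_SOURCE
HARDENING_DISABLE_FORMAT_CFLAGS         := -Wno-format-security
HARDENING_DISABLE_RELRO_LDFLAGS         := -Wl,-z,norelro
HARDENING_DISABLE_BINDNOW_LDFLAGS       := -Wl,-z,lazy
# Note: GCC does not have a way to just turn off pie (there is no "-nopie")
# so if PIE needs to be disabled for a specific target, the CFLAGS and LDFLAGS
# need to be filtered. For example:
#   monkey: monkey.c
#       $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
#             $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \
#             $< -o $@
#
# Note: when building shared libraries, or with some build frameworks (e.g.
# cmake) that pass "-fPIC" to everything, the "-fPIE" option must be filtered
# out to avoid building shared objects that need PIC but end up only with PIE.
# This is usually indicated by errors at link time that look like this:
#  relocation R_X86_64_PC32 against symbol `foo' can not be used when making a shared object; recompile with -fPIC
# In these cases, the CFLAGS can be filtered to exclude "-fPIE" until this
# is fixed in gcc correctly. For example, on one target:
#   monkey.o: monkey.c
#       $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
#             $< -c -o $@
# In cases where mixed shared objects and executable objects are being built,
# "-fPIC" needs to actually replace "-fPIE", since gcc won't distinguish
# between them yet. For example:
#   export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
#   CFLAGS += $(HARDENING_CFLAGS_PIC) \
#             $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(HARDENING_CFLAGS))
#
# The *_FILTER values are the exact words added by the PIE flag sets above, so
# $(filter-out ...) removes precisely those and nothing else.
HARDENING_DISABLE_PIE_CFLAGS_FILTER  := $(_HARDENED_PIE_CFLAGS)
HARDENING_DISABLE_PIE_LDFLAGS_FILTER := $(_HARDENED_PIE_LDFLAGS)
HARDENING_CFLAGS_PIC := -fPIC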
