[arch-projects] [devtools] [PATCH] enforce hardening flags and use PIE on x86_64

Wed Jul 23 16:17:25 EDT 2014

PIE is required for full address space layout optimization (ASLR) and
there is little to no benefit from ASLR without it since global ELF
tables (GOT/PLT) and application code are at known locations.

A wrapper script is required in order to pass the correct flags for
executables without changing the flags for libraries. It adds `-pie`
when linking (no `-c` switch) if `-static` or `-shared` are not passed,
and `-fPIE` whenever `-fPIC` is not already there. This technique comes
from the Debian hardening wrappers.

Position independent code is expensive on i686, so it's only enabled by
default on x86_64 where the cost is negligible. It can be enabled on a
package-by-package basis on i686. The same cost already exists for any
code in a dynamic library.

The hardening-wrapper package also enforces the chosen hardening flags
even when build systems aren't using CFLAGS / CXXFLAGS / LDFLAGS from
the environment. It would need to be moved from [community] to [core].
---
 archbuild.in     |  5 +++--
 makechrootpkg.in | 12 +++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/archbuild.in b/archbuild.in
index ae2f511..419ae5b 100644
--- a/archbuild.in
+++ b/archbuild.in
@@ -2,7 +2,7 @@
 
 m4_include(lib/common.sh)
 
-base_packages=(base-devel)
+base_packages=(base-devel hardening-wrapper)
 makechrootpkg_args=(-c -n)
 
 cmd="${0##*/}"
@@ -67,11 +67,12 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then
 		"${base_packages[@]}" || abort
 else
 	lock 9 "${chroots}/${repo}-${arch}/root.lock" "Locking clean chroot"
+	# upgrade and install any new packages from base_packages
 	arch-nspawn \
 		-C "@pkgdatadir@/pacman-${repo}.conf" \
 		-M "@pkgdatadir@/makepkg-${arch}.conf" \
 		"${chroots}/${repo}-${arch}/root" \
-                pacman -Syu --noconfirm || abort
+		pacman -Syu --noconfirm --needed "${base_packages[@]}" || abort
 fi
 
 msg "Building in chroot for [${repo}] (${arch})..."
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 97c7780..ad804fc 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -320,7 +320,17 @@ _chrootbuild() {
 		exit 1
 	fi
 
-	sudo -u nobody makepkg $makepkg_args || exit 1
+	# enforced compiler hardening flags (can be overriden in a PKGBUILD)
+	export HARDENING_BINDNOW=0 HARDENING_FORTIFY=2 HARDENING_RELRO=1
+	export HARDENING_STACK_CHECK=0 HARDENING_STACK_PROTECTOR=2
+	. /etc/makepkg.conf
+	if [[ $CARCH = i686 ]]; then
+		export HARDENING_PIE=0
+	else
+		export HARDENING_PIE=1
+	fi
+
+	sudo -E -u nobody makepkg $makepkg_args || exit 1
 
 	if $run_namcap; then
 		pacman -S --needed --noconfirm namcap
-- 
2.0.2
