[oe] -pie in SECURITY_CFLAGS (was: Re: [meta-oe][PATCH 1/3] meson: update Meson devtool to 0.40.1)
Patrick Ohly
patrick.ohly at intel.com
Fri Jun 9 14:34:02 UTC 2017
On Fri, 2017-06-09 at 13:24 +0000, Khem Raj wrote:
>
> On Fri, Jun 9, 2017 at 1:43 AM Patrick Ohly <patrick.ohly at intel.com>
> wrote:
>
> On Wed, 2017-06-07 at 21:44 +0000, Peter Kjellerstedt wrote:
> > My guess is that the problem stems from the fact that
> security_flags.inc
> > adds -pie (which is a linker flag) to SECURITY_CFLAGS rather
> than
> > SECURITY_LDFLAGS...
>
> I think I've seen that cause problems elsewhere when the
> CFLAGS came
> after -shared, because then the compiler ended up trying to
> produce a
> pie executable instead of a shared library.
>
> Perhaps we should finally address that in security_flags.inc
> instead of
> working around it?
>
>
> This patch is removing -pie from compiler and linker flags which does
> not result in intended behavior for executable when linked they will
> not be using -pie
The patch had some syntax errors (fixed version below), but it had the
code which adds -pie to TARGET_LDFLAGS when it is in SECURITY_CFLAGS, so
conceptually the flag shouldn't get lost entirely.
Are you saying that one cannot rely on TARGET_LDFLAGS being used during
linking?
I've tested with m4, and it seems to work okay:
$ grep -w -e -pie tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/temp/log.do_compile
x86_64-refkit-linux-gcc -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/fast/build/refkit/intel-corei7-64/tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map=/fast/build/refkit/intel-corei7-64/tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0=/usr/src/debug/m4/1.4.18-r0 -fdebug-prefix-map=/fast/build/refkit/intel-corei7-64/tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/recipe-sysroot-native= -fdebug-prefix-map=/fast/build/refkit/intel-corei7-64/tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/recipe-sysroot= -fstack-protector-strong -fpie -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -pie -fstack-protector-strong -Wl,-z,relro,-z,now -o m4 m4.o builtin.o debug.o eval.o format.o freeze.o input.o macro.o output.o path.o symtab.o ../lib/libm4.a
$ file tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/packages-split/m4/usr/bin/m4
tmp-glibc/work/corei7-64-refkit-linux/m4/1.4.18-r0/packages-split/m4/usr/bin/m4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f10d0a26299dcb8c5bd0f1c82ed492aea2d8f0ac, stripped
I assume "ELF 64-bit LSB shared object" instead of "ELF 64-bit LSB
executable" means "pie executable"?
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e162abeb3d9..b1781ceab42 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -12,6 +12,9 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
+# For history reasons and simplicity, -pie is listed here as part of CFLAGS.
+# In practice, it ends up getting used as part of LDFLAGS, as it should
+# be because it is a linker flag.
SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
@@ -94,8 +97,8 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
SECURITY_STRINGFORMAT_pn-gcc = ""
SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
-TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
-TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_CFLAGS_append_class-target = " ${@ oe.utils.str_filter_out('-pie', '${SECURITY_CFLAGS}', d) }"
+TARGET_LDFLAGS_append_class-target = " ${@ oe.utils.str_filter('-pie', '${SECURITY_CFLAGS}', d) } ${SECURITY_LDFLAGS}"
SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong"
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
More information about the Openembedded-devel
mailing list