HBSD: Introduce PIEified base.

Base is now able to compile as Position-Independent Executables (PIEs)
for amd64 and i386. Only a few applications are left as non-PIE. Some
applications, like /sbin/init, cannot be compiled as PIEs as they are
statically compiled.

This work has been tested on numerous machines, both on bare metal and
virtualized. Multiple package builds have run successfully.

PIEified base can be disabled for amd64 and i386 by setting
WITHOUT_PIE in src.conf(5) or enabled for other architectures by
setting WITH_PIE in src.conf(5). Since this is controlled by
src.conf(5), PIEified base does not affect out-of-tree builds of 3rd
party applications, like those found in the Ports tree.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
Hat-tip-to:	Bryan Drewery <bdrewery@freebsd.org>
MFC-to:		10-STABLE

Squashed commit of the following:

commit 4a3e0fd
Merge: bea0b2c 83368e9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Tue Apr 12 21:06:13 2016 -0400

    Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie

commit bea0b2c
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Tue Apr 12 21:01:11 2016 -0400

    HBSD: Tidy up base PIEification.

    Switch the PIE knob from make.conf(5) to src.conf(5). Add a
    conditional surrounding the PIE logic to prevent Ports failures, since
    Ports shares the host build framework (bsd.*.mk and friends). Document
    why the extra conditional is needed.

    PIEification is still opt-in per architecture, with support only for
    amd64 and i386 at the moment. I'm hoping ARM and ARM64 support will
    come at BSDCan.

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 1d066c7
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Tue Apr 12 20:58:17 2016 -0400

    HBSD: Optionally include src.opts.mk.

    By using .sinclude, the build framework will utilize src.opts.mk for
    base, but not for ports, since src.*.mk does not get installed into
    /usr/share/mk. This is needed to change the PIE knob from make.conf(5)
    to src.conf(5).

    Obtained-from:	@bdrewery <bdrewery@freebsd.org>
    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 5878050
Merge: dad709a 2e9b0ff
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Mon Apr 11 11:47:40 2016 -0400

    Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie

commit dad709a
Merge: 0c3ce79 f2ee05d
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Sat Apr 9 12:40:01 2016 -0400

    Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie

commit 0c3ce79
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Sat Apr 9 09:59:51 2016 -0400

    HBSD: Key off -static being in LDFLAGS.

    Reported-by:	Oliver Pinter <oliver.pinter@hardenedbsd.org>
    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 4846e3f
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Fri Apr 8 15:00:29 2016 -0400

    HBSD: Also key off NOPIE when adding the PIC flag for libraries.

    Some ports fail to link due to the aggressive PIEification of base.
    Adding support for NOPIE in bsd.lib.mk will allow workarounds to be
    placed in each port.

    Signed-off-by:  Shawn Webb <shawn.webb@hardenedbsd.org>

commit d70919d
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Fri Apr 8 11:08:32 2016 -0400

    HBSD: Bump __HardenedBSD_version to 45.

    For the PIEified base work.

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 84d8e20
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Fri Apr 8 10:59:29 2016 -0400

    HBSD: Only enable PIEified base for amd64 and i386.

    Compiling (nearly) all of base causes issues with booting arm64 (and
    likely arm, but I haven't verified that, yet). As I learn the arm64
    architecture, and as I learn its boot process and what code is
    involved with that, PIEified base will make its debut on arm64. I'm
    hoping to complete that during BSDCan.

    With this commit, PIEified base can be considered complete on amd64
    and i386.

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit b2207b5
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Thu Apr 7 09:33:27 2016 -0400

    HBSD: Build shared toolchain by default.

    Building a shared toolchain allows the toolchain to compile as PIEs.

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 4e7d394
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Wed Apr 6 22:39:17 2016 -0400

    HBSD: Only force -fPIC for libs if MK_PIE is active.

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 1778a96
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Wed Apr 6 22:36:06 2016 -0400

    HBSD: Remove WANTS_PIE.

    Now that all of base can be compiled as a PIE, do not use WANTS_PIE
    for the select few applications that had it. Users can still disable
    PIE support by setting WITHOUT_PIE in src.conf(5).

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

commit 5731247
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date:   Wed Apr 6 21:30:46 2016 -0400

    HBSD: Compile base as Position-Independent Executables (PIEs)

    Enable compiling nearly all of base as PIEs. Only 24 applications
    (listed below) do not get compiled as PIEs. This has been tested with
    a default make.conf(5) and src.conf(5) on amd64. More testing is
    needed, especially with custom make.conf(5) and src.conf(5) flags.

    Applications that aren't compiled as PIEs:
    	/sbin/init.bak
    	/sbin/init
    	/sbin/devd
    	/usr/sbin/nologin
    	/usr/bin/gprof
    	/usr/bin/ar
    	/usr/bin/ld.bfd
    	/usr/bin/clang++
    	/usr/bin/lldb
    	/usr/bin/cc
    	/usr/bin/clang
    	/usr/bin/mkulzma
    	/usr/bin/ld
    	/usr/bin/c++
    	/usr/bin/clang-tblgen
    	/usr/bin/clang-cpp
    	/usr/bin/cpp
    	/usr/bin/as
    	/usr/bin/llvm-tblgen
    	/usr/bin/elfcopy
    	/usr/bin/tblgen
    	/usr/bin/ranlib
    	/usr/bin/ldd32
    	/usr/bin/make

    Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
lattera committed Apr 15, 2016
1 parent 1b563b0 commit af54fe571376423e79a973ad9436a507ddd19514
@@ -1,3 +1,12 @@
+[20160408] PIEified base for amd64 and i386
+__HardenedBSD_version = 45
+
+ Remove WANTS_PIE.
+ Default PIE for base for amd64 and i386 only.
+ When PIE is enabled, compile non-static libraries with -fPIC.
+ Default WITH_SHARED_TOOLCHAIN to enabled by default.
+
+
[201603XX] noexec and ASLR changes
__HardenedBSD_version = 44
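
Review bot: The last line of the new entry, "Default WITH_SHARED_TOOLCHAIN to enabled by default", is redundant wording, and the entry leaves out the opt-out paths this change introduces. Suggest "Enable WITH_SHARED_TOOLCHAIN by default", plus lines stating that PIE is skipped when NOPIE is set in a Makefile or when -static is in LDFLAGS, and that WITHOUT_PIE in src.conf(5) disables it, so a reader of the changelog can tell which binaries will not be PIE.
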
@@ -30,4 +30,6 @@ LIBADD.tls_dynamic_test+= pthread
LIBADD.tls_dlopen_test+= pthread
LDFLAGS.tls_dlopen_test+= -Wl,-rpath,${TESTSDIR} -Wl,-export-dynamic
+NOPIE= yes
+
.include <bsd.test.mk>
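
Review bot: `NOPIE= yes` is added here without a comment saying why these tests cannot be built as PIEs. The knob turns off a hardening default for everything this Makefile builds, so a one-line rationale above it (and a narrower scope, if only some of the tests need it) would let a later reader tell whether the exemption is still required.
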
@@ -87,5 +87,7 @@ beforeinstall:
SUBDIR+= tests
.endif
+NOPIE= yes
+
.include <bsd.prog.mk>
.include <bsd.symver.mk>
@@ -42,7 +42,6 @@ SCRIPTS=dhclient-script
MAN= dhclient.8 dhclient.conf.5 dhclient.leases.5 dhcp-options.5 \
dhclient-script.8
LIBADD= util
-WANTS_PIE= yes
WARNS?= 2
@@ -4,7 +4,6 @@ PROG = natd
SRCS = natd.c icmp.c
WARNS?= 3
LIBADD = alias
-WANTS_PIE = yes
MAN = natd.8
.include <bsd.prog.mk>
@@ -6,7 +6,6 @@ MAN= routed.8
SRCS= if.c input.c main.c output.c parms.c radix.c rdisc.c table.c trace.c
WARNS?= 3
LIBADD= md
-WANTS_PIE= yes
SUBDIR= rtquery
@@ -34,7 +34,6 @@ LIBADD+= crypto
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
.endif
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -51,7 +51,6 @@ LIBADD+= crypto
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
.endif
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -13,6 +13,7 @@ __<bsd.init.mk>__:
.if exists(${.CURDIR}/../Makefile.inc)
.include "${.CURDIR}/../Makefile.inc"
.endif
+.sinclude <src.opts.mk>
.include <bsd.own.mk>
.MAIN: all
beforebuild: .PHONY .NOTMAIN
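
Review bot: `.sinclude <src.opts.mk>` fails silently, and the new PIE blocks elsewhere in this change are all wrapped in `.if defined(MK_PIE)`, so a base build that for any reason does not find src.opts.mk will produce non-PIE binaries with no warning. Please add a comment here explaining that the silent include is deliberate for the Ports case, and consider a check in the base build that reports when MK_PIE ends up undefined.
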
@@ -78,6 +78,19 @@ PICFLAG=-fpic
.endif
.endif
+.if defined(MK_PIE)
+# Ports will not have MK_PIE defined and the following logic requires
+# it be defined.
+
+.if !defined(NO_PIC)
+.if ${MK_PIE} != "no"
+.if !defined(NOPIE)
+CFLAGS+= ${PICFLAG}
+.endif
+.endif
+.endif
+.endif
+
PO_FLAG=-pg
.c.o:
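
Review bot: `CFLAGS+= ${PICFLAG}` is appended to the global CFLAGS, so it applies to every object this makefile compiles, including those built by the `.c.o:` rule just below, while the changelog entry says only non-static libraries are compiled with -fPIC. If static archive objects are meant to be excluded, the flag belongs on the shared-object rules; if not, the changelog wording should change. The three inner conditionals could also be a single `.if !defined(NO_PIC) && ${MK_PIE} != "no" && !defined(NOPIE)` inside the `defined(MK_PIE)` guard.
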
@@ -60,7 +60,6 @@ __DEFAULT_YES_OPTIONS = \
NIS \
NLS \
OPENSSH \
- PIE \
PROFILE \
SSP \
SYMVER \
@@ -78,7 +77,6 @@ __DEFAULT_DEPENDENT_OPTIONS = \
STAGING_MAN/STAGING \
STAGING_PROG/STAGING \
-
.include <bsd.mkopt.mk>
#
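
Review bot: The only change in this hunk is the removal of a blank line before `.include <bsd.mkopt.mk>`, which is unrelated to moving the PIE option. Dropping it from the patch keeps the diff focused on the PIE change.
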
@@ -12,14 +12,6 @@
CFLAGS+=${COPTS}
.endif
-.if defined(WANTS_PIE)
-.if ${MK_PIE} != "no"
-CFLAGS+= -fPIE
-CXXFLAGS+= -fPIE
-LDFLAGS+= -pie
-.endif
-.endif
-
.if ${MK_ASSERT_DEBUG} == "no"
CFLAGS+= -DNDEBUG
NO_WERROR=
@@ -60,6 +52,23 @@ STRIP?= -s
LDFLAGS+= -static
.endif
+.if defined(MK_PIE)
+# Ports will not have MK_PIE defined and the following logic requires
+# it be defined.
+
+.if ${LDFLAGS:M-static}
+NOPIE=yes
+.endif
+
+.if !defined(NOPIE)
+.if ${MK_PIE} != "no"
+CFLAGS+= -fPIE
+CXXFLAGS+= -fPIE
+LDFLAGS+= -pie
+.endif
+.endif
+.endif
+
.if ${MK_DEBUG_FILES} != "no"
PROG_FULL=${PROG}.full
# Use ${DEBUGDIR} for base system debug files, else .debug subdirectory
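
Review bot: `.if !defined(NOPIE)` tests only whether the variable exists, so `NOPIE=no`, or a NOPIE variable inherited from the environment, turns PIE off just as `NOPIE=yes` does. Either compare the value or document NOPIE as a define-only knob. Separately, `${LDFLAGS:M-static}` matches only a literal `-static` word already present in LDFLAGS when this file is read; a Makefile that requests static linking some other way still gets `-fPIE` and `-pie`, so the comment should state which cases are covered.
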
@@ -150,6 +150,7 @@ __DEFAULT_YES_OPTIONS = \
SENDMAIL \
SETUID_LOGIN \
SHAREDOCS \
+ SHARED_TOOLCHAIN \
SOURCELESS \
SOURCELESS_HOST \
SOURCELESS_UCODE \
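
Review bot: SHARED_TOOLCHAIN moves to `__DEFAULT_YES_OPTIONS` for every architecture, but the PIE default added further down in this file is enabled only when `${__T}` is amd64 or i386. If the shared toolchain is wanted only so the toolchain can be built as PIE, put it under the same architecture conditional; otherwise say in a comment why the default changes everywhere.
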
@@ -186,7 +187,6 @@ __DEFAULT_NO_OPTIONS = \
OFED \
OPENLDAP \
PORTSNAP \
- SHARED_TOOLCHAIN \
SORT_THREADS \
SVN
@@ -256,6 +256,12 @@ BROKEN_OPTIONS+=LLDB
BROKEN_OPTIONS+=LIBSOFT
.endif
+.if ${__T} == "amd64" || ${__T} == "i386"
+__DEFAULT_YES_OPTIONS+=PIE
+.else
+__DEFAULT_NO_OPTIONS+=PIE
+.endif
+
.include <bsd.mkopt.mk>
#
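
Review bot: The architecture test `${__T} == "amd64" || ${__T} == "i386"` carries no comment on why the other architectures default to off. The commit message gives the reason (boot problems on arm64, arm not yet verified); a short comment here would keep that visible to whoever extends the list.
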
@@ -28,4 +28,6 @@ BTXLDR= ${BTXDIR}/btxldr/btxldr
BTXKERN= ${BTXDIR}/btx/btx
BTXCRT= ${BTXDIR}/lib/crt0.o
+NOPIE= yes
+
.include "../Makefile.inc"
@@ -32,7 +32,7 @@
#ifndef _SYS_PAX_H
#define _SYS_PAX_H
-#define __HardenedBSD_version 44UL
+#define __HardenedBSD_version 45UL
#if defined(_KERNEL) || defined(_WANT_PRISON)
struct hbsd_features {
@@ -7,7 +7,6 @@ SRCS= netcat.c atomicio.c socks.c
CFLAGS+=-DIPSEC
LIBADD= ipsec
-WANTS_PIE= yes
WARNS?= 2
@@ -48,7 +48,6 @@ SRCS= \
SRCS+= vmm_instruction_emul.c
LIBADD= vmmapi md pthread
-WANTS_PIE= yes
WARNS?= 2
@@ -8,7 +8,6 @@ SRCS= bhyvectl.c
MAN= bhyvectl.8
LIBADD= vmmapi util
-WANTS_PIE= yes
WARNS?= 3
@@ -5,7 +5,6 @@ SRCS= bhyveload.c
MAN= bhyveload.8
LIBADD= vmmapi
-WANTS_PIE= yes
WARNS?= 3
@@ -15,7 +15,6 @@ MAN= ctld.8 ctl.conf.5
LIBADD= bsdxml l md sbuf util ucl m
-WANTS_PIE= yes
YFLAGS+= -v
CLEANFILES= y.tab.c y.tab.h y.output
@@ -4,6 +4,5 @@ PROG= daemon
MAN= daemon.8
LIBADD= util
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -24,6 +24,5 @@ CFLAGS+= -DIPSEC
LIBADD+= ipsec
.endif
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -10,7 +10,6 @@ MAN= iscsid.8
LIBADD= md util
-WANTS_PIE= yes
WARNS= 6
@@ -3,6 +3,5 @@
PROG= nfsd
MAN= nfsd.8 nfsv4.4 stablerestart.5
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -3,6 +3,5 @@
PROG= nfsuserd
MAN= nfsuserd.8
WARNS?= 3
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -4,6 +4,5 @@ PROG= powerd
MAN= powerd.8
LIBADD= util
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -20,7 +20,6 @@ SRCS= rtadvd.c rrenum.c advcap.c if.c config.c timer.c timer_subr.c \
control.c control_server.c
LIBADD= util
-WANTS_PIE= yes
WARNS?= 1
@@ -21,6 +21,5 @@ SRCS= rtsold.c rtsol.c if.c probe.c dump.c rtsock.c
WARNS?= 3
-WANTS_PIE= yes
.include <bsd.prog.mk>
@@ -10,7 +10,6 @@ MAN= syslog.conf.5 syslogd.8
SRCS= syslogd.c ttymsg.c
LIBADD= util
-WANTS_PIE= yes
WARNS?= 3
@@ -187,7 +187,6 @@ CFLAGS+= -I${DESTDIR}/usr/include/openssl
CFLAGS+= -DHAVE_LIBCRYPTO -DHAVE_OPENSSL_EVP_H
.endif
-WANTS_PIE= yes
.if ${MK_PF} != "no"
SRCS+= print-pflog.c \
