cmake: add extra security compiler options #7587
Conversation
Force-pushed from e42fe44 to 5acbfce.
@@ -37,7 +37,6 @@ DEB_DH_SYSTEMD_START_ARGS_tarantool-common := --no-restart-on-upgrade tarantool | |||
|
|||
# Needed for proper backtraces in fiber.info() | |||
DEB_DH_STRIP_ARGS := -X/usr/bin/tarantool | |||
export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector |
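Review bot: `hardening=-stackprotector` is an exclusion, not an enablement, so deleting this `export DEB_BUILD_MAINT_OPTIONS` line turns the stack protector back on for the Debian packages (dpkg-buildflags injects it by default). That is the intent of the change, but the reason the exclusion was added in the first place is not recorded in this hunk; state in the commit message why it is now safe to drop, and double-check that the `# Needed for proper backtraces in fiber.info()` comment, which now sits above only `DEB_DH_STRIP_ARGS := -X/usr/bin/tarantool`, still describes the right line.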
Here `hardening=-stackprotector` means disabling the stack protector, not enabling it.
Please don't forget to patch tarantool-ee when this one is merged.
Force-pushed from 5acbfce to 37ee9d5.
Force-pushed from 7718f29 to 6602b37.
Force-pushed from 1f542b4 to 3d68417.
Force-pushed from 3d68417 to bf491a5.
Thank you for the painstaking work!
The overall approach is okay for me. I ran several manual tests and some of them failed (see the comments above). I don't know how important those failures are, and I don't know the details of the build platform/infrastructure of Tarantool Enterprise Edition. Depending on that, the failures may be negligible or very important.
I'll approve the general approach and will lean on you regarding reproducing/fixing/postponing/discarding the remaining problems.
(TBH, I'm going on vacation and just can't participate in the next review iteration.)
Force-pushed from bf491a5 to f8d128b.
Force-pushed from f8d128b to 0cc4278.
Force-pushed from 0cc4278 to 9a52a35.
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for
non-debug regular and static builds, excluding AArch64 and FreeBSD. It
passes compiler flags that harden Tarantool (including the bundled
libraries) against memory corruption attacks.

The following flags are passed:

* -Wformat - Check calls to printf and scanf, etc., to make sure that the
  arguments supplied have types appropriate to the format string specified.
* -Wformat-security -Werror=format-security - Warn about uses of format
  functions that represent possible security problems. And make the
  warning into an error.
* -fstack-protector-strong - Emit extra code to check for buffer
  overflows, such as stack smashing attacks.
* -fPIC -pie - Generate position-independent code (PIC). It allows taking
  advantage of Address Space Layout Randomization (ASLR).
* -z relro -z now - Resolve all dynamically linked functions at the
  beginning of the execution, and then make the GOT read-only.

Also do not disable hardening for Debian and RPM-based Linux distros.

Closes #5372
Closes #7536

NO_DOC=build
NO_TEST=build
Force-pushed from 9a52a35 to 4b02131.
Cherry-picked to 2.10.
# Fuzzers are compiled without PIC support, | ||
# LuaJIT in FreeBSD doesn't work with PIC (gh-7640), | ||
# ligomp.a for AArch64 CentOS is compiled without PIC support. | ||
if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64") |
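Review bot: `if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")` expands the variable before `if()` sees it; should CMAKE_SYSTEM_PROCESSOR ever be empty (some toolchain files leave it unset), the expression degenerates to `MATCHES "aarch64"` and configure fails with an argument error. Write it as `CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64"` and let `if()` do the expansion. The condition is also broader than its justification: the comment names only `ligomp.a for AArch64 CentOS` (typo, should be libgomp.a), yet hardening is switched off for every AArch64 target, so AArch64 distros whose libgomp is PIC-clean lose PIE and RELRO too; gating on the affected distro, or on a configure-time check that the system libgomp is non-PIC, would keep the default on where it works.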
Why is hardening disabled on arm64?
Some arm64 Linux distros (e.g. CentOS) include system libraries that do not allow compiling Tarantool as a position-independent binary; that's why I disabled hardening by default for arm64. There is a task about removing the dependency on libgomp: #7689
May I ask why hardening is disabled for ARM64 builds by default?
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for
regular and static builds. It passes compiler flags that harden Tarantool
(including the bundled libraries) against memory corruption attacks.

The following flags are passed:

* -Wformat - Check calls to printf and scanf, etc., to make sure that the
  arguments supplied have types appropriate to the format string
  specified.
* -Wformat-security -Werror=format-security - Warn about uses of format
  functions that represent possible security problems. And make the
  warning into an error.
* -fstack-protector-strong - Emit extra code to check for buffer
  overflows, such as stack smashing attacks.
* -fPIC - Generate position-independent code (PIC). It allows taking
  advantage of Address Space Layout Randomization (ASLR).
* -z relro -z now - Resolve all dynamically linked functions at the
  beginning of the execution, and then make the GOT read-only.

Also do not disable hardening for Debian and RPM-based Linux distros.

Closes #5372
Closes #7536
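Both commit messages above list the flags but not how to confirm that a produced binary actually carries the protections. The script below is an added example for this review and is not part of Tarantool or of this PR: it compiles a small constructed C program with the flag set from the commit message, checks the resulting ELF for PIE (ET_DYN), a GNU_RELRO segment, BIND_NOW and a stack-protector reference, and confirms that `-Wformat -Werror=format-security` rejects a `printf(argv[1])` call. It assumes a Linux host with a C compiler reachable as `cc` (or `$CC`) and `readelf` from binutils; the two C sources are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Tarantool's code): build a tiny C program with the
# hardening flags from the commit message and verify the ELF properties.
# Assumes Linux, a C compiler ($CC or cc) and readelf from binutils.

HARDEN_CFLAGS="-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC"
HARDEN_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
# Flags that explicitly switch every protection off, for the comparison build.
UNHARDEN_FLAGS="-fno-stack-protector -no-pie -Wl,-z,norelro -Wl,-z,lazy"

# Constructed sample program. The local char array is what makes
# -fstack-protector-strong insert a canary (and a __stack_chk_fail ref).
write_demo_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) {
    char buf[64];
    snprintf(buf, sizeof buf, "%s", argc > 1 ? argv[1] : "no-arg");
    printf("%s\n", buf);          /* literal format string: accepted */
    return 0;
}
EOF
}

# Constructed source that passes user data as the format string.
# With -Wformat -Werror=format-security the compiler must refuse it.
write_bad_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) {
    if (argc > 1)
        printf(argv[1]);          /* non-literal format, no arguments */
    return 0;
}
EOF
}

# check_hardening BINARY: return 0 only if BINARY is PIE, has a GNU_RELRO
# segment, is linked with BIND_NOW and references the stack protector's
# failure handler. Names the missing properties on stderr otherwise.
check_hardening() {
    bin=$1; missing=""
    readelf -h "$bin" | grep -q 'Type:.*DYN' || missing="$missing pie"
    readelf -l "$bin" | grep -q 'GNU_RELRO' || missing="$missing relro"
    readelf -d "$bin" | grep -Eq 'BIND_NOW|Flags:.*NOW' || missing="$missing bind_now"
    readelf -s "$bin" | grep -q '__stack_chk_fail' || missing="$missing stack_protector"
    if [ -n "$missing" ]; then
        echo "$bin: missing$missing" >&2
        return 1
    fi
    return 0
}

# build_demo OUTPUT hardened|unhardened: compile the sample program.
build_demo() {
    src="$1.c"; write_demo_source "$src"
    if [ "$2" = hardened ]; then
        ${CC:-cc} $HARDEN_CFLAGS $HARDEN_LDFLAGS -o "$1" "$src"
    else
        ${CC:-cc} $UNHARDEN_FLAGS -o "$1" "$src"
    fi
}

# format_security_rejects PREFIX: return 0 if the compiler refuses the
# bad source under the hardening CFLAGS (the warning is promoted to error).
format_security_rejects() {
    src="$1.c"; write_bad_source "$src"
    if ${CC:-cc} $HARDEN_CFLAGS -c -o "$1.o" "$src" 2>/dev/null; then
        return 1
    fi
    return 0
}

# demo: build both variants in a scratch directory and report the results.
demo() {
    dir=$(mktemp -d)
    build_demo "$dir/hardened" hardened
    build_demo "$dir/unhardened" unhardened
    for b in hardened unhardened; do
        if check_hardening "$dir/$b"; then echo "$b: all checks passed"; fi
    done
    if format_security_rejects "$dir/bad"; then
        echo "format-security: compiler rejected printf(argv[1])"
    fi
    rm -rf "$dir"
}
```

`check_hardening` can be pointed at any installed binary, e.g. `check_hardening "$(command -v tarantool)"`, to confirm that a package built with ENABLE_HARDENING really ships as PIE with full RELRO; the `readelf -s` test for `__stack_chk_fail` only proves that at least one function was instrumented, not that every one was, so it is a smoke test rather than a proof.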