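#!/usr/bin/make -f
#
# Copyright (C) 2009-2014 Kees Cook <kees@debian.org>
# License: GPLv2 or newer
#
# This file is intended to be included in a Debian rules file so that the
# calculated HARDENING_CFLAGS and HARDENING_LDFLAGS from this makefile
# can be used in the package's CFLAGS (and/or CXXFLAGS) and LDFLAGS to
# harden the security of a package's resulting binaries. For example:
#
#   include /usr/share/hardening-includes/hardening.make
#   CFLAGS += $(HARDENING_CFLAGS)
#   LDFLAGS += $(HARDENING_LDFLAGS)
#
# and if you need it for C++ compilations:
#
#   CXXFLAGS += $(HARDENING_CFLAGS)
#
# By default, all hardening options that are valid for a given architecture
# are enabled. The following can be set before or after including this
# makefile:
#   To disable all hardening:        DEB_BUILD_HARDENING:=0
#   To disable PIE:                  DEB_BUILD_HARDENING_PIE:=0
#   To disable stack protector:      DEB_BUILD_HARDENING_STACKPROTECTOR:=0
#   To disable Fortify Source:       DEB_BUILD_HARDENING_FORTIFY:=0
#   To disable format string checks: DEB_BUILD_HARDENING_FORMAT:=0
#   To disable readonly relocations: DEB_BUILD_HARDENING_RELRO:=0
#   To disable BIND_NOW:             DEB_BUILD_HARDENING_BINDNOW:=0
# A switch counts as enabled only when its value is one of "yes", "1", "on"
# or "true"; any other value (including empty) disables that feature.
# HARDENING_CFLAGS and HARDENING_LDFLAGS themselves are assigned with "?=",
# so a value already present in the environment is used unchanged and the
# switches above then have no effect.
#
# For more details, see https://wiki.debian.org/Hardening
#
# Thanks to Ryan Niebur for help with the Makefile magicks.
#
# -- Kees Cook <kees@debian.org>

# Host architecture and kernel as dpkg names them. If the environment
# already supplies them they are used as-is; otherwise dpkg-architecture is
# asked once. The $(origin) test is exactly what "?=" does, but lets the
# result be simply expanded (:=) so the shell is not forked again on every
# later reference.
ifeq ($(origin DEB_HOST_ARCH), undefined)
  DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null)
endif
ifeq ($(origin DEB_HOST_ARCH_OS), undefined)
  DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)
endif
# The per-architecture defaults further down key off these two values. With
# no answer, the kernel-dependent feature (PIE) silently defaults to off and
# the known-broken-architecture exclusions cannot apply, so say so instead
# of letting a build quietly lose hardening.
ifeq (,$(and $(strip $(DEB_HOST_ARCH)),$(strip $(DEB_HOST_ARCH_OS))))
  $(warning hardening.make: DEB_HOST_ARCH/DEB_HOST_ARCH_OS are unset and dpkg-architecture gave no answer; architecture-specific hardening defaults cannot be applied (PIE will default to off))
endif

# Master switch; the per-feature DEB_BUILD_HARDENING_* switches follow.
DEB_BUILD_HARDENING ?= 1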
# PIE (position-independent executables) is only switched on for kernels
# where it is known to work -- linux, knetbsd and hurd (bugs 430455 and
# 586215) -- and not on the architectures where the toolchain is known to
# break with it:
#   hppa  - (bug number needed)
#   m68k  - bug 451192
#   avr32 - bug 574716
# Everywhere else the default is off. A DEB_BUILD_HARDENING_PIE set before
# the include wins over both defaults ("?=").
_hardening_pie_os_ok    := $(filter $(DEB_HOST_ARCH_OS), linux knetbsd hurd )
_hardening_pie_arch_bad := $(filter $(DEB_HOST_ARCH), hppa m68k avr32 )
ifneq (,$(_hardening_pie_os_ok))
  ifeq (,$(_hardening_pie_arch_bad))
    DEB_BUILD_HARDENING_PIE ?= 1
  endif
endif
DEB_BUILD_HARDENING_PIE ?= 0
# Stack protector is off by default where the toolchain cannot do it:
#   ia64, alpha, hppa - gcc emits "warning: -fstack-protector not supported
#                       for this target"
#   arm               - the compiler accepts the option but supports it
#                       incorrectly and the result SEGVs (armel and armhf
#                       are fine and stay on)
# A DEB_BUILD_HARDENING_STACKPROTECTOR set before the include wins ("?=").
ifeq (,$(filter $(DEB_HOST_ARCH), ia64 alpha hppa arm))
  DEB_BUILD_HARDENING_STACKPROTECTOR ?= 1
else
  DEB_BUILD_HARDENING_STACKPROTECTOR ?= 0
endif
# Read-only relocations (-z relro) default to off on ia64, hppa and avr32.
# NOTE(review): the reason for this exclusion is not recorded here (no bug
# reference, unlike the PIE and stack-protector lists) -- confirm it is
# still needed before changing it.
ifeq (,$(filter $(DEB_HOST_ARCH), ia64 hppa avr32 ))
  DEB_BUILD_HARDENING_RELRO ?= 1
else
  DEB_BUILD_HARDENING_RELRO ?= 0
endif

# The remaining features have no per-architecture exclusions and are on
# everywhere unless the including rules file says otherwise.
DEB_BUILD_HARDENING_FORTIFY ?= 1
DEB_BUILD_HARDENING_FORMAT  ?= 1
DEB_BUILD_HARDENING_BINDNOW ?= 1
# Compiler and linker flags behind each feature switch. Simply expanded
# (:=): these are fixed strings and are never meant to be re-evaluated.

# --- CFLAGS -----------------------------------------------------------
_HARDENED_PIE_CFLAGS            := -fPIE
_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector-strong
# _FORTIFY_SOURCE does nothing below -O1; the optimisation level is the
# including rules file's business, not this file's, so it is not added here.
_HARDENED_FORTIFY_CFLAGS        := -D_FORTIFY_SOURCE=2
# Format-string problems are made a hard error (-Werror=format-security)
# rather than a warning that scrolls past in the build log.
_HARDENED_FORMAT_CFLAGS         := -Wformat -Wformat-security -Werror=format-security

# --- LDFLAGS ----------------------------------------------------------
_HARDENED_PIE_LDFLAGS           := -fPIE -pie
_HARDENED_RELRO_LDFLAGS         := -Wl,-z,relro
_HARDENED_BINDNOW_LDFLAGS       := -Wl,-z,now
# Spellings that count as "enabled" for DEB_BUILD_HARDENING and for every
# DEB_BUILD_HARDENING_* switch; anything else, including empty, is "off".
_hardening_true := yes 1 on true

# $(call _hardening_enabled,SWITCH,FLAGS) expands to FLAGS when both the
# master switch DEB_BUILD_HARDENING and SWITCH are enabled, else to nothing.
# Deliberately recursive (=): the switches are read when the result is
# expanded, not when this line is parsed.
_hardening_enabled = $(if $(and $(filter $(DEB_BUILD_HARDENING),$(_hardening_true)),$(filter $(1),$(_hardening_true))),$(2))

# Both variables stay recursively expanded ("?=", never ":="): that is what
# lets DEB_BUILD_HARDENING_* be set after the include and still take effect,
# as documented at the top of this file. The flip side of "?=" is that a
# HARDENING_CFLAGS/HARDENING_LDFLAGS already present in the environment is
# used unchanged and the switches are then ignored.
HARDENING_CFLAGS ?= \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_STACKPROTECTOR),$(_HARDENED_STACKPROTECTOR_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORTIFY),$(_HARDENED_FORTIFY_CFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORMAT),$(_HARDENED_FORMAT_CFLAGS))

HARDENING_LDFLAGS ?= \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_LDFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_RELRO),$(_HARDENED_RELRO_LDFLAGS)) \
  $(call _hardening_enabled,$(DEB_BUILD_HARDENING_BINDNOW),$(_HARDENED_BINDNOW_LDFLAGS))
# Per-target opt-outs. These let a maintainer switch one feature off for a
# single object or link step without turning it off for the whole build.
# They only work when placed AFTER $(CFLAGS)/$(LDFLAGS) on the command
# line, as in the example, since gcc and ld act on the last of two
# conflicting options. For example:
#   CFLAGS += $(HARDENING_CFLAGS)
#   monkey.o: monkey.c
#       $(CC) $(CFLAGS) $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) $< -o $@
HARDENING_DISABLE_STACKPROTECTOR_CFLAGS := -fno-stack-protector
# -U only removes a -D that came earlier on the command line.
HARDENING_DISABLE_FORTIFY_CFLAGS        := -U_FORTIFY_SOURCE
# Given after -Werror=format-security, this switches the check off again.
HARDENING_DISABLE_FORMAT_CFLAGS         := -Wno-format-security
HARDENING_DISABLE_RELRO_LDFLAGS         := -Wl,-z,norelro
HARDENING_DISABLE_BINDNOW_LDFLAGS       := -Wl,-z,lazy

# PIE has no single "off" switch in the GCC versions this file targets
# (there is no "-nopie"; newer GCC releases do accept -no-pie, but nothing
# here relies on it), so the PIE flags must instead be filtered out of
# CFLAGS and LDFLAGS for that target. For example:
#   monkey: monkey.c
#       $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
#             $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \
#             $< -o $@
#
# Shared libraries, and build frameworks (e.g. cmake) that pass "-fPIC" to
# everything, need "-fPIE" removed as well, or objects that must be PIC end
# up only PIE. The symptom is a link-time error such as:
#  relocation R_X86_64_PC32 against symbol `foo' can not be used when making a shared object; recompile with -fPIC
# Until gcc handles this itself, filter "-fPIE" out of CFLAGS; for one
# target:
#   monkey.o: monkey.c
#       $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \
#             $< -c -o $@
# When shared objects and executable objects are built from the same flags,
# "-fPIC" has to replace "-fPIE" outright, because gcc does not yet tell
# the two apart. For example:
#   export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
#   CFLAGS += $(HARDENING_CFLAGS_PIC) \
#             $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(HARDENING_CFLAGS))
#
# The filters are the exact flag strings this file emits, so they stay in
# step with _HARDENED_PIE_{C,LD}FLAGS above.
HARDENING_CFLAGS_PIC                 := -fPIC
HARDENING_DISABLE_PIE_CFLAGS_FILTER  := $(_HARDENED_PIE_CFLAGS)
HARDENING_DISABLE_PIE_LDFLAGS_FILTER := $(_HARDENED_PIE_LDFLAGS)