File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.2
Thu Mar 17 03:05:59 2016 UTC (6 years, 2 months ago) by khorben
Branches: MAIN
CVS tags: HEAD
Document some known issues with PKGSRC_MKPIE

[[!meta title="Hardening pkgsrc"]]

[pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
to improve the security of compiled binaries. They can be individually enabled
in `mk.conf`, and consist of:

* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
  Executables) when supported on the current platform. This option is necessary
  to fully leverage ASLR as a mitigation for security vulnerabilities.
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
  functions that do not regularly perform bounds checking, but could in some cases.
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
  vulnerabilities more difficult in some cases.
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
  platforms).

# Caveats

## Problems with `PKGSRC_MKPIE`

### No support for cwrappers

At the time of writing, `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).

### Packages failing to build

A number of packages may fail to build with this option enabled. The failures
are often related to the absence of the `-fPIC` compilation flag when building
libraries or executables (or ideally `-fPIE` in the latter case). This flag is
already added to `CFLAGS`, but the package has to actually support it.

#### How to fix

These instructions are meant as a reference only; they likely need to be adapted
for many packages individually.

For packages using `Makefiles`:

    MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
    MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}

For packages using `Imakefiles`:

    MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
    MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}
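
One way to confirm that the flags passed through `MAKE_FLAGS` took effect, as an added example that is not part of the original page or of pkgsrc: it reads a built ELF binary's headers and reports whether it is PIE and which level of RELRO it has. It assumes 64-bit little-endian ELF and treats `ET_DYN` with a `PT_INTERP` segment as PIE; the function names and the constructed sample images are illustrative.

```python
import struct
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 24, 30, 0x6FFFFFFB, 0x8, 0x1

def bind_now(data, off, size):
    """True if the dynamic section asks for immediate binding (needed for full RELRO)."""
    for pos in range(off, off + size, 16):          # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<QQ", data, pos)
        if tag == 0:                                # DT_NULL ends the table
            break
        if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
            return True
    return False

def check_hardening(data):
    """Report PIE and RELRO status of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type, e_phoff = struct.unpack_from("<H14xQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp = relro = now = False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        interp |= p_type == PT_INTERP
        relro |= p_type == PT_GNU_RELRO
        if p_type == PT_DYNAMIC:
            now = bind_now(data, p_off, p_filesz)
    # Assumption: ET_DYN with an interpreter is a PIE, ET_DYN without is a library.
    return {"pie": e_type == ET_DYN and interp,
            "relro": "full" if relro and now else "partial" if relro else "none"}

def make_elf(e_type, phdrs, dyn=()):
    """Build a constructed, headers-only ELF64 image to exercise the checker."""
    dyn_blob = b"".join(struct.pack("<QQ", t, v) for t, v in dyn) + bytes(16)
    dyn_off = 64 + 56 * len(phdrs)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0,
                              len(dyn_blob) if t == PT_DYNAMIC else 0, 0, 8) for t in phdrs)
    return hdr + ph + dyn_blob

# Constructed samples: hardened PIE, PIE with lazy binding, and a non-PIE build.
HARDENED = make_elf(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO], [(DT_FLAGS, DF_BIND_NOW)])
LAZY_PIE = make_elf(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO])
NON_PIE = make_elf(ET_EXEC, [PT_INTERP, PT_DYNAMIC])
for name, image in (("hardened", HARDENED), ("lazy-pie", LAZY_PIE), ("non-pie", NON_PIE)):
    print(name, check_hardening(image))
```

To check a real package binary, pass the file's bytes (`open(path, "rb").read()`) to `check_hardening`.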

### Run-time crashes

Some programs may fail to run, or crash at random times, once built as PIE. Two
scenarios are essentially possible:

* an actual bug in the program, exposed thanks to ASLR/mprotect;
* a bug in the implementation of ASLR/mprotect in the operating system.

