Return to hardening.mdwn CVS log

Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc

Also document PKGSRC_USE_SSP

    1: [[!meta title="Hardening pkgsrc"]]
    2: 
    3: [pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
    4: to improve the security of compiled binaries. They can be individually enabled
    5: in `mk.conf`, and consist of:
    6: 
    7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
    8:   Executables) when supported on the current platform. This option is necessary
    9:   to fully leverage ASLR as a mitigation for security vulnerabilities.
   10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
   11:   functions that do not bounds checking regularly - but could in some cases.
   12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
   13:   vulnerabilities more difficult in some cases.
   14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
   15:   platforms)
   16: 
   17: # Caveats
   18: 
   19: ## Problems with `PKGSRC_MKPIE`
   20: 
   21: ### No support for cwrappers
   22: 
   23: As of the time of this article `PKGSRC_MKPIE` is not supported by
   24: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
   25: 
   26: ### Packages failing to build
   27: 
   28: A number of packages may fail to build with this option enabled. The failures
   29: are often related to the absence of the "-fPIC" compilation flag when building
   30: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
   31: added to the `CFLAGS` already, but requires the package to actually support it.
   32: 
   33: #### How to fix
   34: 
   35: These instructions are meant as a reference only; they likely need to be adapted
   36: for many packages individually.
   37: 
   38: For packages using `Makefiles`:
   39: 
   40:     MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
   41:     MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}
   42: 
   43: For packages using `Imakefiles`:
   44: 
   45:     MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
   46:     MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}
   47: 
   48: ### Run-time crashes
   49: 
   50: Some programs may fail to run, or crash at random times once built as PIE. Two
   51: scenarios are essentially possible:
   52: 
   53: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
   54: * bug in the implementation of ASLR/mprotect in the Operating System.
   55: 
   56: ## Problems with `PKGSRC_USE_SSP`
   57: 
   58: ### Packages failing to build
   59: 
   60: The stack-smashing protection provided by this option does not work for some
   61: programs. The two most common situations in which this happens are:
   62: 
   63: * the program makes use of the `alloca(3)` library call (memory allocator on the
   64:   stack)
   65: * the program allocates variables on the stack, with the size determined at
   66:   run-time.
   67: 
   68: Both cases will require a modification to the program, or disabling this feature
   69: for part or all of the build.
   70: 
   71: ### Run-time crashes
   72: 
   73: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
   74: crash, usually indicating an actual bug in the program. The fix will typically
   75: involve patching the original program.
   76: