Add hardening flags to linux targets#1166
Open
jjhelmus wants to merge 3 commits into
Enable stack protection and immediate binding for all Linux builds. Enable source fortification for optimized glibc targets. closes #837
Enable stack-clash protection on aarch64 and x86-64 linux targets. Other architectures are cross-compiled and the toolchains may lack support for this functionality.
Extend validate-distribution to reject:

* non-PIE executables
* writable and executable load segments
* missing RELRO
* lazy symbol binding
* text relocations

Preserve the existing executable-stack validation and skip dynamic binding checks when validating static binaries.
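The properties listed above are all visible in the ELF program headers and the dynamic array, so they can be checked without section headers or a disassembler. The script below is an added, stand-alone Python illustration of such a check; it is not the project's validate-distribution implementation and makes no claim about how that tool is written. It handles little-endian ELF64 only, treats a missing `PT_GNU_STACK` header as an executable stack, and its choice of which checks to skip for static builds (binding mode and text relocations) is an assumption based on the wording of this PR. The two sample images are constructed in the block and are not loadable binaries; they exist only to exercise the checker.

```python
"""Minimal ELF64 hardening checker (added example, not the project's own code).
Inspects: PIE, W+X load segments, RELRO, lazy binding, text relocations,
executable stack. Little-endian ELF64 only; section headers are ignored."""
import struct
import sys

# Constants from the ELF specification / elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                 # Elf64_Dyn  (16 bytes, signed tag)


def check_hardening(data: bytes, static: bool = False) -> list:
    """Return the list of findings; an empty list means the image passes.
    static=True skips the dynamic-array checks (binding mode, text relocations);
    which checks apply to static builds is this example's assumption."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    eh = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = eh[1], eh[5], eh[9], eh[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    findings = []
    if e_type != ET_DYN:
        findings.append("not PIE (e_type is not ET_DYN)")
    has_relro, dynamic = False, None
    stack_exec = True  # absent PT_GNU_STACK: loaders historically default to an executable stack
    for p_type, p_flags, p_offset, _va, _pa, p_filesz, _ms, _al in phdrs:
        if p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            findings.append("writable and executable PT_LOAD segment")
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if stack_exec:
        findings.append("executable stack")
    if not has_relro:
        findings.append("missing RELRO (no PT_GNU_RELRO)")
    if static:
        return findings
    if dynamic is None:
        findings.append("no PT_DYNAMIC segment in a dynamically linked image")
        return findings

    # Walk the dynamic array up to DT_NULL, collecting the tags that matter here.
    flags = flags1 = 0
    bind_now = textrel = False
    off, end = dynamic[0], min(dynamic[0] + dynamic[1], len(data))
    while off + DYN.size <= end:
        tag, val = DYN.unpack_from(data, off)
        off += DYN.size
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS:
            flags |= val
        elif tag == DT_FLAGS_1:
            flags1 |= val
        elif tag == DT_BIND_NOW:
            bind_now = True
        elif tag == DT_TEXTREL:
            textrel = True
    if not (bind_now or flags & DF_BIND_NOW or flags1 & DF_1_NOW):
        findings.append("lazy symbol binding (no DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW)")
    if textrel or flags & DF_TEXTREL:
        findings.append("text relocations (DT_TEXTREL)")
    return findings


def build_elf(e_type, phdrs, dyn_entries):
    """Assemble a constructed, non-loadable ELF64 image (header, program
    headers, dynamic array) that is just enough to exercise the checker."""
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    dynoff = EHDR.size + PHDR.size * (len(phdrs) + 1)
    ph = list(phdrs) + [(PT_DYNAMIC, PF_R | PF_W, dynoff, dynoff, dynoff, len(dyn), len(dyn), 8)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, e_type, 0xB7, 1, 0x1000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(ph), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in ph) + dyn


# Constructed samples: one image with every property, one with none of them.
HARDENED = build_elf(ET_DYN, [
    (PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x1000, 0x2000, 0x2000, 0x100, 0x100, 0x1000),
    (PT_GNU_RELRO, PF_R, 0x1000, 0x2000, 0x2000, 0x100, 0x100, 1),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16),
], [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
WEAK = build_elf(ET_EXEC, [
    (PT_LOAD, PF_R | PF_W | PF_X, 0, 0x400000, 0x400000, 0x2000, 0x2000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0, 0, 0, 0, 16),
], [(DT_TEXTREL, 0)])

if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary [--static]
    with open(sys.argv[1], "rb") as f:
        problems = check_hardening(f.read(), static="--static" in sys.argv[2:])
    print("\n".join(problems) if problems else "all hardening checks passed")
    sys.exit(1 if problems else 0)
```

Run against a real interpreter binary the script exits non-zero and lists each failing property, which is the shape a release gate wants. Note that `HARDENED` passes only because it carries both `DF_BIND_NOW` and `DF_1_NOW`; a linker invoked with `-z now` typically sets the latter, and a check that looks at only one of the three binding indicators will produce false failures on otherwise correct binaries.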
jjhelmus (Contributor, Author):

This improves the hardening check results:

PBS 20260623 on aarch64 Linux

With these changes:

Stack clash protection is enabled but the binary lacks allocation that would exercise this protection so it cannot be detected.
jjhelmus (Contributor, Author):

Validation is failing with:

This is likely a false positive as the binary is PIE rather than PIC.
jjhelmus (Contributor, Author):

Before merging this I want to examine the performance difference these flags introduce. I will not be able to get to this until next week at the earliest.
`validate-distribution` command. Control-flow and branch protection flags are not included.

On x86-64, `-fcf-protection` requires modern kernels, glibc and hardware (CET). Additionally, native extensions can fail to load when they are built without CET (which most are not) if the interpreter includes these protections.

On aarch64, `-mbranch-protection` is of limited use unless all objects include the necessary markers. This includes the CRT and compiler runtimes which come from the base image which pre-dates these features.

closes #837