Security-harden macOS and Linux binaries #4770
Need to work out why BA3011 warnings have gone away though.
I can't get this one to work for unknown reasons, even locally in Ubuntu 24.04 under WSL. I'm no expert in this area so I don't think it's worth sinking any further time into. BinSkim has picked up at least one improvement here, but I don't think it checks all the flags that Copilot suggested were enabled. Thoughts on next steps?

@eftiquar, could you please advise here?

What would you like me to do about SafeStack?
C/C++ is outside my area of expertise, so I won't be going down the path of trying to do anything about the static linking.
Messing with linking will need thorough testing, I suggest we omit the flags, but leave a comment saying SafeStack is incompatible with static linking and this will be undertaken in future when we upgrade to dynamic linking.
Apply compiler flags/options for macOS and Linux builds to harden the security of the native libraries.
Attempt to fix compilation errors by adding additional guards before enabling FCF.
Require glibc 2.27+ for `_FORTIFY_SOURCE=2`.
- Remove unsupported options.
- Disable executable heap for Linux.
- Remove `-pie` as only relevant for executables.
- Remove ignored `noexecheap` option.
Enable SafeStack to resolve BinSkim BA3031 error.
Try removing the version guard as it seems most of the Linux agents have too old a version.
Signed-off-by: martincostello <martin@martincostello.com>
Already enabled on line 124.
Add entry for these changes.
Pull request overview
This PR applies security hardening compiler flags to macOS and Linux native library builds, following similar work done for Windows in PR #4768. The changes enhance the security posture of the native profiler libraries through various compiler and linker protections.
Changes:
- Added stack protection flags for buffer overflow detection
- Enabled Control Flow Integrity protections (CFI, BTI for ARM64)
- Applied Linux-specific hardening (_FORTIFY_SOURCE, RELRO, non-executable stack)
- Applied macOS-specific hardening (stack checking)
- Enabled position-independent code for static and shared libraries
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/OpenTelemetry.AutoInstrumentation.Native/CMakeLists.txt | Added compiler flags for stack protection, control flow integrity, and platform-specific security hardening; added linker options for ASLR and RELRO on Linux; enabled POSITION_INDEPENDENT_CODE properties |
| CHANGELOG.md | Added entry documenting the security hardening for macOS and Linux native libraries |
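A check a reviewer could run over the built Linux `.so` to confirm the linker-side hardening the overview lists (non-executable stack, RELRO, BIND_NOW for full RELRO, position-independent output), independent of what BinSkim reports. This is an added example, not code from the PR or the project; it parses the ELF64 headers directly, and `build_sample` constructs a minimal synthetic ELF purely so the checker can be exercised offline.

```python
import struct

# Constants from the ELF specification (64-bit, little-endian layout assumed below).
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_R, PF_W, PF_X = 4, 2, 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_DYN = 3

def elf_hardening(data: bytes) -> dict:
    """Report hardening properties of an ELF64 LE image (a shared object or executable)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # A missing PT_GNU_STACK is treated as executable-stack: the loader falls back to that.
    report = {"pic": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:          # emitted by -Wl,-z,relro
            report["relro"] = True
        elif p_type == PT_DYNAMIC:            # walk Elf64_Dyn entries for BIND_NOW (-Wl,-z,now)
            for j in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, j)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    report["bind_now"] = True
    report["full_relro"] = report["relro"] and report["bind_now"]
    return report

def build_sample(exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 shared object (not a real build) used only to test the checker."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 0))
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)        # dynamic section follows the program headers
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:        # e.g. the built OpenTelemetry native .so
        print(elf_hardening(f.read()))
```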
We can conclude this PR with the above mentioned note, this is about as much as we can fortify the binaries.
It's already been added - see lines 118-119 in the CMakeLists.txt file in the diff.
Why
Harden native C/C++ DLLs for macOS and Linux similar to work for Windows in #4768.
See #4768 (review).
Fixes #4769.
What
Apply compiler flags/options for macOS and Linux builds to harden the security of the native libraries.
Tests
Existing tests should pass.
Checklist
- CHANGELOG.md is updated.
- Documentation is updated.
- New features are covered by tests.