Add --enable-security-hardening support. (#4)

2021-12-15 15:35:23 +08:00 · 2021-12-15 15:35:23 +08:00 · 98db8a16b7
--- a/build/Makefile.gcc3
+++ b/build/Makefile.gcc3
@ -12,6 +12,10 @@
 # Define flags. (These will be submitted to all commands that use the preprocesor)
 DEFINES=-DPF_DISTRO_$(PF_DISTRO) -DPF_MAJOR=$(PF_MAJOR) -DOS_MINOR=$(PF_MINOR) -D$(ARCH) -DPF_WIDTH=$(PF_WIDTH)

+ifeq ($(ENABLE_SCX_SECURITY_HARDENING), 1)
+	DEFINES +=  -z noexecstack -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security -pie -D_FORTIFY_SOURCE=2
+endif
+
 ifeq ($(TRAVIS_CI), 1)
 	DEFINES += -DTRAVIS
 endif
@ -88,8 +92,9 @@ else
 	DEFINES += -DNDEBUG
 endif 

-# CXX Debug flags for release builds
+#  C and CXX Debug flags for release builds
 ifeq ($(BUILD_TYPE),Release)
+	CFLAGS += -Os
 	CXXFLAGS += -Os -fno-enforce-eh-specs
 endif 

--- a/build/Makefile.kits
+++ b/build/Makefile.kits
@ -18,6 +18,12 @@ PACKAGE_FILENAME=package_filename
 STRIPPED=stripped
 IS_OPENSSL_100=$(shell openssl version | grep 1.0 | wc -l)

+ifeq ($(ENABLE_SCX_SECURITY_HARDENING),1)
+     SECURITY_FLAG=.s
+else
+     SECURITY_FLAG=
+endif
+
 ifeq ($(PF_ARCH),x64)
    IS_OPENSSL_110=$(shell openssl version | grep 1.1 | wc -l)
 endif
@ -76,7 +82,7 @@ else
    endif
  endif

-  OUTPUT_PACKAGE_PREFIX=$(SCX_PREFIX)-$(SCX_BUILDVERSION_MAJOR).$(SCX_BUILDVERSION_MINOR).$(SCX_BUILDVERSION_PATCH)-$(SCX_BUILDVERSION_BUILDNR).universal.$(PF_ARCH)
+  OUTPUT_PACKAGE_PREFIX=$(SCX_PREFIX)-$(SCX_BUILDVERSION_MAJOR).$(SCX_BUILDVERSION_MINOR).$(SCX_BUILDVERSION_PATCH)-$(SCX_BUILDVERSION_BUILDNR).universal$(SECURITY_FLAG).$(PF_ARCH)
  OUTPUT_PACKAGE_SPECIFICATION_FIRST=--OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX)
  OUTPUT_PACKAGE_SPECIFICATION_SECOND=--OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX)
 endif
@ -486,15 +492,15 @@ ifneq ($(COMBINED_PACKAGES),1)
    ifneq ($(PF_ARCH),ppc)
 	# Copy omi kit depending on openssl version
      ifeq ($(IS_OPENSSL_110),1)
-	cp `find $(OMIKITS_DIR) -name omi-*ssl_110.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/
+	cp `find $(OMIKITS_DIR) -name omi-*ssl_110.ulinux$(SECURITY_FLAG).$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/
      else
        ifeq ($(IS_OPENSSL_100),1)
-	  cp `find $(OMIKITS_DIR) -name omi-*ssl_100.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/
+	  cp `find $(OMIKITS_DIR) -name omi-*ssl_100.ulinux$(SECURITY_FLAG).$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/
        endif
      endif
    endif
  endif
-	cd $(INTERMEDIATE_DIR); echo `ls omi-*.$(PACKAGE_SUFFIX)` > omi_package_filename
+	cd $(INTERMEDIATE_DIR); echo `ls omi-*.ulinux$(SECURITY_FLAG)*.$(PACKAGE_SUFFIX)` > omi_package_filename

  # Handle Redhat on PPC
  ifeq ($(PF_ARCH),ppc)
@ -530,9 +536,9 @@ else # ifneq ($(COMBINED_PACKAGES),1)
 	# (Copying for combined packages)
        ifeq ($(DISABLE_LISTENER),0)
 	  # Grab the OMI bits
-	  cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_100*$(PF_ARCH).{rpm,deb} 100
+	  cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_100*$(SECURITY_FLAG).$(PF_ARCH).{rpm,deb} 100
          ifeq ($(PF_ARCH),x64)
-	     cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_110*$(PF_ARCH).{rpm,deb} 110
+	     cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_110*$(SECURITY_FLAG).$(PF_ARCH).{rpm,deb} 110
          endif

          # Remove ssl_098, ssl_100 and ssl_110 from omi filename
--- a/build/configure
+++ b/build/configure
@ -9,7 +9,7 @@ enable_purify_agent=""
 enable_purify_server=""
 enable_bullseye=""
 combined_packages=0
-
+enable_scx_security_hardening=0
 enable_ulinux_qual=""
 omi_configure_quals="--enable-microsoft"

@ -31,7 +31,7 @@ perform_ulinux_build()
    fi

    enable_ulinux_qual="--enable-ulinux"
-    omi_configure_quals="$omi_configure_quals $enable_ulinux_qual"
+    omi_configure_quals="$omi_configure_quals $enable_ulinux_qual $enable_security_hardening"
    combined_packages=1
 }

@ -81,6 +81,11 @@ do
      enable_purify_server="--enable-purify-server"
      ;;

+    --enable-security-hardening)
+      enable_security_hardening="--enable-security-hardening"
+      enable_scx_security_hardening=1
+      ;;
+
    --enable-system-build)
      if [ `uname -s` = "Linux" -a `uname -m` != "ppc64le" ]; then
          perform_ulinux_build
@ -122,6 +127,7 @@ OPTIONS:
    --enable-local-omi          Allow local OMI commands to be issued (not for use when building a kit)
    --enable-purify-agent       Allow agent to be run with purify (memory leak detection)
    --enable-purify-server      Allow server to be run with purify (memory leak detection)
+    --enable-security-hardening Enable security flags for compiling.
    --enable-system-build       Enable qualifiers necessary for a system build
    --enable-ulinux             Build universal RPM/DEB kits

@ -129,9 +135,9 @@ EOF
    exit 0
 fi

-(cd $scxpal_dir/build/ && chmod ug+x ./configure; ./configure $enable_debug $enable_bullseye $enable_ulinux_qual)
+(cd $scxpal_dir/build/ && chmod ug+x ./configure; ./configure $enable_debug $enable_bullseye $enable_ulinux_qual $enable_security_hardening)

-omi_configure_quals="${enable_debug} ${enable_purify_agent} ${enable_purify_server} ${omi_configure_quals}"
+omi_configure_quals="${enable_debug} ${enable_purify_agent} ${enable_purify_server} ${omi_configure_quals} ${enable_security_hardening}"

 ##==============================================================================
 ##
@ -220,7 +226,7 @@ OPENSSL100_LIBDIR=$openssl100_libdir
 OPENSSL110_CFLAGS=$openssl110_cflags
 OPENSSL110_LIBS=$openssl110_libs
 OPENSSL110_LIBDIR=$openssl110_libdir
-
+ENABLE_SCX_SECURITY_HARDENING=$enable_scx_security_hardening
 TRAVIS_CI=$travis_ci
 EOF