authorJoshua Lock <joshua.g.lock@intel.com>2016-08-15 09:43:12 +0100
committerJoshua Lock <joshua.g.lock@intel.com>2016-08-19 16:24:32 +0100
commitc22c65ac4ea0ab842e6807c2876d1c8b85de035f (patch)
treec505ef44923b8f2943a7e3e9f32ea050d579e6a3
parentd7af57b9c8284eaa96fa6c0a560c0047b03fb911 (diff)
downloadopenembedded-core-contrib-c22c65ac4ea0ab842e6807c2876d1c8b85de035f.tar.gz
security_flags: link position independent executables
Link non-shared objects with the -pie option to enable the kernel to make use of Address Space Layout Randomisation (ASLR) and harden against Return Oriented Programming (ROP) attacks. As this linker option isn't compatible with the -fPIC option used to build shared libraries, any recipe which produces shared objects should have an override setting SHARED_OBJECTS to 1 to disable the addition of -pie to the linker flags.

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
-rw-r--r--meta/conf/distro/include/security_flags.inc314
1 files changed, 311 insertions, 3 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 691cea1156..698f4c25ad 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -9,14 +9,19 @@
# -O0 which then results in a compiler warning.
lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
+# shared libraries are already position independent and shouldn't be linked with
+# the -pie option. Override SHARED_OBJECTS (which defaults to 0) to 1 to prevent
+# linking with -pie
+pie_ld = "${@base_conditional('SHARED_OBJECTS','1','',',-pie',d)}"
+
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
SECURITY_CFLAGS ?= "-fstack-protector-strong --param ssp-buffer-size=4 -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong --param ssp-buffer-size=4 ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
-SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
-SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now${pie_ld}"
+SECURITY_X_LDFLAGS ?= "-Wl,-z,relro${pie_ld}"
# powerpc does not get on with pie for reasons not looked into as yet
SECURITY_CFLAGS_powerpc = "-fstack-protector-strong ${lcl_maybe_fortify}"
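Review bot: The new `${pie_ld}` suffix on SECURITY_LDFLAGS and SECURITY_X_LDFLAGS applies to every architecture, but the context line just below still strips -pie/-fpie from SECURITY_CFLAGS_powerpc because "powerpc does not get on with pie". Unless a powerpc LDFLAGS override exists outside this hunk, powerpc builds would now link non-PIE objects with -pie; a matching `SECURITY_LDFLAGS_powerpc = "-Wl,-z,relro,-z,now"` (and the X variant) would keep the two sides consistent. Also note that `,-pie` is spliced into the `-Wl,` list, so it goes straight to ld and the compiler driver only learns about PIE at link time if the build system also passes CFLAGS when linking; the comment above `pie_ld` should say that this relies on `-pie -fpie` in SECURITY_CFLAGS.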
@@ -65,10 +70,14 @@ SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libpcap = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libproxy = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-lttng-ust = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libusb1 = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libusb-compat = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-mesa = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-openssl = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-opensp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-ppp = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-ptest-runner = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-python = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-python-pycurl = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-python-smartpm = "${SECURITY_NO_PIE_CFLAGS}"
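Review bot: The recipes added to the SECURITY_NO_PIE_CFLAGS list here (lttng-ust, libusb1, libusb-compat, ptest-runner) are only safe because each also gets a `SHARED_OBJECTS_pn-… = "1"` entry in the last hunk; without it, objects compiled without -fpie would be linked with -pie. Nothing in the file records that coupling, so a later no-PIE addition can easily miss the second list. I would add a comment above this block such as `# Every recipe using SECURITY_NO_PIE_CFLAGS must also set SHARED_OBJECTS_pn-<recipe> = "1"`. ptest-runner looks like a plain executable rather than a library, so SHARED_OBJECTS is in practice acting as a general "no -pie" switch, and the comment on `pie_ld` should say so.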
@@ -78,8 +87,8 @@ SECURITY_CFLAGS_pn-python3-pycairo = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-python3 = "${SECURITY_NO_PIE_CFLAGS}"
# Revert RPM to using internally supported values
SECURITY_CFLAGS_pn-rpm = "${lcl_maybe_fortify} -fstack-protector"
-SECURITY_CFLAGS_pn-syslinux = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-slang = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-syslinux = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-tcl = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-tiff = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-uclibc = ""
@@ -100,6 +109,305 @@ SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+SHARED_OBJECTS ?= "0"
+SHARED_OBJECTS_pn-acl = "1"
+SHARED_OBJECTS_pn-alsa-lib = "1"
+SHARED_OBJECTS_pn-alsa-tools = "1"
+SHARED_OBJECTS_pn-apmd = "1"
+SHARED_OBJECTS_pn-apr = "1"
+SHARED_OBJECTS_pn-apr-util = "1"
+SHARED_OBJECTS_pn-apt = "1"
+SHARED_OBJECTS_pn-aspell = "1"
+SHARED_OBJECTS_pn-at = "1"
+SHARED_OBJECTS_pn-at-spi2-core = "1"
+SHARED_OBJECTS_pn-atk = "1"
+SHARED_OBJECTS_pn-attr = "1"
+SHARED_OBJECTS_pn-avahi = "1"
+SHARED_OBJECTS_pn-avahi-ui = "1"
+SHARED_OBJECTS_pn-lttng-tools_arm = "1"
+SHARED_OBJECTS_pn-base-passwd = "1"
+SHARED_OBJECTS_pb-bdwgc = "1"
+SHARED_OBJECTS_pn-beecrypt = "1"
+SHARED_OBJECTS_pn-binutils = "1"
+SHARED_OBJECTS_pn-blktrace = "1"
+SHARED_OBJECTS_pn-bzip2 = "1"
+SHARED_OBJECTS_pn-cairo = "1"
+SHARED_OBJECTS_pn-chkconfig = "1"
+SHARED_OBJECTS_pn-clutter-1.0 = "1"
+SHARED_OBJECTS_pn-clutter-gtk-1.0 = "1"
+SHARED_OBJECTS_pn-clutter-gst-3.0 = "1"
+SHARED_OBJECTS_pn-cogl-1.0 = "1"
+SHARED_OBJECTS_pn-consolekit = "1"
+SHARED_OBJECTS_pn-coreutils = "1"
+SHARED_OBJECTS_pn-cracklib = "1"
+SHARED_OBJECTS_pn-cups = "1"
+SHARED_OBJECTS_pn-curl = "1"
+SHARED_OBJECTS_pn-db = "1"
+SHARED_OBJECTS_pn-dbus = "1"
+SHARED_OBJECTS_pn-dbus-glib = "1"
+SHARED_OBJECTS_pn-dbus-test = "1"
+SHARED_OBJECTS_pn-diffstat = "1"
+SHARED_OBJECTS_pn-directfb = "1"
+SHARED_OBJECTS_pn-dropbear = "1"
+SHARED_OBJECTS_pn-e2fsprogs = "1"
+SHARED_OBJECTS_pn-ed = "1"
+SHARED_OBJECTS_pn-eglinfo-fb = "1"
+SHARED_OBJECTS_pn-eglinfo-x11 = "1"
+SHARED_OBJECTS_pn-elfutils = "1"
+SHARED_OBJECTS_pn-enchant = "1"
+SHARED_OBJECTS_pn-expat = "1"
+SHARED_OBJECTS_pn-expect = "1"
+SHARED_OBJECTS_pn-file = "1"
+SHARED_OBJECTS_pn-flac = "1"
+SHARED_OBJECTS_pn-flex = "1"
+SHARED_OBJECTS_pn-fontconfig = "1"
+SHARED_OBJECTS_pn-freetype = "1"
+SHARED_OBJECTS_pn-gcc = "1"
+SHARED_OBJECTS_pn-gcc-runtime = "1"
+SHARED_OBJECTS_pn-gcc-sanitizers = "1"
+SHARED_OBJECTS_pn-gconf = "1"
+SHARED_OBJECTS_pn-gcr = "1"
+SHARED_OBJECTS_pn-gdb = "1"
+SHARED_OBJECTS_pn-gdbm = "1"
+SHARED_OBJECTS_pn-gdk-pixbuf = "1"
+SHARED_OBJECTS_pn-gettext = "1"
+SHARED_OBJECTS_pn-ghostscript = "1"
+SHARED_OBJECTS_pn-glew = "1"
+SHARED_OBJECTS_pn-glib-2.0 = "1"
+SHARED_OBJECTS_pn-glibc = "1"
+SHARED_OBJECTS_pn-glibc-initial = "1"
+SHARED_OBJECTS_pn-gmp = "1"
+SHARED_OBJECTS_pn-gnome-desktop3 = "1"
+SHARED_OBJECTS_pn-gnome-desktop-testing = "1"
+SHARED_OBJECTS_pn-gpgme = "1"
+SHARED_OBJECTS_pn-gnutls = "1"
+SHARED_OBJECTS_pn-gst-plugins-bad = "1"
+SHARED_OBJECTS_pn-gst-plugins-gl = "1"
+SHARED_OBJECTS_pn-gstreamer1.0 = "1"
+SHARED_OBJECTS_pn-gstreamer1.0-plugins-bad = "1"
+SHARED_OBJECTS_pn-gstreamer1.0-plugins-base = "1"
+SHARED_OBJECTS_pn-gstreamer1.0-plugins-good = "1"
+SHARED_OBJECTS_pn-gstreamer1.0-rtsp-server = "1"
+SHARED_OBJECTS_pn-gtk+ = "1"
+SHARED_OBJECTS_pn-gtk+3 = "1"
+SHARED_OBJECTS_pn-harfbuzz = "1"
+SHARED_OBJECTS_pn-hdparm = "1"
+SHARED_OBJECTS_pn-iproute2 = "1"
+SHARED_OBJECTS_pn-iputils = "1"
+SHARED_OBJECTS_pn-iw = "1"
+SHARED_OBJECTS_pn-json-glib = "1"
+SHARED_OBJECTS_pn-kernelshark = "1"
+SHARED_OBJECTS_pn-kexec-tools = "1"
+SHARED_OBJECTS_pn-kmod = "1"
+SHARED_OBJECTS_pn-icu = "1"
+SHARED_OBJECTS_pn-iptables = "1"
+SHARED_OBJECTS_pn-jpeg = "1"
+SHARED_OBJECTS_pn-json-c = "1"
+SHARED_OBJECTS_pn-less = "1"
+SHARED_OBJECTS_pn-liba52 = "1"
+SHARED_OBJECTS_pn-libacpi = "1"
+SHARED_OBJECTS_pn-libaio = "1"
+SHARED_OBJECTS_pn-libarchive = "1"
+SHARED_OBJECTS_pn-libart-lgpl = "1"
+SHARED_OBJECTS_pn-libassuan = "1"
+SHARED_OBJECTS_pn-libcap = "1"
+SHARED_OBJECTS_pn-libcap-ng = "1"
+SHARED_OBJECTS_pn-libcgroup = "1"
+SHARED_OBJECTS_pn-libcheck = "1"
+SHARED_OBJECTS_pn-libcroco = "1"
+SHARED_OBJECTS_pn-libdaemon = "1"
+SHARED_OBJECTS_pn-libdmx = "1"
+SHARED_OBJECTS_pn-libdrm = "1"
+SHARED_OBJECTS_pn-libepoxy = "1"
+SHARED_OBJECTS_pn-libevdev = "1"
+SHARED_OBJECTS_pn-libevent = "1"
+SHARED_OBJECTS_pn-libexif = "1"
+SHARED_OBJECTS_pn-libfakekey = "1"
+SHARED_OBJECTS_pn-libffi = "1"
+SHARED_OBJECTS_pn-libfm = "1"
+SHARED_OBJECTS_pn-libfm-extra = "1"
+SHARED_OBJECTS_pn-libfontenc = "1"
+SHARED_OBJECTS_pn-libgcc = "1"
+SHARED_OBJECTS_pn-libgcrypt = "1"
+SHARED_OBJECTS_pn-libgpg-error= "1"
+SHARED_OBJECTS_pn-libglade = "1"
+SHARED_OBJECTS_pn-libglu = "1"
+SHARED_OBJECTS_pn-libgudev = "1"
+SHARED_OBJECTS_pn-libical = "1"
+SHARED_OBJECTS_pn-libice = "1"
+SHARED_OBJECTS_pn-libiconv = "1"
+SHARED_OBJECTS_pn-libid3tag = "1"
+SHARED_OBJECTS_pn-libidn = "1"
+SHARED_OBJECTS_pn-libinput = "1"
+SHARED_OBJECTS_pn-libjpeg-turbo = "1"
+SHARED_OBJECTS_pn-libksba = "1"
+SHARED_OBJECTS_pn-libmatchbox = "1"
+SHARED_OBJECTS_pn-libmc = "1"
+SHARED_OBJECTS_pn-libmpc = "1"
+SHARED_OBJECTS_pn-libnewt = "1"
+SHARED_OBJECTS_pn-libnewt-python = "1"
+SHARED_OBJECTS_pn-libnfsidmap = "1"
+SHARED_OBJECTS_pn-libnotify = "1"
+SHARED_OBJECTS_pn-libnl = "1"
+SHARED_OBJECTS_pn-libogg = "1"
+SHARED_OBJECTS_pn-libpam = "1"
+SHARED_OBJECTS_pn-libpcap = "1"
+SHARED_OBJECTS_pn-libpciaccess = "1"
+SHARED_OBJECTS_pn-libpcre = "1"
+SHARED_OBJECTS_pn-libpng = "1"
+SHARED_OBJECTS_pn-libproxy = "1"
+SHARED_OBJECTS_pn-librsvg = "1"
+SHARED_OBJECTS_pn-libsamplerate0 = "1"
+SHARED_OBJECTS_pn-libsecret = "1"
+SHARED_OBJECTS_pn-libsm = "1"
+SHARED_OBJECTS_pn-libsndfile1 = "1"
+SHARED_OBJECTS_pn-libsolv = "1"
+SHARED_OBJECTS_pn-libsoup-2.4 = "1"
+SHARED_OBJECTS_pn-libtasn1 = "1"
+SHARED_OBJECTS_pn-libtirpc = "1"
+SHARED_OBJECTS_pn-libtool = "1"
+SHARED_OBJECTS_pn-libunistring = "1"
+SHARED_OBJECTS_pn-libunwind = "1"
+SHARED_OBJECTS_pn-liburcu = "1"
+SHARED_OBJECTS_pn-libusb1 = "1"
+SHARED_OBJECTS_pn-libusb-compat = "1"
+SHARED_OBJECTS_pn-libuser = "1"
+SHARED_OBJECTS_pn-libvorbis = "1"
+SHARED_OBJECTS_pn-libwebp = "1"
+SHARED_OBJECTS_pn-libwnck3 = "1"
+SHARED_OBJECTS_pn-libx11 = "1"
+SHARED_OBJECTS_pn-libx11-diet = "1"
+SHARED_OBJECTS_pn-libxau = "1"
+SHARED_OBJECTS_pn-libxcalibrate = "1"
+SHARED_OBJECTS_pn-libxcb = "1"
+SHARED_OBJECTS_pn-libxcomposite = "1"
+SHARED_OBJECTS_pn-libxcursor = "1"
+SHARED_OBJECTS_pn-libxdamage = "1"
+SHARED_OBJECTS_pn-libxdmcp = "1"
+SHARED_OBJECTS_pn-libxext = "1"
+SHARED_OBJECTS_pn-libxfixes = "1"
+SHARED_OBJECTS_pn-libxfont = "1"
+SHARED_OBJECTS_pn-libxft = "1"
+SHARED_OBJECTS_pn-libxi = "1"
+SHARED_OBJECTS_pn-libxinerama = "1"
+SHARED_OBJECTS_pn-libxkbcommon = "1"
+SHARED_OBJECTS_pn-libxkbfile = "1"
+SHARED_OBJECTS_pn-libxml2 = "1"
+SHARED_OBJECTS_pn-libxmu = "1"
+SHARED_OBJECTS_pn-libxpm = "1"
+SHARED_OBJECTS_pn-libxrandr = "1"
+SHARED_OBJECTS_pn-libxrender = "1"
+SHARED_OBJECTS_pn-libxres = "1"
+SHARED_OBJECTS_pn-libxscrnsaver = "1"
+SHARED_OBJECTS_pn-libxshmfence = "1"
+SHARED_OBJECTS_pn-libxslt = "1"
+SHARED_OBJECTS_pn-libxt = "1"
+SHARED_OBJECTS_pn-libxtst = "1"
+SHARED_OBJECTS_pn-libxv = "1"
+SHARED_OBJECTS_pn-libxvmc = "1"
+SHARED_OBJECTS_pn-libxxf86dga = "1"
+SHARED_OBJECTS_pn-libxxf86misc = "1"
+SHARED_OBJECTS_pn-libxxf86vm = "1"
+SHARED_OBJECTS_pn-libyaml = "1"
+SHARED_OBJECTS_pn-lighttpd = "1"
+SHARED_OBJECTS_pn-logrotate = "1"
+SHARED_OBJECTS_pn-lsof = "1"
+SHARED_OBJECTS_pn-lttng-tools = "1"
+SHARED_OBJECTS_pn-lttng-ust = "1"
+SHARED_OBJECTS_pn-ltp = "1"
+SHARED_OBJECTS_pn-lzo = "1"
+SHARED_OBJECTS_pn-mailx = "1"
+SHARED_OBJECTS_pn-man = "1"
+SHARED_OBJECTS_pn-matchbox-panel-2 = "1"
+SHARED_OBJECTS_pn-menu-cache = "1"
+SHARED_OBJECTS_pn-mesa = "1"
+SHARED_OBJECTS_pn-mesa-gl = "1"
+SHARED_OBJECTS_pn-mpfr = "1"
+SHARED_OBJECTS_pn-mktemp = "1"
+SHARED_OBJECTS_pn-mtdev = "1"
+SHARED_OBJECTS_pn-musl = "1"
+SHARED_OBJECTS_pn-mx-1.0 = "1"
+SHARED_OBJECTS_pn-ncurses = "1"
+SHARED_OBJECTS_pn-neon = "1"
+SHARED_OBJECTS_pn-net-tools = "1"
+SHARED_OBJECTS_pn-nettle = "1"
+SHARED_OBJECTS_pn-npth = "1"
+SHARED_OBJECTS_pn-nspr = "1"
+SHARED_OBJECTS_pn-nss = "1"
+SHARED_OBJECTS_pn-openssl = "1"
+SHARED_OBJECTS_pn-opensp = "1"
+SHARED_OBJECTS_pn-opkg = "1"
+SHARED_OBJECTS_pn-orc = "1"
+SHARED_OBJECTS_pn-ossp-uuid = "1"
+SHARED_OBJECTS_pn-p11-kit = "1"
+SHARED_OBJECTS_pn-pango = "1"
+SHARED_OBJECTS_pn-parted = "1"
+SHARED_OBJECTS_pn-pciutils = "1"
+SHARED_OBJECTS_pn-perl = "1"
+SHARED_OBJECTS_pn-pixman = "1"
+SHARED_OBJECTS_pn-piglit = "1"
+SHARED_OBJECTS_pn-pigz = "1"
+SHARED_OBJECTS_pn-popt = "1"
+SHARED_OBJECTS_pn-ppp = "1"
+SHARED_OBJECTS_pn-procps = "1"
+SHARED_OBJECTS_pn-ptest-runner = "1"
+SHARED_OBJECTS_pn-pulseaudio = "1"
+SHARED_OBJECTS_pn-python = "1"
+SHARED_OBJECTS_pn-python-pycurl = "1"
+SHARED_OBJECTS_pn-python-smartpm = "1"
+SHARED_OBJECTS_pn-python-numpy = "1"
+SHARED_OBJECTS_pn-python3-numpy = "1"
+SHARED_OBJECTS_pn-python3-pycairo = "1"
+SHARED_OBJECTS_pn-python3 = "1"
+SHARED_OBJECTS_pn-readline = "1"
+SHARED_OBJECTS_pn-rpm = "1"
+SHARED_OBJECTS_pn-sbc = "1"
+SHARED_OBJECTS_pn-screen = "1"
+SHARED_OBJECTS_pn-serf = "1"
+SHARED_OBJECTS_pn-slang = "1"
+SHARED_OBJECTS_pn-speex = "1"
+SHARED_OBJECTS_pn-speexdsp = "1"
+SHARED_OBJECTS_pn-sqlite3 = "1"
+SHARED_OBJECTS_pn-startup-notification = "1"
+SHARED_OBJECTS_pn-subversion = "1"
+SHARED_OBJECTS_pn-sudo = "1"
+SHARED_OBJECTS_pn-sysfsutils = "1"
+SHARED_OBJECTS_pn-sysklogd = "1"
+SHARED_OBJECTS_pn-syslinux = "1"
+SHARED_OBJECTS_pn-sysprof = "1"
+SHARED_OBJECTS_pn-systemd = "1"
+SHARED_OBJECTS_pn-tcl = "1"
+SHARED_OBJECTS_pn-tcp-wrappers = "1"
+SHARED_OBJECTS_pn-tiff = "1"
+SHARED_OBJECTS_pn-trace-cmd = "1"
+SHARED_OBJECTS_pn-tslib = "1"
+SHARED_OBJECTS_pn-uclibc = "1"
+SHARED_OBJECTS_pn-uclibc-initial = "1"
+SHARED_OBJECTS_pn-unzip = "1"
+SHARED_OBJECTS_pn-util-linux = "1"
+SHARED_OBJECTS_pn-v86d = "1"
+SHARED_OBJECTS_pn-vala = "1"
+SHARED_OBJECTS_pn-vte = "1"
+SHARED_OBJECTS_pn-waffle = "1"
+SHARED_OBJECTS_pn-wayland = "1"
+SHARED_OBJECTS_pn-webkitgtk = "1"
+SHARED_OBJECTS_pn-wpa-supplicant = "1"
+SHARED_OBJECTS_pn-xcb-util = "1"
+SHARED_OBJECTS_pn-xcb-util-image = "1"
+SHARED_OBJECTS_pn-xcb-util-keysyms = "1"
+SHARED_OBJECTS_pn-xcb-util-renderutil = "1"
+SHARED_OBJECTS_pn-xcb-util-wm= "1"
+SHARED_OBJECTS_pn-xz = "1"
+SHARED_OBJECTS_pn-zip = "1"
+SHARED_OBJECTS_pn-zlib = "1"
+
+SECURITY_LDFLAGS_pn-grub = ""
+SECURITY_LDFLAGS_pn-grub-efi = ""
+SECURITY_LDFLAGS_pn-grub-efi-native = ""
+SECURITY_LDFLAGS_pn-grub-efi-x86-native = ""
+SECURITY_LDFLAGS_pn-grub-efi-i586-native = ""
+SECURITY_LDFLAGS_pn-grub-efi-x86-64-native = ""
+SECURITY_LDFLAGS_pn-valgrind = ""
SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
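Review bot: `SHARED_OBJECTS_pb-bdwgc = "1"` uses the prefix `pb-` instead of `pn-`, so the override never matches the bdwgc recipe and its libraries are still linked with `-pie`; it should read `SHARED_OBJECTS_pn-bdwgc = "1"`. `SHARED_OBJECTS_pn-libgpg-error= "1"` and `SHARED_OBJECTS_pn-xcb-util-wm= "1"` are missing the space before `=` that every other entry has. The xf86-video-* context lines at the end of the hunk use SECURITY_X_LDFLAGS, which now also carries `${pie_ld}`, and none of those driver recipes appears in the SHARED_OBJECTS list; X video drivers are normally loadable modules, so they probably need entries too. The empty `SECURITY_LDFLAGS_pn-grub*` and `SECURITY_LDFLAGS_pn-valgrind` assignments drop relro and now along with -pie, which deserves a one-line comment giving the reason.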