[libvirt] [PATCH dbus 5/5] Build all binaries with PIE

Daniel P. Berrange berrange at redhat.com
Fri Oct 27 13:31:43 UTC 2017


PIE (position independent executable) adds security to executables
by composing them entirely of position-independent code (PIC). The
.so libraries already build with -fPIC. This adds -fPIE which is
the equivalent of -fPIC, but for executables. This allows Exec
Shield to use address space layout randomization to prevent attackers
from knowing where existing executable code is during a security
attack using exploits that rely on knowing the offset of the
executable code in the binary, such as return-to-libc attacks.

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 configure.ac           |  1 +
 m4/virt-compile-pie.m4 | 35 +++++++++++++++++++++++++++++++++++
 src/Makefile.am        |  2 ++
 3 files changed, 38 insertions(+)
 create mode 100644 m4/virt-compile-pie.m4

diff --git a/configure.ac b/configure.ac
index b9ccf93..228ea11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,6 +38,7 @@ PKG_CHECK_MODULES(SYSTEMD, libsystemd >= $SYSTEMD_REQUIRED)
 
 LIBVIRT_COMPILE_WARNINGS
 LIBVIRT_LINKER_RELRO
+LIBVIRT_COMPILE_PIE
 
 AC_ARG_WITH(dbus-services,
 		  [AC_HELP_STRING([--with-dbus-services=<dir>],
diff --git a/m4/virt-compile-pie.m4 b/m4/virt-compile-pie.m4
new file mode 100644
index 0000000..a2df38e
--- /dev/null
+++ b/m4/virt-compile-pie.m4
@@ -0,0 +1,35 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_COMPILE_PIE],[
+    PIE_CFLAGS=
+    PIE_LDFLAGS=
+    case "$host" in
+      *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+         ;; dnl All code is position independent on Win32 target
+      *)
+      gl_COMPILER_OPTION_IF([-fPIE -DPIE -pie], [
+        PIE_CFLAGS="-fPIE -DPIE"
+        PIE_LDFLAGS="-pie"
+      ])
+    esac
+    AC_SUBST([PIE_CFLAGS])
+    AC_SUBST([PIE_LDFLAGS])
+])
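Review bot: When the compiler rejects `-fPIE -DPIE -pie`, `LIBVIRT_COMPILE_PIE` leaves `PIE_CFLAGS` and `PIE_LDFLAGS` empty and configure continues silently, so a build without this hardening can ship unnoticed. `gl_COMPILER_OPTION_IF` (as defined in gnulib's warnings.m4) accepts an if-not-supported argument after the if-supported one; passing `[AC_MSG_WARN([compiler does not support -fPIE/-pie; executables will not be position independent])]` there would make the fallback visible in the configure output. The macro also lacks a `dnl` line above `AC_DEFUN` stating that it substitutes `PIE_CFLAGS` and `PIE_LDFLAGS`, and that both stay empty on mingw/msvc/cygwin hosts or when the flags are unsupported.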
diff --git a/src/Makefile.am b/src/Makefile.am
index 8dd8ecd..5d4cb04 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -20,12 +20,14 @@ libvirt_dbus_CFLAGS = \
 	$(SYSTEMD_CFLAGS) \
 	$(LIBVIRT_CFLAGS) \
 	$(WARN_CFLAGS) \
+	$(PIE_CFLAGS) \
 	$(NULL)
 
 libvirt_dbus_LDFLAGS = \
 	$(SYSTEMD_LDFLAGS) \
 	$(LIBVIRT_LDFLAGS) \
 	$(RELRO_LDFLAGS) \
+	$(PID_LDFLAGS) \
 	$(NULL)
 
 libvirt_dbus_LDADD = \
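Review bot: `$(PID_LDFLAGS)` in the `libvirt_dbus_LDFLAGS` list looks like a typo for `$(PIE_LDFLAGS)`, the variable that m4/virt-compile-pie.m4 substitutes. An undefined make variable expands to nothing, so the build succeeds, but `-pie` never reaches the link line. Unless the toolchain defaults to PIE, the executable is then linked non-PIE even though its objects were compiled with `-fPIE`, and the ASLR benefit described in the commit message is lost for the main binary. The line should read `$(PIE_LDFLAGS) \`. Once fixed, `readelf -h` reporting type `DYN` for the built libvirt-dbus binary confirms the flag took effect. The `libvirt_dbus_CFLAGS` list begins above the hunk and `libvirt_dbus_LDADD` continues below it.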
-- 
2.13.6



