[armoring feature] apply the system hardening options. 74/176674/1 accepted/tizen/unified/20180424.082559 submit/tizen/20180424.010339
authorNiraj Kumar Goit <niraj.g@samsung.com>
Fri, 20 Apr 2018 14:46:44 +0000 (20:16 +0530)
committerNiraj Kumar Goit <niraj.g@samsung.com>
Fri, 20 Apr 2018 14:46:44 +0000 (20:16 +0530)
Change-Id: I63ab68c57a304e686b6468cedc0d2b6be0978ef2
Signed-off-by: Niraj Kumar Goit <niraj.g@samsung.com>
Makefile
misc/ifstat.c
misc/lnstat_util.c
misc/nstat.c
misc/ss.c
packaging/iproute2.spec

index 680a5c8..557e973 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -36,8 +36,8 @@ WFLAGS += -Wmissing-declarations -Wold-style-definition
 CFLAGS = $(WFLAGS) $(CCOPTS) -I../include $(DEFINES)
 YACCFLAGS = -d -t -v
 
-CFLAGS += -fPIE
-LDFLAGS += -pie
+CFLAGS += -fstack-protector-strong -Wl,-z,relro -D_FORTIFY_SOURCE=2 -fPIE -pie
+LDFLAGS += -pie -Wl,-z,relro,-z,now
 
 SUBDIRS=lib ip tc bridge misc netem genl man
 
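Review bot: `-D_FORTIFY_SOURCE=2` on the new CFLAGS line only has an effect when optimisation is enabled, and whether `$(CCOPTS)` carries `-O2` is not visible here; if it can be empty or `-O0`, glibc emits a warning and the fortified wrappers are never used, so `-O2` should be pinned next to it or CCOPTS verified. The same line also carries link-only options (`-Wl,-z,relro`, `-pie`) into compile-only steps where they are ignored, and they are repeated in LDFLAGS; `CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE` together with `LDFLAGS += -pie -Wl,-z,relro,-z,now` gives the same hardening without the duplication. If the toolchain already predefines `_FORTIFY_SOURCE`, `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` avoids the redefinition warning.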
index 6d0ad8c..94db58b 100644 (file)
@@ -718,7 +718,10 @@ int main(int argc, char *argv[])
                        }
                        if (uptime >= 0 && time(NULL) >= stb.st_mtime+uptime) {
                                fprintf(stderr, "ifstat: history is aged out, resetting\n");
-                               ftruncate(fileno(hist_fp), 0);
+                               if (ftruncate(fileno(hist_fp), 0) != 0) {
+                                       perror("ifstat: ftruncate history file");
+                                       exit(-1);
+                               }
                        }
                }
 
@@ -760,7 +763,10 @@ int main(int argc, char *argv[])
                        dump_incr_db(stdout);
        }
        if (!no_update) {
-               ftruncate(fileno(hist_fp), 0);
+               if (ftruncate(fileno(hist_fp), 0) != 0) {
+                       perror("ifstat: ftruncate history file");
+                       exit(-1);
+               }
                rewind(hist_fp);
                dump_raw_db(hist_fp, 1);
                fflush(hist_fp);
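Review bot: This four-line block is byte-for-byte the one added about forty lines earlier in this file, and the same pair is added to misc/nstat.c in this commit, so a small `static void reset_history(FILE *fp)` doing the `ftruncate`/`perror`/`exit` would keep the message and exit code in one place per tool. At this second site the incremental statistics have already been written to stdout, so a comment such as `/* could not reset history: abort instead of rewriting only the head of a stale file */` would record why a hard exit is preferred to continuing with `rewind` and `dump_raw_db`. The `fflush(hist_fp)` on the last line remains unchecked, though that predates this change. main() continues outside the hunk.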
index 9492baf..96c96bc 100644 (file)
@@ -49,7 +49,8 @@ static int scan_lines(struct lnstat_file *lf, int i)
 
                num_lines++;
 
-               fgets(buf, sizeof(buf)-1, lf->fp);
+               if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL)
+                       fprintf(stderr, "Error: failed to read from input file stream.\n");
                gettimeofday(&lf->last_read, NULL);
 
                for (j = 0; j < lf->num_fields; j++) {
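Review bot: When `fgets()` returns NULL at the new check the code only prints a message and falls through into the field loop on the next line, which presumably goes on to parse `buf` — on the first line that is a buffer `fgets` never wrote (its declaration is outside the hunk), later a stale copy of the previous line. The branch should leave the loop, e.g. `break;` after the `fprintf`, or return with whatever value scan_lines' callers treat as failure (its return contract is not visible here). The message also names no file; if `struct lnstat_file` carries the path, including it would make the diagnostic actionable. scan_lines begins and ends outside the hunk.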
@@ -94,21 +95,23 @@ int lnstat_update(struct lnstat_file *lnstat_files)
                        rewind(lf->fp);
                        if (!lf->compat) {
                                /* skip first line */
-                               fgets(buf, sizeof(buf)-1, lf->fp);
+                               if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL)
+                                       fprintf(stderr, "Error: failed to read from input file stream.\n");
                        }
                        scan_lines(lf, 1);
 
                        for (i = 0, lfi = &lf->fields[i];
-                            i < lf->num_fields; i++, lfi = &lf->fields[i]) {
+                                       i < lf->num_fields; i++, lfi = &lf->fields[i]) {
                                if (i == 0)
                                        lfi->result = lfi->values[1];
                                else
                                        lfi->result = (lfi->values[1]-lfi->values[0])
-                                                       / lf->interval.tv_sec;
+                                               / lf->interval.tv_sec;
                        }
 
                        rewind(lf->fp);
-                       fgets(buf, sizeof(buf)-1, lf->fp);
+                       if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL)
+                               fprintf(stderr, "Error: failed to read from input file stream.\n");
                        scan_lines(lf, 0);
                }
        }
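Review bot: All three `fgets()` checks in this hunk report a read failure and then continue as if it had succeeded — `scan_lines(lf, 1)`, the per-field rate computation and `scan_lines(lf, 0)` still run — so an unreadable or truncated file yields a message followed by garbage values instead of being skipped. Each branch should `continue` to the next file (or break out, depending on the enclosing loop whose header is outside the hunk) rather than fall through. The hunk also re-indents the `for` header continuation and the `/ lf->interval.tv_sec` line without changing them, which is unrelated whitespace churn in a hardening commit and is better split out. lnstat_update starts and ends outside the hunk.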
@@ -142,7 +145,8 @@ static int lnstat_scan_fields(struct lnstat_file *lf)
        char buf[FGETS_BUF_SIZE];
 
        rewind(lf->fp);
-       fgets(buf, sizeof(buf)-1, lf->fp);
+       if (fgets(buf, sizeof(buf)-1, lf->fp) == NULL)
+               fprintf(stderr, "Error: failed to read from input file stream.\n");
 
        return __lnstat_scan_fields(lf, buf);
 }
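Review bot: After the new `fgets()` check fails, `__lnstat_scan_fields(lf, buf)` is still called with `buf`, which is declared a few lines earlier and never initialized, so the header is parsed from indeterminate stack contents. Add `return -1;` to the error branch — the function already returns `int`, but confirm its callers treat a negative value as failure, since they are outside the hunk — or at minimum set `buf[0] = '\0';` before the call. With an early return the message could also become specific, e.g. `"lnstat: cannot read header line\n"`. The function's signature is just above the hunk.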
index b685978..0c2f4c3 100644 (file)
@@ -568,7 +568,10 @@ int main(int argc, char *argv[])
                        }
                        if (uptime >= 0 && time(NULL) >= stb.st_mtime+uptime) {
                                fprintf(stderr, "nstat: history is aged out, resetting\n");
-                               ftruncate(fileno(hist_fp), 0);
+                               if (ftruncate(fileno(hist_fp), 0) != 0) {
+                                       perror("nstat: ftruncate history file");
+                                       exit(-1);
+                               }
                        }
                }
 
@@ -612,7 +615,10 @@ int main(int argc, char *argv[])
                        dump_incr_db(stdout);
        }
        if (!no_update) {
-               ftruncate(fileno(hist_fp), 0);
+               if (ftruncate(fileno(hist_fp), 0) != 0) {
+                       perror("nstat: ftruncate history file");
+                       exit(-1);
+               }
                rewind(hist_fp);
                dump_kern_db(hist_fp, 1);
                fflush(hist_fp);
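Review bot: This block duplicates the one added earlier in this file and mirrors misc/ifstat.c in the same commit; a `static void reset_history(FILE *fp)` helper per tool would avoid the copy-paste and keep message and exit code consistent. Here the failure is hit after the statistics were already written to stdout, so the intent deserves a comment, e.g. `/* refuse to rewrite history over a file we could not truncate */`, since `rewind` plus `dump_kern_db` on the following lines would otherwise overwrite only the head of a longer stale file. `fflush(hist_fp)` remains unchecked, which predates this commit. main() continues outside the hunk.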
index da9d32c..984bb27 100644 (file)
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -297,7 +297,9 @@ static void user_ent_hash_build(void)
 
                                snprintf(tmp, sizeof(tmp), "%s/%d/stat", root, pid);
                                if ((fp = fopen(tmp, "r")) != NULL) {
-                                       fscanf(fp, "%*d (%[^)])", process);
+                                       int ret = fscanf(fp, "%*d (%[^)])", process);
+                                       if (ret < 0)
+                                               fprintf(stderr, "Error: failed to read from input file stream.\n");
                                        fclose(fp);
                                }
                        }
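Review bot: `ret < 0` only catches an input failure before the first conversion; `fscanf` returns 0 when the line does not match `%*d (`, and `process` is then left untouched yet still used by the code after this hunk, so the test should be `if (ret != 1)`. The `%[^)]` conversion is also unbounded — the kernel caps the comm field, but if `process` is a fixed-size array (its declaration is outside the hunk) a width one less than its size makes the read safe regardless of file contents. A mismatch on a single pid is not an error worth a stderr line; skipping that entry quietly would be the better recovery. user_ent_hash_build begins and ends outside the hunk.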
@@ -379,7 +381,8 @@ static int get_slabstat(struct slabstat *s)
 
        cnt = sizeof(*s)/sizeof(int);
 
-       fgets(buf, sizeof(buf), fp);
+       if (fgets(buf, sizeof(buf), fp) == NULL)
+               goto out;
        while(fgets(buf, sizeof(buf), fp) != NULL) {
                int i;
                for (i=0; i<sizeof(slabstat_ids)/sizeof(slabstat_ids[0]); i++) {
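Review bot: The new `goto out` silently skips parsing when the header line cannot be read, while every other site in this commit prints a diagnostic; either a `fprintf(stderr, ...)` here or no message elsewhere would keep the behaviour uniform. The jump also bypasses the loop without changing the return value, so a caller receives the same 0 as on success and `cnt` is left unused on that path. get_slabstat starts above the hunk.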
@@ -393,6 +396,7 @@ static int get_slabstat(struct slabstat *s)
                        break;
        }
 
+out:
        fclose(fp);
        return 0;
 }
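Review bot: After the `out:` label the function returns 0 even on the `goto out` path where the header line could not be read, so an unreadable file is indistinguishable from a parsed one and `*s` holds whatever it held before. Use a status variable: `int rc = -1;` at the top, `rc = 0;` after the loop, and `return rc;` after `fclose(fp);` — this assumes callers treat a negative result as failure, which matches the `return -1` convention visible in unix_show in this file but should be confirmed against the call sites. If `*s` is not already zeroed above the hunk, a `memset` before the first read would bound the damage for a caller that ignores the status. get_slabstat starts above the hunk.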
@@ -503,7 +507,8 @@ static void init_service_resolver(void)
        char buf[128];
        FILE *fp = popen("/usr/sbin/rpcinfo -p 2>/dev/null", "r");
        if (fp) {
-               fgets(buf, sizeof(buf), fp);
+               if (fgets(buf, sizeof(buf), fp) == NULL)
+                       fprintf(stderr, "Error: failed to read from input file stream.\n");
                while (fgets(buf, sizeof(buf), fp) != NULL) {
                        unsigned int progn, port;
                        char proto[128], prog[128];
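Review bot: `rpcinfo` is an optional helper here — the `2>/dev/null` redirect and the bare `if (fp)` show the lookup is best-effort — yet the new check prints an error every time the resolver is initialised on a system without rpcinfo, because `popen` still returns a stream (the shell's "not found" is discarded) that simply yields no lines. Guard the loop instead of complaining: `if (fgets(buf, sizeof(buf), fp) != NULL)` followed by the existing `while` loop, or keep the check without the message if its purpose is only to satisfy `-Wunused-result`. The stream is presumably closed with `pclose` after the loop, outside the hunk. init_service_resolver starts above the hunk.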
@@ -542,8 +547,10 @@ static int is_ephemeral(int port)
        if (!ip_local_port_min) {
                FILE *f = ephemeral_ports_open();
                if (f) {
-                       fscanf(f, "%d %d",
-                              &ip_local_port_min, &ip_local_port_max);
+                       int ret = fscanf(f, "%d %d",
+                                       &ip_local_port_min, &ip_local_port_max);
+                       if (ret < 0)
+                               fprintf(stderr, "Error: failed to read from input file stream.\n");
                        fclose(f);
                } else {
                        ip_local_port_min = 1024;
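Review bot: `ret < 0` does not cover a partial or failed match: `fscanf` returns 0 or 1 when the file exists but does not hold two integers, leaving `ip_local_port_min`/`ip_local_port_max` unset or half-set, and because the surrounding `if (!ip_local_port_min)` uses 0 as "not yet read", the file is then reopened on every call. Test `if (ret != 2)` and on failure fall back to the same defaults the `else` branch assigns (`ip_local_port_min = 1024;` and its counterpart on the next line, outside the hunk). is_ephemeral starts and ends outside the hunk.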
@@ -720,7 +727,9 @@ static int run_ssfilter(struct ssfilter *f, struct tcpstat *s)
                 if (!low) {
                        FILE *fp = ephemeral_ports_open();
                        if (fp) {
-                               fscanf(fp, "%d%d", &low, &high);
+                               int ret = fscanf(fp, "%d%d", &low, &high);
+                               if (ret < 0)
+                                       fprintf(stderr, "Error: failed to read from input file stream.\n");
                                fclose(fp);
                        }
                }
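Review bot: As in the `is_ephemeral` hunk, `ret < 0` misses the case where `fscanf` returns 0 or 1; `low`/`high` are then left with whatever they held (their declarations are outside the hunk), and since `if (!low)` treats 0 as unread the file is reopened on each filter evaluation. The check should be `if (ret != 2)` with the same fallback values used for the ephemeral range. run_ssfilter starts and ends outside the hunk.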
@@ -2318,7 +2327,8 @@ static int unix_show(struct filter *f)
 
        if ((fp = net_unix_open()) == NULL)
                return -1;
-       fgets(buf, sizeof(buf)-1, fp);
+       if (fgets(buf, sizeof(buf)-1, fp) == NULL)
+               return -1;
 
        if (memcmp(buf, "Peer", 4) == 0)
                newformat = 1;
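Review bot: The new early `return -1` leaks the stream opened by `net_unix_open()` two lines above; the function's other exit paths presumably reach an `fclose(fp)` further down, outside the hunk. Close it first: `if (fgets(buf, sizeof(buf)-1, fp) == NULL) { fclose(fp); return -1; }`. A short stderr message would also be consistent with the other sites in this commit, which report the failure where this one does not. unix_show continues past the hunk.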
@@ -2406,7 +2416,8 @@ static int packet_show(struct filter *f)
 
        if ((fp = net_packet_open()) == NULL)
                return -1;
-       fgets(buf, sizeof(buf)-1, fp);
+       if (fgets(buf, sizeof(buf)-1, fp) == NULL)
+               fprintf(stderr, "Error: failed to read from input file stream.\n");
 
        while (fgets(buf, sizeof(buf)-1, fp)) {
                sscanf(buf, "%llx %*d %d %x %d %d %u %u %u",
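Review bot: Within the same file and commit, a failed header read in `unix_show` returns -1 while here (and in `netlink_show`) it only prints and continues into the `while (fgets(...))` loop; the divergence looks accidental and the `*_show` functions should share one recovery. Returning early is the safer choice, since a NULL from the first `fgets` almost always means EOF or an I/O error after which the loop does nothing useful: `if (fgets(buf, sizeof(buf)-1, fp) == NULL) { fclose(fp); return -1; }`. packet_show continues past the hunk.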
@@ -2479,7 +2490,8 @@ static int netlink_show(struct filter *f)
 
        if ((fp = net_netlink_open()) == NULL)
                return -1;
-       fgets(buf, sizeof(buf)-1, fp);
+       if (fgets(buf, sizeof(buf)-1, fp) == NULL)
+               fprintf(stderr, "Error: failed to read from input file stream.\n");
 
        while (fgets(buf, sizeof(buf)-1, fp)) {
                sscanf(buf, "%llx %d %d %x %d %d %llx %d",
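Review bot: The message printed on a failed header read is the same generic text used at every other fgets/fscanf site in this commit and does not say which table or function failed, which makes a report from the field hard to act on; naming the source, e.g. `"ss: cannot read header of netlink table\n"` (the path opened by `net_netlink_open()` is outside the hunk), costs nothing. As in `packet_show`, the code then continues into the parsing loop instead of returning like `unix_show`; one behaviour for the three `*_show` functions would be cleaner. netlink_show continues past the hunk.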
index 7a7dfaa..9d8a9aa 100644 (file)
@@ -52,6 +52,8 @@ table changes.
 %patch2 -p1
 
 %build
+CFLAGS="-fPIE -Wl,-z,relro,-z,now -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2"
+LDFLAGS="-pie"
 %if "%{asan}" == "1"
 %restore_fcommon
 %endif
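Review bot: The two new assignments in `%build` are plain shell variables, not `export`ed, so `make` only sees them if a later line passes them explicitly (that invocation is outside the hunk); passed on the make command line, `CFLAGS` would replace the Makefile's `CFLAGS = $(WFLAGS) $(CCOPTS) -I../include $(DEFINES)` wholesale and drop the include path and warnings, while via the environment the Makefile's `=` assignment discards it. Either way these flags and the ones added to the Makefile in this commit do not compose, and they also disagree on placement (`-z,relro,-z,now` sits in LDFLAGS there but in CFLAGS here). The usual spec form is `export CFLAGS="%{optflags} -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2"` and `export LDFLAGS="-pie -Wl,-z,relro,-z,now"`, letting the distribution's `%{optflags}` supply `-O2` and whatever hardening it already enables.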