From 51470b8c4b064e9a3e3589881bf4536005e89ae6 Mon Sep 17 00:00:00 2001
From: Jan Vorlicek
Date: Tue, 10 Dec 2019 23:48:07 +0100
Subject: [PATCH] Fix relro, now and PIE for host and libraries (#685)
* Fix relro, now and PIE for host and libraries
The former core-setup and corefx native code build was missing the -z,relro and -z,now options and also the position independent related settings.
* Reflect PR feedback
---
 src/installer/corehost/cli/common.cmake | 1 -
 src/installer/corehost/cli/exe.cmake | 3 +++
 .../corehost/cli/test_fx_ver/CMakeLists.txt | 1 -
 src/installer/settings.cmake | 19 +++++++++++-----
 src/libraries/Native/Unix/CMakeLists.txt | 26 ++++++++++++++++------
 5 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/src/installer/corehost/cli/common.cmake b/src/installer/corehost/cli/common.cmake
index 7469fd1..63e7306 100644
--- a/src/installer/corehost/cli/common.cmake
+++ b/src/installer/corehost/cli/common.cmake
@@ -9,7 +9,6 @@ if(WIN32)
 add_compile_options($<$:/MT>)
 add_compile_options($<$:/MTd>)
 else()
- add_compile_options(-fPIC)
 add_compile_options(-fvisibility=hidden)
 endif()
diff --git a/src/installer/corehost/cli/exe.cmake b/src/installer/corehost/cli/exe.cmake
index 3ade02a..be39daa 100644
--- a/src/installer/corehost/cli/exe.cmake
+++ b/src/installer/corehost/cli/exe.cmake
@@ -4,6 +4,9 @@ project (${DOTNET_PROJECT_NAME})
+cmake_policy(SET CMP0011 NEW)
+cmake_policy(SET CMP0083 NEW)
+
 include(${CMAKE_CURRENT_LIST_DIR}/common.cmake)
 # Include directories
diff --git a/src/installer/corehost/cli/test_fx_ver/CMakeLists.txt b/src/installer/corehost/cli/test_fx_ver/CMakeLists.txt
index 15d2577..d7812c5 100644
--- a/src/installer/corehost/cli/test_fx_ver/CMakeLists.txt
+++ b/src/installer/corehost/cli/test_fx_ver/CMakeLists.txt
@@ -29,7 +29,6 @@ if(WIN32)
 add_compile_options($<$:/MT>)
 add_compile_options($<$:/MTd>)
 else()
- add_compile_options(-fPIE)
 add_compile_options(-fvisibility=hidden)
 endif()
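Review bot: `cmake_policy(SET CMP0083 NEW)` in the exe.cmake hunk is unguarded, and CMP0083 exists only from CMake 3.14 on; setting a policy that the running CMake does not know is a configure-time error. The same line is added in src/libraries/Native/Unix/CMakeLists.txt, where the visible `cmake_minimum_required(VERSION 2.8.12)` still advertises a much older minimum, and `include(CheckPIESupported)` in both trees has the same 3.14 requirement. Either raise the declared minimum to 3.14 so the failure is reported clearly up front, or wrap the policy and the probe in `if(POLICY CMP0083)` and state in a comment that PIE linking is skipped on older CMake.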
diff --git a/src/installer/settings.cmake b/src/installer/settings.cmake
index 29d57b4..efec063 100644
--- a/src/installer/settings.cmake
+++ b/src/installer/settings.cmake
@@ -4,6 +4,17 @@ set (CMAKE_CXX_STANDARD 11)
+include(CheckPIESupported)
+
+# All code we build should be compiled as position independent
+check_pie_supported(OUTPUT_VARIABLE PIE_SUPPORT_OUTPUT LANGUAGES CXX)
+if(NOT MSVC AND NOT CMAKE_CXX_LINK_PIE_SUPPORTED)
+ message(WARNING "PIE is not supported at link time: ${PIE_SUPPORT_OUTPUT}.\n"
+ "PIE link options will not be passed to linker.")
+endif()
+
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
 if(CMAKE_SYSTEM_NAME STREQUAL Linux)
 set(CLR_CMAKE_PLATFORM_UNIX 1)
 message("System name Linux")
@@ -174,7 +185,7 @@ if(WIN32)
 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /GUARD:CF")
 # Debug build specific flags
- set(CMAKE_SHARED_LINKER_FLAGS_DEBUG "/NOVCFEATURE")
+ set(CMAKE_SHARED_LINKER_FLAGS_DEBUG "${CMAKE_SHARED_LINKER_FLAGS_DEBUG} /NOVCFEATURE")
 # Release build specific flags
 set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} /DEBUG /OPT:REF /OPT:ICF")
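Review bot: In the first settings.cmake hunk the PIE probe only emits `message(WARNING ...)` when `CMAKE_CXX_LINK_PIE_SUPPORTED` is false, so configuration carries on and the executables are linked without PIE; the same block is repeated for C in src/libraries/Native/Unix/CMakeLists.txt. For a hardening change it would be safer to stop with `message(FATAL_ERROR ...)`, or to allow the downgrade only behind an explicit opt-out option, because a warning in a long configure log is easy to miss. Separately, check_pie_supported() expects policy CMP0083 to be NEW at the point of the call and this file does not set it; the patch sets it only in exe.cmake, so any other file that includes settings.cmake (none is visible here) should be checked.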
@@ -216,14 +227,12 @@ endif()
 # containing the reference instead of using definitions from other modules.
 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
 set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Xlinker -Bsymbolic -Bsymbolic-functions")
- set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1")
+ add_link_options(-Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
 add_compile_options(-fstack-protector-strong)
 elseif(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
 add_compile_options(-fstack-protector)
 elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
- set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1")
+ add_link_options(-fuse-ld=lld -Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
 add_compile_options(-fstack-protector)
 endif()
diff --git a/src/libraries/Native/Unix/CMakeLists.txt b/src/libraries/Native/Unix/CMakeLists.txt
index c19f10c..e2b2063 100644
--- a/src/libraries/Native/Unix/CMakeLists.txt
+++ b/src/libraries/Native/Unix/CMakeLists.txt
@@ -1,6 +1,18 @@
 cmake_minimum_required(VERSION 2.8.12)
 project(CoreFX C)
+cmake_policy(SET CMP0083 NEW)
+
+include(CheckPIESupported)
+
+# All code we build should be compiled as position independent
+check_pie_supported(OUTPUT_VARIABLE PIE_SUPPORT_OUTPUT LANGUAGES C)
+if(NOT MSVC AND NOT CMAKE_C_LINK_PIE_SUPPORTED)
+ message(WARNING "PIE is not supported at link time: ${PIE_SUPPORT_OUTPUT}.\n"
+ "PIE link options will not be passed to linker.")
+endif()
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
 set(CMAKE_MACOSX_RPATH ON)
 set(CMAKE_INSTALL_PREFIX $ENV{__CMakeBinDir})
 set(CMAKE_INCLUDE_CURRENT_DIR ON)
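Review bot: In the settings.cmake hunk at -216 the Darwin branch still gets only `-fstack-protector`, while the libraries build in this same patch adds `add_link_options(-Wl,-bind_at_load)` for Darwin; if eager binding is wanted for the host binaries as well, the same line belongs under `elseif(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")`. Note also that `add_link_options` (CMake 3.13+) affects only targets created after the call, whereas the `CMAKE_*_LINKER_FLAGS` variables it replaces applied to the whole directory, so settings.cmake has to be included before any `add_library`/`add_executable`; the include order is not visible in this patch. A short comment above the Linux and FreeBSD calls, for example `# relro + now: GOT is resolved at load time and then mapped read-only`, would record why the flags are there.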
@@ -28,7 +40,6 @@ endif()
 add_compile_options(-Werror)
 if(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
- # Build a static library so no -fPIC
 set(CLR_CMAKE_PLATFORM_WASM 1)
 add_definitions(-D_WASM_)
 # The emscripten build has additional warnings so -Werror breaks
@@ -37,7 +48,6 @@ if(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
 add_compile_options(-Wno-alloca)
 add_compile_options(-Wno-implicit-int-float-conversion)
 else()
- add_compile_options(-fPIC)
 set(GEN_SHARED_LIB 1)
 endif(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
@@ -125,9 +135,6 @@ endif ()
 if (CMAKE_SYSTEM_NAME STREQUAL Linux)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_GNU_SOURCE")
- set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
- set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1")
 endif ()
 if(CMAKE_SYSTEM_NAME STREQUAL Linux)
@@ -141,8 +148,7 @@ endif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
 if(CMAKE_SYSTEM_NAME STREQUAL FreeBSD)
 set(CLR_CMAKE_PLATFORM_UNIX 1)
 add_definitions(-D_BSD_SOURCE) # required for getline
- set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1")
+ add_link_options(-fuse-ld=lld)
 endif(CMAKE_SYSTEM_NAME STREQUAL FreeBSD)
 if(CMAKE_SYSTEM_NAME STREQUAL OpenBSD)
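Review bot: The Emscripten branch in src/libraries/Native/Unix/CMakeLists.txt (hunk at -28) loses its carve-out: the removed comment recorded that the wasm build is a static library compiled without -fPIC, but the new file-level `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` applies to every target, Emscripten included. If that is intended, replace the deleted comment with one that says so; otherwise restore the old behaviour with `set(CMAKE_POSITION_INDEPENDENT_CODE OFF)` inside the `if(CMAKE_SYSTEM_NAME STREQUAL Emscripten)` branch. The if/else block runs past the end of this hunk into the one at -37.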
@@ -164,6 +170,12 @@ endif(CMAKE_SYSTEM_NAME STREQUAL SunOS)
 # ./build-native.sh cmakeargs -DCLR_ADDITIONAL_COMPILER_OPTIONS=<...> cmakeargs -DCLR_ADDITIONAL_LINKER_FLAGS=<...>
 #
 if(CLR_CMAKE_PLATFORM_UNIX)
+ if (CMAKE_SYSTEM_NAME STREQUAL Darwin)
+ add_link_options(-Wl,-bind_at_load)
+ else (CMAKE_SYSTEM_NAME STREQUAL Darwin)
+ add_compile_options($<$:-Wa,--noexecstack>)
+ add_link_options(-Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
+ endif(CMAKE_SYSTEM_NAME STREQUAL Darwin)
 set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${CLR_ADDITIONAL_LINKER_FLAGS}")
 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${CLR_ADDITIONAL_LINKER_FLAGS}" )
 add_compile_options(${CLR_ADDITIONAL_COMPILER_OPTIONS})
-- 
2.7.4
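Review bot: The `else` branch added in the hunk at -164 applies `-Wl,--build-id=sha1 -Wl,-z,relro,-z,now` and the `--noexecstack` assembler option to every non-Darwin platform that sets CLR_CMAKE_PLATFORM_UNIX, whereas the lines removed earlier in this patch passed `--build-id` only on Linux and FreeBSD and `--noexecstack` only on Linux. The surrounding context shows OpenBSD and SunOS branches in this file, and their toolchains may not accept these GNU-style options; that cannot be confirmed from the hunk. Consider narrowing the branch, for example `elseif(CMAKE_SYSTEM_NAME STREQUAL Linux OR CMAKE_SYSTEM_NAME STREQUAL FreeBSD)`, or probing the flags before adding them. The enclosing `if(CLR_CMAKE_PLATFORM_UNIX)` closes outside the hunk.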