eafer / rdrview

Firefox Reader View as a command line tool
Apache License 2.0

Add LDFLAGS to Makefile for full relro and fortify #4

Closed jelly closed 3 years ago

jelly commented 3 years ago

The Makefile currently does not produce fully hardened binaries, as it does not take the system's LDFLAGS, CPPFLAGS or CFLAGS, which means the binaries aren't fully hardened:

[jelle@natrium][/tmp/rdrview-git/src/rdrview]%checksec --file=/usr/bin/rdrview
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols    No    0       9       /usr/bin/rdrview

With a simple patch:

diff --git a/Makefile b/Makefile
index 18a0e8f..b018a9c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,8 @@
 SYSTEM = $(shell uname)
 CC = gcc

+LDFLAGS ?=
+CPPFLAGS ?=
 CFLAGS = -DNDEBUG -O2 -Wall -Wextra -fno-strict-aliasing
 override CFLAGS += $(shell curl-config --cflags) $(shell xml2-config --cflags)

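Review bot: the `CFLAGS = -DNDEBUG -O2 ...` context line stays a plain `=` assignment, so a CFLAGS value exported in the environment is still replaced by the Makefile's own, although the report names CFLAGS among the flags that are not picked up. Consider `CFLAGS ?=` for the optional defaults, with anything the build requires kept in the `override CFLAGS +=` line. The two added `?=` lines with empty values do not change behaviour, since make already imports LDFLAGS and CPPFLAGS from the environment and an unset variable expands to nothing; a short comment saying they are there as documentation would help.
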
@@ -21,10 +23,10 @@ SRCS = $(wildcard src/*.c)
 OBJS = $(SRCS:.c=.o)

 rdrview: $(OBJS)
-       $(CC) $(CFLAGS) -o rdrview $(OBJS) $(LDLIBS)
+       $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o rdrview $(OBJS) $(LDLIBS)

 %.o: %.c src/rdrview.h
-       $(CC) $(CFLAGS) -o $@ -c $<
+       $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ -c $<

 clean:
        rm -f $(OBJS) rdrview
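
Review bot: in the `%.o` rule `$(LDFLAGS)` is passed to a `-c` compile, where nothing is linked, and in the `rdrview` rule `$(CPPFLAGS)` is passed to a link of already compiled objects, where nothing is preprocessed. Suggest `$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ -c $<` for the objects and `$(CC) $(CFLAGS) $(LDFLAGS) -o rdrview $(OBJS) $(LDLIBS)` for the link, so that each flag set reaches only the stage that uses it.
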
[jelle@natrium][/tmp/rdrview-git/src/rdrview]%checksec --file=rdrview
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   360) Symbols      Yes   3       9       rdrview

https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

eafer commented 3 years ago

[jelle@natrium][/tmp/rdrview-git/src/rdrview]%checksec --file=rdrview
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH    Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   360) Symbols    Yes   3       9       rdrview

I get this same output with my regular build. What version of gcc are you using? Maybe the defaults have changed.

jelly commented 3 years ago

Interesting, I have GCC 10, but some defaults such as -fstack-protector can be enabled by default in GCC.

eafer commented 3 years ago

I just pushed a patch for this issue. It's not the exact same as your patch, so please let me know if I got something wrong and it doesn't solve your problem. Thanks for the report.

jelly commented 3 years ago

Just tested and it works fine! Thanks!