Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)
Status: closed
Description
In order to apply ASLR fully to Suricata, Suricata needs to be able to compile as a Position-Independent Executable (PIE). It seems that simply adding -fPIE to CFLAGS/CXXFLAGS and -pie to LDFLAGS doesn't work as that will cause a linking failure with util-time. I would suggest adding an --enable-pie flag to autoconf that will add those CFLAGS/CXXFLAGS/LDFLAGS to the right spots.
I've tried to use those flags myself. I'm running HardenedBSD 11-CURRENT/amd64. Here's a log of the build of my build attempt with the custom flags: http://ix.io/keX
Updated by Victor Julien over 9 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 3.0RC1
Strange error. It works for me on Ubuntu 14.04. Any chance you can find out what that error is?
On the --enable-pie option, I think it's a good idea.
Updated by Alexander Gozman about 9 years ago
Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
Updated by Shawn Webb about 9 years ago
> Alexander Gozman wrote:
> Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
You'll likely also need to add -fPIE to CFLAGS.
Updated by Alexander Gozman about 9 years ago
> Shawn Webb wrote:
> > Alexander Gozman wrote:
> > Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
> You'll likely also need to add -fPIE to CFLAGS.
Sure, but it's better to add -pie to LDFLAGS. I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.
Updated by Alexander Gozman about 9 years ago
> Alexander Gozman wrote:
> > Shawn Webb wrote:
> > > Alexander Gozman wrote:
> > > Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
> > You'll likely also need to add -fPIE to CFLAGS.
Sure, but it's better to add -pie just to LDFLAGS (adding it to CFLAGS makes no sense). I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.
Updated by Alexander Gozman about 9 years ago
- Due date set to 10/08/2015
- Assignee changed from Victor Julien to Alexander Gozman
- % Done changed from 0 to 100
Updated by Shawn Webb almost 9 years ago
After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
Updated by Alexander Gozman almost 9 years ago
- File suricata-3.0.r3.log added
> Shawn Webb wrote:
> After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
I cannot reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went well without any errors. I've attached the build log from poudriere; maybe it'll make things a bit clearer.
Updated by Shawn Webb almost 9 years ago
> Alexander Gozman wrote:
> > Shawn Webb wrote:
> > After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
> I cannot reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went well without any errors. I've attached the build log from poudriere; maybe it'll make things a bit clearer.
It appears I was being too aggressive with CFLAGS. Simply using --enable-pie with configure made it work. I had forced CFLAGS=-fPIE and LDFLAGS=-pie before, which is simply too aggressive. On the bright side, I also enabled RELRO and suricata works. So on HardenedBSD, we now have suricata compiled as a PIE with RELRO+BIND_NOW.
Thanks for the hard work! I really appreciate it.
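A way to verify the end state described above (a suricata binary built as a PIE with RELRO and BIND_NOW), as an added example that is not part of this thread or of the Suricata project: it classifies `readelf` output, assumes the usual GNU/BSD binutils output format, and the sample excerpts below are constructed, not taken from a real build.

```shell
#!/bin/sh
# Added example, not Suricata project code: derive the PIE / RELRO / BIND_NOW
# state of an executable from readelf output. The classify_* functions read
# readelf text on stdin so they can be exercised with the constructed samples
# below; check_binary runs the real readelf on a path.

# "pie" when the ELF header type is DYN. A shared library is DYN as well, so
# this verdict is only meaningful for an executable (the loader then maps it
# at a random base when ASLR is enabled).
classify_pie() {
  if grep -q 'Type:[[:space:]]*DYN'; then echo pie; else echo no-pie; fi
}

# "none" without a GNU_RELRO segment, "partial" with the segment but lazy
# symbol binding, "full" when BIND_NOW (or FLAGS_1 NOW) forces all relocations
# to be resolved before the GOT is made read-only.
classify_relro() {
  _relro_text=$(cat)
  if ! printf '%s\n' "$_relro_text" | grep -q 'GNU_RELRO'; then
    echo none
  elif printf '%s\n' "$_relro_text" |
       grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
    echo full
  else
    echo partial
  fi
}

# Run readelf once (header, program headers, dynamic section) and print
# both verdicts for the given binary on one line.
check_binary() {
  _elf_text=$(readelf -h -l -d "$1")
  printf '%s: %s, relro=%s\n' "$1" \
    "$(printf '%s\n' "$_elf_text" | classify_pie)" \
    "$(printf '%s\n' "$_elf_text" | classify_relro)"
}

# Constructed readelf excerpts (not from a real build) covering three cases.
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000000000002fd80 0x000000000022fd80
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_PARTIAL='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000000000002fd80 0x000000000022fd80'
SAMPLE_WEAK='  Type:                              EXEC (Executable file)
  LOAD           0x0000000000000000 0x0000000000400000'

# Usage on a real build: check_binary /usr/local/bin/suricata
```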