Feature #1527
closed
Add ability to compile as a Position-Independent Executable (PIE)
Added by Shawn Webb about 10 years ago.
Updated almost 10 years ago.
Description
In order to apply ASLR fully to Suricata, Suricata needs to be able to compile as a Position-Independent Executable (PIE). It seems that simply adding -fPIE to CFLAGS/CXXFLAGS and -pie to LDFLAGS doesn't work as that will cause a linking failure with util-time. I would suggest adding an --enable-pie flag to autoconf that will add those CFLAGS/CXXFLAGS/LDFLAGS to the right spots.
I've tried to use those flags myself. I'm running HardenedBSD 11-CURRENT/amd64. Here's a log of my build attempt with the custom flags: http://ix.io/keX
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 3.0RC1
Strange error. It works for me on Ubuntu 14.04. Any chance you can find out what that error is?
On the --enable-pie option, I think it's a good idea.
Shawn Webb wrote:
Alexander Gozman wrote:
Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
You'll likely also need to add -fPIE to CFLAGS.
Sure, but it's better to add -pie to LDFLAGS. I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.
Alexander Gozman wrote:
Shawn Webb wrote:
Alexander Gozman wrote:
Something's wrong with CFLAGS, -fPIC should solve the problem: https://github.com/inliniac/suricata/pull/1664
You'll likely also need to add -fPIE to CFLAGS.
Sure, but it's better to add -pie just to LDFLAGS (adding it to CFLAGS makes no sense). I've mentioned -fPIC 'cause in the error log you've attached a compiler gave a hint about it.
- Due date set to 10/08/2015
- Assignee changed from Victor Julien to Alexander Gozman
- % Done changed from 0 to 100
- Status changed from Assigned to Closed
After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
Shawn Webb wrote:
After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
I cannot reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went well without any errors. I've attached the build log from poudriere, maybe it'll make things a bit clearer.
Alexander Gozman wrote:
Shawn Webb wrote:
After testing this on HardenedBSD, it looks like I still get a linking error, even after enabling --enable-pie. Log is attached.
I cannot reproduce the issue :( I've installed HardenedBSD-CURRENT and built suricata from ports and with poudriere, with and without --enable-pie. Everything went well without any errors. I've attached the build log from poudriere, maybe it'll make things a bit clearer.
It appears I was being too aggressive with CFLAGS. Simply using --enable-pie with configure made it work. I had forced CFLAGS=-fPIE and LDFLAGS=-pie before, which is simply too aggressive. On the bright side, I also enabled RELRO and suricata works. So on HardenedBSD, we now have suricata compiled as a PIE with RELRO+BIND_NOW.
Thanks for the hard work! I really appreciate it.
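The thread ends with suricata built as a PIE with RELRO+BIND_NOW; the following is an added example (not from this issue or the Suricata project) of a small POSIX shell check that classifies exactly those properties from `readelf -h -l -d` output, so the effect of --enable-pie can be confirmed on the built binary rather than inferred from the flags. The binary path, the function names and the embedded sample readelf output are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not Suricata code: classify PIE / RELRO / BIND_NOW from
# `readelf -h -l -d` output. Binary path and sample output are constructed.

# Constructed sample of what readelf prints for a PIE linked with
# -z relro -z now (only the lines the classifier looks at are kept).
SAMPLE_PIE_READELF='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  GNU_RELRO      0x000000000021fd90 0x000000000041fd90 0x000000000041fd90
Dynamic section at offset 0x21fda0 contains 30 entries:
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

# Reads readelf output on stdin, prints one line:
#   PIE=yes|no RELRO=full|partial|none BIND_NOW=yes|no
classify_readelf_output() {
    input=$(cat)
    pie=no; relro=none; bindnow=no
    # DYN type = position-independent image the loader can place anywhere;
    # EXEC = fixed load address, so ASLR cannot move the main binary.
    # Shared libraries are DYN too but carry a SONAME, so require its absence.
    if printf '%s\n' "$input" | grep -q '^ *Type: *DYN' &&
       ! printf '%s\n' "$input" | grep -q '(SONAME)'; then
        pie=yes
    fi
    # GNU_RELRO segment: GOT/relocation data remapped read-only after
    # relocation (-z relro). Without BIND_NOW this is only "partial".
    if printf '%s\n' "$input" | grep -q 'GNU_RELRO'; then
        relro=partial
    fi
    # BIND_NOW / FLAGS_1 NOW: every symbol resolved at load time (-z now),
    # so the whole GOT can be locked and RELRO becomes "full".
    if printf '%s\n' "$input" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        bindnow=yes
        if [ "$relro" = partial ]; then relro=full; fi
    fi
    printf 'PIE=%s RELRO=%s BIND_NOW=%s\n' "$pie" "$relro" "$bindnow"
}

# Run the check against a real binary, e.g. the suricata executable
# (the path argument is an assumption for this example).
elf_hardening_report() {
    readelf -h -l -d "$1" | classify_readelf_output
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_PIE_READELF" | classify_readelf_output
```

On a real build, `elf_hardening_report /usr/local/bin/suricata` (path assumed) should print `PIE=yes RELRO=full BIND_NOW=yes` when the --enable-pie build plus RELRO/BIND_NOW described above took effect.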