
Remove Solaris 10 platform and enable some hardening flags on Linux/Mac/FreeBSD #915

Merged
merged 3 commits into from
Nov 14, 2019

Conversation

lamont-granquist
Contributor

We don't build or support Solaris 10 any more since it is EOL

This adds -D_FORTIFY_SOURCE=2 -fstack-protector to Linux/Mac/BSD. Tried to add it to Solaris and it failed. AIX is not gcc so it's not applicable, and Windows mostly terrifies me.

This is likely a NOP since most distros have added this anyway, but it establishes a baseline.

This passed tests here:

https://buildkite.com/chef/chef-chef-master-omnibus-adhoc/builds/133

On 15.5.2 on Ubuntu we already have these settings:

# hardening-check /opt/chef/embedded/bin/openssl
/opt/chef/embedded/bin/openssl:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

This might do something useful like enable hardening on RHEL6 but I didn't exhaustively check.

This adds -D_FORTIFY_SOURCE=2 -fstack-protector by default.

Since most Linux distros have this enabled by default this should be
safe to do.

Dunno about Windows.

Our AIX builds don't use gcc.

Signed-off-by: Lamont Granquist <[email protected]>
Signed-off-by: Lamont Granquist <[email protected]>
@lamont-granquist lamont-granquist requested review from a team as code owners November 14, 2019 06:14
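As an added example, not code from this PR or from omnibus-software: a small Ruby hardening-check clone that looks for the same markers the description above reports for /opt/chef/embedded/bin/openssl (stack canary, fortified libc calls, RELRO, immediate binding, PIE) by parsing GNU readelf output. The readelf invocations, the constructed sample output and the heuristics used (PIE inferred from ELF type DYN, which also matches shared objects; fortification inferred from imported `__*_chk` symbols) are assumptions of this example, not the project's tooling.

```ruby
# Added example (not from the PR or omnibus-software): a minimal
# hardening-check clone. The parsing functions take strings, so they can
# be exercised on captured readelf output without the binary present.
require 'open3'

module HardeningCheck
  # glibc's _FORTIFY_SOURCE wrappers all end in "_chk" (e.g. __memcpy_chk);
  # -fstack-protector canaries call __stack_chk_fail on a mismatch.
  FORTIFY_RE = /\b__\w+_chk\b/
  STACK_CHK  = '__stack_chk_fail'

  # dyn_syms: `readelf -W --dyn-syms BIN`  (dynamic symbol table)
  # headers:  `readelf -W -l BIN`          (ELF type + program headers)
  # dynamic:  `readelf -W -d BIN`          (dynamic section)
  def self.analyze(dyn_syms:, headers:, dynamic:)
    {
      # Assumption: an executable of type DYN is a PIE (shared objects are DYN too).
      pie:             headers.match?(/^Elf file type is DYN/),
      stack_protected: dyn_syms.include?(STACK_CHK),
      fortify_source:  dyn_syms.scan(FORTIFY_RE).uniq,
      relro:           headers.include?('GNU_RELRO'),
      # DT_BIND_NOW, DT_FLAGS with BIND_NOW, or DT_FLAGS_1 with NOW all mean -z now.
      bind_now:        dynamic.match?(/\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*\bNOW\b/)
    }
  end

  # Same wording as the hardening-check output quoted in the PR, for easy comparison.
  def self.report(result)
    fortify = result[:fortify_source].empty? ? 'no, only unprotected functions found!' \
                                             : 'yes (some protected functions found)'
    [
      " Position Independent Executable: #{result[:pie] ? 'yes' : 'no, normal executable!'}",
      " Stack protected: #{result[:stack_protected] ? 'yes' : 'no, not found!'}",
      " Fortify Source functions: #{fortify}",
      " Read-only relocations: #{result[:relro] ? 'yes' : 'no, not found!'}",
      " Immediate binding: #{result[:bind_now] ? 'yes' : 'no, not found!'}"
    ].join("\n")
  end

  # Runs readelf on a real file; requires GNU binutils on PATH.
  def self.run(path)
    out = ->(*args) { Open3.capture2('readelf', '-W', *args, path).first }
    analyze(dyn_syms: out.('--dyn-syms'), headers: out.('-l'), dynamic: out.('-d'))
  end
end

# Constructed readelf output for a non-PIE binary built with -fstack-protector
# and -D_FORTIFY_SOURCE=2, linked with -z relro but not -z now.
SAMPLE_DYN_SYMS = <<~OUT
  Symbol table '.dynsym' contains 5 entries:
     Num:    Value          Size Type    Bind   Vis      Ndx Name
       0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
       1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
       2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
       3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
       4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.2.5 (4)
OUT
SAMPLE_HEADERS = <<~OUT
  Elf file type is EXEC (Executable file)
  Entry point 0x401040
  Program Headers:
    Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
    LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000668 0x000668 R E 0x1000
    GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
    GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
OUT
SAMPLE_DYNAMIC = <<~OUT
  Dynamic section at offset 0x2e20 contains 3 entries:
    Tag        Type                         Name/Value
   0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
   0x0000000000000015 (DEBUG)              0x0
   0x0000000000000000 (NULL)               0x0
OUT

if __FILE__ == $PROGRAM_NAME
  result = if ARGV.empty?
             HardeningCheck.analyze(dyn_syms: SAMPLE_DYN_SYMS, headers: SAMPLE_HEADERS, dynamic: SAMPLE_DYNAMIC)
           else
             HardeningCheck.run(ARGV[0])
           end
  puts HardeningCheck.report(result)
end
```

Run it with no arguments to see the report for the constructed sample (which reproduces the five lines quoted above), or pass a path such as /opt/chef/embedded/bin/openssl to check a real binary. Checking for imported `__*_chk` symbols only proves that some calls were fortified; a binary whose buffer sizes the compiler could not determine at compile time will still show "no" even when built with the flag.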
@marcparadise
Member

https://idea.popcount.org/2013-08-15-fortify_source/ was a helpful reference, I wasn't familiar with the effects of those flags.

Signed-off-by: Lamont Granquist <[email protected]>
@tas50 tas50 merged commit d1e84cc into master Nov 14, 2019
@chef-expeditor chef-expeditor bot deleted the lcg/enable-hardening branch November 14, 2019 21:26
@lamont-granquist
Contributor Author

dang you're fast
