build: hardening, doc, cleanup build rules

config.mk

@@ -13,10 +13,12 @@ ETCDIR := $(PREFIX)/etc/kresd
 
 # Tools
 CC	?= cc
-BUILD_LDFLAGS += $(LDFLAGS)
-BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -fPIC -Wtype-limits -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
-BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""
 RM	:= rm -f
 LN      := ln -s
 XXD     := ./scripts/embed.sh
 INSTALL := install
+
+# Flags
+BUILD_LDFLAGS += $(LDFLAGS)
+BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
+BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(MAJOR).$(MINOR).$(PATCH)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\"" -DETCDIR="\"$(ETCDIR)\""

daemon/daemon.mk

@@ -24,6 +24,7 @@ endif
 bindings-install: $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
 	$(INSTALL) -m 0644 $(kresd_DIST) $(DESTDIR)$(MODULEDIR)
 
+kresd_CFLAGS := -fPIE
 kresd_DEPEND := $(libkres)
 kresd_LIBS := $(libkres_TARGET) $(libknot_LIBS) $(libdnssec_LIBS) $(libuv_LIBS) $(lua_LIBS)
 

doc/build.rst

@@ -123,6 +123,24 @@ Alternatively you can build only specific parts of the project, i.e. ``library``
 
 .. note:: Documentation is not built by default, run ``make doc`` to build it.
 
+Building with security compiler flags
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Knot DNS Resolver enables certain `security compile-time flags <https://wiki.debian.org/Hardening#Notes_on_Memory_Corruption_Mitigation_Methods>`_ that do not affect performance.
+You can add more flags to the build by appending them to `CFLAGS` variable, e.g. ``make CFLAGS="-fstack-protector"``.
+
+  .. csv-table::
+   :header: "Method", "Status", "Notes"
+
+   "-fstack-protector", "*disabled*", "(must be specifically enabled in CFLAGS)"
+   "-D_FORTIFY_SOURCE=2", "**enabled**", ""
+   "-pie", "**enabled**", "enables ASLR for kresd (disable with ``make HARDENING=no``)"
+   "RELRO", "**enabled**", "full [#]_"
+
+You can also disable ELF hardening when it's unsupported with ``make HARDENING=no``.
+
+.. [#] See `checksec.sh <http://www.trapkit.de/tools/checksec.html>`_
+
 Building for packages
 ~~~~~~~~~~~~~~~~~~~~~
 

lib/lib.mk

@@ -48,7 +48,7 @@ libkres_HEADERS := \
 
 # Dependencies
 libkres_DEPEND := 
-libkres_CFLAGS := -fvisibility=hidden
+libkres_CFLAGS := -fvisibility=hidden -fPIC
 libkres_LIBS := $(libknot_LIBS) $(libdnssec_LIBS)
 libkres_TARGET := -L$(abspath lib) -lkres
 

modules/cachectl/cachectl.mk

-cachectl_CFLAGS := -fvisibility=hidden
+cachectl_CFLAGS := -fvisibility=hidden -fPIC
 cachectl_SOURCES := modules/cachectl/cachectl.c
 cachectl_DEPEND := $(libkres)
 cachectl_LIBS := $(libkres_TARGET) $(libkres_LIBS)

modules/hints/hints.mk

-hints_CFLAGS := -fvisibility=hidden
+hints_CFLAGS := -fvisibility=hidden -fPIC
 hints_SOURCES := modules/hints/hints.c
 hints_DEPEND := $(libkres)
 hints_LIBS := $(libkres_TARGET) $(libkres_LIBS)

modules/stats/stats.mk

-stats_CFLAGS := -fvisibility=hidden
+stats_CFLAGS := -fvisibility=hidden -fPIC
 stats_SOURCES := modules/stats/stats.c
 stats_DEPEND := $(libkres)
 stats_LIBS := $(libkres_TARGET) $(libkres_LIBS)

platform.mk

@@ -2,6 +2,7 @@
 # Don't touch this unless you're changing the way targets are compiled
 # You have been warned
 
+# Platform-dependent stuff checks
 CCLD := $(CC)
 CGO := go tool cgo
 GO := go
@@ -27,9 +28,18 @@ else
         PLATFORM := Darwin
         LIBEXT := .dylib
         MODTYPE := dynamiclib
+        # OS X specific hardening since -pie doesn't work
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -Wl,-pie
+        endif
     else
         PLATFORM := POSIX
         LDFLAGS += -pthread -lm -Wl,-E
+        # ELF hardening options
+        ifneq ($(HARDENING),no)
+            BINFLAGS += -pie
+            LDFLAGS += -Wl,-z,relro,-z,now
+        endif
         ifeq (,$(findstring BSD,$(UNAME)))
             LDFLAGS += -ldl
         endif
@@ -41,16 +51,12 @@ ifeq ($(V),1)
 	quiet = $($1)
 else
 	quiet = @echo "  $1	$2"; $($1)
-endif	
-
-%.o: %.c
-	$(call quiet,CC,$<) $(BUILD_CFLAGS) -MMD -MP -c $< -o $@
+endif
 
 # Make objects and depends (name)
 define make_objs
 $(1)_OBJ := $$($(1)_SOURCES:.c=.o)
 $(1)_DEP := $$($(1)_SOURCES:.c=.d)
-
 -include $$($(1)_DEP)
 endef
 
@@ -67,13 +73,17 @@ endif
 else
 $$(eval $$(call make_objs,$(1)))
 endif
+# Rules to generate objects with custom CFLAGS and binary/library
+$$($(1)_OBJ): $$($(1)_SOURCES)
+	$(call quiet,CC,$$(@:%.o=%.c)) $(BUILD_CFLAGS) $$($(1)_CFLAGS) -MMD -MP -c $$(@:%.o=%.c) -o $$@
 $(1) := $(2)/$(1)$(3)
 $(2)/$(1)$(3): $$($(1)_OBJ) $$($(1)_DEPEND)
 ifeq ($(4),-$(ARTYPE))
 	$(call quiet,AR,$$@) rcs $$@ $$($(1)_OBJ)
 else
-	$(call quiet,CCLD,$$@) $(BUILD_CFLAGS) $$($(1)_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LIBS) $(BUILD_LDFLAGS)
+	$(call quiet,CCLD,$$@) $$($(1)_CFLAGS) $(BUILD_CFLAGS) $$($(1)_OBJ) -o $$@ $(4) $$($(1)_LDFLAGS) $$($(1)_LIBS) $(BUILD_LDFLAGS)
 endif
+# Additional rules
 $(1)-clean:
 	$(RM) $$($(1)_OBJ) $$($(1)_DEP) $(2)/$(1)$(3)
 ifeq ($(6), yes)

tests/unit.mk

@@ -14,6 +14,7 @@ tests_BIN := \
 	test_zonecut \
 	test_rplan
 
+mock_cmodule_CFLAGS := -fPIC
 mock_cmodule_SOURCES := tests/mock_cmodule.c
 $(eval $(call make_lib,mock_cmodule,tests))
 
@@ -23,6 +24,7 @@ tests_LIBS :=  $(libkres_TARGET) $(libkres_LIBS) $(cmocka_LIBS)
 
 # Make test binaries
 define make_test
+$(1)_CFLAGS := -fPIE
 $(1)_SOURCES := tests/$(1).c
 $(1)_LIBS := $(tests_LIBS)
 $(1)_DEPEND := $(tests_DEPEND)