Solaris security extensions

To: <pkgsrc-users%netbsd.org@localhost>
Subject: Solaris security extensions
From: Clausen, Jörn <joern.clausen%uni-bielefeld.de@localhost>
Date: Tue, 26 May 2020 14:05:53 +0200

Hello all!

I just tried to build pkgsrc on Solaris 11.3/i86 with securityextensions turned on. This is a mechanism to indicate via flags inbinaries, if certain security methods should be used when executing thebinary. It's the usual stuff: Non-executable stack and heap, ASLR.Solaris 11.4 has added some more methods to tackle Spectre/Meltdown andall their offsprings. Here are two links with some more information:


https://blogs.oracle.com/solaris/new-security-extensions-in-oracle-solaris-113-v2

https://docs.oracle.com/cd/E37838_01/html/E61050/secov-2.html


I bootstrapped a new pkgsrc installation with

$ LDFLAGS='-z aslr=enable -z nxstack=enable -z nxheap=enable'./bootstrap ...

which worked fine. I am even a little bit thrilled, that the LDFLAGSwere automagically added to mk.conf :) I was able to compile some morepackages, and all the binaries are correctly marked:


$ elfdump -d bin/bmake | grep ENABLE
     [30]  SUNW_ASLR       0x2       ENABLE
     [31]  SUNW_NXHEAP     0x2       ENABLE
     [32]  SUNW_NXSTACK    0x2       ENABLE

I was able to build lang/perl5, but the first Perl packagedevel/p5-gettext failed with

LD_RUN_PATH="/opt/pkg-hrz/20200526/lib" gcc -shared -m64-L/usr/lib/amd64 -Wl,-R/usr/lib/amd64 -Wl,-R/opt/pkg-hrz/20200526/lib-L/usr/gnu/lib gettext.o -z aslr=enable -z nxstack=enable -znxheap=enable -L/opt/pkg-hrz/20200526/lib-Wl,-R/opt/pkg-hrz/20200526/lib-Wl,-R/opt/pkg-hrz/20200526/lib/perl5/5.30.0/x86_64-solaris-thread-multi-64/CORE-L/usr/lib/amd64 -Wl,-R/usr/lib/amd64 -oblib/arch/auto/Locale/gettext/gettext.so -L/opt/pkg-hrz/20200526/lib-lintlld: fatal: option '-z aslr=enable' is only available when building adynamic object with an interpretorld: fatal: option '-z nxheap=enable' is only available when building adynamic object with an interpretorld: fatal: option '-z nxstack=enable' is only available when building adynamic object with an interpretor

collect2: error: ld returned 1 exit status

A few other shared libraries were built before as prerequisite (e.g.libiconv.so), which did not have this problem. Did pkgsrc's scriptsthrow away these flags and should do the same for the Perl package? Isthere anything else that could fix this? Obviously not per package, Iguess this will be a problem for all Perl packages with shared objects.

Is it feasible or desirable, to add a mechanism to pkgsrc to turn on andoff such flags on a global level, yet allow individual overrides? Iexpect there are packages, that won't work when stack or heap executionis not allowed.


--
Jörn Clausen
https://www.uni-bielefeld.de/bits

Follow-Ups:
- Re: Solaris security extensions
  - From: Sad Clouds

Prev by Date: Re: Problem building apcupsd
Next by Date: diff from 2020-05-24 20:18 to 2020-05-26 04:31
Previous by Thread: games/flightgear build failure
Next by Thread: Re: Solaris security extensions
Indexes:

Home | Main Index | Thread Index | Old Index