PR#7: Harden binaries to pass annocheck - dotnet-sig/dotnet-3-0

dotnet-sig / dotnet-3-0

#7 Harden binaries to pass annocheck

Merged 4 years ago by omajid. Opened 4 years ago by omajid.

dotnet-sig/ omajid/dotnet-3-0 master into master

Fix coreclr to build on Fedora 32

Omair Majid • 4 years ago

df27114

Harden built binaries to pass annocheck

Omair Majid • 4 years ago

b642048

core-setup-hardening-flags.patch

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ diff --git a/src/settings.cmake b/src/settings.cmake`
		`+ --- a/src/settings.cmake`
		`+ +++ b/src/settings.cmake`
		`+ @@ -218,6 +218,7 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")`
		`+ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Xlinker -Bsymbolic -Bsymbolic-functions")`
		`+ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1")`
		`+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1")`
		`+ + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")`
		`+ add_compile_options(-fstack-protector-strong)`
		`+ elseif(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")`
		`+ add_compile_options(-fstack-protector)`

coreclr-27048-sysctl-deprecation.patch

file added

+42

		`@@ -0,0 +1,42 @@`
		`+ From 3dd725eca0079e2b49821dfeb0ec1cb166cc7414 Mon Sep 17 00:00:00 2001`
		`+ From: Omair Majid <omajid@redhat.com>`
		`+ Date: Fri, 4 Oct 2019 19:29:53 -0400`
		`+ Subject: [PATCH] Handle glibc sys/sysctl.h deprecation`
		`+`
		`+ glibc has deprecated sys/sysctl.h:`
		`+`
		`+ In file included from /coreclr/src/pal/src/misc/sysinfo.cpp:32:`
		`+ /usr/include/sys/sysctl.h:21:2: error: "The <sys/sysctl.h> header is deprecated and will be removed." [-Werror,-W#warnings]`
		`+ #warning "The <sys/sysctl.h> header is deprecated and will be removed."`
		`+ ^`
		`+ 1 error generated.`
		`+`
		`+ Fix that by preferring sysconf and only including sys/sysctl.h if`
		`+ HAVE_SYSCONF is not true. This mirrors the order of the implementation`
		`+ code in this file (sysinfo.cpp) which checks for HAVE_SYSCONF`
		`+ before HAVE_SYSCTL.`
		`+`
		`+ Fixes #27008`
		`+ ---`
		`+ src/pal/src/misc/sysinfo.cpp \| 7 +++++--`
		`+ 1 file changed, 5 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/src/pal/src/misc/sysinfo.cpp b/src/pal/src/misc/sysinfo.cpp`
		`+ index e1c949e38d53..50ccf3a75e16 100644`
		`+ --- a/src/pal/src/misc/sysinfo.cpp`
		`+ +++ b/src/pal/src/misc/sysinfo.cpp`
		`+ @@ -28,9 +28,12 @@ Revision History:`
		`+ #include <errno.h>`
		`+ #include <unistd.h>`
		`+ #include <sys/types.h>`
		`+ -#if HAVE_SYSCTL`
		`+ +`
		`+ +#if HAVE_SYSCONF`
		`+ +// <unistd.h> already included above`
		`+ +#elif HAVE_SYSCTL`
		`+ #include <sys/sysctl.h>`
		`+ -#elif !HAVE_SYSCONF`
		`+ +#else`
		`+ #error Either sysctl or sysconf is required for GetSystemInfo.`
		`+ #endif`
		`+`

coreclr-hardening-flags.patch

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ diff --git a/src/debug/createdump/CMakeLists.txt b/src/debug/createdump/CMakeLists.txt`
		`+ --- a/src/debug/createdump/CMakeLists.txt`
		`+ +++ b/src/debug/createdump/CMakeLists.txt`
		`+ @@ -21,6 +21,7 @@ include_directories(BEFORE ${VM_DIR})`
		`+ add_definitions(-DPAL_STDCPP_COMPAT)`
		`+`
		`+ add_compile_options(-fPIE)`
		`+ +add_link_options(-pie)`
		`+`
		`+ set(CREATEDUMP_SOURCES`
		`+ createdump.cpp`

dotnet3.0.spec

file modified

+14 -1

		`@@ -52,7 +52,7 @@`

		`Name: dotnet3.0`
		`Version: %{sdk_rpm_version}`
		`- Release: 2%{?dist}`
		`+ Release: 4%{?dist}`
		`Summary: .NET Core CLI tools and runtime`
		`License: MIT and ASL 2.0 and BSD`
		`URL: https://github.com/dotnet/`
		`@@ -65,7 +65,11 @@`

		`Patch100: corefx-optflags-support.patch`

		`+ Patch200: coreclr-27048-sysctl-deprecation.patch`
		`+ Patch201: coreclr-hardening-flags.patch`
		`+`
		`Patch300: core-setup-do-not-strip.patch`
		`+ Patch301: core-setup-hardening-flags.patch`

		`Patch500: cli-telemetry-optout.patch`

		`@@ -301,10 +305,13 @@`
		`popd`

		`pushd src/coreclr.*`
		`+ %patch200 -p1`
		`+ %patch201 -p1`
		`popd`

		`pushd src/core-setup.*`
		`%patch300 -p1`
		`+ %patch301 -p1`
		`popd`

		`pushd src/cli.*`
		`@@ -431,6 +438,12 @@`
		`%dir %{_libdir}/dotnet/packs`

		`%changelog`
		`+ * Wed Oct 16 2019 Omair Majid <omajid@redhat.com> - 3.0.100-4`
		`+ - Include fix from coreclr for building on Fedora 32`
		`+`
		`+ * Wed Oct 16 2019 Omair Majid <omajid@redhat.com> - 3.0.100-3`
		`+ - Harden built binaries to pass annocheck`
		`+`
		`* Fri Oct 11 2019 Omair Majid <omajid@redhat.com> - 3.0.100-2`
		`- Export DOTNET_ROOT in profile to make apphost lookup work`

omajid commented 4 years ago

After building and installing all the built packages (including -debuginfo and -debugsources), annocheck -v reports no FAILs or MAYBs on my system.

This doesn't mean that .NET Core has been completely hardened. annocheck can only partially check binaries produced by non-gcc compilers. It requires code to have been compiled by gcc to be able to accurately verify binaries. Additionally, clang lacks several hardening flags.

For more information about annocheck, see: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files/

There is also some support for building on Fedora 32, but it's currently blocked by corefx RID issues being discussed upstream.

Build: https://copr.fedorainfracloud.org/coprs/g/dotnet-sig/dotnet/build/1062244/