build hardening for TBB

I was looking at the latest 64-bit stable TBB and ran scanelf on it:

~/tor-browser_en-US % find .| xargs -n 1 scanelf -a -v
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4 
ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0 
ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia 
ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 

The output is explained on the pax-utils documentation website.

A few things come to mind - one is that all our binaries should be set to BIND 'NOW' at run time. There are likely other things we could/should improve about these builds.
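
An added example, not part of the original ticket or of pax-utils: a small filter that reads `scanelf -a` rows in the column layout shown above and reports, once per file, the hardening gaps visible in them (lazy binding, no RELRO segment, executable stack, TEXTREL, an embedded RPATH, non-PIE executable). The function name, the finding labels and the `hardened-example.so` row are constructed for illustration; the other sample rows are copied from the output above.

```shell
#!/bin/sh
# Assumed field layout, taken from the header on the page (STK/REL/PTL is 3 fields):
#   $1 TYPE  $2 PAX  $3 PERM  $4 ENDIAN  $5 STK  $6 REL  $7 PTL
#   $8 TEXTREL  $9 RPATH  $10 BIND  $11 FILE
# Paths containing whitespace are not handled.

audit_scanelf() {
    # stdin: scanelf -a rows; stdout: "<file>: finding,finding" per unique file.
    awk '
        $1 !~ /^ET_/ || NF < 11 { next }   # skip header and malformed rows
        seen[$11]++             { next }   # the same file may be listed twice
        {
            f = ""
            if ($10 != "NOW")    f = f ",lazy-bind"     # not bound at load time
            if ($6 !~ /^R/)      f = f ",no-relro"      # no PT_GNU_RELRO segment
            if ($5 ~ /X/)        f = f ",exec-stack"    # PT_GNU_STACK executable
            if ($8 != "-")       f = f ",textrel"       # relocations in text
            if ($9 != "-")       f = f ",rpath=" $9     # embedded library path
            if ($1 == "ET_EXEC") f = f ",not-pie"       # fixed-address executable
            if (f != "") print $11 ": " substr(f, 2)
        }'
}

sample_rows() {
    # Rows 1-4 copied from the ticket; the last row is constructed to show a
    # binary that produces no findings.
    cat <<'EOF'
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0 
ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 
ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 
ET_DYN PeMRxS 0755 LE RW- R-- RW-    -      -   NOW ./Lib/hardened-example.so 
EOF
}

sample_rows | audit_scanelf
```

On a real tree, pipe `scanelf -a -R .` into `audit_scanelf`. The `lazy-bind` and `no-relro` findings are normally cleared by linking with `-Wl,-z,relro,-z,now`.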