On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <[email protected]> wrote:
>
> The `-fstack-protector-***' should be passed to gcc rather than linker,
> since `4ca946c security_flags: use -fstack-protector-strong', it was
> added to LDFLAGS, although there is no extra build failure introduced,
> but it is still unnecessary.(-Wl,** is for linker)
>
There are cases where CFLAGS is not combined into LDFLAGS by package component builds, which creates the disjoint. If we remove this here then that will start to show up. Remember, we do not configure toolchains to provide the hardening flags by default as yet, so we have to be explicit. Do you see issues with current settings?

> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>
> Signed-off-by: Hongxu Jia <[email protected]>
> --- > meta/conf/distro/include/security_flags.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/conf/distro/include/security_flags.inc > b/meta/conf/distro/include/security_flags.inc > index 620978a..362b1db 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" > SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} > ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} > ${SECURITY_STRINGFORMAT}" > > -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" > -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" > +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" > +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" > > # powerpc does not get on with pie for reasons not looked into as yet > GCCPIE_powerpc = "" > -- > 2.7.4 >
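
Review bot: the commit message does not account for component builds that pick up LDFLAGS but not CFLAGS. With the two changed assignments in the @@ -26,8 +26,8 @@ hunk, such builds would no longer see ${SECURITY_STACK_PROTECTOR} at all, and because the message itself notes that no build failure is involved, nothing would flag the lost hardening. The values that remain use the -Wl, prefix, so both variables are evidently handed to the compiler driver rather than to the linker directly, which means the old value was accepted there and was redundant at worst. Either keep ${SECURITY_STACK_PROTECTOR} in SECURITY_LDFLAGS and SECURITY_X_LDFLAGS, or state in the commit message how the affected recipes were checked to still be built with the protector. The message should also mention that SECURITY_X_LDFLAGS is changed, since it only talks about LDFLAGS in general.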
