These flags add additional checks at compile time, link time and runtime to prevent stack smashing, check for buffer overflows, and link at program start to prevent call spoofing later.
This needs to be explicitly enabled by adding the following line to your local.conf: require conf/distro/include/security_flags.inc [YOCTO #3868] Signed-off-by: Saul Wold <[email protected]>
---
meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 meta/conf/distro/include/security_flags.inc
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..dc231e2
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,21 @@
+SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
+
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+# These flags seem to
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
-- 1.8.1.4 _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
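Review bot: Nothing in this new file appends `SECURITY_CFLAGS` or `SECURITY_LDFLAGS` to the variables the compiler and linker actually read, so unless another patch consumes them, requiring the file from local.conf leaves every binary built without the hardening it is meant to add. The file should wire them in itself, for example `TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"` and `TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"`. The comment `# These flags seem to` above the pulseaudio and ltp overrides is cut off mid-sentence, and none of the per-recipe overrides says which flag broke the build. A one-line reason per group (for instance that `-pie -fpie` is dropped, or for curl that `_FORTIFY_SOURCE` is dropped) would let a later reviewer tell when an exemption can be removed. The empty eglibc and eglibc-initial overrides disable all of the flags and deserve the same explanation.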
