On 06/28/2013 12:05 PM, Mark Hatle wrote:
On 6/28/13 1:46 PM, Saul Wold wrote:
These flags add addition checks at compile, link and runtime to prevent
stack smashing, checking for buffer overflows, and link at program start
to prevent call spoofing later.
This needs to be explicitly enabled by adding the following line to your
local.conf:
require conf/distro/include/security_flags.inc
[YOCTO #3868]
Signed-off-by: Saul Wold <[email protected]>
---
meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 meta/conf/distro/include/security_flags.inc
diff --git a/meta/conf/distro/include/security_flags.inc
b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..dc231e2
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,21 @@
+SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
Where do the flags get introduced into the actual CFLAGS and LDFLAGS?
Would it make sense to add this to the existing BUILD_OPTIMIZATION
settings.. So they would always be available, and someone could just
flip a switch to enable it?
Opps, sorry forgot to send part 2!
Sau!
+
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
I know why you don't use them on -initial, but any reason to not enable
this on 'eglibc'? If it doesn't work, it would be good to enhance
eglibc's recipe to spit out a warning and sanitize the build like it
does for -O0.
--Mark
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+
+# These flags seem to
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all
-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
