Ok, I will close both of them when this is fixed. regards, Anders Widell
2013-12-10 15:57, Hans Nordebäck wrote: > a ticket for this already exists > http://sourceforge.net/p/opensaf/tickets/320/ /BR HansN > > -----Original Message----- > From: Anders Widell [mailto:anders.wid...@ericsson.com] > Sent: 9 December 2013 12:45 > To: mathi.naic...@oracle.com > Cc: opensaf-devel@lists.sourceforge.net > Subject: [devel] [PATCH 1 of 1] build: Add extra GCC hardening compilation > flags [#650] > > 00-README.conf | 2 +- > Makefile.common | 4 ++-- > README | 16 ++++++++++++---- > configure.ac | 18 ++++++++++++++++++ > tools/cluster_sim_uml/README | 2 +- > 5 files changed, 34 insertions(+), 8 deletions(-) > > > By default, build with the extra hardening flags "-D_FORTIFY_SOURCE=2 > -fstack-protector" for improved security and enhanced run-time error > detection. The flags can be overridden by setting the environment variable > OSAF_HARDEN_FLAGS when building OpenSAF. > > Note that -D_FORTIFY_SOURCE=2 is only enabled in optimized builds. To reduce > the risk that a user accidentally builds without optimization by overriding > the default CFLAGS and/or CXXFLAGS, the README files have been updated to > recommend passing preprocessor definitions using CPPFLAGS instead of CFLAGS. > > diff --git a/00-README.conf b/00-README.conf > --- a/00-README.conf > +++ b/00-README.conf > @@ -85,7 +85,7 @@ file does not have to be changed unless: > - OpenSAF should run as a different UNIX group and user than the default > 'opensaf' > group/user. > > - If OpenSAF was built with the flags "CFLAGS=-DRUNASROOT", then > + If OpenSAF was built with the flags "CPPFLAGS=-DRUNASROOT", then > change OPENSAF_GROUP and OPENSAF_USER to root i.e. for old (<4.2) > behaviour. > > For any other user, change OPENSAF_GROUP and OPENSAF_USER accordingly > diff --git a/Makefile.common b/Makefile.common > --- a/Makefile.common > +++ b/Makefile.common
> @@ -12,8 +12,8 @@ AM_CPPFLAGS = \ > $(CORE_INCLUDES) \ > $(all_includes) > > -AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -AM_CXXFLAGS = -Wall > -fno-strict-aliasing -Werror -fPIC -D__STDC_FORMAT_MACROS > +AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC > +@OSAF_HARDEN_FLAGS@ AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror > +-fPIC -D__STDC_FORMAT_MACROS @OSAF_HARDEN_FLAGS@ > AM_LDFLAGS = -ldl -lrt -lpthread > > # > diff --git a/README b/README > --- a/README > +++ b/README > @@ -293,7 +293,7 @@ 1.1.1, 1.1.2 etc. > To re-enable the old (pre 4.3) non flat addressing, configure the constant > MDS_USE_SUBSLOT_ID=1 at configure time as in: > > - % ./configure CFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..." > + % ./configure CPPFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..." > > In the non flat scheme, the slot ID is shifted up 4 bits and subslot ID is > added in the 4 LSB. The consequence of this is reduced number of @@ -308,7 > +308,7 @@ 2) Run as root (optional) If the old (<4.2) behaviour of running > all processes as root is desired, use the following configure command: > > - % ./configure CFLAGS=-DRUNASROOT > + % ./configure CPPFLAGS=-DRUNASROOT > > > 3) Configure TIPC importance (optional) 
@@ -317,13 +317,21 @@ The default > TIPC importance is LOW for a In some cases the default importance must be > changed if e.g. an application starves the LOW importance communication level. > To change the default importance, use the following configure command > > - % ./configure CFLAGS=-DTIPCIMPORTANCE=level > + % ./configure CPPFLAGS=-DTIPCIMPORTANCE=level > where level is any of TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE or > TIPC_HIGH_IMPORTANCE > - e.g. configure CFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE > + e.g. configure CPPFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE > > Note: Giving same importance to AVND & all other Opensaf models is not > preferred option. The behavior is unsupported. > > > +4) Configure GCC hardening options (optional) > + > +By default, the options "-fstack-protector -D_FORTIFY_SOURCE=2" are > +passed to GCC for improved security. You can override these options by > +setting the OSAF_HARDEN_FLAGS when configuring OpenSAF. For example: > + > + % ./configure OSAF_HARDEN_FLAGS="-fstack-protector-all > -D_FORTIFY_SOURCE=2" > + > If you are using a released archive (dist tarball) follow the simple common > steps: > > diff --git a/configure.ac b/configure.ac > --- a/configure.ac > +++ b/configure.ac 
> @@ -545,6 +545,22 @@ if test "$enable_imm_pbe" = yes; then > PKG_CHECK_MODULES([SQLITE3], [sqlite3]) fi > > +if test -z "$OSAF_HARDEN_FLAGS"; then > + # _FORTIFY_SOURCE requires optimization, so only enable it in optimized > + # builds, i.e. when -O is present in both CFLAGS and CXXFLAGS. > + if echo "${CFLAGS}" | grep -q -- -O; then > + if echo "${CXXFLAGS}" | grep -q -- -O; then > + OSAF_HARDEN_FLAGS="-D_FORTIFY_SOURCE=2" > + fi > + fi > + # Also check for -O0 (which explicitly disables optimisation) > + if echo "${CFLAGS} ${CXXFLAGS}" | grep -q -- -O0; then > + OSAF_HARDEN_FLAGS="" > + fi > + OSAF_HARDEN_FLAGS="${OSAF_HARDEN_FLAGS} -fstack-protector" > +fi > +AC_SUBST(OSAF_HARDEN_FLAGS) > + > ############################################# > # Checks for header files. > ############################################# > @@ -925,8 +941,10 @@ echo "" > echo " Compiling Options:" > echo "${ECHO_T} C Compiler: ${CC}" > echo "${ECHO_T} C++ Compiler: ${CXX}" > +echo "${ECHO_T} CPPFLAGS: ${CPPFLAGS} ${AM_CPPFLAGS}" > echo "${ECHO_T} CFLAGS: ${CFLAGS} ${AM_CFLAGS}" > echo "${ECHO_T} CXXFLAGS: ${CXXFLAGS} ${AM_CXXFLAGS}" > +echo "${ECHO_T} OSAF_HARDEN_FLAGS: ${OSAF_HARDEN_FLAGS}" > echo "${ECHO_T} LDFLAGS: ${LDFLAGS}" > echo "${ECHO_T} Enable RPATH: ${enable_rpath}" > > diff --git a/tools/cluster_sim_uml/README b/tools/cluster_sim_uml/README > --- a/tools/cluster_sim_uml/README > +++ b/tools/cluster_sim_uml/README 
> @@ -77,7 +77,7 @@ When the UML root file system is generat DESTDIR set to > the UML root file system. Make sure you have a default configured Opensaf > like this: > > -$ ./configure CFLAGS=-DRUNASROOT > +$ ./configure CPPFLAGS=-DRUNASROOT > > - Execute './build_uml'. > > > _______________________________________________ > Opensaf-devel mailing list > Opensaf-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/opensaf-devel
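
Review bot: In the Makefile.common hunk (@@ -12,8 +12,8 @@), appending @OSAF_HARDEN_FLAGS@ to AM_CFLAGS and AM_CXXFLAGS places the preprocessor definition -D_FORTIFY_SOURCE=2 among the compiler flags, while the README changes in this same patch tell users to pass definitions through CPPFLAGS. Consider splitting the default so that the define goes into AM_CPPFLAGS and only -fstack-protector stays in AM_CFLAGS and AM_CXXFLAGS, or state in the commit message why a single variable is preferred. Both lines also carry -Werror, so it is worth confirming that a user who passes their own -D_FORTIFY_SOURCE value through CPPFLAGS does not end up with a macro-redefinition diagnostic that fails the build.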
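
Review bot: The new README section "4) Configure GCC hardening options" (hunk @@ -317,13 +317,21 @@) says that "-fstack-protector -D_FORTIFY_SOURCE=2" are passed by default, but the configure.ac change in this patch only adds -D_FORTIFY_SOURCE=2 when -O is present in both CFLAGS and CXXFLAGS and -O0 is absent. The section should say that, as the commit message already does, so that a reader who overrides CFLAGS knows the define may be dropped. The phrase "setting the OSAF_HARDEN_FLAGS" is missing its noun (the commit message calls it an environment variable), and it would help to state that the value given replaces the defaults rather than adding to them.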
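
Review bot: In the configure.ac hunk at @@ -545,6 +545,22 @@, the guard `test -z "$OSAF_HARDEN_FLAGS"` treats an explicitly empty value the same as an unset variable, so `./configure OSAF_HARDEN_FLAGS=""` still receives the default flags and an empty value cannot be used to build without them. Testing whether the variable is set, for example with `"${OSAF_HARDEN_FLAGS+set}"`, would apply the default only in the unset case. The two `grep -q -- -O` checks also match the substring "-O" anywhere in the flags rather than a whole optimization option, so matching on a whole word would make the detection more predictable. Finally, the comment could mention that the result is -fstack-protector alone when either CFLAGS or CXXFLAGS lacks -O, since that outcome is easy to miss when reading the nested tests.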