Hauke Mehrtens <[email protected]> [2020-01-07 23:21:19]:

Hi,

thanks for your work.

> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers

just wondering if there is any particular reason for leaving odhcp6c and odhcpd out, as these are network exposed services and running in the default install. Thinking about it now, we should probably consider ubus, procd, rpcd and cgi-io (perhaps missed something) which might possibly process malicious inputs as well.

BTW I'm wondering how does this work with the shared libraries, like musl libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well in order to get `TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

> I would like to apply these patches to master?

I don't know if you've something newer in your tree, just looked at your aslr branch in your staging tree:

  + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)

Nice that you've enabled this for !SMALL_FLASH devices. BTW what is the reason for !SDK? That way binary/library.

> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.

I don't have any objections, I welcome this additional hardening. Which branch can I use for runtime testing? I plan to test it and give you my Acked-by.

-- ynezz

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
