Re: [OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
On 2/23/19 4:36 PM, Dave Taht wrote: > Hauke Mehrtens writes: > >> On 2/13/19 11:51 PM, Felix Fietkau wrote: >>> On 2019-02-13 23:15, Hauke Mehrtens wrote: This will build all executable as Position Independent Executables (PIE) by default. PIE executable can make full use of Address Space Layout Randomization (ASLR) because all sections can be placed at random offsets of the executed program. This makes it harder to exploit bugs in our binaries. This will increase the size of executable, libraries are already build position independent and their size will not change. This increases the size of the resulting images by about 3% on MIPS BE. I tested this with the default configuration for the lantiq xrx200 target. The size of the initramfs binaries increased by 2.88%: Without PIE: 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin With PIE: 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin With PIE activated the executable are getting bigger, here are some examples from the lantiq mips_24kc target: Without PIE: 112.309 /bin/opkg 299.061 /bin/busybox 456.549 /usr/sbin/wpad With PIE: 142.496 /bin/opkg (26.87% increase) 388.404 /bin/busybox(29.87% increase) 580.128 /usr/sbin/wpad (27.06% increase) With PIE activated the sections of the binaries are loaded to different offsets for each program instance like shown here: root@OpenWrt:/# cat /proc/self/maps 555c4000-55622000 r-xp 00:02 1030 /bin/busybox 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox 55633000-55634000 rwxp 00:00 0 77ee2000-77f04000 r-xp 00:02 331/lib/libgcc_s.so.1 77f04000-77f05000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 77f05000-77f06000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 77f06000-77f9a000 r-xp 00:02 329/lib/libc.so 77fa9000-77fab000 rwxp 00093000 00:02 329/lib/libc.so 77fab000-77fad000 rwxp 00:00 0 7fb26000-7fb47000 rw-p 00:00 0 [stack] 7fefb000-7fefc000 r-xp 00:00 0 7ff0a000-7ff0b000 r--p 00:00 0 [vvar] 7ff0b000-7ff0c000 r-xp 00:00 0 [vdso] root@OpenWrt:/# cat /proc/self/maps 5561d000-5567b000 r-xp 00:02 1030 /bin/busybox 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox 5568c000-5568d000 rwxp 00:00 0 77e8e000-77eb r-xp 00:02 331/lib/libgcc_s.so.1 77eb-77eb1000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 77eb1000-77eb2000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 77eb2000-77f46000 r-xp 00:02 329/lib/libc.so 77f55000-77f57000 rwxp 00093000 00:02 329/lib/libc.so 77f57000-77f59000 rwxp 00:00 0 7fd1c000-7fd3d000 rw-p 00:00 0 [stack] 7fefb000-7fefc000 r-xp 00:00 0 7ff6-7ff61000 r--p 00:00 0 [vvar] 7ff61000-7ff62000 r-xp 00:00 0 [vdso] root@OpenWrt:/# Signed-off-by: Hauke Mehrtens --- I would like to get some comments if we should activate PIE by default. The advantage is that it will be harder to exploit OpenWrt, but on the other hand the binaries are getting bigger. We could also restrict this to some CPU types, but as targets share the binaries it is not really possible to do this based on the target. I am not sure if this should go into the next release or wait for later. This could also break some packages, as it is possible to activate PIE by default for some time many bugs are already fixed, but probably not all of them. >>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE >>> mode where packages can opt-in individually? >> >> So we should probably make it a chose with 3 options: >> 1. No PIE >> 2. Use PIE for exposed binaries >> 3. Use PIE for all binaries > > I hate that we have to make choices like this for space reasons. Option > 2 will help but means attackers will try to go after something else. We could also make this depended n the architecture, I think device with ARM64 or x86 CPU normally also have much RAM and flash, while many MIPS based devices are constrained. > By exposed, you mean "on the network", I guess? Yes with exposed applications I meant exposed from the network like dnsmasq, dropbear and so on. >> Then we need something in addition to the existing PKG_ASLR_PIE we >> already have to deactivate it. >> >> Do we want a generic name like this: >> PKG_CRITICAL >> or something
Re: [OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
Hauke Mehrtens writes: > On 2/13/19 11:51 PM, Felix Fietkau wrote: >> On 2019-02-13 23:15, Hauke Mehrtens wrote: >>> This will build all executable as Position Independent Executables (PIE) >>> by default. PIE executable can make full use of Address Space Layout >>> Randomization (ASLR) because all sections can be placed at random >>> offsets of the executed program. This makes it harder to exploit bugs >>> in our binaries. >>> >>> This will increase the size of executable, libraries are already build >>> position independent and their size will not change. >>> >>> This increases the size of the resulting images by about 3% on MIPS BE. >>> I tested this with the default configuration for the lantiq xrx200 >>> target. >>> >>> The size of the initramfs binaries increased by 2.88%: >>> Without PIE: >>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >>> With PIE: >>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >>> >>> With PIE activated the executable are getting bigger, here are some >>> examples from the lantiq mips_24kc target: >>> >>> Without PIE: >>> 112.309 /bin/opkg >>> 299.061 /bin/busybox >>> 456.549 /usr/sbin/wpad >>> >>> With PIE: >>> 142.496 /bin/opkg (26.87% increase) >>> 388.404 /bin/busybox(29.87% increase) >>> 580.128 /usr/sbin/wpad (27.06% increase) >>> >>> With PIE activated the sections of the binaries are loaded to >>> different offsets for each program instance like shown here: >>> >>> root@OpenWrt:/# cat /proc/self/maps >>> 555c4000-55622000 r-xp 00:02 1030 /bin/busybox >>> 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox >>> 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox >>> 55633000-55634000 rwxp 00:00 0 >>> 77ee2000-77f04000 r-xp 00:02 331/lib/libgcc_s.so.1 >>> 77f04000-77f05000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 >>> 77f05000-77f06000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 >>> 77f06000-77f9a000 r-xp 00:02 329/lib/libc.so >>> 77fa9000-77fab000 rwxp 00093000 00:02 329/lib/libc.so >>> 77fab000-77fad000 rwxp 00:00 0 >>> 7fb26000-7fb47000 rw-p 00:00 0 [stack] >>> 7fefb000-7fefc000 r-xp 00:00 0 >>> 7ff0a000-7ff0b000 r--p 00:00 0 [vvar] >>> 7ff0b000-7ff0c000 r-xp 00:00 0 [vdso] >>> root@OpenWrt:/# cat /proc/self/maps >>> 5561d000-5567b000 r-xp 00:02 1030 /bin/busybox >>> 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox >>> 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox >>> 5568c000-5568d000 rwxp 00:00 0 >>> 77e8e000-77eb r-xp 00:02 331/lib/libgcc_s.so.1 >>> 77eb-77eb1000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 >>> 77eb1000-77eb2000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 >>> 77eb2000-77f46000 r-xp 00:02 329/lib/libc.so >>> 77f55000-77f57000 rwxp 00093000 00:02 329/lib/libc.so >>> 77f57000-77f59000 rwxp 00:00 0 >>> 7fd1c000-7fd3d000 rw-p 00:00 0 [stack] >>> 7fefb000-7fefc000 r-xp 00:00 0 >>> 7ff6-7ff61000 r--p 00:00 0 [vvar] >>> 7ff61000-7ff62000 r-xp 00:00 0 [vdso] >>> root@OpenWrt:/# >>> >>> Signed-off-by: Hauke Mehrtens >>> --- >>> >>> I would like to get some comments if we should activate PIE by default. >>> The advantage is that it will be harder to exploit OpenWrt, but on the >>> other hand the binaries are getting bigger. We could also restrict this >>> to some CPU types, but as targets share the binaries it is not really >>> possible to do this based on the target. >>> >>> I am not sure if this should go into the next release or wait for later. >>> >>> This could also break some packages, as it is possible to activate PIE >>> by default for some time many bugs are already fixed, but probably not >>> all of them. >> I think this is a lot of extra bloat. Maybe we can add a restricted PIE >> mode where packages can opt-in individually? > > So we should probably make it a chose with 3 options: > 1. No PIE > 2. Use PIE for exposed binaries > 3. Use PIE for all binaries I hate that we have to make choices like this for space reasons. Option 2 will help but means attackers will try to go after something else. By exposed, you mean "on the network", I guess? > > Then we need something in addition to the existing PKG_ASLR_PIE we > already have to deactivate it. > > Do we want a generic name like this: > PKG_CRITICAL > or something specific to PIE: > PKG_ASLR_PIE_PREFERED > > Hauke > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
On 2/13/19 11:51 PM, Felix Fietkau wrote: > On 2019-02-13 23:15, Hauke Mehrtens wrote: >> This will build all executable as Position Independent Executables (PIE) >> by default. PIE executable can make full use of Address Space Layout >> Randomization (ASLR) because all sections can be placed at random >> offsets of the executed program. This makes it harder to exploit bugs >> in our binaries. >> >> This will increase the size of executable, libraries are already build >> position independent and their size will not change. >> >> This increases the size of the resulting images by about 3% on MIPS BE. >> I tested this with the default configuration for the lantiq xrx200 >> target. >> >> The size of the initramfs binaries increased by 2.88%: >> Without PIE: >> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >> With PIE: >> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >> >> With PIE activated the executable are getting bigger, here are some >> examples from the lantiq mips_24kc target: >> >> Without PIE: >> 112.309 /bin/opkg >> 299.061 /bin/busybox >> 456.549 /usr/sbin/wpad >> >> With PIE: >> 142.496 /bin/opkg (26.87% increase) >> 388.404 /bin/busybox(29.87% increase) >> 580.128 /usr/sbin/wpad (27.06% increase) >> >> With PIE activated the sections of the binaries are loaded to >> different offsets for each program instance like shown here: >> >> root@OpenWrt:/# cat /proc/self/maps >> 555c4000-55622000 r-xp 00:02 1030 /bin/busybox >> 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox >> 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox >> 55633000-55634000 rwxp 00:00 0 >> 77ee2000-77f04000 r-xp 00:02 331/lib/libgcc_s.so.1 >> 77f04000-77f05000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 >> 77f05000-77f06000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 >> 77f06000-77f9a000 r-xp 00:02 329/lib/libc.so >> 77fa9000-77fab000 rwxp 00093000 00:02 329/lib/libc.so >> 77fab000-77fad000 rwxp 00:00 0 >> 7fb26000-7fb47000 rw-p 00:00 0 [stack] >> 7fefb000-7fefc000 r-xp 00:00 0 >> 7ff0a000-7ff0b000 r--p 00:00 0 [vvar] >> 7ff0b000-7ff0c000 r-xp 00:00 0 [vdso] >> root@OpenWrt:/# cat /proc/self/maps >> 5561d000-5567b000 r-xp 00:02 1030 /bin/busybox >> 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox >> 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox >> 5568c000-5568d000 rwxp 00:00 0 >> 77e8e000-77eb r-xp 00:02 331/lib/libgcc_s.so.1 >> 77eb-77eb1000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 >> 77eb1000-77eb2000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 >> 77eb2000-77f46000 r-xp 00:02 329/lib/libc.so >> 77f55000-77f57000 rwxp 00093000 00:02 329/lib/libc.so >> 77f57000-77f59000 rwxp 00:00 0 >> 7fd1c000-7fd3d000 rw-p 00:00 0 [stack] >> 7fefb000-7fefc000 r-xp 00:00 0 >> 7ff6-7ff61000 r--p 00:00 0 [vvar] >> 7ff61000-7ff62000 r-xp 00:00 0 [vdso] >> root@OpenWrt:/# >> >> Signed-off-by: Hauke Mehrtens >> --- >> >> I would like to get some comments if we should activate PIE by default. >> The advantage is that it will be harder to exploit OpenWrt, but on the >> other hand the binaries are getting bigger. We could also restrict this >> to some CPU types, but as targets share the binaries it is not really >> possible to do this based on the target. >> >> I am not sure if this should go into the next release or wait for later. >> >> This could also break some packages, as it is possible to activate PIE >> by default for some time many bugs are already fixed, but probably not >> all of them. > I think this is a lot of extra bloat. Maybe we can add a restricted PIE > mode where packages can opt-in individually? So we should probably make it a chose with 3 options: 1. No PIE 2. Use PIE for exposed binaries 3. Use PIE for all binaries Then we need something in addition to the existing PKG_ASLR_PIE we already have to deactivate it. Do we want a generic name like this: PKG_CRITICAL or something specific to PIE: PKG_ASLR_PIE_PREFERED Hauke ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
Hi, PIE adds overhead (it can be quite a bit) both to binary size and performance during execution. There are usually discussions about kilobytes and this is well beyond that and space is still quite precious on 8/16Mbyte flash devices. Most target platforms are "slow" and have limited space to begin with, ASLR and PIE won't help. https://nebelwelt.net/publications/files/12TRpie.pdf Far from all supported platforms have NX-bit or equvalent which makes it as I understand it less effective? https://www.vusec.net/projects/anc/ Effectiveness using vanilla Linux kernel seems to be questionable? https://wiki.archlinux.org/index.php/security#Userspace_ASLR_comparison https://en.wikipedia.org/wiki/Grsecurity#PaX Interesting discussion about ASLR PIE in general here: http://lists.dragonflybsd.org/pipermail/users/2017-April/335158.html Debian seems to cherrypick applications https://wiki.debian.org/Hardening Perhaps the best solution wout be to provide two images, one with ASLR and one without? Best regards, Daniel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
On 2019-02-13 23:15, Hauke Mehrtens wrote: > This will build all executable as Position Independent Executables (PIE) > by default. PIE executable can make full use of Address Space Layout > Randomization (ASLR) because all sections can be placed at random > offsets of the executed program. This makes it harder to exploit bugs > in our binaries. > > This will increase the size of executable, libraries are already build > position independent and their size will not change. > > This increases the size of the resulting images by about 3% on MIPS BE. > I tested this with the default configuration for the lantiq xrx200 > target. > > The size of the initramfs binaries increased by 2.88%: > Without PIE: > 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin > With PIE: > 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin > > With PIE activated the executable are getting bigger, here are some > examples from the lantiq mips_24kc target: > > Without PIE: > 112.309 /bin/opkg > 299.061 /bin/busybox > 456.549 /usr/sbin/wpad > > With PIE: > 142.496 /bin/opkg (26.87% increase) > 388.404 /bin/busybox(29.87% increase) > 580.128 /usr/sbin/wpad (27.06% increase) > > With PIE activated the sections of the binaries are loaded to > different offsets for each program instance like shown here: > > root@OpenWrt:/# cat /proc/self/maps > 555c4000-55622000 r-xp 00:02 1030 /bin/busybox > 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox > 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox > 55633000-55634000 rwxp 00:00 0 > 77ee2000-77f04000 r-xp 00:02 331/lib/libgcc_s.so.1 > 77f04000-77f05000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 > 77f05000-77f06000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 > 77f06000-77f9a000 r-xp 00:02 329/lib/libc.so > 77fa9000-77fab000 rwxp 00093000 00:02 329/lib/libc.so > 77fab000-77fad000 rwxp 00:00 0 > 7fb26000-7fb47000 rw-p 00:00 0 [stack] > 7fefb000-7fefc000 r-xp 00:00 0 > 7ff0a000-7ff0b000 r--p 00:00 0 [vvar] > 7ff0b000-7ff0c000 r-xp 00:00 0 [vdso] > root@OpenWrt:/# cat /proc/self/maps > 5561d000-5567b000 r-xp 00:02 1030 /bin/busybox > 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox > 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox > 5568c000-5568d000 rwxp 00:00 0 > 77e8e000-77eb r-xp 00:02 331/lib/libgcc_s.so.1 > 77eb-77eb1000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 > 77eb1000-77eb2000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 > 77eb2000-77f46000 r-xp 00:02 329/lib/libc.so > 77f55000-77f57000 rwxp 00093000 00:02 329/lib/libc.so > 77f57000-77f59000 rwxp 00:00 0 > 7fd1c000-7fd3d000 rw-p 00:00 0 [stack] > 7fefb000-7fefc000 r-xp 00:00 0 > 7ff6-7ff61000 r--p 00:00 0 [vvar] > 7ff61000-7ff62000 r-xp 00:00 0 [vdso] > root@OpenWrt:/# > > Signed-off-by: Hauke Mehrtens > --- > > I would like to get some comments if we should activate PIE by default. > The advantage is that it will be harder to exploit OpenWrt, but on the > other hand the binaries are getting bigger. We could also restrict this > to some CPU types, but as targets share the binaries it is not really > possible to do this based on the target. > > I am not sure if this should go into the next release or wait for later. > > This could also break some packages, as it is possible to activate PIE > by default for some time many bugs are already fixed, but probably not > all of them. I think this is a lot of extra bloat. Maybe we can add a restricted PIE mode where packages can opt-in individually? - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
This will build all executable as Position Independent Executables (PIE) by default. PIE executable can make full use of Address Space Layout Randomization (ASLR) because all sections can be placed at random offsets of the executed program. This makes it harder to exploit bugs in our binaries. This will increase the size of executable, libraries are already build position independent and their size will not change. This increases the size of the resulting images by about 3% on MIPS BE. I tested this with the default configuration for the lantiq xrx200 target. The size of the initramfs binaries increased by 2.88%: Without PIE: 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin With PIE: 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin With PIE activated the executable are getting bigger, here are some examples from the lantiq mips_24kc target: Without PIE: 112.309 /bin/opkg 299.061 /bin/busybox 456.549 /usr/sbin/wpad With PIE: 142.496 /bin/opkg (26.87% increase) 388.404 /bin/busybox(29.87% increase) 580.128 /usr/sbin/wpad (27.06% increase) With PIE activated the sections of the binaries are loaded to different offsets for each program instance like shown here: root@OpenWrt:/# cat /proc/self/maps 555c4000-55622000 r-xp 00:02 1030 /bin/busybox 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox 55633000-55634000 rwxp 00:00 0 77ee2000-77f04000 r-xp 00:02 331/lib/libgcc_s.so.1 77f04000-77f05000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 77f05000-77f06000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 77f06000-77f9a000 r-xp 00:02 329/lib/libc.so 77fa9000-77fab000 rwxp 00093000 00:02 329/lib/libc.so 77fab000-77fad000 rwxp 00:00 0 7fb26000-7fb47000 rw-p 00:00 0 [stack] 7fefb000-7fefc000 r-xp 00:00 0 7ff0a000-7ff0b000 r--p 00:00 0 [vvar] 7ff0b000-7ff0c000 r-xp 00:00 0 [vdso] root@OpenWrt:/# cat /proc/self/maps 5561d000-5567b000 r-xp 00:02 1030 /bin/busybox 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox 5568c000-5568d000 rwxp 00:00 0 77e8e000-77eb r-xp 00:02 331/lib/libgcc_s.so.1 77eb-77eb1000 r-xp 00012000 00:02 331/lib/libgcc_s.so.1 77eb1000-77eb2000 rwxp 00013000 00:02 331/lib/libgcc_s.so.1 77eb2000-77f46000 r-xp 00:02 329/lib/libc.so 77f55000-77f57000 rwxp 00093000 00:02 329/lib/libc.so 77f57000-77f59000 rwxp 00:00 0 7fd1c000-7fd3d000 rw-p 00:00 0 [stack] 7fefb000-7fefc000 r-xp 00:00 0 7ff6-7ff61000 r--p 00:00 0 [vvar] 7ff61000-7ff62000 r-xp 00:00 0 [vdso] root@OpenWrt:/# Signed-off-by: Hauke Mehrtens --- I would like to get some comments if we should activate PIE by default. The advantage is that it will be harder to exploit OpenWrt, but on the other hand the binaries are getting bigger. We could also restrict this to some CPU types, but as targets share the binaries it is not really possible to do this based on the target. I am not sure if this should go into the next release or wait for later. This could also break some packages, as it is possible to activate PIE by default for some time many bugs are already fixed, but probably not all of them. config/Config-build.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/Config-build.in b/config/Config-build.in index 6d749476db..2d8a9db74c 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -196,7 +196,7 @@ menu "Global build settings" bool prompt "User space ASLR PIE compilation" select BUSYBOX_DEFAULT_PIE - default n + default y help Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. This enables package build as Position Independent Executables (PIE) -- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel