On 14-08-25 12:06:16, [email protected] wrote:
> Hi,
>
> I have been playing with uClibc on some embedded Linux systems, and trying
> out some hardening techniques.
>
> When I tested the .so files built by uClibc (using the checksec.sh tool from
> http://www.trapkit.de/tools/checksec.html, which is basically a wrapper
> around readelf), the files do not exhibit the GNU_STACK flag.
>
> What I would like to do is actually build with the linker option
> '-Wl,-z,noexecstack' as per
> http://www.win.tue.nl/~aeb/linux/hh/protection.html or
> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart (for just two
> examples). I eventually managed to do this by using and patching Config.in
> (0.9.33.2) to recognise UCLIBC_LDFLAGS_EXTRA, after which the .so files had
> the relevant flag. (I can post that patch to enable UCLIBC_LDFLAGS_EXTRA
> separately.)
>
> One thing I noticed is that uClibc has a Config setting
> UCLIBC_BUILD_NOEXECSTACK but all this seems to do is pass the relevant flag
> to the assembler and not to the linker. The Gentoo hardening guide applies
> the flag to both assembler and linker stages.
>
> According to Config.in help: "Mark all assembler files as noexecstack. This
> will result in marking all libraries and executables built against uClibc
> not requiring executable stack."
>
> I guess the gap in my knowledge is how uClibc, by only applying to assembler
> files, meets "marking all libraries and executables" when the GNU_STACK flag
> is missing from the ELF images? Note it has been a very long time since I
It won't. Can you patch the UCLIBC_BUILD_NOEXECSTACK code to pass the linker option as well?

_______________________________________________
uClibc mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/uclibc
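As an added example (not code from this thread or from uClibc): a small Python parser for the ELF64 program-header table that reports what checksec.sh reads through readelf, namely whether a PT_GNU_STACK entry exists and whether its flags include PF_X. The three ELF images are constructed inline to mirror the cases in the thread (no GNU_STACK header at all, an executable stack, and the -z noexecstack result); the function names and the little-endian ELF64 restriction are my assumptions.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551  # header the linker emits for -z execstack / -z noexecstack
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_status(elf: bytes) -> str:
    """Return 'missing', 'executable' or 'non-executable' for an ELF64 LE image.

    This is the GNU_STACK check checksec.sh performs through readelf -l.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("example (assumption) handles ELF64 little-endian only")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]        # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    # No PT_GNU_STACK at all: the loader applies its default, which on
    # classic x86 has historically been an executable stack, so "no flag" is not a safe state.
    return "missing"


def build_elf64(phdrs):
    """Constructed minimal ELF64 (ET_DYN, x86-64): header plus (p_type, p_flags) entries."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + table


# Constructed sample images for the three situations discussed in the thread.
ELF_NO_GNU_STACK = build_elf64([(PT_LOAD, PF_R | PF_X)])
ELF_EXEC_STACK = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
ELF_NOEXEC_STACK = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])

if __name__ == "__main__":
    for label, img in [("no GNU_STACK", ELF_NO_GNU_STACK), ("-z execstack", ELF_EXEC_STACK),
                       ("-z noexecstack", ELF_NOEXEC_STACK)]:
        print(f"{label:15} -> {gnu_stack_status(img)}")
```

On a real library, `gnu_stack_status(open(path, "rb").read())` gives the same answer as the GNU_STACK line of `readelf -l`; "missing" is the state the poster observed before the linker flag was added.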
