[oe-commits] Saul Wold : security_flags: Add the compiler and linker flags that enhance security



Module: openembedded-core.git
Branch: master
Commit: ff0e863f2d345c42393a14a193f76d699745a2b9
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=ff0e863f2d345c42393a14a193f76d699745a2b9

Author: Saul Wold <sgw at linux.intel.com>
Date:   Fri Jun 28 11:46:03 2013 -0700

security_flags: Add the compiler and linker flags that enhance security

These flags add additional checks at compile, link and run time to prevent
stack smashing and buffer overflows, and link fully at program start
to prevent call spoofing later.

This needs to be explicitly enabled by adding the following line to your
local.conf:

require conf/distro/include/security_flags.inc

[YOCTO #3868]

Signed-off-by: Saul Wold <sgw at linux.intel.com>

---

 meta/conf/distro/include/security_flags.inc |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..72dd1ad
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,26 @@
+SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
+
+# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
+# to CPPFLAGS it gets picked into CFLAGS in bitbake.
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+# These 2 have text relco errors with the pie options enabled
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
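Review bot: `-D_FORTIFY_SOURCE=2` in SECURITY_CFLAGS (line 41) is silently ineffective for any recipe compiled without optimisation, and recent glibc headers emit a `_FORTIFY_SOURCE requires compiling with optimization (-O)` warning there, which turns into a build failure under -Werror; a comment above that line should record the precondition, e.g. `# _FORTIFY_SOURCE only takes effect at -O1 or higher; -O0 (DEBUG_BUILD) recipes get no fortification and a glibc warning`. Putting `-pie -fpie` into CFLAGS rather than LDFLAGS also appears to be why per-recipe overrides are already needed: objects built with -fpie that end up in a shared library produce text relocations, which is presumably the failure the comment on line 61 describes, so the growing list of exceptions may be a sign the flag belongs in a link-time variable. The comment on line 61 reads "text relco errors"; it should be `# These 2 have text reloc (TEXTREL) errors with the pie options enabled`. Since TARGET_CFLAGS_append on line 65 applies to every recipe, it would help to document that hardening is opt-in and that overrides must use `SECURITY_CFLAGS_pn-<recipe>` rather than editing TARGET_CFLAGS directly.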


