[OE-core] [PATCH] security_flags: Add the compiler and linker flags that enhance security
Mark Hatle
mark.hatle at windriver.com
Fri Jun 28 19:05:41 UTC 2013
On 6/28/13 1:46 PM, Saul Wold wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
>
> [YOCTO #3868]
>
> Signed-off-by: Saul Wold <sgw at linux.intel.com>
> ---
> meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
> create mode 100644 meta/conf/distro/include/security_flags.inc
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> new file mode 100644
> index 0000000..dc231e2
> --- /dev/null
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -0,0 +1,21 @@
> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
Where do the flags get introduced into the actual CFLAGS and LDFLAGS? Would it
make sense to add this to the existing BUILD_OPTIMIZATION settings.. So they
would always be available, and someone could just flip a switch to enable it?
> +
> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-eglibc = ""
> +SECURITY_CFLAGS_pn-eglibc-initial = ""
I know why you don't use them on -initial, but any reason to not enable this on
'eglibc'? If it doesn't work, it would be good to enhance eglibc's recipe to
spit out a warning and sanitize the build like it does for -O0.
--Mark
> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +# These flags seem to
> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>
More information about the Openembedded-core
mailing list