[OE-core] [PATCH] security_flags: Add the compiler and linker flags that enhance security
Saul Wold
sgw at linux.intel.com
Fri Jun 28 19:14:23 UTC 2013
On 06/28/2013 12:05 PM, Mark Hatle wrote:
> On 6/28/13 1:46 PM, Saul Wold wrote:
>> These flags add addition checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>>
>> [YOCTO #3868]
>>
>> Signed-off-by: Saul Wold <sgw at linux.intel.com>
>> ---
>> meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>> 1 file changed, 21 insertions(+)
>> create mode 100644 meta/conf/distro/include/security_flags.inc
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc
>> b/meta/conf/distro/include/security_flags.inc
>> new file mode 100644
>> index 0000000..dc231e2
>> --- /dev/null
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -0,0 +1,21 @@
>> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
>> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
>
> Where do the flags get introduced into the actual CFLAGS and LDFLAGS?
> Would it make sense to add this to the existing BUILD_OPTIMIZATION
> settings.. So they would always be available, and someone could just
> flip a switch to enable it?
>
Opps, sorry forgot to send part 2!
Sau!
>> +
>> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
>> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-eglibc = ""
>> +SECURITY_CFLAGS_pn-eglibc-initial = ""
>
> I know why you don't use them on -initial, but any reason to not enable
> this on 'eglibc'? If it doesn't work, it would be good to enhance
> eglibc's recipe to spit out a warning and sanitize the build like it
> does for -O0.
>
> --Mark
>
>> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +
>> +# These flags seem to
>> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
More information about the Openembedded-core
mailing list