[OE-core] [PATCH 1/2] security_flags: turn potential string format security issues into an error

Khem Raj raj.khem at gmail.com
Thu Apr 28 15:58:41 UTC 2016


> On Apr 28, 2016, at 6:27 AM, Joshua Lock <joshua.g.lock at intel.com> wrote:
> 
> -SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"
> -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"
> +# Error on use of format strings that represent possible security problems
> +SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
> +
> +SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
> +SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
> 
> SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
> SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
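Review bot: the comment on the new SECURITY_STRINGFORMAT line overstates what the flags do. Only -Wformat-security is raised with -Werror=, and that diagnostic fires solely for calls where the format is not a string literal and no arguments follow it (the `printf(buf)` shape); every other -Wformat finding stays a warning. Suggest wording the comment to match, e.g. `# Error on calls whose format string is not a literal and has no arguments; other -Wformat findings remain warnings`. Keeping -Wformat in the triple is right, since -Wformat-security has no effect without it.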
> @@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
> 
> +# Recipes which fail to compile when elevating -Wformat-security to an error
> +SECURITY_STRINGFORMAT_pn-busybox = ""
> +SECURITY_STRINGFORMAT_pn-console-tools = ""
> +SECURITY_STRINGFORMAT_pn-cmake = ""
> +SECURITY_STRINGFORMAT_pn-expect = ""
> +SECURITY_STRINGFORMAT_pn-gcc = ""
> +SECURITY_STRINGFORMAT_pn-gettext = ""
> +SECURITY_STRINGFORMAT_pn-kexec-tools = ""
> +SECURITY_STRINGFORMAT_pn-leafpad = ""
> +SECURITY_STRINGFORMAT_pn-libuser = ""
> +SECURITY_STRINGFORMAT_pn-ltp = ""
> +SECURITY_STRINGFORMAT_pn-makedevs = ""
> +SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
> +SECURITY_STRINGFORMAT_pn-stat = ""
> +SECURITY_STRINGFORMAT_pn-unzip = ""
> +SECURITY_STRINGFORMAT_pn-zip = ""
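Review bot: each of these fifteen per-recipe overrides empties the whole SECURITY_STRINGFORMAT variable, so the affected recipes lose -Wformat and -Wformat-security together with the -Werror= elevation, and the offending calls no longer show up in the build log at all. Suggest downgrading instead of disabling, e.g. `SECURITY_STRINGFORMAT_pn-busybox = "-Wformat -Wformat-security"`, so the warnings stay visible for these recipes while the build still succeeds, and recording next to each entry which upstream report tracks the fix so the exemption can be dropped later.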

Can we use the _remove operation instead of introducing a new variable and emptying it out here?
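The shape of call that -Werror=format-security turns into a build failure, and the accepted form beside it, as an added example that is not code from the patch or from OE-core; `log_line`, `log_user_message` and `message_preserved` are names chosen for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_PREFIX "user: "

/* Added example, not code from the patch or from OE-core: a logging
 * wrapper of the kind -Wformat-security polices. The format attribute
 * makes GCC check calls to log_line() exactly as it checks printf(),
 * so the SECURITY_STRINGFORMAT flags cover this function as well. */
__attribute__((format(printf, 3, 4)))
static int log_line(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Rejected under -Werror=format-security, because the caller-controlled
 * string becomes the format and any %x or %n inside it is interpreted:
 *
 *     return log_line(out, out_len, msg);
 *     // error: format not a string literal and no format arguments
 *
 * Accepted form: a literal format with the message as a %s argument. */
int log_user_message(char *out, size_t out_len, const char *msg)
{
    return log_line(out, out_len, LOG_PREFIX "%s", msg);
}

/* Returns 1 when msg lands in the output verbatim after the prefix, i.e.
 * none of its conversion specifiers were interpreted. */
int message_preserved(const char *msg)
{
    char buf[128];
    size_t plen = strlen(LOG_PREFIX);
    int n = log_user_message(buf, sizeof buf, msg);

    return n == (int)(plen + strlen(msg))
        && strncmp(buf, LOG_PREFIX, plen) == 0
        && strcmp(buf + plen, msg) == 0;
}
```

Compiling a copy of this file with the rejected call uncommented under `gcc -Wformat -Wformat-security -Werror=format-security` fails, while the form shown builds cleanly.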