[OE-core] [PATCHv3] security_flags.inc, xorg-driver-common.inc: Move SECURITY_X_LDFLAGS logic
Khem Raj
raj.khem at gmail.com
Thu Feb 1 18:41:49 UTC 2018
On Thu, Feb 1, 2018 at 6:16 AM, Tom Rini <trini at konsulko.com> wrote:
> We need to ensure that all xorg modules are linked with
> SECURITY_X_LDFLAGS to ensure that they will be able to resolve their run
> time dependencies. The approach of listing each driver in
> security_flags.inc lets less frequently used drivers be run-time
> broken. Move the flag logic into xorg-driver-common.inc so that all
> xorg modules from all layers will have the correct security flags used.
>
> Cc: Khem Raj <raj.khem at gmail.com>
> Signed-off-by: Tom Rini <trini at konsulko.com>
> ---
> Changes in v3:
> - After reviewing fixing the drivers in meta-openembedded/meta-oe if we
> move this logic into the common xf86 drivers inc file that all
> layers use to correctly make these drivers, all layers will get this
> fix for free if we move to overriding there instead. Add a comment to
> security_flags.inc for future reference.
generally, we try to pin this in global inc file so they disappear
when someone is
not using this feature. but here I like this approach since it turns
into a no-op
if security_flags.inc is not included.
> Changes in v2:
> - Oops, can't use % globbing in security_flags.inc, grabs brown paper
> bag
> ---
> meta/conf/distro/include/security_flags.inc | 8 ++------
> meta/recipes-graphics/xorg-driver/xorg-driver-common.inc | 2 ++
> 2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 7ea1049edff8..49d2417a882f 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -59,12 +59,8 @@ TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
> SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong"
> SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong"
> -SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
> -SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
> -SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
> -SECURITY_LDFLAGS_pn-xf86-video-omap = "${SECURITY_X_LDFLAGS}"
> -SECURITY_LDFLAGS_pn-xf86-video-vesa = "${SECURITY_X_LDFLAGS}"
> -SECURITY_LDFLAGS_pn-xf86-video-vmware = "${SECURITY_X_LDFLAGS}"
> +# All xorg module drivers need to be linked this way as well and are
> +# handled in recipes-graphics/xorg-driver/xorg-driver-common.inc
> SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"
>
> TARGET_CC_ARCH_append_pn-binutils = " ${SELECTED_OPTIMIZATION}"
> diff --git a/meta/recipes-graphics/xorg-driver/xorg-driver-common.inc b/meta/recipes-graphics/xorg-driver/xorg-driver-common.inc
> index fe42f11b6898..bca0aade6cb5 100644
> --- a/meta/recipes-graphics/xorg-driver/xorg-driver-common.inc
> +++ b/meta/recipes-graphics/xorg-driver/xorg-driver-common.inc
> @@ -38,3 +38,5 @@ def _add_xorg_abi_depends(d, name):
>
> pn = d.getVar("PN")
> d.appendVar('RDEPENDS_' + pn, ' ' + abi)
> +
> +SECURITY_LDFLAGS = "${SECURITY_X_LDFLAGS}"
> --
> 2.7.4
>
More information about the Openembedded-core
mailing list