[OE-core] [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS

Khem Raj raj.khem at gmail.com
Mon Sep 3 16:30:54 UTC 2018


On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
> The `-fstack-protector-***' should be passed to gcc rather than linker,
> since `4ca946c security_flags: use -fstack-protector-strong', it was
> added to LDFLAGS, although there is no extra build failure introduced,
> but it is still unnecessary. (-Wl,** is for linker)
>

There are cases where CFLAGS is not combined into LDFLAGS by package
component builds, which creates the disjoint. If we remove this here
then that will start to show up. Remember, we do not configure
toolchains to provide the hardening flags by default as yet, so we
have to be explicit.
Do you see issues with current settings?

> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 620978a..362b1db 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>  SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>  SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>
> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>
>  # powerpc does not get on with pie for reasons not looked into as yet
>  GCCPIE_powerpc = ""
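
Review bot: On the two `+` lines, `${SECURITY_STACK_PROTECTOR}` is dropped from both SECURITY_LDFLAGS and SECURITY_X_LDFLAGS, so the protector now reaches a link step only where SECURITY_CFLAGS or SECURITY_NO_PIE_CFLAGS is also passed there, and nothing in the file records that assumption. The remaining values use the `-Wl,` prefix, which means these variables are handed to the compiler driver rather than to ld directly, and the commit message itself states that the old value introduced no build failure. Either keep the variable on both lines, or add a comment above SECURITY_LDFLAGS saying the stack protector is intentionally compile-only, and state in the commit message which recipes that link with LDFLAGS alone were rebuilt to confirm nothing changes.
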
> --
> 2.7.4
>
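
A post-build check that bears on the question in the reply above, as an added example that is not part of the original message or of OE-core: it reads the text output of `readelf -W -l -d --dyn-syms` and reports whether a binary carries the markers left by `-Wl,-z,relro` and `-z,now`, and whether it references `__stack_chk_fail`. The function name and the sample readelf excerpts are constructed for illustration.

```python
import re

def hardening_report(readelf_text):
    """Summarise `readelf -W -l -d --dyn-syms` text for the flags in security_flags.inc."""
    relro = now = canary = False
    for line in readelf_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "GNU_RELRO":      # program header from -z relro
            relro = True
        m = re.match(r"\s*0x[0-9a-f]+\s+\((\w+)\)\s*(.*)", line)
        if m:                                        # dynamic-section entry
            tag, value = m.group(1), m.group(2).split()
            if (tag == "BIND_NOW" or (tag == "FLAGS" and "BIND_NOW" in value)
                    or (tag == "FLAGS_1" and "NOW" in value)):
                now = True                           # from -z now
        # Instrumented functions call __stack_chk_fail; a binary with no
        # function that qualifies for -fstack-protector-strong has no reference,
        # so False here means "not observed", not "flag was missing".
        if re.search(r"\b__stack_chk_fail\b", line):
            canary = True
    level = "full" if relro and now else "partial" if relro else "none"
    return {"relro": level, "stack_protector_seen": canary}

# Constructed, abbreviated readelf output (hypothetical binaries, not from a real build).
LINKED_WITH_SECURITY_LDFLAGS = """\
  GNU_RELRO      0x000db8 0x0000000000001db8 0x0000000000001db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
"""
LINKED_WITH_SECURITY_X_LDFLAGS = """\
  GNU_RELRO      0x000db8 0x0000000000001db8 0x0000000000001db8 0x000248 0x000248 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
"""
NO_CANARY_REFERENCE = """\
  GNU_RELRO      0x000db8 0x0000000000001db8 0x0000000000001db8 0x000248 0x000248 R   0x1
 0x0000000000000018 (BIND_NOW)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)
"""

if __name__ == "__main__":
    for name in ("LINKED_WITH_SECURITY_LDFLAGS", "LINKED_WITH_SECURITY_X_LDFLAGS",
                 "NO_CANARY_REFERENCE"):
        print(name, hardening_report(globals()[name]))
```

Running the same report over a recipe's binaries built with and without the change shows whether any of the three properties differ.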


