* [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu
@ 2018-01-10  4:15 Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 2/8] security hardening: add RELRO, FORTIFY options Matt Weber
                   ` (6 more replies)
  0 siblings, 7 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v2 -> v3
 - Moved back up to the menu instead of a submenu (Arnout)

v1 -> v2
 - Broke out into an individual commit for the menu change (Arnout)
---
 Config.in | 112 ++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 57 insertions(+), 55 deletions(-)

diff --git a/Config.in b/Config.in
index 62d67ce..e7e5c2d 100644
--- a/Config.in
+++ b/Config.in
@@ -568,61 +568,6 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
 endif
 
 choice
-	bool "build code with Stack Smashing Protection"
-	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
-	depends on BR2_TOOLCHAIN_HAS_SSP
-	help
-	  Enable stack smashing protection support using GCC's
-	  -fstack-protector option family.
-
-	  See
-	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
-	  for details.
-
-	  Note that this requires the toolchain to have SSP support.
-	  This is always the case for glibc and eglibc toolchain, but is
-	  optional in uClibc toolchains.
-
-config BR2_SSP_NONE
-	bool "None"
-	help
-	  Disable stack-smashing protection.
-
-config BR2_SSP_REGULAR
-	bool "-fstack-protector"
-	help
-	  Emit extra code to check for buffer overflows, such as stack
-	  smashing attacks. This is done by adding a guard variable to
-	  functions with vulnerable objects. This includes functions
-	  that call alloca, and functions with buffers larger than 8
-	  bytes. The guards are initialized when a function is entered
-	  and then checked when the function exits. If a guard check
-	  fails, an error message is printed and the program exits.
-
-config BR2_SSP_STRONG
-	bool "-fstack-protector-strong"
-	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-	help
-	  Like -fstack-protector but includes additional functions to be
-	  protected - those that have local array definitions, or have
-	  references to local frame addresses.
-
-comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
-	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-
-config BR2_SSP_ALL
-	bool "-fstack-protector-all"
-	help
-	  Like -fstack-protector except that all functions are
-	  protected. This option might have a significant performance
-	  impact on the compiled binaries.
-
-endchoice
-
-comment "Stack Smashing Protection needs a toolchain w/ SSP"
-	depends on !BR2_TOOLCHAIN_HAS_SSP
-
-choice
 	bool "libraries"
 	default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
 	default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
@@ -732,6 +677,63 @@ config BR2_REPRODUCIBLE
 
 endmenu
 
+comment "Security Hardening Options"
+
+choice
+	bool "Stack Smashing Protection"
+	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	help
+	  Enable stack smashing protection support using GCC's
+	  -fstack-protector option family.
+
+	  See
+	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
+	  for details.
+
+	  Note that this requires the toolchain to have SSP support.
+	  This is always the case for glibc and eglibc toolchain, but is
+	  optional in uClibc toolchains.
+
+config BR2_SSP_NONE
+	bool "None"
+	help
+	  Disable stack-smashing protection.
+
+config BR2_SSP_REGULAR
+	bool "-fstack-protector"
+	help
+	  Emit extra code to check for buffer overflows, such as stack
+	  smashing attacks. This is done by adding a guard variable to
+	  functions with vulnerable objects. This includes functions
+	  that call alloca, and functions with buffers larger than 8
+	  bytes. The guards are initialized when a function is entered
+	  and then checked when the function exits. If a guard check
+	  fails, an error message is printed and the program exits.
+
+config BR2_SSP_STRONG
+	bool "-fstack-protector-strong"
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	help
+	  Like -fstack-protector but includes additional functions to be
+	  protected - those that have local array definitions, or have
+	  references to local frame addresses.
+
+comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+
+config BR2_SSP_ALL
+	bool "-fstack-protector-all"
+	help
+	  Like -fstack-protector except that all functions are
+	  protected. This option might have a significant performance
+	  impact on the compiled binaries.
+
+endchoice
+
+comment "Stack Smashing Protection needs a toolchain w/ SSP"
+	depends on !BR2_TOOLCHAIN_HAS_SSP
+
 endmenu
 
 source "toolchain/Config.in"
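Review bot: The re-added choice at the bottom of Config.in is not a pure move: its prompt changes from "build code with Stack Smashing Protection" to "Stack Smashing Protection", and the block now sits under a new `comment "Security Hardening Options"` heading placed between one `endmenu` and the next. The commit message has no body, so please state there that the prompt is reworded and which menu the option ends up in, so the rename is not mistaken for an accident of the move.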
-- 
1.9.1


* [Buildroot] [PATCH v3 2/8] security hardening: add RELRO, FORTIFY options
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  8:22   ` Nicolas Cavallari
  2018-01-10  9:41   ` Nicolas Cavallari
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 3/8] valgrind: correct linker flag seq Matt Weber
                   ` (5 subsequent siblings)
  6 siblings, 2 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This enables a user to build a complete system using these
options.  It is important to note that not all packages will
build correctly to start with.

A good testing tool to check a target's elf files for compliance
to an array of hardening techniques can be found here:
https://github.com/slimm609/checksec.sh

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v2 -> v3
 - Consolidated the way flags were set using CPPFLAGS (Arnout)
 - Removed fortran flag as not relevant for this feature (Arnout)
 - Added BR2_TOOLCHAIN_USES_GLIBC and optimization level dependency

v1 -> v2
 - Cosmetic caps on titles
---
 Config.in           | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 package/Makefile.in | 46 +++++++++++++++++++++++------------
 2 files changed, 100 insertions(+), 15 deletions(-)

diff --git a/Config.in b/Config.in
index e7e5c2d..f57e2b6 100644
--- a/Config.in
+++ b/Config.in
@@ -734,6 +734,75 @@ endchoice
 comment "Stack Smashing Protection needs a toolchain w/ SSP"
 	depends on !BR2_TOOLCHAIN_HAS_SSP
 
+choice
+	bool "RELRO Protection"
+	depends on BR2_SHARED_LIBS
+	help
+	  Enable a link-time protection know as RELRO (RELocation Read Only)
+	  which helps to protect from certain type of exploitation techniques
+	  altering the content of some ELF sections.
+
+config BR2_RELRO_NONE
+	bool "None"
+	help
+	  Enables Relocation link-time protections.
+
+config BR2_RELRO_PARTIAL
+	bool "Partial"
+	help
+	  This option makes the dynamic section not writeable after
+	  initialization (with almost no performance penalty).
+
+config BR2_RELRO_FULL
+	bool "Full"
+	help
+	  This option includes the partial configuration, but also
+	  marks the GOT as read-only at the cost of initialization time
+	  during program loading, i.e every time an executable is started.
+
+endchoice
+
+comment "RELocation Read Only (RELRO) needs shared libraries"
+	depends on !BR2_SHARED_LIBS
+
+choice
+	bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  Enable the _FORTIFY_SOURCE macro which introduces additional
+	  checks to detect buffer-overflows in the following standard library
+	  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
+	  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
+	  gets.
+
+	  NOTE: This feature requires an optimization level of s/1/2/3/g
+
+	  Support for this feature has been present since GCC 4.x.
+
+config BR2_FORTIFY_SOURCE_NONE
+	bool "None"
+	help
+	  Enables additional checks to detect buffer-overflows.
+
+config BR2_FORTIFY_SOURCE_1
+	bool "Conservative"
+	help
+	  This option sets _FORTIFY_SOURCE set to 1 and only introduces
+	  checks that shouldn't change the behavior of conforming programs.
+	  Adds checks at compile-time only.
+
+config BR2_FORTIFY_SOURCE_2
+	bool "Aggressive"
+	help
+	  This option sets _FORTIFY_SOURCES set to 2 and some more checking
+	  is added, but some conforming programs might fail.
+	  Also adds checks at run-time (detected buffer overflow terminates
+	  the program)
+
+endchoice
+
+comment "Fortify Source needs a GLIBC toolchain"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC
 endmenu
 
 source "toolchain/Config.in"
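Review bot: The help text of both "None" entries says the opposite of what the option does: `BR2_RELRO_NONE` reads "Enables Relocation link-time protections." and `BR2_FORTIFY_SOURCE_NONE` reads "Enables additional checks to detect buffer-overflows."; both should say "Disables ...". While touching the help, fix "know as" (known as), "certain type of" (certain types of), "sets _FORTIFY_SOURCE set to 1" (doubled "set") and "_FORTIFY_SOURCES" (stray S), and add a blank line between the final `comment` block and `endmenu`. The NOTE about the optimization level is only prose here; a `depends on !BR2_OPTIMIZE_0` on the FORTIFY choice would let Kconfig enforce it instead of failing later in the build.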
diff --git a/package/Makefile.in b/package/Makefile.in
index a1a5316..84d4f0c 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -138,11 +138,41 @@ ifeq ($(BR2_DEBUG_3),y)
 TARGET_DEBUGGING = -g3
 endif
 
+TARGET_CFLAGS_RELRO = -Wl,-z,relro
+TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
+
+TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
+
+ifeq ($(BR2_SSP_REGULAR),y)
+TARGET_CPPFLAGS += -fstack-protector
+else ifeq ($(BR2_SSP_STRONG),y)
+TARGET_CPPFLAGS += -fstack-protector-strong
+else ifeq ($(BR2_SSP_ALL),y)
+TARGET_CPPFLAGS += -fstack-protector-all
+endif
+
+ifeq ($(BR2_RELRO_PARTIAL),y)
+TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
+TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
+else ifeq ($(BR2_RELRO_FULL),y)
+TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_LDFLAGS += -pie
+endif
+
+ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)$(BR2_OPTIMIZE_1)$(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_G),)
+ifeq ($(BR2_FORTIFY_SOURCE_1),y)
+TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
+else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
+TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
+endif
+else
+$(error BR2_FORTIFY_SOURCE_# requires optimization level s/1/2/3/g)
+endif
+
 TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
 TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
 TARGET_CXXFLAGS = $(TARGET_CFLAGS)
 TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
-TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
 
 ifeq ($(BR2_BINFMT_FLAT),y)
 TARGET_CFLAGS += $(if $($(PKG)_FLAT_STACKSIZE),-Wl$(comma)-elf2flt=-s$($(PKG)_FLAT_STACKSIZE),\
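Review bot: The optimization guard around the FORTIFY block tests the wrong symbols: the `ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)...$(BR2_OPTIMIZE_G),)` list accepts `BR2_OPTIMIZE_0` and omits `BR2_OPTIMIZE_3`, while the error text names s/1/2/3/g as the supported levels. As written, a -O0 configuration gets `-D_FORTIFY_SOURCE` and a -O3 configuration falls into the `else` and hits `$(error ...)`; because the `$(error)` is not nested under a FORTIFY option, it fires even when `BR2_FORTIFY_SOURCE_NONE` is selected. Replace `BR2_OPTIMIZE_0` with `BR2_OPTIMIZE_3` in the list and raise the error only inside the `BR2_FORTIFY_SOURCE_1` and `BR2_FORTIFY_SOURCE_2` branches. Separately, the `BR2_RELRO_FULL` branch puts `$(TARGET_CFLAGS_RELRO_FULL)` only into `TARGET_CPPFLAGS` and adds just `-pie` to `TARGET_LDFLAGS`, unlike the partial branch, which adds the RELRO flags to both; add `$(TARGET_CFLAGS_RELRO_FULL)` to `TARGET_LDFLAGS` there so that links driven by LDFLAGS alone also get `-z relro -z now`.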
@@ -167,20 +197,6 @@ TARGET_FCFLAGS += -msep-data
 TARGET_CXXFLAGS += -msep-data
 endif
 
-ifeq ($(BR2_SSP_REGULAR),y)
-TARGET_CFLAGS += -fstack-protector
-TARGET_CXXFLAGS += -fstack-protector
-TARGET_FCFLAGS += -fstack-protector
-else ifeq ($(BR2_SSP_STRONG),y)
-TARGET_CFLAGS += -fstack-protector-strong
-TARGET_CXXFLAGS += -fstack-protector-strong
-TARGET_FCFLAGS += -fstack-protector-strong
-else ifeq ($(BR2_SSP_ALL),y)
-TARGET_CFLAGS += -fstack-protector-all
-TARGET_CXXFLAGS += -fstack-protector-all
-TARGET_FCFLAGS += -fstack-protector-all
-endif
-
 ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y)
 TARGET_CROSS = $(HOST_DIR)/bin/$(GNU_TARGET_NAME)-
 else
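Review bot: Dropping the three `TARGET_FCFLAGS += -fstack-protector*` lines removes stack protection from Fortran code that had it before this patch, since `TARGET_FCFLAGS` in the hunk above is still built without `$(TARGET_CPPFLAGS)`. The v3 changelog calls the Fortran flag "not relevant for this feature", which reads as a statement about RELRO and FORTIFY rather than SSP. If dropping SSP for Fortran is intended, say so in the commit message; otherwise keep the `TARGET_FCFLAGS` additions.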
-- 
1.9.1


* [Buildroot] [PATCH v3 3/8] valgrind: correct linker flag seq
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 2/8] security hardening: add RELRO, FORTIFY options Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 4/8] ncurses: " Matt Weber
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://sourceforge.net/p/valgrind/mailman/message/36114834/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...ind-patch-to-correct-linker-flag-sequence.patch | 160 +++++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100644 package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch b/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..34da655
--- /dev/null
+++ b/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,160 @@
+From b845cb1d2e0f0d91dae056237e00cba2e6f8377d Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Wed, 11 Oct 2017 09:14:10 -0500
+Subject: [PATCH 1/1] valgrind: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/build/valgrind-3.12.0/coregrind/vg_preloaded.c:124:
+ undefined reference to `_restgpr_27_x'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[5]: *** [vgpreload_core-ppc32-linux.so] Error 1
+make[4]: *** [all] Error 2
+make[3]: *** [all-recursive] Error 1
+make[2]: *** [all] Error 2
+make[1]: *** [/build/valgrind-3.12.0/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ coregrind/Makefile.am   | 6 ++++++
+ drd/Makefile.am         | 6 ++++++
+ exp-dhat/Makefile.am    | 6 ++++++
+ exp-sgcheck/Makefile.am | 6 ++++++
+ helgrind/Makefile.am    | 6 ++++++
+ massif/Makefile.am      | 6 ++++++
+ memcheck/Makefile.am    | 7 ++++++-
+ 7 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/coregrind/Makefile.am b/coregrind/Makefile.am
+index d798015..ce7acad 100644
+--- a/coregrind/Makefile.am
++++ b/coregrind/Makefile.am
+@@ -541,6 +541,12 @@ vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS = \
+ 	$(AM_CFLAGS_PSO_ at VGCONF_PLATFORM_PRI_CAPS@)
+ vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_core_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES = vg_preloaded.c
+ vgpreload_core_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_CPPFLAGS = \
+diff --git a/drd/Makefile.am b/drd/Makefile.am
+index 9ba4c58..bf32229 100644
+--- a/drd/Makefile.am
++++ b/drd/Makefile.am
+@@ -143,6 +143,12 @@ vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_drd_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/exp-dhat/Makefile.am b/exp-dhat/Makefile.am
+index 647b72b..29619cf 100644
+--- a/exp-dhat/Makefile.am
++++ b/exp-dhat/Makefile.am
+@@ -84,6 +84,12 @@ vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_exp_dhat_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = 
+diff --git a/exp-sgcheck/Makefile.am b/exp-sgcheck/Makefile.am
+index 211a5ff..ecbe89b 100644
+--- a/exp-sgcheck/Makefile.am
++++ b/exp-sgcheck/Makefile.am
+@@ -92,6 +92,12 @@ vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_exp_sgcheck_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/helgrind/Makefile.am b/helgrind/Makefile.am
+index b6f1b89..a9b7ef3 100644
+--- a/helgrind/Makefile.am
++++ b/helgrind/Makefile.am
+@@ -103,6 +103,12 @@ vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_helgrind_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/massif/Makefile.am b/massif/Makefile.am
+index 2933403..6ccb973 100644
+--- a/massif/Makefile.am
++++ b/massif/Makefile.am
+@@ -84,6 +84,12 @@ vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_massif_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = 
+diff --git a/memcheck/Makefile.am b/memcheck/Makefile.am
+index 476bc70..ca51c64 100644
+--- a/memcheck/Makefile.am
++++ b/memcheck/Makefile.am
+@@ -100,7 +100,12 @@ vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
+-
++vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_memcheck_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+ 	$(VGPRELOAD_MEMCHECK_SOURCES_COMMON)
+-- 
+1.9.1
+
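Review bot: Each `_LINK` override is added only for the `VGCONF_ARCH_PRI` preload object, yet the context right after it in every file opens the `if VGCONF_HAVE_PLATFORM_SEC` block for the secondary-architecture object, which keeps the default link rule and therefore the original flag order. Add the matching `_LINK` definition for the `VGCONF_ARCH_SEC` targets, or explain in the description why a secondary platform cannot hit the same linker error. The new continuation lines are indented with spaces where the surrounding lines use a tab, and the memcheck hunk also deletes a blank line, which is unrelated to the fix.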
-- 
1.9.1


* [Buildroot] [PATCH v3 4/8] ncurses: correct linker flag seq
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 2/8] security hardening: add RELRO, FORTIFY options Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 3/8] valgrind: correct linker flag seq Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 5/8] boost: " Matt Weber
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: http://lists.gnu.org/archive/html/bug-ncurses/2017-11/msg00024.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...ses-patch-to-correct-linker-flag-sequence.patch | 61 ++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch b/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..34c1bbd
--- /dev/null
+++ b/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,61 @@
+From bca0dfabe9a4fa21d5b3b8bed8c138822188564f Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Fri, 29 Sep 2017 11:02:32 -0500
+Subject: [PATCH 1/1] ncurses: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+The patch fixes Makefile.am for below libs within setools:
+ - libncurses.so.6.0
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[3]: *** [../lib/libncurses.so.6.0] Error 1
+make[2]: *** [all] Error 2
+make[1]: *** [/build/ncurses-6.0/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ configure  | 2 +-
+ mk-1st.awk | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 29c61bd..aa42c0a 100755
+--- a/configure
++++ b/configure
+@@ -6204,7 +6204,7 @@ echo "${ECHO_T}$cf_cv_ldflags_search_paths_first" >&6
+ 		cf_cv_shared_soname='`basename $@`'
+ 	fi
+ 
+-		MK_SHARED_LIB='${CC} ${CFLAGS} -shared -Wl,-soname,'$cf_cv_shared_soname',-stats,-lc -o $@'
++		MK_SHARED_LIB='${CC} ${CFLAGS} -Wl,-soname,'$cf_cv_shared_soname',-stats,-lc -o $@'
+ 		;;
+ 	(mingw*)
+ 		cf_cv_shlib_version=mingw
+diff --git a/mk-1st.awk b/mk-1st.awk
+index 1b88127..054e9d5 100644
+--- a/mk-1st.awk
++++ b/mk-1st.awk
+@@ -170,7 +170,7 @@ function removelinks(directory) {
+ 		}
+ 	}
+ function make_shlib(objs, shlib_list) {
+-		printf "\t$(MK_SHARED_LIB) $(%s_OBJS) $(%s) $(LDFLAGS)\n", objs, shlib_list
++		printf "\t$(MK_SHARED_LIB) $(LDFLAGS) -shared $(%s_OBJS) $(%s)\n", objs, shlib_list
+ 	}
+ function sharedlinks(directory) {
+ 		if ( ShlibVer != "auto" && ShlibVer != "cygdll" && ShlibVer != "msysdll" && ShlibVer != "mingw" ) {
+-- 
+1.9.1
+
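Review bot: The two edits are coupled but not scoped the same way: `configure` drops `-shared` from a single `MK_SHARED_LIB` definition (the arm just before `(mingw*)`), while `make_shlib()` in mk-1st.awk now emits `-shared` for every platform that reaches it. Any other arm whose `MK_SHARED_LIB` carries its own shared-library option would then receive an extra `-shared`; restricting the awk change to this platform, or putting the flags in the right order inside the `MK_SHARED_LIB` definition itself, would avoid that. The patch also edits the generated `configure` script, so the same change has to go into its source to survive regeneration, and the description's "libs within setools" looks copied from another package.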
-- 
1.9.1


* [Buildroot] [PATCH v3 5/8] boost: correct linker flag seq
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
                   ` (2 preceding siblings ...)
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 4/8] ncurses: " Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 6/8] busybox: patch to remove -pie from LDFLAGS Matt Weber
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://lists.boost.org/boost-build/2017/11/29701.php

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...ost-patch-to-correct-linker-flag-sequence.patch | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch b/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..697aab7
--- /dev/null
+++ b/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,41 @@
+From 8d59b42a87320a05feb81897c6ba4e47274e65ae Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Fri, 29 Sep 2017 15:48:37 -0500
+Subject: [PATCH 1/1] boost: patch to correct linker flag sequence
+
+Description
+This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ tools/build/src/tools/gcc.jam | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/build/src/tools/gcc.jam b/tools/build/src/tools/gcc.jam
+index 0f346a5..b2076c7 100644
+--- a/tools/build/src/tools/gcc.jam
++++ b/tools/build/src/tools/gcc.jam
+@@ -1027,7 +1027,7 @@ rule link.dll ( targets * : sources * : properties * )
+ # Differs from 'link' above only by -shared.
+ actions link.dll bind LIBRARIES
+ {
+-    "$(CONFIG_COMMAND)" -L"$(LINKPATH)" -Wl,$(RPATH_OPTION:E=-R)$(SPACE)-Wl,$(RPATH) "$(.IMPLIB-COMMAND)$(<[1])" -o "$(<[-1])" $(HAVE_SONAME)-Wl,$(SONAME_OPTION)$(SPACE)-Wl,$(<[-1]:D=) -shared $(START-GROUP) "$(>)" "$(LIBRARIES)" $(FINDLIBS-ST-PFX) -l$(FINDLIBS-ST) $(FINDLIBS-SA-PFX) -l$(FINDLIBS-SA) $(END-GROUP) $(OPTIONS) $(USER_OPTIONS)
++    "$(CONFIG_COMMAND)" -L"$(LINKPATH)" $(OPTIONS) $(USER_OPTIONS) -Wl,$(RPATH_OPTION:E=-R)$(SPACE)-Wl,$(RPATH) "$(.IMPLIB-COMMAND)$(<[1])" -o "$(<[-1])" $(HAVE_SONAME)-Wl,$(SONAME_OPTION)$(SPACE)-Wl,$(<[-1]:D=) -shared $(START-GROUP) "$(>)" "$(LIBRARIES)" $(FINDLIBS-ST-PFX) -l$(FINDLIBS-ST) $(FINDLIBS-SA-PFX) -l$(FINDLIBS-SA) $(END-GROUP)
+ }
+ 
+ rule setup-threading ( targets * : sources * : properties * )
+-- 
+1.9.1
+
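Review bot: Moving `$(OPTIONS) $(USER_OPTIONS)` from the end of the `link.dll` command to directly after `-L"$(LINKPATH)"` changes more than the position of `-pie`: every user-supplied link option now precedes the objects and libraries, which matters for order-sensitive options. The comment above the action still says it "Differs from 'link' above only by -shared", which is no longer true once only `link.dll` is reordered. Either apply the same ordering to `link` so the comment stays accurate, or update the comment and mention the ordering change in the description.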
-- 
1.9.1


* [Buildroot] [PATCH v3 6/8] busybox: patch to remove -pie from LDFLAGS
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
                   ` (3 preceding siblings ...)
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 5/8] boost: " Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 7/8] libpcap: correct linker flag seq Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 8/8] iptables: " Matt Weber
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will remove '-pie' option from LDFLAGS if it was passed
from TARGET_LDFLAGS. Removing of -pie linker option is required
because it cannot be used with the -r option.
Busybox by default enables -r option.

Upstream: http://lists.busybox.net/pipermail/busybox/2017-November/085971.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...-busybox-patch-to-remove-pie-from-LDFLAGS.patch | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch

diff --git a/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch b/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch
new file mode 100644
index 0000000..e8223fc
--- /dev/null
+++ b/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch
@@ -0,0 +1,42 @@
+From 140c2a447a068ff0572dd2e5df53ee12fff0c547 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Tue, 3 Oct 2017 10:46:46 -0500
+Subject: [PATCH 1/1] busybox: patch to remove -pie from LDFLAGS
+
+Description
+This patch will remove '-pie' option from LDFLAGS if it was passed
+from TARGET_LDFLAGS. Removing of -pie linker option is required
+because it cannot be used with the -r option.
+Busybox bydefault enables -r option. if -r and -pie are used together
+below error is thrown by the linker.
+-------------------------------------------------------------------------
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+powerpc-buildroot-linux-gnu/bin/ld: -r and -pie may not be used together
+collect2: error: ld returned 1 exit status
+make[3]: *** [applets/built-in.o] Error 1
+make[2]: *** [applets_dir] Error 2
+make[1]: *** [/build/busybox-1.27.1/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ scripts/Makefile.lib | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
+index 3e54ea7..acf5d33 100644
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -121,7 +121,7 @@ cpp_flags      = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(__cpp_flags)
+ # yet ld_flags is fed to ld.
+ #ld_flags       = $(LDFLAGS) $(EXTRA_LDFLAGS)
+ # Remove the -Wl, prefix from linker options normally passed through gcc
+-ld_flags       = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS))
++ld_flags       = $(filter-out -Wl$(comma)% -pie,$(LDFLAGS) $(EXTRA_LDFLAGS))
+ 
+ 
+ # Finds the multi-part object the current object will be linked into
+-- 
+1.9.1
+
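Review bot: The comment directly above `ld_flags` still describes only the `-Wl,` handling, so the new `-pie` entry in the `filter-out` list is unexplained in the file itself. Add a comment line saying that `-pie` is dropped because `ld_flags` is fed to `ld` for `-r` links and the two options cannot be combined, as the description states. It would also help to say in the description whether the final busybox link still receives `-pie`, since this hunk only shows it being removed from `ld_flags`.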
-- 
1.9.1


* [Buildroot] [PATCH v3 7/8] libpcap: correct linker flag seq
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
                   ` (4 preceding siblings ...)
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 6/8] busybox: patch to remove -pie from LDFLAGS Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 8/8] iptables: " Matt Weber
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream:
https://github.com/the-tcpdump-group/libpcap/commit/800fff521b3a90300d03af880b4626ede13c57bd

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...cap-patch-to-correct-linker-flag-sequence.patch | 52 ++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch b/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..5b1c133
--- /dev/null
+++ b/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,52 @@
+From eb4806e2a4f4575889ff8ecf7eb4a473a654ec02 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Tue, 26 Sep 2017 15:03:52 -0500
+Subject: [PATCH 1/1] libpcap: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws
+ below error.
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1 assertion
+fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[2]: *** [libpcap.so] Error 1
+make[1]: *** [/build/libpcap-1.8.1/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e71d973..34b1097 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -371,7 +371,7 @@ libpcap.so: $(OBJ)
+ 	@rm -f $@
+ 	VER=`cat $(srcdir)/VERSION`; \
+ 	MAJOR_VER=`sed 's/\([0-9][0-9]*\)\..*/\1/' $(srcdir)/VERSION`; \
+-	@V_SHLIB_CMD@ @V_SHLIB_OPT@ @V_SONAME_OPT@$@.$$MAJOR_VER $(LDFLAGS) \
++	@V_SHLIB_CMD@ $(LDFLAGS) @V_SHLIB_OPT@ @V_SONAME_OPT@$@.$$MAJOR_VER \
+ 	    -o $@.$$VER $(OBJ) $(ADDLOBJS) $(LIBS)
+ 
+ #
+@@ -434,7 +434,7 @@ libpcap.sl: $(OBJ)
+ #
+ libpcap.shareda: $(OBJ)
+ 	@rm -f $@ shr.o
+-	$(CC) @V_SHLIB_OPT@ -o shr.o $(OBJ) $(ADDLOBJS) $(LDFLAGS) $(LIBS)
++	$(CC) $(LDFLAGS) @V_SHLIB_OPT@ -o shr.o $(OBJ) $(ADDLOBJS) $(LIBS)
+ 	$(AR) rc $@ shr.o
+ 
+ #
+-- 
+1.9.1
+
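
Review bot: the libpcap.shareda hunk moves $(LDFLAGS) from after $(OBJ) $(ADDLOBJS) to the front of the command, so it changes position relative to the objects as well as relative to @V_SHLIB_OPT@, while the libpcap.so hunk only swaps it ahead of @V_SHLIB_OPT@ @V_SONAME_OPT@. The Description covers only the -pie/-shared order, so state there that moving the flags ahead of the objects is intended. The embedded patch header also has no upstream reference although the commit message gives the libpcap commit URL; repeating it in the patch file keeps that status with package/libpcap/.
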
-- 
1.9.1


* [Buildroot] [PATCH v3 8/8] iptables: correct linker flag seq
  2018-01-10  4:15 [Buildroot] [PATCH v3 1/8] stack protector: moved option out of adv menu Matt Weber
                   ` (5 preceding siblings ...)
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 7/8] libpcap: correct linker flag seq Matt Weber
@ 2018-01-10  4:15 ` Matt Weber
  6 siblings, 0 replies; 13+ messages in thread
From: Matt Weber @ 2018-01-10  4:15 UTC (permalink / raw)
  To: buildroot

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://marc.info/?l=netfilter-devel&m=151193652302080&w=2

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 ...les-patch-to-correct-linker-flag-sequence.patch | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch b/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..b65c138
--- /dev/null
+++ b/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,48 @@
+From 83a8109fa92c8c3a5969df6dae6cc75746ec6380 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Mon, 2 Oct 2017 14:34:14 -0500
+Subject: [PATCH 1/1] iptables: patch to correct linker flag sequence
+
+Description
+This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+        + ./libxt_SYNPROXY.man
+make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+        + ./libip6t_mh.man
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu      + ./libxt_TCPMSS.man
+/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
+ BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ extensions/GNUmakefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index b7a8a83..bee666e 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -101,7 +101,7 @@ init%.o: init%.c
+ #	Shared libraries
+ #
+ lib%.so: lib%.oo
+-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -shared -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+ lib%.oo: ${srcdir}/lib%.c
+ 	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+-- 
+1.9.1
+
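
Review bot: the error excerpt in the embedded Description is interleaved with unrelated build output (the "+ ./libxt_SYNPROXY.man" and "+ ./libip6t_mh.man" lines, and the ld path split by "+ ./libxt_TCPMSS.man"), which makes the ld failure hard to read; replace it with a clean excerpt of one failing link. The first Description line ("This patch will correct ...") also lacks the leading space the following lines have, and the patch file carries no upstream reference although the commit message links the netfilter-devel posting.
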
-- 
1.9.1
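
The ordering rule stated in the 7/8 and 8/8 commit messages (-pie must come before -shared), turned into a build-log check. This is an added example, not part of the thread or of Buildroot; the function names and the sample link commands are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag link commands in which -pie appears after -shared,
# the order the 7/8 and 8/8 commit messages report as failing at link time.

# check_link_order: reads command lines on stdin and prints "LINE_NO: command"
# for every line where a bare -pie token follows a -shared token.
# Exit status is 0 when no such line exists, 1 otherwise.
check_link_order() {
    awk '
    {
        shared = 0; bad = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-shared")
                shared = 1
            else if ($i == "-pie" && shared)
                bad = 1
        }
        if (bad) {
            printf "%d: %s\n", NR, $0
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample log (not taken from the thread):
#   line 1: -shared first, -pie later   -> reported
#   line 2: -pie first, -shared later   -> accepted
#   line 3: plain PIE executable link   -> accepted
sample_log() {
    cat <<'EOF'
gcc -shared -Wl,-soname,libpcap.so.1 -pie -Wl,-z,relro -o libpcap.so.1.8.1 pcap.o
gcc -pie -Wl,-z,relro -shared -Wl,-soname,libpcap.so.1 -o libpcap.so.1.8.1 pcap.o
gcc -pie -o tcpdump tcpdump.o -lpcap
EOF
}

sample_log | check_link_order || echo "link lines listed above put -pie after -shared"
```

Feed it the link commands from a verbose build log; a non-zero exit status marks a package whose makefile still places $(LDFLAGS) after its shared-library option.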


* [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options Matt Weber
@ 2018-01-10  8:22   ` Nicolas Cavallari
  2018-01-10 12:20     ` Matthew Weber
  2018-01-10  9:41   ` Nicolas Cavallari
  1 sibling, 1 reply; 13+ messages in thread
From: Nicolas Cavallari @ 2018-01-10  8:22 UTC (permalink / raw)
  To: buildroot

On 10/01/2018 05:15, Matt Weber wrote:
> [...]
> +config BR2_RELRO_NONE
> +	bool "None"
> +	help
> +	  Enables Relocation link-time protections.

Disables ?

> +config BR2_FORTIFY_SOURCE_NONE
> +	bool "None"
> +	help
> +	  Enables additional checks to detect buffer-overflows.

And here too ?


* [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options
  2018-01-10  4:15 ` [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options Matt Weber
  2018-01-10  8:22   ` Nicolas Cavallari
@ 2018-01-10  9:41   ` Nicolas Cavallari
  2018-01-10 12:25     ` Matthew Weber
  1 sibling, 1 reply; 13+ messages in thread
From: Nicolas Cavallari @ 2018-01-10  9:41 UTC (permalink / raw)
  To: buildroot

On 10/01/2018 05:15, Matt Weber wrote:
> +ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)$(BR2_OPTIMIZE_1)$(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_G),)
> +ifeq ($(BR2_FORTIFY_SOURCE_1),y)
> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
> +else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
> +endif
> +else
> +$(error BR2_FORTIFY_SOURCE_# requires optimization level s/1/2/3/g)
> +endif
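
Review bot: the $(error ...) in the outer else branch sits outside the BR2_FORTIFY_SOURCE_1/2 tests, so it fires whenever none of the listed BR2_OPTIMIZE_* symbols is set, even when no FORTIFY level is selected. Nest the optimization test inside the FORTIFY checks so the error is raised only when -D_FORTIFY_SOURCE would actually be added.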

This seems to test if the optimization level is s/0/1/2/g instead of
s/1/2/3/g

Shouldn't this actually be expressed as a dependency in Config.in
instead ? (i.e. make BR2_FORTIFY_SOURCE_{1,2} depends on !BR2_OPTIMIZE_0)


* [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options
  2018-01-10  8:22   ` Nicolas Cavallari
@ 2018-01-10 12:20     ` Matthew Weber
  0 siblings, 0 replies; 13+ messages in thread
From: Matthew Weber @ 2018-01-10 12:20 UTC (permalink / raw)
  To: buildroot

Nicolas,

On Wed, Jan 10, 2018 at 2:22 AM, Nicolas Cavallari
<Nicolas.Cavallari@green-communications.fr> wrote:
> On 10/01/2018 05:15, Matt Weber wrote:
>> [...]
>> +config BR2_RELRO_NONE
>> +     bool "None"
>> +     help
>> +       Enables Relocation link-time protections.
>
> Disables ?
>
>> +config BR2_FORTIFY_SOURCE_NONE
>> +     bool "None"
>> +     help
>> +       Enables additional checks to detect buffer-overflows.
>
> And here too ?

Correct in both cases, oops.  I'll update in v4.

Thanks for the review!
Matt


* [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options
  2018-01-10  9:41   ` Nicolas Cavallari
@ 2018-01-10 12:25     ` Matthew Weber
  2018-01-10 16:30       ` Nicolas Cavallari
  0 siblings, 1 reply; 13+ messages in thread
From: Matthew Weber @ 2018-01-10 12:25 UTC (permalink / raw)
  To: buildroot

Nicolas,

On Wed, Jan 10, 2018 at 3:41 AM, Nicolas Cavallari
<Nicolas.Cavallari@green-communications.fr> wrote:
> On 10/01/2018 05:15, Matt Weber wrote:
>> +ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)$(BR2_OPTIMIZE_1)$(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_G),)
>> +ifeq ($(BR2_FORTIFY_SOURCE_1),y)
>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
>> +else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
>> +endif
>> +else
>> +$(error BR2_FORTIFY_SOURCE_# requires optimization level s/1/2/3/g)
>> +endif
>
> This seems to test if the optimization level is s/0/1/2/g instead of
> s/1/2/3/g

Good catch, will update in v4

>
> Shouldn't this actually be expressed as a dependency in Config.in
> instead ? (i.e. make BR2_FORTIFY_SOURCE_{1,2} depends on !BR2_OPTIMIZE_0)

I looked at a few ways of doing this and since those optimize
variables are from a choice, I couldn't depend on them in Kconfig.  I
think I could change how that choice works to evaluate a value which
is set to the choice, however that seemed more complex than just
documenting and erroring.  I'm definitely open to ideas on this.

Matt


* [Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options
  2018-01-10 12:25     ` Matthew Weber
@ 2018-01-10 16:30       ` Nicolas Cavallari
  0 siblings, 0 replies; 13+ messages in thread
From: Nicolas Cavallari @ 2018-01-10 16:30 UTC (permalink / raw)
  To: buildroot

On 10/01/2018 13:25, Matthew Weber wrote:
> Nicolas,
> 
> On Wed, Jan 10, 2018 at 3:41 AM, Nicolas Cavallari
> <Nicolas.Cavallari@green-communications.fr> wrote:
>> On 10/01/2018 05:15, Matt Weber wrote:
>>> +ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)$(BR2_OPTIMIZE_1)$(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_G),)
>>> +ifeq ($(BR2_FORTIFY_SOURCE_1),y)
>>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
>>> +else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
>>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
>>> +endif
>>> +else
>>> +$(error BR2_FORTIFY_SOURCE_# requires optimization level s/1/2/3/g)
>>> +endif
>>
>> This seems to test if the optimization level is s/0/1/2/g instead of
>> s/1/2/3/g
> 
> Good catch, will update in v4
> 
>>
>> Shouldn't this actually be expressed as a dependency in Config.in
>> instead ? (i.e. make BR2_FORTIFY_SOURCE_{1,2} depends on !BR2_OPTIMIZE_0)
> 
> I looked at a few ways of doing this and since those optimize
> variables are from a choice, I couldn't depend on them in Kconfig.

It should work fine.  What issue do you have ?

Just adding "depends on !BR2_OPTIMIZE_0"
on the BR2_FORTIFY_SOURCE_1 and BR2_FORTIFY_SOURCE_2 definitions
should work.

If BR2_OPTIMIZE_0 is selected, then the choice will only have one
possible value.
