[Buildroot] [PATCH v4 01/13] stack protector: moved option out of adv menu

[Buildroot] [PATCH v4 01/13] stack protector: moved option out of adv menu

[Matt Weber]

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
 - Broke out into an individual commit for the menu change (Arnout)

v2 -> v3
 - Moved back up to the menu instead of a submenu (Arnout)

v3 -> v4
 - None.
---
 Config.in | 112 ++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 57 insertions(+), 55 deletions(-)

diff --git a/Config.in b/Config.in
index 62d67ce..e7e5c2d 100644
--- a/Config.in
+++ b/Config.in
@@ -568,61 +568,6 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
 endif
 
 choice
-	bool "build code with Stack Smashing Protection"
-	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
-	depends on BR2_TOOLCHAIN_HAS_SSP
-	help
-	  Enable stack smashing protection support using GCC's
-	  -fstack-protector option family.
-
-	  See
-	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
-	  for details.
-
-	  Note that this requires the toolchain to have SSP support.
-	  This is always the case for glibc and eglibc toolchain, but is
-	  optional in uClibc toolchains.
-
-config BR2_SSP_NONE
-	bool "None"
-	help
-	  Disable stack-smashing protection.
-
-config BR2_SSP_REGULAR
-	bool "-fstack-protector"
-	help
-	  Emit extra code to check for buffer overflows, such as stack
-	  smashing attacks. This is done by adding a guard variable to
-	  functions with vulnerable objects. This includes functions
-	  that call alloca, and functions with buffers larger than 8
-	  bytes. The guards are initialized when a function is entered
-	  and then checked when the function exits. If a guard check
-	  fails, an error message is printed and the program exits.
-
-config BR2_SSP_STRONG
-	bool "-fstack-protector-strong"
-	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-	help
-	  Like -fstack-protector but includes additional functions to be
-	  protected - those that have local array definitions, or have
-	  references to local frame addresses.
-
-comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
-	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-
-config BR2_SSP_ALL
-	bool "-fstack-protector-all"
-	help
-	  Like -fstack-protector except that all functions are
-	  protected. This option might have a significant performance
-	  impact on the compiled binaries.
-
-endchoice
-
-comment "Stack Smashing Protection needs a toolchain w/ SSP"
-	depends on !BR2_TOOLCHAIN_HAS_SSP
-
-choice
 	bool "libraries"
 	default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
 	default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
@@ -732,6 +677,63 @@ config BR2_REPRODUCIBLE
 
 endmenu
 
+comment "Security Hardening Options"
+
+choice
+	bool "Stack Smashing Protection"
+	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	help
+	  Enable stack smashing protection support using GCC's
+	  -fstack-protector option family.
+
+	  See
+	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
+	  for details.
+
+	  Note that this requires the toolchain to have SSP support.
+	  This is always the case for glibc and eglibc toolchain, but is
+	  optional in uClibc toolchains.
+
+config BR2_SSP_NONE
+	bool "None"
+	help
+	  Disable stack-smashing protection.
+
+config BR2_SSP_REGULAR
+	bool "-fstack-protector"
+	help
+	  Emit extra code to check for buffer overflows, such as stack
+	  smashing attacks. This is done by adding a guard variable to
+	  functions with vulnerable objects. This includes functions
+	  that call alloca, and functions with buffers larger than 8
+	  bytes. The guards are initialized when a function is entered
+	  and then checked when the function exits. If a guard check
+	  fails, an error message is printed and the program exits.
+
+config BR2_SSP_STRONG
+	bool "-fstack-protector-strong"
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	help
+	  Like -fstack-protector but includes additional functions to be
+	  protected - those that have local array definitions, or have
+	  references to local frame addresses.
+
+comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+
+config BR2_SSP_ALL
+	bool "-fstack-protector-all"
+	help
+	  Like -fstack-protector except that all functions are
+	  protected. This option might have a significant performance
+	  impact on the compiled binaries.
+
+endchoice
+
+comment "Stack Smashing Protection needs a toolchain w/ SSP"
+	depends on !BR2_TOOLCHAIN_HAS_SSP
+
 endmenu
 
 source "toolchain/Config.in"
-- 
1.9.1

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Matt Weber]

This enables a user to build a complete system using these
options.  It is important to note that not all packages will
build correctly to start with.

Modeled after OpenWRT approach
https://github.com/openwrt/openwrt/blob/master/config/Config-build.in#L176

A good testing tool to check a target's elf files for compliance
to an array of hardening techniques can be found here:
https://github.com/slimm609/checksec.sh

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v1 -> v2
 - Cosmetic caps on titles

v2 -> v3
 - Consolidated the way flags were set using CPPFLAGS (Arnout)
 - Removed fortran flag as not relevant for this feature (Arnout)
 - Added BR2_TOOLCHAIN_USES_GLIBC and optimization level dependency

v3 -> v4
[Nicolas C
 - Used BR2_OPTIMIZE_0 as Config.in dependency
   for Fortify instead of using a warning at
   make time.
 - Enable -> Disable for the None options I
   mislabeled as enabling (relro/fortify).
---
 Config.in           | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 package/Makefile.in | 42 ++++++++++++++++++++------------
 2 files changed, 97 insertions(+), 15 deletions(-)

diff --git a/Config.in b/Config.in
index e7e5c2d..447b642 100644
--- a/Config.in
+++ b/Config.in
@@ -734,6 +734,76 @@ endchoice
 comment "Stack Smashing Protection needs a toolchain w/ SSP"
 	depends on !BR2_TOOLCHAIN_HAS_SSP
 
+choice
+	bool "RELRO Protection"
+	depends on BR2_SHARED_LIBS
+	help
+	  Enable a link-time protection know as RELRO (RELocation Read Only)
+	  which helps to protect from certain type of exploitation techniques
+	  altering the content of some ELF sections.
+
+config BR2_RELRO_NONE
+	bool "None"
+	help
+	  Disables Relocation link-time protections.
+
+config BR2_RELRO_PARTIAL
+	bool "Partial"
+	help
+	  This option makes the dynamic section not writeable after
+	  initialization (with almost no performance penalty).
+
+config BR2_RELRO_FULL
+	bool "Full"
+	help
+	  This option includes the partial configuration, but also
+	  marks the GOT as read-only at the cost of initialization time
+	  during program loading, i.e every time an executable is started.
+
+endchoice
+
+comment "RELocation Read Only (RELRO) needs shared libraries"
+	depends on !BR2_SHARED_LIBS
+
+choice
+	bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	depends on !BR2_OPTIMIZE_0
+	help
+	  Enable the _FORTIFY_SOURCE macro which introduces additional
+	  checks to detect buffer-overflows in the following standard library
+	  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
+	  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
+	  gets.
+
+	  NOTE: This feature requires an optimization level of s/1/2/3/g
+
+	  Support for this feature has been present since GCC 4.x.
+
+config BR2_FORTIFY_SOURCE_NONE
+	bool "None"
+	help
+	  Disables additional checks to detect buffer-overflows.
+
+config BR2_FORTIFY_SOURCE_1
+	bool "Conservative"
+	help
+	  This option sets _FORTIFY_SOURCE set to 1 and only introduces
+	  checks that shouldn't change the behavior of conforming programs.
+	  Adds checks at compile-time only.
+
+config BR2_FORTIFY_SOURCE_2
+	bool "Aggressive"
+	help
+	  This option sets _FORTIFY_SOURCES set to 2 and some more checking
+	  is added, but some conforming programs might fail.
+	  Also adds checks at run-time (detected buffer overflow terminates
+	  the program)
+
+endchoice
+
+comment "Fortify Source needs a GLIBC toolchain and some level of optimization"
+	depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
 endmenu
 
 source "toolchain/Config.in"
diff --git a/package/Makefile.in b/package/Makefile.in
index a1a5316..36c3d55 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -138,11 +138,37 @@ ifeq ($(BR2_DEBUG_3),y)
 TARGET_DEBUGGING = -g3
 endif
 
+TARGET_CFLAGS_RELRO = -Wl,-z,relro
+TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
+
+TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
+
+ifeq ($(BR2_SSP_REGULAR),y)
+TARGET_CPPFLAGS += -fstack-protector
+else ifeq ($(BR2_SSP_STRONG),y)
+TARGET_CPPFLAGS += -fstack-protector-strong
+else ifeq ($(BR2_SSP_ALL),y)
+TARGET_CPPFLAGS += -fstack-protector-all
+endif
+
+ifeq ($(BR2_RELRO_PARTIAL),y)
+TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
+TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
+else ifeq ($(BR2_RELRO_FULL),y)
+TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_LDFLAGS += -pie
+endif
+
+ifeq ($(BR2_FORTIFY_SOURCE_1),y)
+TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
+else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
+TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
+endif
+
 TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
 TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
 TARGET_CXXFLAGS = $(TARGET_CFLAGS)
 TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
-TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
 
 ifeq ($(BR2_BINFMT_FLAT),y)
 TARGET_CFLAGS += $(if $($(PKG)_FLAT_STACKSIZE),-Wl$(comma)-elf2flt=-s$($(PKG)_FLAT_STACKSIZE),\
@@ -167,20 +193,6 @@ TARGET_FCFLAGS += -msep-data
 TARGET_CXXFLAGS += -msep-data
 endif
 
-ifeq ($(BR2_SSP_REGULAR),y)
-TARGET_CFLAGS += -fstack-protector
-TARGET_CXXFLAGS += -fstack-protector
-TARGET_FCFLAGS += -fstack-protector
-else ifeq ($(BR2_SSP_STRONG),y)
-TARGET_CFLAGS += -fstack-protector-strong
-TARGET_CXXFLAGS += -fstack-protector-strong
-TARGET_FCFLAGS += -fstack-protector-strong
-else ifeq ($(BR2_SSP_ALL),y)
-TARGET_CFLAGS += -fstack-protector-all
-TARGET_CXXFLAGS += -fstack-protector-all
-TARGET_FCFLAGS += -fstack-protector-all
-endif
-
 ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y)
 TARGET_CROSS = $(HOST_DIR)/bin/$(GNU_TARGET_NAME)-
 else
-- 
1.9.1

[Buildroot] [PATCH v4 03/13] valgrind: correct linker flag seq

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://sourceforge.net/p/valgrind/mailman/message/36114834/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...ind-patch-to-correct-linker-flag-sequence.patch | 160 +++++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100644 package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch b/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..34da655
--- /dev/null
+++ b/package/valgrind/0005-valgrind-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,160 @@
+From b845cb1d2e0f0d91dae056237e00cba2e6f8377d Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Wed, 11 Oct 2017 09:14:10 -0500
+Subject: [PATCH 1/1] valgrind: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/build/valgrind-3.12.0/coregrind/vg_preloaded.c:124:
+ undefined reference to `_restgpr_27_x'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[5]: *** [vgpreload_core-ppc32-linux.so] Error 1
+make[4]: *** [all] Error 2
+make[3]: *** [all-recursive] Error 1
+make[2]: *** [all] Error 2
+make[1]: *** [/build/valgrind-3.12.0/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ coregrind/Makefile.am   | 6 ++++++
+ drd/Makefile.am         | 6 ++++++
+ exp-dhat/Makefile.am    | 6 ++++++
+ exp-sgcheck/Makefile.am | 6 ++++++
+ helgrind/Makefile.am    | 6 ++++++
+ massif/Makefile.am      | 6 ++++++
+ memcheck/Makefile.am    | 7 ++++++-
+ 7 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/coregrind/Makefile.am b/coregrind/Makefile.am
+index d798015..ce7acad 100644
+--- a/coregrind/Makefile.am
++++ b/coregrind/Makefile.am
+@@ -541,6 +541,12 @@ vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS = \
+ 	$(AM_CFLAGS_PSO_ at VGCONF_PLATFORM_PRI_CAPS@)
+ vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_core_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_core_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES = vg_preloaded.c
+ vgpreload_core_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_CPPFLAGS = \
+diff --git a/drd/Makefile.am b/drd/Makefile.am
+index 9ba4c58..bf32229 100644
+--- a/drd/Makefile.am
++++ b/drd/Makefile.am
+@@ -143,6 +143,12 @@ vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_drd_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_drd_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/exp-dhat/Makefile.am b/exp-dhat/Makefile.am
+index 647b72b..29619cf 100644
+--- a/exp-dhat/Makefile.am
++++ b/exp-dhat/Makefile.am
+@@ -84,6 +84,12 @@ vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_exp_dhat_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_exp_dhat_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = 
+diff --git a/exp-sgcheck/Makefile.am b/exp-sgcheck/Makefile.am
+index 211a5ff..ecbe89b 100644
+--- a/exp-sgcheck/Makefile.am
++++ b/exp-sgcheck/Makefile.am
+@@ -92,6 +92,12 @@ vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_exp_sgcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_exp_sgcheck_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/helgrind/Makefile.am b/helgrind/Makefile.am
+index b6f1b89..a9b7ef3 100644
+--- a/helgrind/Makefile.am
++++ b/helgrind/Makefile.am
+@@ -103,6 +103,12 @@ vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_helgrind_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_helgrind_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+diff --git a/massif/Makefile.am b/massif/Makefile.am
+index 2933403..6ccb973 100644
+--- a/massif/Makefile.am
++++ b/massif/Makefile.am
+@@ -84,6 +84,12 @@ vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
++vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_massif_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ 
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_massif_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = 
+diff --git a/memcheck/Makefile.am b/memcheck/Makefile.am
+index 476bc70..ca51c64 100644
+--- a/memcheck/Makefile.am
++++ b/memcheck/Makefile.am
+@@ -100,7 +100,12 @@ vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_DEPENDENCIES = \
+ vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS      = \
+ 	$(PRELOAD_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@) \
+ 	$(LIBREPLACEMALLOC_LDFLAGS_ at VGCONF_PLATFORM_PRI_CAPS@)
+-
++vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LINK = $(CCLD) \
++        $(vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_CFLAGS) \
++        $(CFLAGS) \
++        $(LDFLAGS) \
++        $(vgpreload_memcheck_ at VGCONF_ARCH_PRI@_ at VGCONF_OS@_so_LDFLAGS) \
++        -o $@
+ if VGCONF_HAVE_PLATFORM_SEC
+ vgpreload_memcheck_ at VGCONF_ARCH_SEC@_ at VGCONF_OS@_so_SOURCES      = \
+ 	$(VGPRELOAD_MEMCHECK_SOURCES_COMMON)
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 04/13] ncurses: correct linker flag seq

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: http://lists.gnu.org/archive/html/bug-ncurses/2017-11/msg00024.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...ses-patch-to-correct-linker-flag-sequence.patch | 61 ++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch b/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..34c1bbd
--- /dev/null
+++ b/package/ncurses/0003-ncurses-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,61 @@
+From bca0dfabe9a4fa21d5b3b8bed8c138822188564f Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Fri, 29 Sep 2017 11:02:32 -0500
+Subject: [PATCH 1/1] ncurses: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+The patch fixes Makefile.am for below libs within setools:
+ - libncurses.so.6.0
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[3]: *** [../lib/libncurses.so.6.0] Error 1
+make[2]: *** [all] Error 2
+make[1]: *** [/build/ncurses-6.0/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ configure  | 2 +-
+ mk-1st.awk | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 29c61bd..aa42c0a 100755
+--- a/configure
++++ b/configure
+@@ -6204,7 +6204,7 @@ echo "${ECHO_T}$cf_cv_ldflags_search_paths_first" >&6
+ 		cf_cv_shared_soname='`basename $@`'
+ 	fi
+ 
+-		MK_SHARED_LIB='${CC} ${CFLAGS} -shared -Wl,-soname,'$cf_cv_shared_soname',-stats,-lc -o $@'
++		MK_SHARED_LIB='${CC} ${CFLAGS} -Wl,-soname,'$cf_cv_shared_soname',-stats,-lc -o $@'
+ 		;;
+ 	(mingw*)
+ 		cf_cv_shlib_version=mingw
+diff --git a/mk-1st.awk b/mk-1st.awk
+index 1b88127..054e9d5 100644
+--- a/mk-1st.awk
++++ b/mk-1st.awk
+@@ -170,7 +170,7 @@ function removelinks(directory) {
+ 		}
+ 	}
+ function make_shlib(objs, shlib_list) {
+-		printf "\t$(MK_SHARED_LIB) $(%s_OBJS) $(%s) $(LDFLAGS)\n", objs, shlib_list
++		printf "\t$(MK_SHARED_LIB) $(LDFLAGS) -shared $(%s_OBJS) $(%s)\n", objs, shlib_list
+ 	}
+ function sharedlinks(directory) {
+ 		if ( ShlibVer != "auto" && ShlibVer != "cygdll" && ShlibVer != "msysdll" && ShlibVer != "mingw" ) {
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 05/13] boost: correct linker flag seq

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://lists.boost.org/boost-build/2017/11/29701.php

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...ost-patch-to-correct-linker-flag-sequence.patch | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch b/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..697aab7
--- /dev/null
+++ b/package/boost/0004-boost-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,41 @@
+From 8d59b42a87320a05feb81897c6ba4e47274e65ae Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Fri, 29 Sep 2017 15:48:37 -0500
+Subject: [PATCH 1/1] boost: patch to correct linker flag sequence
+
+Description
+This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ tools/build/src/tools/gcc.jam | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/build/src/tools/gcc.jam b/tools/build/src/tools/gcc.jam
+index 0f346a5..b2076c7 100644
+--- a/tools/build/src/tools/gcc.jam
++++ b/tools/build/src/tools/gcc.jam
+@@ -1027,7 +1027,7 @@ rule link.dll ( targets * : sources * : properties * )
+ # Differs from 'link' above only by -shared.
+ actions link.dll bind LIBRARIES
+ {
+-    "$(CONFIG_COMMAND)" -L"$(LINKPATH)" -Wl,$(RPATH_OPTION:E=-R)$(SPACE)-Wl,$(RPATH) "$(.IMPLIB-COMMAND)$(<[1])" -o "$(<[-1])" $(HAVE_SONAME)-Wl,$(SONAME_OPTION)$(SPACE)-Wl,$(<[-1]:D=) -shared $(START-GROUP) "$(>)" "$(LIBRARIES)" $(FINDLIBS-ST-PFX) -l$(FINDLIBS-ST) $(FINDLIBS-SA-PFX) -l$(FINDLIBS-SA) $(END-GROUP) $(OPTIONS) $(USER_OPTIONS)
++    "$(CONFIG_COMMAND)" -L"$(LINKPATH)" $(OPTIONS) $(USER_OPTIONS) -Wl,$(RPATH_OPTION:E=-R)$(SPACE)-Wl,$(RPATH) "$(.IMPLIB-COMMAND)$(<[1])" -o "$(<[-1])" $(HAVE_SONAME)-Wl,$(SONAME_OPTION)$(SPACE)-Wl,$(<[-1]:D=) -shared $(START-GROUP) "$(>)" "$(LIBRARIES)" $(FINDLIBS-ST-PFX) -l$(FINDLIBS-ST) $(FINDLIBS-SA-PFX) -l$(FINDLIBS-SA) $(END-GROUP)
+ }
+ 
+ rule setup-threading ( targets * : sources * : properties * )
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 06/13] busybox: patch to remove -pie from LDFLAGS

[Matt Weber]

This patch will remove '-pie' option from LDFLAGS if it was passed
from TARGET_LDFLAGS. Removing of -pie linker option is required
because it cannot be used with the -r option.
Busybox bydefault enables -r option.

Upstream: http://lists.busybox.net/pipermail/busybox/2017-November/085971.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...-busybox-patch-to-remove-pie-from-LDFLAGS.patch | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch

diff --git a/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch b/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch
new file mode 100644
index 0000000..e8223fc
--- /dev/null
+++ b/package/busybox/0005-busybox-patch-to-remove-pie-from-LDFLAGS.patch
@@ -0,0 +1,42 @@
+From 140c2a447a068ff0572dd2e5df53ee12fff0c547 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Tue, 3 Oct 2017 10:46:46 -0500
+Subject: [PATCH 1/1] busybox: patch to remove -pie from LDFLAGS
+
+Description
+This patch will remove '-pie' option from LDFLAGS if it was passed
+from TARGET_LDFLAGS. Removing of -pie linker option is required
+because it cannot be used with the -r option.
+Busybox bydefault enables -r option. if -r and -pie are used together
+below error is thrown by the linker.
+-------------------------------------------------------------------------
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+powerpc-buildroot-linux-gnu/bin/ld: -r and -pie may not be used together
+collect2: error: ld returned 1 exit status
+make[3]: *** [applets/built-in.o] Error 1
+make[2]: *** [applets_dir] Error 2
+make[1]: *** [/build/busybox-1.27.1/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ scripts/Makefile.lib | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
+index 3e54ea7..acf5d33 100644
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -121,7 +121,7 @@ cpp_flags      = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(__cpp_flags)
+ # yet ld_flags is fed to ld.
+ #ld_flags       = $(LDFLAGS) $(EXTRA_LDFLAGS)
+ # Remove the -Wl, prefix from linker options normally passed through gcc
+-ld_flags       = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS))
++ld_flags       = $(filter-out -Wl$(comma)% -pie,$(LDFLAGS) $(EXTRA_LDFLAGS))
+ 
+ 
+ # Finds the multi-part object the current object will be linked into
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 07/13] libpcap: correct linker flag seq

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream:
https://github.com/the-tcpdump-group/libpcap/commit/800fff521b3a90300d03af880b4626ede13c57bd

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...cap-patch-to-correct-linker-flag-sequence.patch | 52 ++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch b/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..5b1c133
--- /dev/null
+++ b/package/libpcap/0001-libpcap-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,52 @@
+From eb4806e2a4f4575889ff8ecf7eb4a473a654ec02 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Tue, 26 Sep 2017 15:03:52 -0500
+Subject: [PATCH 1/1] libpcap: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws
+ below error.
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1 assertion
+fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[2]: *** [libpcap.so] Error 1
+make[1]: *** [/build/libpcap-1.8.1/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e71d973..34b1097 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -371,7 +371,7 @@ libpcap.so: $(OBJ)
+ 	@rm -f $@
+ 	VER=`cat $(srcdir)/VERSION`; \
+ 	MAJOR_VER=`sed 's/\([0-9][0-9]*\)\..*/\1/' $(srcdir)/VERSION`; \
+-	@V_SHLIB_CMD@ @V_SHLIB_OPT@ @V_SONAME_OPT@$@.$$MAJOR_VER $(LDFLAGS) \
++	@V_SHLIB_CMD@ $(LDFLAGS) @V_SHLIB_OPT@ @V_SONAME_OPT@$@.$$MAJOR_VER \
+ 	    -o $@.$$VER $(OBJ) $(ADDLOBJS) $(LIBS)
+ 
+ #
+@@ -434,7 +434,7 @@ libpcap.sl: $(OBJ)
+ #
+ libpcap.shareda: $(OBJ)
+ 	@rm -f $@ shr.o
+-	$(CC) @V_SHLIB_OPT@ -o shr.o $(OBJ) $(ADDLOBJS) $(LDFLAGS) $(LIBS)
++	$(CC) $(LDFLAGS) @V_SHLIB_OPT@ -o shr.o $(OBJ) $(ADDLOBJS) $(LIBS)
+ 	$(AR) rc $@ shr.o
+ 
+ #
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 08/13] iptables: correct linker flag seq

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://marc.info/?l=netfilter-devel&m=151193652302080&w=2

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes

v3 -> v4
 - New
---
 ...les-patch-to-correct-linker-flag-sequence.patch | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch b/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..b65c138
--- /dev/null
+++ b/package/iptables/0002-iptables-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,48 @@
+From 83a8109fa92c8c3a5969df6dae6cc75746ec6380 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Mon, 2 Oct 2017 14:34:14 -0500
+Subject: [PATCH 1/1] iptables: patch to correct linker flag sequence
+
+Description
+This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+-------------------------------------------------------------------------
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+        + ./libxt_SYNPROXY.man
+make[4]: *** [libxt_TCPOPTSTRIP.so] Error 1
+        + ./libip6t_mh.man
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu      + ./libxt_TCPMSS.man
+/6.4.0/../../../../powerpc-buildroot-linux-gnu/bin/ld:
+ BFD (GNU Binutils) 2.28.1 assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ extensions/GNUmakefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index b7a8a83..bee666e 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -101,7 +101,7 @@ init%.o: init%.c
+ #	Shared libraries
+ #
+ lib%.so: lib%.oo
+-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -shared -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+ 
+ lib%.oo: ${srcdir}/lib%.c
+ 	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 09/13] zlib: correct linker flag sequence

[Matt Weber]

This patch corrects the sequence of -pie and -shared
options. When used together, -pie should be provided
to the linker before -shared. If -pie is provided
after -shared, the linker throws an error.

Upstream: https://github.com/madler/zlib/pull/328

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes
v3 -> v4
 - New
---
 ...lib-patch-to-correct-linker-flag-sequence.patch | 109 +++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 package/zlib/0001-zlib-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/zlib/0001-zlib-patch-to-correct-linker-flag-sequence.patch b/package/zlib/0001-zlib-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..b468175
--- /dev/null
+++ b/package/zlib/0001-zlib-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,109 @@
+From 07624ecd1914fc3c2df0ac21c5a9ef61f1416823 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Thu, 28 Sep 2017 12:41:36 -0500
+Subject: [PATCH 1/1] zlib: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+The patch fixes below pkgs:
+ - libz.so
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[2]: *** [libz.so.1.2.11] Error 1
+make[1]: *** [/build/zlib-1.2.11/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ Makefile.in | 3 ++-
+ configure   | 8 ++++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 5a77949..18711ce 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -28,6 +28,7 @@ SFLAGS=-O
+ LDFLAGS=
+ TEST_LDFLAGS=-L. libz.a
+ LDSHARED=$(CC)
++LDSHAREDFLAGS=-shared
+ CPP=$(CC) -E
+ 
+ STATICLIB=libz.a
+@@ -279,7 +280,7 @@ gzwrite.lo: $(SRCDIR)gzwrite.c
+ 
+ 
+ placebo $(SHAREDLIBV): $(PIC_OBJS) libz.a
+-	$(LDSHARED) $(SFLAGS) -o $@ $(PIC_OBJS) $(LDSHAREDLIBC) $(LDFLAGS)
++	$(LDSHARED) $(SFLAGS) $(LDFLAGS) $(LDSHAREDFLAGS) -o $@ $(PIC_OBJS) $(LDSHAREDLIBC)
+ 	rm -f $(SHAREDLIB) $(SHAREDLIBM)
+ 	ln -s $@ $(SHAREDLIB)
+ 	ln -s $@ $(SHAREDLIBM)
+diff --git a/configure b/configure
+index e974d1f..09ece63 100755
+--- a/configure
++++ b/configure
+@@ -69,6 +69,7 @@ fi
+ 
+ # set defaults before processing command line options
+ LDCONFIG=${LDCONFIG-"ldconfig"}
++LDSHAREDFLAGS="${LDSHAREDFLAGS--shared}"
+ LDSHAREDLIBC="${LDSHAREDLIBC--lc}"
+ ARCHS=
+ prefix=${prefix-/usr/local}
+@@ -208,7 +209,7 @@ if test "$gcc" -eq 1 && ($cc -c $test.c) >> configure.log 2>&1; then
+   fi
+   case "$uname" in
+   Linux* | linux* | GNU | GNU/* | solaris*)
+-        LDSHARED=${LDSHARED-"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map"} ;;
++        LDSHARED=${LDSHARED-"$cc -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map"} ;;
+   *BSD | *bsd* | DragonFly)
+         LDSHARED=${LDSHARED-"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map"}
+         LDCONFIG="ldconfig -m" ;;
+@@ -410,7 +411,7 @@ if test $shared -eq 1; then
+   echo Checking for shared library support... | tee -a configure.log
+   # we must test in two steps (cc then ld), required at least on SunOS 4.x
+   if try $CC -w -c $SFLAGS $test.c &&
+-     try $LDSHARED $SFLAGS -o $test$shared_ext $test.o; then
++     try $LDSHARED $SFLAGS $LDSHAREDFLAGS -o $test$shared_ext $test.o; then
+     echo Building shared library $SHAREDLIBV with $CC. | tee -a configure.log
+   elif test -z "$old_cc" -a -z "$old_cflags"; then
+     echo No shared library support. | tee -a configure.log
+@@ -838,6 +839,7 @@ echo EXE = $EXE >> configure.log
+ echo LDCONFIG = $LDCONFIG >> configure.log
+ echo LDFLAGS = $LDFLAGS >> configure.log
+ echo LDSHARED = $LDSHARED >> configure.log
++echo LDSHAREDFLAGS = $LDSHAREDFLAGS >> configure.log
+ echo LDSHAREDLIBC = $LDSHAREDLIBC >> configure.log
+ echo OBJC = $OBJC >> configure.log
+ echo PIC_OBJC = $PIC_OBJC >> configure.log
+@@ -866,6 +868,7 @@ sed < ${SRCDIR}Makefile.in "
+ /^SFLAGS *=/s#=.*#=$SFLAGS#
+ /^LDFLAGS *=/s#=.*#=$LDFLAGS#
+ /^LDSHARED *=/s#=.*#=$LDSHARED#
++/^LDSHAREDFLAGS *=/s#=.*#=$LDSHAREDFLAGS#
+ /^CPP *=/s#=.*#=$CPP#
+ /^STATICLIB *=/s#=.*#=$STATICLIB#
+ /^SHAREDLIB *=/s#=.*#=$SHAREDLIB#
+@@ -898,6 +901,7 @@ sed < ${SRCDIR}zlib.pc.in "
+ /^CFLAGS *=/s#=.*#=$CFLAGS#
+ /^CPP *=/s#=.*#=$CPP#
+ /^LDSHARED *=/s#=.*#=$LDSHARED#
++/^LDSHAREDFLAGS *=/s#=.*#=$LDSHAREDFLAGS#
+ /^STATICLIB *=/s#=.*#=$STATICLIB#
+ /^SHAREDLIB *=/s#=.*#=$SHAREDLIB#
+ /^SHAREDLIBV *=/s#=.*#=$SHAREDLIBV#
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 10/13] ustr: correct linker flag sequence

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes
v3 -> v4
 - New
---
 ...str-patch-to-correct-linker-flag-sequence.patch | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 package/ustr/0001-ustr-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/ustr/0001-ustr-patch-to-correct-linker-flag-sequence.patch b/package/ustr/0001-ustr-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..16751d4
--- /dev/null
+++ b/package/ustr/0001-ustr-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,51 @@
+From 037242704adde8dfdcaa705a8fbc383e36516639 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Wed, 27 Sep 2017 08:52:08 -0500
+Subject: [PATCH 1/1] ustr: patch to correct linker flag sequence
+
+Description
+This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws
+ below error.
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[2]: *** [libustr-debug-1.0.so.1.0.4] Error 1
+make[2]: *** Waiting for unfinished jobs....
+collect2: error: ld returned 1 exit status
+make[2]: *** [libustr-1.0.so.1.0.4] Error 1
+make[1]: *** [/build/ustr-1.0.4/.stamp_built] Error 2
+make: *** [_all] Error 2
+--------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 78357bb..489376d 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -507,11 +507,11 @@ ustr-import: ustr-import.in config.status
+ # Use LDFLAGS for LDFLAGS="-m32"
+ $(OPT_LIB_SHARED): $(LIB_SHARED_OPT)
+ 		$(if $(HIDE), @echo Linking SO OPT lib: $@)
+-		$(HIDE)$(CC) -shared $^ -Wl,-soname -Wl,$(OPT_LIB_SHARED_NAME) -Wl,-version-script -Wl,libustr.ver $(LDFLAGS) -o $@
++		$(HIDE)$(CC) $(LDFLAGS) -shared $^ -Wl,-soname -Wl,$(OPT_LIB_SHARED_NAME) -Wl,-version-script -Wl,libustr.ver -o $@
+ 
+ $(DBG_LIB_SHARED): $(LIB_SHARED_DBG)
+ 		$(if $(HIDE), @echo Linking SO DBG lib: $@)
+-		$(HIDE)$(CC) -shared $^ -Wl,-soname -Wl,$(DBG_LIB_SHARED_NAME) -Wl,-version-script -Wl,libustr.ver $(LDFLAGS) -o $@
++		$(HIDE)$(CC) $(LDFLAGS) -shared $^ -Wl,-soname -Wl,$(DBG_LIB_SHARED_NAME) -Wl,-version-script -Wl,libustr.ver -o $@
+ 
+ libustr.a: $(LIB_STATIC_OPT)
+ 		$(if $(HIDE), @echo Linking A OPT lib: $@)
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 11/13] tcl: correct linker flag sequence

[Matt Weber]

When used together, -pie should be provided to the linker before
-shared.

Upstream: http://core.tcl.tk/tcl/info/eb2c85495faaa9ed

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes
v3 -> v4
 - New
---
 ...tcl-patch-to-correct-linker-flag-sequence.patch | 87 ++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 package/tcl/0002-tcl-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/tcl/0002-tcl-patch-to-correct-linker-flag-sequence.patch b/package/tcl/0002-tcl-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..5f2b6f9
--- /dev/null
+++ b/package/tcl/0002-tcl-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,87 @@
+From 66fd0c72620c9ab17c528b34fb4a2ccf6a82c116 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Thu, 28 Sep 2017 10:38:51 -0500
+Subject: [PATCH 1/1] tcl: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+The patch fixes below pkgs:
+ - libtcl8.6.so
+ - libitcl4.0.5.so
+ - libtdbc1.0.4.so
+ - libthread2.8.0.so
+
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+collect2: error: ld returned 1 exit status
+make[2]: *** [libtcl8.6.so] Error 1
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ pkgs/itcl4.0.5/configure   | 2 +-
+ pkgs/tdbc1.0.4/configure   | 2 +-
+ pkgs/thread2.8.0/configure | 2 +-
+ unix/tcl.m4                | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pkgs/itcl4.0.5/configure b/pkgs/itcl4.0.5/configure
+index 39a994b..8c67865 100755
+--- a/pkgs/itcl4.0.5/configure
++++ b/pkgs/itcl4.0.5/configure
+@@ -7346,7 +7346,7 @@ fi
+ 	    CFLAGS_OPTIMIZE="-O2 -fomit-frame-pointer"
+ 
+ 	    # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS
+-	    SHLIB_LD='${CC} -shared ${CFLAGS} ${LDFLAGS_DEFAULT}'
++	    SHLIB_LD='${CC} ${CFLAGS} ${LDFLAGS_DEFAULT} -shared'
+ 	    LDFLAGS="$LDFLAGS -Wl,--export-dynamic"
+ 	    if test $doRpath = yes; then :
+ 
+diff --git a/pkgs/tdbc1.0.4/configure b/pkgs/tdbc1.0.4/configure
+index 94dfd63..fe7d7b3 100755
+--- a/pkgs/tdbc1.0.4/configure
++++ b/pkgs/tdbc1.0.4/configure
+@@ -7421,7 +7421,7 @@ fi
+ 	    CFLAGS_OPTIMIZE="-O2 -fomit-frame-pointer"
+ 
+ 	    # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS
+-	    SHLIB_LD='${CC} -shared ${CFLAGS} ${LDFLAGS_DEFAULT}'
++	    SHLIB_LD='${CC} ${CFLAGS} ${LDFLAGS_DEFAULT} -shared'
+ 	    LDFLAGS="$LDFLAGS -Wl,--export-dynamic"
+ 	    if test $doRpath = yes; then :
+ 
+diff --git a/pkgs/thread2.8.0/configure b/pkgs/thread2.8.0/configure
+index 2aa66a8..58b5ffd 100755
+--- a/pkgs/thread2.8.0/configure
++++ b/pkgs/thread2.8.0/configure
+@@ -7422,7 +7422,7 @@ fi
+ 	    CFLAGS_OPTIMIZE="-O2 -fomit-frame-pointer"
+ 
+ 	    # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS
+-	    SHLIB_LD='${CC} -shared ${CFLAGS} ${LDFLAGS_DEFAULT}'
++	    SHLIB_LD='${CC} ${CFLAGS} ${LDFLAGS_DEFAULT} -shared'
+ 	    LDFLAGS="$LDFLAGS -Wl,--export-dynamic"
+ 	    if test $doRpath = yes; then :
+ 
+diff --git a/unix/tcl.m4 b/unix/tcl.m4
+index ec7218e..1c286f8 100644
+--- a/unix/tcl.m4
++++ b/unix/tcl.m4
+@@ -1403,7 +1403,7 @@ AC_DEFUN([SC_CONFIG_CFLAGS], [
+ 	    # get rid of the warnings.
+ 	    #CFLAGS_OPTIMIZE="${CFLAGS_OPTIMIZE} -D__NO_STRING_INLINES -D__NO_MATH_INLINES"
+ 
+-	    SHLIB_LD='${CC} -shared ${CFLAGS} ${LDFLAGS}'
++	    SHLIB_LD='${CC} ${CFLAGS} ${LDFLAGS} -shared'
+ 	    DL_OBJS="tclLoadDl.o"
+ 	    DL_LIBS="-ldl"
+ 	    LDFLAGS="$LDFLAGS -Wl,--export-dynamic"
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 12/13] readline: correct linker flag sequence

[Matt Weber]

This patch will correct the sequence of -pie and -shared options.
When used together, -pie should be provided to the linker before
-shared.

Upstream: https://www.mail-archive.com/bug-readline at gnu.org/msg01114.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
--
Changes
v3 -> v4
 - New
---
 ...ine-patch-to-correct-linker-flag-sequence.patch | 58 ++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 package/readline/0001-readline-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/readline/0001-readline-patch-to-correct-linker-flag-sequence.patch b/package/readline/0001-readline-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..10383f6
--- /dev/null
+++ b/package/readline/0001-readline-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,58 @@
+From 25713f017b1501c39f474367b93c7948a1efee0d Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Thu, 28 Sep 2017 15:37:43 -0500
+Subject: [PATCH 1/1] readline: patch to correct linker flag sequence
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws an
+ error shown below as example.
+
+The patch fixes Makefile.am for below libs within setools:
+ - libhistory.so.7.0
+ - libreadline.so.7.0
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+/host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../..
+/powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[3]: *** [libhistory.so.7.0] Error 1
+make[3]: *** Waiting for unfinished jobs....
+mv vi_mode.o vi_mode.so
+mv complete.o complete.so
+mv bind.o bind.so
+mv display.o display.so
+make[2]: *** [shared] Error 2
+make[1]: *** [/build/readline-7.0/.stamp_built] Error 2
+make: *** [_all] Error 2
+-------------------------------------------------------------------------
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+---
+ shlib/Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shlib/Makefile.in b/shlib/Makefile.in
+index f2ec3e4..7c01859 100644
+--- a/shlib/Makefile.in
++++ b/shlib/Makefile.in
+@@ -174,11 +174,11 @@ unsupported:
+ 
+ $(SHARED_READLINE):	$(SHARED_OBJ)
+ 	$(RM) $@
+-	$(SHOBJ_LD) ${SHOBJ_LDFLAGS} ${SHLIB_XLDFLAGS} -o $@ $(SHARED_OBJ) $(SHLIB_LIBS)
++	$(SHOBJ_LD) ${SHLIB_XLDFLAGS} ${SHOBJ_LDFLAGS} -o $@ $(SHARED_OBJ) $(SHLIB_LIBS)
+ 
+ $(SHARED_HISTORY):	$(SHARED_HISTOBJ) xmalloc.so xfree.so
+ 	$(RM) $@
+-	$(SHOBJ_LD) ${SHOBJ_LDFLAGS} ${SHLIB_XLDFLAGS} -o $@ $(SHARED_HISTOBJ) xmalloc.so xfree.so $(SHLIB_LIBS)
++	$(SHOBJ_LD) ${SHLIB_XLDFLAGS} ${SHOBJ_LDFLAGS} -o $@ $(SHARED_HISTOBJ) xmalloc.so xfree.so $(SHLIB_LIBS)
+ 
+ # Since tilde.c is shared between readline and bash, make sure we compile 
+ # it with the right flags when it's built as part of readline
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 13/13] libcap: corrected linker flag sequence

[Matt Weber]

Patches
  0001 - added upstream note as we had to submit it upstream along
         with 0004
  0004 - corrects the sequence of -pie and -shared options. When
         used together, -pie should be provided to the linker before
         -shared.

Upstream: (Emailed to morgan at kernel.org)

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
CC: "Yann E. MORIN" <yann.morin.1998@free.fr>
--
Changes
v3 -> v4
 - New
---
 ...-build-system-fixes-for-cross-compilation.patch |  2 +
 ...cap-patch-to-correct-linker-flag-sequence.patch | 76 ++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 package/libcap/0004-libcap-patch-to-correct-linker-flag-sequence.patch

diff --git a/package/libcap/0001-build-system-fixes-for-cross-compilation.patch b/package/libcap/0001-build-system-fixes-for-cross-compilation.patch
index de24090..58217b5 100644
--- a/package/libcap/0001-build-system-fixes-for-cross-compilation.patch
+++ b/package/libcap/0001-build-system-fixes-for-cross-compilation.patch
@@ -5,6 +5,8 @@ Subject: [PATCH] build-system: fixes for cross-compilation
 
 Avoid the libcap buildsys forcing CC/CFLAGS/LDFLAGS/AR/RANLIB
 
+Upstream: (Emailed to morgan at kernel.org)
+
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 [yann.morin.1998 at free.fr: dont chmod +x the shared lib]
 Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
diff --git a/package/libcap/0004-libcap-patch-to-correct-linker-flag-sequence.patch b/package/libcap/0004-libcap-patch-to-correct-linker-flag-sequence.patch
new file mode 100644
index 0000000..173325f
--- /dev/null
+++ b/package/libcap/0004-libcap-patch-to-correct-linker-flag-sequence.patch
@@ -0,0 +1,76 @@
+From 147ad6b4c6b5035061196473c2b3d129fa650392 Mon Sep 17 00:00:00 2001
+From: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+Date: Tue, 26 Sep 2017 13:47:05 -0500
+Subject: [PATCH 1/1] libcap: patch to correct linker flag sequence.
+
+Description
+ This patch will correct the sequence of -pie and -shared options.
+ When used together, -pie should be provided to the linker before
+ -shared. If -pie is provided after -shared, the linker throws
+ below error.
+-------------------------------------------------------------------------
+/host/powerpc-buildroot-linux-gnu/sysroot/usr/lib/Scrt1.o:(.data+0x4):
+ undefined reference to `main'
+ /host/lib/gcc/powerpc-buildroot-linux-gnu/6.4.0/../../../../
+ powerpc-buildroot-linux-gnu/bin/ld: BFD (GNU Binutils) 2.28.1
+ assertion fail elf32-ppc.c:8923
+collect2: error: ld returned 1 exit status
+make[2]: *** [libcap.so.2.25] Error 1
+---------------------------------------------------------------------------
+
+Upstream: (Emailed to morgan at kernel.org)
+
+Signed-off-by: Yogesh Prasad <yogesh.prasad@rockwellcollins.com>
+--
+Changes
+v3 -> v4
+ - New
+
+---
+ Make.Rules       | 2 +-
+ libcap/Makefile  | 2 +-
+ pam_cap/Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Make.Rules b/Make.Rules
+index 8a07a3f..03b3680 100644
+--- a/Make.Rules
++++ b/Make.Rules
+@@ -59,7 +59,7 @@ WARNINGS=-Wall -Wwrite-strings \
+         -Wpointer-arith -Wcast-qual -Wcast-align \
+         -Wstrict-prototypes -Wmissing-prototypes \
+         -Wnested-externs -Winline -Wshadow
+-LD=$(CC) -Wl,-x -shared
++LDOPTS= -Wl,-x -shared
+ LDFLAGS ?= #-g
+ BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)
+ 
+diff --git a/libcap/Makefile b/libcap/Makefile
+index 44ddb27..c80a5e6 100644
+--- a/libcap/Makefile
++++ b/libcap/Makefile
+@@ -52,7 +52,7 @@ $(STALIBNAME): $(OBJS)
+ 	$(RANLIB) $@
+ 
+ $(MINLIBNAME): $(OBJS)
+-	$(LD) $(CFLAGS) $(LDFLAGS) -Wl,-soname,$(MAJLIBNAME) -o $@ $^
++	$(CC) $(CFLAGS) $(LDFLAGS) $(LDOPTS) -Wl,-soname,$(MAJLIBNAME) -o $@ $^
+ 	ln -sf $(MINLIBNAME) $(MAJLIBNAME)
+ 	ln -sf $(MAJLIBNAME) $(LIBNAME)
+ 
+diff --git a/pam_cap/Makefile b/pam_cap/Makefile
+index cc32fb6..6772075 100644
+--- a/pam_cap/Makefile
++++ b/pam_cap/Makefile
+@@ -17,7 +17,7 @@ install: all
+ 	install -m 0755 pam_cap.so $(FAKEROOT)$(LIBDIR)/security
+ 
+ pam_cap.so: pam_cap.o
+-	$(LD) $(LDFLAGS) -o pam_cap.so $< $(LDLIBS)
++	$(CC) $(LDFLAGS) $(LDOPTS) -o pam_cap.so $< $(LDLIBS)
+ 
+ pam_cap.o: pam_cap.c
+ 	$(CC) $(CFLAGS) $(IPATH) -c $< -o $@
+-- 
+1.9.1
+
-- 
1.9.1

[Buildroot] [PATCH v4 01/13] stack protector: moved option out of adv menu

[Peter Korsgaard]

>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:

 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
 > ---
 > Changes
 > v1 -> v2
 >  - Broke out into an individual commit for the menu change (Arnout)

 > v2 -> v3
 >  - Moved back up to the menu instead of a submenu (Arnout)

 > v3 -> v4
 >  - None.

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Peter Korsgaard]

>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:

 > This enables a user to build a complete system using these
 > options.  It is important to note that not all packages will
 > build correctly to start with.

 > Modeled after OpenWRT approach
 > https://github.com/openwrt/openwrt/blob/master/config/Config-build.in#L176

 > A good testing tool to check a target's elf files for compliance
 > to an array of hardening techniques can be found here:
 > https://github.com/slimm609/checksec.sh

 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
 > --
 > Changes

 > v1 -> v2
 >  - Cosmetic caps on titles

 > v2 -> v3
 >  - Consolidated the way flags were set using CPPFLAGS (Arnout)
 >  - Removed fortran flag as not relevant for this feature (Arnout)
 >  - Added BR2_TOOLCHAIN_USES_GLIBC and optimization level dependency

 > v3 -> v4
 > [Nicolas C
 >  - Used BR2_OPTIMIZE_0 as Config.in dependency
 >    for Fortify instead of using a warning at
 >    make time.
 >  - Enable -> Disable for the None options I
 >    mislabeled as enabling (relro/fortify).

 > +config BR2_FORTIFY_SOURCE_1
 > +	bool "Conservative"
 > +	help
 > +	  This option sets _FORTIFY_SOURCE set to 1 and only introduces

This sounds odd. Dropped the 2nd 'set' and rewrapped (here and for _SOURCE_2).

 > +comment "Fortify Source needs a GLIBC toolchain and some level of optimization"
 > +	depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)

We elsewhere don't write glibc in CAPITALS. 'Some level of optimization'
sounds a bit odd to me, so I reworded it to 'and optimization'.

Committed with that fixed, thanks!

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Matthew Weber]

Peter,

On Wed, Jan 24, 2018 at 5:09 AM, Matt Weber
<matthew.weber@rockwellcollins.com> wrote:
> This enables a user to build a complete system using these
> options.  It is important to note that not all packages will
> build correctly to start with.
>
> Modeled after OpenWRT approach
> https://github.com/openwrt/openwrt/blob/master/config/Config-build.in#L176
>
> A good testing tool to check a target's elf files for compliance
> to an array of hardening techniques can be found here:
> https://github.com/slimm609/checksec.sh
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> --
> Changes
>
> v1 -> v2
>  - Cosmetic caps on titles
>
> v2 -> v3
>  - Consolidated the way flags were set using CPPFLAGS (Arnout)
>  - Removed fortran flag as not relevant for this feature (Arnout)
>  - Added BR2_TOOLCHAIN_USES_GLIBC and optimization level dependency
>
> v3 -> v4
> [Nicolas C
>  - Used BR2_OPTIMIZE_0 as Config.in dependency
>    for Fortify instead of using a warning at
>    make time.
>  - Enable -> Disable for the None options I
>    mislabeled as enabling (relro/fortify).
> ---
>  Config.in           | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  package/Makefile.in | 42 ++++++++++++++++++++------------
>  2 files changed, 97 insertions(+), 15 deletions(-)
>
> diff --git a/Config.in b/Config.in
> index e7e5c2d..447b642 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -734,6 +734,76 @@ endchoice
>  comment "Stack Smashing Protection needs a toolchain w/ SSP"
>         depends on !BR2_TOOLCHAIN_HAS_SSP
>
> +choice
> +       bool "RELRO Protection"
> +       depends on BR2_SHARED_LIBS
> +       help
> +         Enable a link-time protection know as RELRO (RELocation Read Only)
> +         which helps to protect from certain type of exploitation techniques
> +         altering the content of some ELF sections.
> +
> +config BR2_RELRO_NONE
> +       bool "None"
> +       help
> +         Disables Relocation link-time protections.
> +
> +config BR2_RELRO_PARTIAL
> +       bool "Partial"
> +       help
> +         This option makes the dynamic section not writeable after
> +         initialization (with almost no performance penalty).
> +
> +config BR2_RELRO_FULL
> +       bool "Full"
> +       help
> +         This option includes the partial configuration, but also
> +         marks the GOT as read-only at the cost of initialization time
> +         during program loading, i.e every time an executable is started.
> +
> +endchoice
> +
> +comment "RELocation Read Only (RELRO) needs shared libraries"
> +       depends on !BR2_SHARED_LIBS
> +
> +choice
> +       bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
> +       depends on BR2_TOOLCHAIN_USES_GLIBC
> +       depends on !BR2_OPTIMIZE_0
> +       help
> +         Enable the _FORTIFY_SOURCE macro which introduces additional
> +         checks to detect buffer-overflows in the following standard library
> +         functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
> +         strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
> +         gets.
> +
> +         NOTE: This feature requires an optimization level of s/1/2/3/g
> +
> +         Support for this feature has been present since GCC 4.x.
> +
> +config BR2_FORTIFY_SOURCE_NONE
> +       bool "None"
> +       help
> +         Disables additional checks to detect buffer-overflows.
> +
> +config BR2_FORTIFY_SOURCE_1
> +       bool "Conservative"
> +       help
> +         This option sets _FORTIFY_SOURCE set to 1 and only introduces
> +         checks that shouldn't change the behavior of conforming programs.
> +         Adds checks at compile-time only.
> +
> +config BR2_FORTIFY_SOURCE_2
> +       bool "Aggressive"
> +       help
> +         This option sets _FORTIFY_SOURCES set to 2 and some more checking
> +         is added, but some conforming programs might fail.
> +         Also adds checks at run-time (detected buffer overflow terminates
> +         the program)
> +
> +endchoice
> +
> +comment "Fortify Source needs a GLIBC toolchain and some level of optimization"
> +       depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
>  endmenu
>
>  source "toolchain/Config.in"
> diff --git a/package/Makefile.in b/package/Makefile.in
> index a1a5316..36c3d55 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -138,11 +138,37 @@ ifeq ($(BR2_DEBUG_3),y)
>  TARGET_DEBUGGING = -g3
>  endif
>
> +TARGET_CFLAGS_RELRO = -Wl,-z,relro
> +TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
> +
> +TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
> +
> +ifeq ($(BR2_SSP_REGULAR),y)
> +TARGET_CPPFLAGS += -fstack-protector
> +else ifeq ($(BR2_SSP_STRONG),y)
> +TARGET_CPPFLAGS += -fstack-protector-strong
> +else ifeq ($(BR2_SSP_ALL),y)
> +TARGET_CPPFLAGS += -fstack-protector-all
> +endif
> +
> +ifeq ($(BR2_RELRO_PARTIAL),y)
> +TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)

Adding the CPPFLAGS (above) to the wrapper looks Ok.  However the
LDFAGS (below) would, now need to include a new wrapper to do the
fixups on flag ordering.  Should that be a new app or something added
onto the existing toolchain wrapper?

> +TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)

Matt

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Johan Oudinet]

Hi Matt,

This is a late reply but we encounter a build failure in our system
due to changes in this patch, which I believe are wrong. See below.

On Wed, Jan 24, 2018 at 5:09 AM, Matt Weber
<matthew.weber@rockwellcollins.com> wrote:
> +
> +ifeq ($(BR2_SSP_REGULAR),y)
> +TARGET_CPPFLAGS += -fstack-protector
> +else ifeq ($(BR2_SSP_STRONG),y)
> +TARGET_CPPFLAGS += -fstack-protector-strong
> +else ifeq ($(BR2_SSP_ALL),y)
> +TARGET_CPPFLAGS += -fstack-protector-all
> +endif
...
>
> -ifeq ($(BR2_SSP_REGULAR),y)
> -TARGET_CFLAGS += -fstack-protector
> -TARGET_CXXFLAGS += -fstack-protector
> -TARGET_FCFLAGS += -fstack-protector
> -else ifeq ($(BR2_SSP_STRONG),y)
> -TARGET_CFLAGS += -fstack-protector-strong
> -TARGET_CXXFLAGS += -fstack-protector-strong
> -TARGET_FCFLAGS += -fstack-protector-strong
> -else ifeq ($(BR2_SSP_ALL),y)
> -TARGET_CFLAGS += -fstack-protector-all
> -TARGET_CXXFLAGS += -fstack-protector-all
> -TARGET_FCFLAGS += -fstack-protector-all
> -endif

I don't think -fstack-protector* flags belongs to the preprocessor flags.
Why did you move them from CFLAGS and CXXFLAGS? Your commit message
suggests this was an proposition from Arnout but I can't find his
email where he says that.

Best regards,
-- 
Johan

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Matthew Weber]

Johan,

On Thu, Apr 26, 2018 at 10:55 AM, Johan Oudinet <johan.oudinet@gmail.com> wrote:
> Hi Matt,
>
[snip]
>
> I don't think -fstack-protector* flags belongs to the preprocessor flags.
> Why did you move them from CFLAGS and CXXFLAGS? Your commit message
> suggests this was an proposition from Arnout but I can't find his
> email where he says that.
>

There's a new patchset proposed this week which should resolve this.
I also noticed a couple other half/full RELO issues too after things
were merged, my testing on that original set missed some cases.

Pending patches(I've tested these and they look good for my test case)
http://patchwork.ozlabs.org/project/buildroot/list/?series=40826

Matt

[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

[Matthew Weber]

Johan,

On Fri, Apr 27, 2018 at 8:05 AM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Johan,
>
> On Thu, Apr 26, 2018 at 10:55 AM, Johan Oudinet <johan.oudinet@gmail.com> wrote:
> > Hi Matt,
> >
> [snip]
> >
> > I don't think -fstack-protector* flags belongs to the preprocessor flags.
> > Why did you move them from CFLAGS and CXXFLAGS? Your commit message
> > suggests this was an proposition from Arnout but I can't find his
> > email where he says that.
> >
>
> There's a new patchset proposed this week which should resolve this.
> I also noticed a couple other half/full RELO issues too after things
> were merged, my testing on that original set missed some cases.
>
> Pending patches(I've tested these and they look good for my test case)
> http://patchwork.ozlabs.org/project/buildroot/list/?series=40826

Would you mind testing with the following bundle mbox link?  I've
finished my testing (this bundle includes a new patch for one of
Stefan's that doesn't apply after I dropped the patch 3of4).
http://patchwork.ozlabs.org/bundle/matthewlweber/hardening_flags_fixup/

Matt