diff options
| author | Saul Wold <sgw@linux.intel.com> | 2013-06-28 11:46:03 -0700 |
|---|---|---|
| committer | Saul Wold <sgw@linux.intel.com> | 2013-07-02 07:58:10 -0700 |
| commit | ff0e863f2d345c42393a14a193f76d699745a2b9 (patch) | |
| tree | ffbc60161ec8c704bbf01ed614f8a2047f06ce5a | |
| parent | 1b894d56fae61d7f8da8fb50b82d1cce5cc9b8f2 (diff) | |
| download | openembedded-core-ff0e863f2d345c42393a14a193f76d699745a2b9.tar.gz openembedded-core-ff0e863f2d345c42393a14a193f76d699745a2b9.tar.bz2 openembedded-core-ff0e863f2d345c42393a14a193f76d699745a2b9.zip | |
security_flags: Add the compiler and linker flags that enhance security
These flags add addition checks at compile, link and runtime to prevent
stack smashing, checking for buffer overflows, and link at program start
to prevent call spoofing later.
This needs to be explicitly enabled by adding the following line to your
local.conf:
require conf/distro/include/security_flags.inc
[YOCTO #3868]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
| -rw-r--r-- | meta/conf/distro/include/security_flags.inc | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc new file mode 100644 index 0000000000..72dd1ad581 --- /dev/null +++ b/meta/conf/distro/include/security_flags.inc @@ -0,0 +1,26 @@ +SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2" +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" + +# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned +# to CPPFLAGS it gets picked into CFLAGS in bitbake. +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie" +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-eglibc = "" +SECURITY_CFLAGS_pn-eglibc-initial = "" +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2" + +# These 2 have text relco errors with the pie options enabled +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" + +TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}" +TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}" |