From: Waldemar Brodkorb <wbx@openadk.org>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2 2/2] security hardening: add RELFO, FORTIFY options
Date: Tue, 7 Nov 2017 20:31:27 +0100
Message-ID: <20171107193127.GX1829@waldemar-brodkorb.de>
In-Reply-To: <00a38063-e166-6ba4-6927-b90285ce031e@mind.be>

Hi Arnout,

Arnout Vandecappelle wrote,
> >>> Do you know how these behave in uClibc and musl? Waldemar, any idea?
> >>> Obviously
> >>> the gcc part will still be activated, which covers about half of the
> >>> functionality.
> >>>
> >>
> >> Checking on the answer, but we ran through the complete test-pkg build list.
> >> I'll see which were skipped. We didn't see specific failures.
> >>
> >
> > The set of test packages I used ended up forcing a glibc only test-pkg
> > build. I'll rerun with a basic busybox scenario.
>
> It will build, that's for sure. My question is: will it actually do anything
> useful? The effect of fortify is shared a bit between GCC and glibc. E.g.
> 'memset' has a GCC implementation (used when it can be inlined) and a glibc
> implementation (used when it's too big or unpredictable). As far as I can see,
> neither uClibc nor musl have support for FORTIFY. So only the GCC part will take
> effect. But I think that that is so little that it's hardly worth it.

I can confirm uClibc-ng does not support FORTIFY security
mechanisms.

There is some old unused code since
82098ab9b853c33ee8ade61c9510b295cc696de1, but I am considering
removing it, because it is unused and incomplete.

best regards
Waldemar
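
The split between compiler and C library that this message discusses, as an added example that is not part of the thread and is not code from Buildroot, glibc or uClibc-ng: the compiler supplies the destination size through `__builtin_object_size`, and a checking function on the libc side uses that size at run time. `demo_memset_chk`, `DEMO_MEMSET` and the helper functions are hypothetical stand-ins; glibc's real `__memset_chk` aborts the process instead of returning NULL.

```c
#include <stddef.h>
#include <string.h>

#define SIZE_UNKNOWN ((size_t)-1)  /* builtin's answer when it cannot tell */

/* libc half: hypothetical stand-in for a checking entry point such as
 * glibc's __memset_chk. The real one aborts; this one returns NULL so
 * the outcome can be inspected. */
void *demo_memset_chk(void *dst, int c, size_t n, size_t dstlen)
{
    if (dstlen != SIZE_UNKNOWN && n > dstlen)
        return NULL;                      /* overflow refused */
    return memset(dst, c, n);             /* size fits, or nothing to check */
}

/* Header half: the kind of wrapper a fortifying libc header puts around
 * memset. The compiler fills in the destination size at the call site. */
#define DEMO_MEMSET(dst, c, n) \
    demo_memset_chk((dst), (c), (n), __builtin_object_size((dst), 0))

/* Size the compiler reports for a local 8-byte array: 8, or SIZE_UNKNOWN
 * if this compiler and optimisation level cannot determine it. */
size_t size_of_local_array(void)
{
    char buf[8];
    return __builtin_object_size(buf, 0);
}

/* Size reported for a pointer whose origin is not visible here. */
__attribute__((noinline)) size_t size_through_pointer(char *p)
{
    return __builtin_object_size(p, 0);
}

/* Returns 1 if an n-byte fill of an 8-byte buffer was refused. */
int fill_refused(size_t n)
{
    char buf[8];
    /* Without a known size nothing would stop the write, so the demo
     * skips it rather than really overflowing the stack. */
    if (n > sizeof buf && __builtin_object_size(buf, 0) == SIZE_UNKNOWN)
        return 0;
    return DEMO_MEMSET(buf, 'A', n) == NULL;
}
```

The check only fires when both halves are present: a wrapper that passes the compiler-computed size, and a library function that compares against it.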