From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by mail.openembedded.org (Postfix) with ESMTP id 01F2360655 for ; Fri, 28 Jun 2013 18:46:56 +0000 (UTC) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga102.fm.intel.com with ESMTP; 28 Jun 2013 11:48:13 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="4.87,960,1363158000"; d="scan'208";a="362181199" Received: from unknown (HELO swold-linux.bigsur.com) ([10.255.13.119]) by fmsmga002.fm.intel.com with ESMTP; 28 Jun 2013 11:46:57 -0700 From: Saul Wold To: openembedded-core@lists.openembedded.org Date: Fri, 28 Jun 2013 11:46:57 -0700 Message-Id: <1372445217-28739-1-git-send-email-sgw@linux.intel.com> X-Mailer: git-send-email 1.8.1.4 Subject: [PATCH] security_flags: Add the compiler and linker flags that enhance security X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jun 2013 18:46:57 -0000 These flags add addition checks at compile, link and runtime to prevent stack smashing, checking for buffer overflows, and link at program start to prevent call spoofing later. This needs to be explicitly enabled by adding the following line to your local.conf: require conf/distro/include/security_flags.inc [YOCTO #3868] Signed-off-by: Saul Wold --- meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 meta/conf/distro/include/security_flags.inc diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc new file mode 100644 index 0000000..dc231e2 --- /dev/null +++ b/meta/conf/distro/include/security_flags.inc @@ -0,0 +1,21 @@ +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2" +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now" + +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie" +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-eglibc = "" +SECURITY_CFLAGS_pn-eglibc-initial = "" +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2" + +# These flags seem to +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2" +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" -- 1.8.1.4