Message-ID: <1432905410.404.136.camel@linuxfoundation.org>
From: Richard Purdie
To: openembedded-core
Date: Fri, 29 May 2015 14:16:50 +0100
Subject: [PATCH] security_flags: Add comment about what it does and who uses it

It was pointed out that people couldn't easily see who used this or why so add some comments about that.

Signed-off-by: Richard Purdie

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 0ee3814..9608c7f 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc 
@@ -1,3 +1,10 @@ +# Setup extra CFLAGS and LDFLAGS which have 'security' benefits. These +# don't work universally, there are recipes which can't use one, the other +# or both so a blacklist is maintained here. The idea would be over +# time to reduce this list to nothing. +# From a Yocto Project perspective, this file is included and tested +# in the DISTRO="poky-lsb" configuration. + SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2" SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-all -D_FORTIFY_SOURCE=2" SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
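Review bot: in the new header comment, "there are recipes which can't use one, the other or both" is ambiguous, because three variables follow it (SECURITY_CFLAGS, SECURITY_NO_PIE_CFLAGS and SECURITY_LDFLAGS); name the two sets being contrasted, and state that SECURITY_NO_PIE_CFLAGS is the same set without "-pie -fpie" for recipes that cannot be built as position-independent executables. The comment would also be more useful to someone auditing a build if it named what the flags enable rather than referring to 'security' benefits in quotes: stack protector on all functions, PIE, _FORTIFY_SOURCE=2, and RELRO with immediate binding via "-Wl,-z,relro,-z,now". Since the stated aim is to reduce the blacklist to nothing, a short line on how a recipe gets onto it (which variable is overridden) would help readers judge whether an entry is still needed. Minor: "Setup" as a verb should be "Set up".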