Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security

[Mark Hatle <mark.hatle@windriver.com>]

On 6/28/13 1:46 PM, Saul Wold wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
>
> [YOCTO #3868]
>
> Signed-off-by: Saul Wold <sgw@linux.intel.com>
> ---
>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>   1 file changed, 21 insertions(+)
>   create mode 100644 meta/conf/distro/include/security_flags.inc
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> new file mode 100644
> index 0000000..dc231e2
> --- /dev/null
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -0,0 +1,21 @@
> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"

Where do the flags get introduced into the actual CFLAGS and LDFLAGS?  Would it 
make sense to add this to the existing BUILD_OPTIMIZATION settings..  So they 
would always be available, and someone could just flip a switch to enable it?

> +
> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-eglibc = ""
> +SECURITY_CFLAGS_pn-eglibc-initial = ""

I know why you don't use them on -initial, but any reason to not enable this on 
'eglibc'?  If it doesn't work, it would be good to enhance eglibc's recipe to 
spit out a warning and sanitize the build like it does for -O0.

--Mark

> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +# These flags seem to
> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>