Openembedded Core Discussions
 help / color / mirror / Atom feed
* [PATCH] security_flags: Add the compiler and linker flags that enhance security
@ 2013-06-28 18:46 Saul Wold
  2013-06-28 19:05 ` Mark Hatle
  0 siblings, 1 reply; 3+ messages in thread
From: Saul Wold @ 2013-06-28 18:46 UTC (permalink / raw)
  To: openembedded-core

These flags add addition checks at compile, link and runtime to prevent
stack smashing, checking for buffer overflows, and link at program start
to prevent call spoofing later.

This needs to be explicitly enabled by adding the following line to your
local.conf:

require conf/distro/include/security_flags.inc

[YOCTO #3868]

Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 meta/conf/distro/include/security_flags.inc

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..dc231e2
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,21 @@
+SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
+
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+# These flags seem to 
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
-- 
1.8.1.4



^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security
  2013-06-28 18:46 [PATCH] security_flags: Add the compiler and linker flags that enhance security Saul Wold
@ 2013-06-28 19:05 ` Mark Hatle
  2013-06-28 19:14   ` Saul Wold
  0 siblings, 1 reply; 3+ messages in thread
From: Mark Hatle @ 2013-06-28 19:05 UTC (permalink / raw)
  To: openembedded-core

On 6/28/13 1:46 PM, Saul Wold wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
>
> [YOCTO #3868]
>
> Signed-off-by: Saul Wold <sgw@linux.intel.com>
> ---
>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>   1 file changed, 21 insertions(+)
>   create mode 100644 meta/conf/distro/include/security_flags.inc
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> new file mode 100644
> index 0000000..dc231e2
> --- /dev/null
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -0,0 +1,21 @@
> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"

Where do the flags get introduced into the actual CFLAGS and LDFLAGS?  Would it 
make sense to add this to the existing BUILD_OPTIMIZATION settings..  So they 
would always be available, and someone could just flip a switch to enable it?

> +
> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-eglibc = ""
> +SECURITY_CFLAGS_pn-eglibc-initial = ""

I know why you don't use them on -initial, but any reason to not enable this on 
'eglibc'?  If it doesn't work, it would be good to enhance eglibc's recipe to 
spit out a warning and sanitize the build like it does for -O0.

--Mark

> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +# These flags seem to
> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>



^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security
  2013-06-28 19:05 ` Mark Hatle
@ 2013-06-28 19:14   ` Saul Wold
  0 siblings, 0 replies; 3+ messages in thread
From: Saul Wold @ 2013-06-28 19:14 UTC (permalink / raw)
  To: Mark Hatle; +Cc: openembedded-core

On 06/28/2013 12:05 PM, Mark Hatle wrote:
> On 6/28/13 1:46 PM, Saul Wold wrote:
>> These flags add addition checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>>
>> [YOCTO #3868]
>>
>> Signed-off-by: Saul Wold <sgw@linux.intel.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>>   1 file changed, 21 insertions(+)
>>   create mode 100644 meta/conf/distro/include/security_flags.inc
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc
>> b/meta/conf/distro/include/security_flags.inc
>> new file mode 100644
>> index 0000000..dc231e2
>> --- /dev/null
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -0,0 +1,21 @@
>> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
>> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
>
> Where do the flags get introduced into the actual CFLAGS and LDFLAGS?
> Would it make sense to add this to the existing BUILD_OPTIMIZATION
> settings..  So they would always be available, and someone could just
> flip a switch to enable it?
>
Opps, sorry forgot to send part 2!

Sau!

>> +
>> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
>> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-eglibc = ""
>> +SECURITY_CFLAGS_pn-eglibc-initial = ""
>
> I know why you don't use them on -initial, but any reason to not enable
> this on 'eglibc'?  If it doesn't work, it would be good to enhance
> eglibc's recipe to spit out a warning and sanitize the build like it
> does for -O0.
>
> --Mark
>
>> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +
>> +# These flags seem to
>> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-06-28 19:14 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-28 18:46 [PATCH] security_flags: Add the compiler and linker flags that enhance security Saul Wold
2013-06-28 19:05 ` Mark Hatle
2013-06-28 19:14   ` Saul Wold

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox