From: Khem Raj <raj.khem@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 00/10] Rework GCC PIE and security flags (take 2)
Date: Wed, 28 Jun 2017 09:04:05 -0700
Message-ID: <cover.1498665211.git.raj.khem@gmail.com>

* This patchset adds a switch to configure gcc driver with PIE defaults
* Add support for generating static PIE in gcc
* Gets rid of a lot of bandaids from distro security flags file
* Adjust recipes for new way of specifying pie

v1->v2:
* apply linking spec changes libssp_nonshared.a to musl alone
* icu/iptables/gstreamer1.0-plugins-bad fixes are done on top and do not really depend on pie rework

The following changes since commit 179b7ae2511974173ae4aa72dfb49384ff69c2e5:

  meta/conf/layer.conf: bump layer version for LSB changes (2017-06-28 15:52:00 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (10):
  gcc: Introduce a knob to configure gcc to default to PIE
  security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
  distutils,setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
  gcc7: Enable static PIE
  gcc: Link libssp_nonshared.a only on musl targets
  libunwind: We set -fPIE in security flags now if gcc is not configured
    for default PIE
  valgrind: Remove -no-pie from cflags
  iptables: Apply 0001-fix-build-with-musl.patch unconditionally
  icu: Fix build with glibc 2.26
  gstreamer1.0-plugins-bad: Fix missing library with bcm egl

meta/classes/distutils-common-base.bbclass | 2 -
meta/classes/setuptools.bbclass | 2 -
meta/conf/distro/include/security_flags.inc | 83 ++++++----------------
meta/recipes-devtools/gcc/gcc-7.1.inc | 3 +-
...shared-to-link-commandline-for-musl-targe.patch | 42 +++++++++++
.../gcc/gcc-7.1/0040-ssp_nonshared.patch | 28 --------
.../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch | 37 ++++++++++
meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +
meta/recipes-devtools/valgrind/valgrind_3.12.0.bb | 2 -
meta/recipes-extended/iptables/iptables_1.6.1.bb | 4 +-
.../link-with-libvchostif.patch | 35 +++++++++
.../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb | 1 +
.../icu/icu/0001-i18n-Drop-include-xlocale.h.patch | 31 ++++++++
meta/recipes-support/icu/icu_58.2.bb | 3 +-
meta/recipes-support/libunwind/libunwind_1.2.bb | 4 --
15 files changed, 177 insertions(+), 103 deletions(-)
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch
--
2.13.2