security_flags: Add the compiler and linker flags that enhance security

These flags add addition checks at compile, link and runtime to prevent stack smashing, checking for buffer overflows, and link at program start to prevent call spoofing later. This needs to be explicitly enabled by adding the following line to your local.conf: require conf/distro/include/security_flags.inc [YOCTO #3868] (From OE-Core rev: ff0e863f2d345c42393a14a193f76d699745a2b9) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Saul Wold <sgw@linux.intel.com> 2013-06-28 11:46:03 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-07-02 22:26:57 +0100
commit: 6c290e4a35b8eb6e55a8e48236bc1a77c110b271 (patch)
tree: e10ea202050957f171ce7671733e0eaefa4febdc /meta/conf
parent: 85f0cf943d3165a603ccb058d838bc0b6a80ce43 (diff)
download: poky-6c290e4a35b8eb6e55a8e48236bc1a77c110b271.tar.gz
1 files changed, 26 insertions, 0 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000000..72dd1ad581
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,26 @@
+SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
+# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
+# to CPPFLAGS it gets picked into CFLAGS in bitbake.
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+# These 2 have text relco errors with the pie options enabled
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
author	Saul Wold <sgw@linux.intel.com>	2013-06-28 11:46:03 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-07-02 22:26:57 +0100
commit	6c290e4a35b8eb6e55a8e48236bc1a77c110b271 (patch)
tree	e10ea202050957f171ce7671733e0eaefa4febdc /meta/conf
parent	85f0cf943d3165a603ccb058d838bc0b6a80ce43 (diff)
download	poky-6c290e4a35b8eb6e55a8e48236bc1a77c110b271.tar.gz

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc new file mode 100644 index 0000000000..72dd1ad581 --- /dev/null +++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,26 @@
	1	SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
	2	SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
	3
	4	# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
	5	# to CPPFLAGS it gets picked into CFLAGS in bitbake.
	6	#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
	7	SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
	8	SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	9	SECURITY_CFLAGS_pn-eglibc = ""
	10	SECURITY_CFLAGS_pn-eglibc-initial = ""
	11	SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	12	SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	13	SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	14	SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	15	SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	16	SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	17	SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	18	SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	19	SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	20
	21	# These 2 have text relco errors with the pie options enabled
	22	SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	23	SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
	24
	25	TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
	26	TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"