Diffstat (limited to 'meta/conf/distro/include/security_flags.inc')
-rw-r--r--meta/conf/distro/include/security_flags.inc85
1 files changed, 85 insertions, 0 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..60f3049
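--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,85 @@
+SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
+SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
+
+# powerpc does not get on with pie for reasons not looked into as yet
+SECURITY_CFLAGS_powerpc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+# Deal with ppc specific linker failures when using the cflags
+SECURITY_CFLAGS_pn-dbus_powerpc = ""
+SECURITY_CFLAGS_pn-dbus-ptest_powerpc = ""
+SECURITY_CFLAGS_pn-libmatchbox_powerpc = ""
+SECURITY_CFLAGS_pn-webkit-gtk_powerpc = ""
+
+# arm specific security flag issues
+SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
+
+SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
+# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
+# to CPPFLAGS it gets picked into CFLAGS in bitbake.
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-cups = "${SECURITY_NO_PIE_CLAGS}"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-db = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-directfb = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gcc-runtime = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-grub = ""
+SECURITY_CFLAGS_pn-grub-efi = ""
+SECURITY_CFLAGS_pn-grub-efi-native = ""
+SECURITY_CFLAGS_pn-grub-efi-x86-native = ""
+SECURITY_CFLAGS_pn-grub-efi-x86-64-native = ""
+SECURITY_CFLAGS_pn-grub-efi-i586-native = ""
+SECURITY_CFLAGS_pn-grub-efi-x86-64-native = ""
+SECURITY_CFLAGS_pn-gst-plugins-bad = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gst-plugins-gl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gstreamer1.0-plugins-good = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-harfbuzz = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libpcap = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libproxy = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-lttng-ust = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-mesa = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-mesa-gl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-openssl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-opensp = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-ppp = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-python = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-python-imaging = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-python-pycurl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-python-smartpm = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-tcl = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-tiff = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-valgrind = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-webkit-gtk = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-lvm2 = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
+
+# These 2 have text relco errors with the pie options enabled
+SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
+
+TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
+
+SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xf86-video-omap = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xf86-video-vesa = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xf86-video-vmware = "${SECURITY_X_LDFLAGS}"
+SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"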
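Review bot: The cups override on file line 22 references `${SECURITY_NO_PIE_CLAGS}`, a name this file never defines (line 2 defines `SECURITY_NO_PIE_CFLAGS`), so cups presumably loses `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2` as well as PIE. It should read `SECURITY_CFLAGS_pn-cups = "${SECURITY_NO_PIE_CFLAGS}"`. `SECURITY_CFLAGS_pn-grub-efi-x86-64-native` is assigned twice, on file lines 38 and 40, and one of the two can be dropped. The overrides that set the flags to `""` (eglibc, eglibc-initial, the grub variants, and the four powerpc packages) disable every hardening flag rather than only PIE, and only the powerpc group carries a comment. A one-line note per group, such as `# all hardening disabled: <build failure observed>`, would let a later reviewer tell when an exemption can be narrowed to `${SECURITY_NO_PIE_CFLAGS}` or removed.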