diff options
Diffstat (limited to 'meta/conf/distro')
| -rw-r--r-- | meta/conf/distro/include/security_flags.inc | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index ff5f34e3a3..5755d28104 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc | |||
| @@ -9,8 +9,11 @@ | |||
| 9 | # -O0 which then results in a compiler warning. | 9 | # -O0 which then results in a compiler warning. |
| 10 | lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" | 10 | lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" |
| 11 | 11 | ||
| 12 | SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}" | 12 | # Error on use of format strings that represent possible security problems |
| 13 | SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}" | 13 | SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" |
| 14 | |||
| 15 | SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" | ||
| 16 | SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" | ||
| 14 | 17 | ||
| 15 | SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" | 18 | SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" |
| 16 | SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" | 19 | SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" |
| @@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}" | |||
| 92 | SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}" | 95 | SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}" |
| 93 | SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}" | 96 | SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}" |
| 94 | 97 | ||
| 98 | # Recipes which fail to compile when elevating -Wformat-security to an error | ||
| 99 | SECURITY_STRINGFORMAT_pn-busybox = "" | ||
| 100 | SECURITY_STRINGFORMAT_pn-console-tools = "" | ||
| 101 | SECURITY_STRINGFORMAT_pn-cmake = "" | ||
| 102 | SECURITY_STRINGFORMAT_pn-expect = "" | ||
| 103 | SECURITY_STRINGFORMAT_pn-gcc = "" | ||
| 104 | SECURITY_STRINGFORMAT_pn-gettext = "" | ||
| 105 | SECURITY_STRINGFORMAT_pn-kexec-tools = "" | ||
| 106 | SECURITY_STRINGFORMAT_pn-leafpad = "" | ||
| 107 | SECURITY_STRINGFORMAT_pn-libuser = "" | ||
| 108 | SECURITY_STRINGFORMAT_pn-ltp = "" | ||
| 109 | SECURITY_STRINGFORMAT_pn-makedevs = "" | ||
| 110 | SECURITY_STRINGFORMAT_pn-oh-puzzles = "" | ||
| 111 | SECURITY_STRINGFORMAT_pn-stat = "" | ||
| 112 | SECURITY_STRINGFORMAT_pn-unzip = "" | ||
| 113 | SECURITY_STRINGFORMAT_pn-zip = "" | ||
| 114 | |||
| 95 | TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}" | 115 | TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}" |
| 96 | TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" | 116 | TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" |
| 97 | 117 | ||