path: root/meta/conf/distro/include/security_flags.inc
Commit message | Author | Age | Files | Lines
...
* security_flags.inc: don't do -pie for syslinux | Ross Burton | 2016-02-07 | 1 | -0/+1

  sysroots/x86_64-linux/usr/libexec/x86_64-poky-linux/gcc/x86_64-poky-linux/5.3.0/ld: syslinux.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC

  (From OE-Core rev: b87a9c82663446fa8c002e144de57127e8902b54)

  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags.inc: remove obsolete workarounds for curl | Andre McCurdy | 2016-01-19 | 1 | -4/+0

  The curl configure script contains sanity checks for unexpected options being passed via CFLAGS, LDFLAGS, etc. environment variables. These sanity checks catch -Dxxx options in CFLAGS, which clashes with OE's approach of using CFLAGS to pass -D_FORTIFY_SOURCE (curl's configure script suggests, quite correctly, that -Dxxx options should be passed via CPPFLAGS instead).

  These sanity checks previously generated fatal errors, but have been downgraded to warnings since curl v7.32. Therefore the workaround of avoiding -D_FORTIFY_SOURCE for curl is obsolete and can be removed.

  https://github.com/bagder/curl/commit/5d3cbde72ece7d83c280492957a26e26ab4e5cca

  (From OE-Core rev: d0dfd7bf9b2d6fb269f4d9b62263fd7ccc805fde)

  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags.inc: disable -fstack-protector-XXX for valgrind | Andre McCurdy | 2016-01-07 | 1 | -1/+1

  Valgrind (v3.11.0) expects to build with stack protection disabled and includes -fno-stack-protector in its default CFLAGS. However, the CFLAGS provided by OE are included on the compiler command line after the defaults so any -fstack-protector-all / -fstack-protector-strong option provided by security_flags.inc will cause problems.

  | .../build-bcm97425vms/tmp/work/mips32el-rdk-linux/valgrind/3.11.0-r0/valgrind-3.11.0/coregrind/m_mallocfree.c:892: undefined reference to `__stack_chk_guard'
  | .../build-bcm97425vms/tmp/work/mips32el-rdk-linux/valgrind/3.11.0-r0/valgrind-3.11.0/coregrind/m_mallocfree.c:947: undefined reference to `__stack_chk_fail'

  (From OE-Core rev: ff4f46700a4810fcb49c58978b17af4f52fa9925)

  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* webkit-gtk: remove the recipe for the obsolete version 1.8.3 | Alexander Kanavin | 2015-09-14 | 1 | -2/+0

  webkitgtk 2.8.3 is provided instead and midori browser is replaced by epiphany in separate commits.

  (From OE-Core rev: 1a72dc9c44c7806c869c3b3afcd5d31bcf2da979)

  (From OE-Core rev: 68a1e346751c4d644a14035b0d7acf01d212f38c)

  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags.inc: disable -pie and -fpie from Python3 compilation. | Topi Kuutela | 2015-08-09 | 1 | -0/+1

  If security_flags.inc is 'required' to the image, -pie and -fpie options are added to CFLAGS. These are not compatible with the -shared GCC option. The result is several errors of the following form and missing Python3 modules in the image:

  *.o In function `_start':
  *.S undefined reference to `main'
  collect2: error: ld returned 1 exit status

  (From OE-Core rev: 94818c5240b793464700945d0cf057bffb9e1008)

  Signed-off-by: Topi Kuutela <topi.kuutela@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security-flags: Disable PIE for coreutils, elfutils, gcc, iptables | Richard Purdie | 2015-07-27 | 1 | -2/+4

  With gcc 5, we need to disable the PIE flags for more recipes in order to have successful builds.

  (From OE-Core rev: ec2f1b5af102ab6a8fcc23bf115c8f0451ab7eb8)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: eliminate FORTIFY_SOURCE for debug builds | Joe Slater | 2015-07-08 | 1 | -3/+8

  If -D_FORTIFY_SOURCE=2 is included in CFLAGS for debug builds, many warnings will be generated and some packages will fail to build. So, only conditionally include it.

  (From OE-Core rev: 1b576012a6a2b2ebc2c507cdaebd62174810b191)

  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags.inc: remove duplicated over-rides | Andre McCurdy | 2015-06-23 | 1 | -2/+0

  The following over-rides were both defined twice:

  SECURITY_CFLAGS_pn-grub-efi-x86-64-native
  SECURITY_CFLAGS_pn-ltp

  (From OE-Core rev: dfae10889ab0fce2bae94294a78f4ea0aaf1b81e)

  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Add comment about what it does and who uses it | Richard Purdie | 2015-05-30 | 1 | -0/+7

  It was pointed out that people couldn't easily see who used this or why so add some comments about that.

  (From OE-Core rev: 67f09e9086b8fb1c0c8a1dd19419afb1a5af8daf)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Add python-numpy to pie incompatible list | Richard Purdie | 2015-05-03 | 1 | -0/+1

  With poky-lsb (security flags enabled), python-numpy doesn't build with pie flags.

  (From OE-Core rev: d4694ac5e18db1d0db314d0d8b1104c073037a60)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags.inc: elfutils on ARM fails with PIE flags | Denys Dmytriyenko | 2015-04-09 | 1 | -0/+1

  The error messages look like this:

  R_ARM_TLS_LE32 relocation not permitted in shared object

  (From OE-Core rev: a915adfd1eaad9a0d65dffe9da92811284e491c8)

  Signed-off-by: Denys Dmytriyenko <denys@ti.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: remove PIE flags from flex and gstreamer1.0-plugins-bad | Ross Burton | 2015-03-02 | 1 | -0/+2

  These recipes both fail to build with "relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_start' can not be used when making a shared object" when using PIE.

  (From OE-Core rev: 37e6e62f0faae3fa16421b051599aea0e03a5825)

  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: disable PIE on expect | Ross Burton | 2015-01-29 | 1 | -0/+1

  Disable PIE in expect as otherwise it tries to link the shared library as an executable.

  (From OE-Core rev: fe1f5c90eede593100fe57630d39cf329e59ef8f)

  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-sanitizers: Enable GCC sanitizers | Dan McGregor | 2015-01-23 | 1 | -0/+1

  AddressSanitizer is a fast memory error detector. ThreadSanitizer detects data races. UBSanitizer detects undefined behaviour.

  All consist of compiler instrumentation and a run-time library. The compiler instrumentation was already enabled, this builds the run-time library component.

  (From OE-Core rev: 1709bf0c3a84bb04bc52e9104ad8e09fba6c6f91)

  Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: disable pie support for libaio, blktrace and ltp | Saul Wold | 2015-01-16 | 1 | -0/+3

  libaio when built with pie and fpie does not link correctly with blktrace or ltp so we need to disable those flags until a better solution comes along.

  (From OE-Core rev: 4fbf13a6c28fc1170a4defbf50032546a14eaa59)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Fix typo for cups | Richard Purdie | 2014-12-19 | 1 | -1/+1

  (From OE-Core rev: 146b1ea632294b2830e2cfe2d1258d48cd0c0e85)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* distro: TCLIBC now defines glibc instead of eglibc | Khem Raj | 2014-09-01 | 1 | -2/+2

  Adjust naming conventions to reflect eglibc->glibc move

  (From OE-Core rev: ce3f296ec9021d207cb80cb2c697932b83fd0e81)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Update to correctly link X modules | Saul Wold | 2014-03-05 | 1 | -0/+9

  Remove the -z,now flag from linking

  [YOCTO #5885]

  (From OE-Core rev: 545986bfbfe20f2b6e8a46e88e2cc3007ca344e6)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security-flags: Avoid lttng-tools issue on arm | Richard Purdie | 2014-02-26 | 1 | -0/+3

  (From OE-Core rev: 010d5b437413156c3f4dc90a14698231bb195c2e)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security-flags: Deal with powerpc build issues | Richard Purdie | 2014-02-26 | 1 | -0/+8

  Building powerpc machines with the standard security flags generated numerous build failures. Use a reduced set of flags for now to avoid linker issues and other compile failures.

  (From OE-Core rev: 4ef8f658874282ead0c46352474fdb03ad1f1038)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: disable PIE flags for cups builds | Saul Wold | 2014-02-26 | 1 | -0/+1

  (From OE-Core rev: c564bffe7a32470578a22b70e868e7bec2da0a69)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: db can't use pie flags from gcc for security build | Saul Wold | 2014-01-14 | 1 | -0/+1

  [YOCTO #5721]

  (From OE-Core rev: 0cfe254e7eafed27f512216cccfb7fee76fc0be7)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: add the rest of the grub-efi related packages | Saul Wold | 2014-01-06 | 1 | -0/+4

  [YOCTO #5515]

  (From OE-Core rev: 840fd855a47b0a557911ae0542ed24a047af6d7b)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: more relocation issues | Saul Wold | 2013-12-18 | 1 | -0/+6

  These are similar relocation R_X86_64_PC32 issues that are solved by removing the -pie flags.

  [YOCTO #5515]

  (From OE-Core rev: cd94dd3d9bba32c3fd55959586128b236d1d4e34)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Add entry for openssl | Saul Wold | 2013-12-05 | 1 | -0/+1

  It seems we might be stumbling over an obscure linkage issue possibly similar to http://marc.info/?l=openssl-dev&m=130132183118768&w=2

  This issue appears for x86-64 systems with the PIE related compiler flags.

  libcrypto.a(cryptlib.o): relocation R_X86_64_PC32 against symbol `OPENSSL_showfatal' can not be used when making a shared object; recompile with -fPIC

  The error suggests recompiling with -fPIC, but it is already compiled that way.

  Disabling the PIE flags makes it work for now, I have posted to openssl ML

  [YOCTO #5515]

  (From OE-Core rev: 55e1c0e66fd16612016b3e415cbfa4e3051e5a8f)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: grub-efi-natve does not build with flags enabled | Saul Wold | 2013-11-24 | 1 | -0/+2

  [YOCTO #5505]

  (From OE-Core rev: db628ccad9db49d0e83fb534ddfb05a57132f2fa)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mesa-gl: add GL-only Mesa recipe | Ross Burton | 2013-09-17 | 1 | -0/+1

  Some machines have hardware-specific GL drivers that do EGL and GLES (many ARM boards). Others have their own EGL/GLES drivers and provide a Mesa DRI driver (EMGD).

  Previously adding Mesa, for software GL/GLX rendering in the first case and hardware GLX in the second, involved bbappends and changing Mesa to be machine-specific. By adding a just-GL Mesa the machine definition can combine it with the hardware drivers cleanly.

  (From OE-Core rev: f5a3a4bc33109181c741a2e66c13d0b45566e8fa)

  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Add addition recipes to the non pie list | Saul Wold | 2013-07-10 | 1 | -12/+33

  Create a local SECURITY_NO_PIE_CFLAGS to cover the recipes that have issues with pic and pie cflags set.

  (From OE-Core rev: 4f5009dcbbeb27bdf5dcaebb3b457fecef410ebe)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* security_flags: Add the compiler and linker flags that enhance security | Saul Wold | 2013-07-02 | 1 | -0/+26

  These flags add additional checks at compile, link and runtime to prevent stack smashing, checking for buffer overflows, and link at program start to prevent call spoofing later.

  This needs to be explicitly enabled by adding the following line to your local.conf:

  require conf/distro/include/security_flags.inc

  [YOCTO #3868]

  (From OE-Core rev: ff0e863f2d345c42393a14a193f76d699745a2b9)

  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>