
Patch from Peter S. Mazinger:
Separate out security features into a separate menu

Eric Andersen 19 years ago
parent
commit
6ae64d2583
4 changed files with 96 additions and 60 deletions
  1. 8 0
      Rules.mak
  2. 79 60
      extra/Configs/Config.in
  3. 3 0
      ldso/ldso/Makefile
  4. 6 0
      libpthread/Makefile

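--- a/Rules.mak
+++ b/Rules.mak
@@ -254,6 +254,14 @@ else
     LDFLAGS := $(CPU_LDFLAGS-y) -s -shared --warn-common --warn-once -z combreloc
 endif
 endif
 
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+LDFLAGS+=-z relro
+endif
+
+ifeq ($(UCLIBC_BUILD_NOW),y)
+LDFLAGS+=-z now
+endif
+
 # Sigh, some stupid versions of gcc can't seem to cope with '-iwithprefix include'
 #CFLAGS+=-iwithprefix include
 CFLAGS+=-isystem $(shell $(CC) -print-file-name=include)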
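Review bot: The two new `ifeq` tests compare `$(UCLIBC_BUILD_RELRO)` and `$(UCLIBC_BUILD_NOW)` unstripped, whereas the conditions this commit extends in libpthread/Makefile use the `ifeq ($(strip $(VAR)),y)` form; should either value ever carry trailing whitespace, the hardening flag would be dropped without any diagnostic. Suggest `ifeq ($(strip $(UCLIBC_BUILD_RELRO)),y)` and `ifeq ($(strip $(UCLIBC_BUILD_NOW)),y)`. A one-line comment above the block, `# Optional link-time hardening: -z relro alone gives partial RELRO, add -z now for a read-only GOT`, would also tell a reader why the two options are kept separate.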

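--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -205,20 +205,6 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
 	  little bit smaller and guarantee that no memory will be wasted by badly
 	  coded shared libraries.
 
-config UCLIBC_BUILD_PIE
-	bool "Build utilities as ET_DYN/PIE executables"
-	depends on HAVE_SHARED
-	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
-	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
-	default n
-	help
-	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
-	  This requires gcc-3.4 and binutils-2.15 or later.
-	  More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
-	  WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
-		libraries have to be built with -fPIC or -fpic, and all assembler
-		functions must be written as position independent code (PIC).
-
 config LDSO_LDD_SUPPORT
 	bool "Native shared library loader 'ldd' support"
 	depends on BUILD_UCLIBC_LDSO
@@ -283,52 +269,6 @@ config UCLIBC_CTOR_DTOR
 	  or dtors and want your binaries to be as small as possible, then
 	  answer N.
 
-config UCLIBC_HAS_SSP
-	bool "Support for propolice stack protection"
-	default n
-	help
-	  Adds propolice protection to libc (__guard and __stack_smash_handler).
-	  More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
-	  To be able to use it, you'll also need a propolice patched gcc,
-	  supporting the -fstack-protector[-all] options. It is a specially patched
-	  gcc version, where __guard and __stack_smash_handler are removed from libgcc.
-	  Most people will answer N.
-
-choice
-	prompt "Propolice protection blocking signal"
-	depends on UCLIBC_HAS_SSP
-	default PROPOLICE_BLOCK_ABRT if ! DODEBUG
-	default PROPOLICE_BLOCK_SEGV if DODEBUG
-	help
-	  "abort" use SIGABRT to block offending programs.
-	  This is the default implementation.
-
-	  "segfault" use SIGSEGV to block offending programs.
-	  Use this for debugging.
-
-	  "kill" use SIGKILL to block offending programs.
-	  Perhaps the best for security.
-
-	  If unsure, answer "abort".
-
-config PROPOLICE_BLOCK_ABRT
-	bool "abort"
-
-config PROPOLICE_BLOCK_SEGV
-	bool "segfault"
-
-config PROPOLICE_BLOCK_KILL
-	bool "kill"
-
-endchoice
-
-config UCLIBC_BUILD_SSP
-	bool "Build uClibc with propolice protection"
-	depends on UCLIBC_HAS_SSP
-	default n
-	help
-	  Build all libraries and executables with propolice protection enabled.
-
 config HAS_NO_THREADS
 	bool
 	default n
@@ -1146,6 +1086,85 @@ config DEVEL_PREFIX
 
 endmenu
 
+
+menu "uClibc security related options"
+
+config UCLIBC_BUILD_PIE
+	bool "Build utilities as ET_DYN/PIE executables"
+	depends on HAVE_SHARED
+	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
+	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
+	default n
+	help
+	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
+	  It requires gcc-3.4 and binutils-2.15 or later.
+	  More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
+	  WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
+		libraries have to be built with -fPIC or -fpic, and all assembler
+		functions must be written as position independent code (PIC).
+
+config UCLIBC_HAS_SSP
+	bool "Support for propolice stack protection"
+	default n
+	help
+	  Adds propolice protection to libc (__guard and __stack_smash_handler).
+	  More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
+	  To be able to use it, you'll also need a propolice patched gcc,
+	  supporting the -fstack-protector[-all] options. It is a specially patched
+	  gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+	  Most people will answer N.
+
+choice
+	prompt "Propolice protection blocking signal"
+	depends on UCLIBC_HAS_SSP
+	default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+	default PROPOLICE_BLOCK_SEGV if DODEBUG
+	help
+	  "abort" use SIGABRT to block offending programs.
+	  This is the default implementation.
+
+	  "segfault" use SIGSEGV to block offending programs.
+	  Use this for debugging.
+
+	  "kill" use SIGKILL to block offending programs.
+	  Perhaps the best for security.
+
+	  If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+	bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+	bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+	bool "kill"
+
+endchoice
+
+config UCLIBC_BUILD_SSP
+	bool "Build uClibc with propolice protection"
+	depends on UCLIBC_HAS_SSP
+	default n
+	help
+	  Build all libraries and executables with propolice protection enabled.
+
+config UCLIBC_BUILD_RELRO
+	bool "Build uClibc with RELRO"
+	depends on BUILD_UCLIBC_LDSO
+	default n
+	help
+	  Build all libraries and executables with -z relro.
+
+config UCLIBC_BUILD_NOW
+	bool "Build uClibc with NOW"
+	depends on BUILD_UCLIBC_LDSO
+	default n
+	help
+	  Build all libraries and executables with -z now.
+
+endmenu
+
 menu "uClibc development/debugging options"
 
 config DODEBUG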
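Review bot: The help text of the new UCLIBC_BUILD_RELRO entry does not say how it relates to UCLIBC_BUILD_NOW, although that decides what the option actually protects: `-z relro` on its own only makes the data relocated at load time read-only and leaves the PLT GOT writable for lazy binding (partial RELRO), while together with `-z now` the GOT becomes read-only as well (full RELRO). Suggest appending to the RELRO help `Select UCLIBC_BUILD_NOW as well to get full RELRO (read-only GOT); on its own this protects only data relocated before the program starts.` and to the NOW help `Resolves all symbols at load time; combined with UCLIBC_BUILD_RELRO this makes the GOT read-only.` The PIE entry in the same menu documents its gcc/binutils requirement; the two new entries should likewise state the binutils version these -z keywords need, if known.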

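--- a/ldso/ldso/Makefile
+++ b/ldso/ldso/Makefile
@@ -42,6 +42,9 @@ XXFLAGS:=$(XXFLAGS:-O0=-O1)
 XXFLAGS+=-isystem $(shell $(CC) -print-file-name=include)
 LDFLAGS=$(CPU_LDFLAGS-y) -z now -Bsymbolic -shared --warn-common --export-dynamic --sort-common \
 	-z combreloc --discard-locals --discard-all --no-undefined
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+	LDFLAGS+=-z relro
+endif
 
 CSRC= ldso.c
 COBJS=$(patsubst %.c,%.o, $(CSRC))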
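Review bot: The added `LDFLAGS+=-z relro` is tab-indented; GNU make reads it as an assignment here only because no rule precedes it, and if a rule is ever inserted above this block the line would become recipe text and the flag would silently vanish. Rules.mak in the same commit places the equivalent line at column 0, so `LDFLAGS+=-z relro` without the leading tab would be the safer form. Since `-z now` is already hard-coded in LDFLAGS two lines above, enabling RELRO gives the loader full RELRO regardless of UCLIBC_BUILD_NOW; a short comment such as `# -z now is always set above, so RELRO here is full RELRO` would stop a reader from hunting for a missing NOW conditional.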

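--- a/libpthread/Makefile
+++ b/libpthread/Makefile
@@ -37,6 +37,12 @@ ifeq ($(strip $(UCLIBC_HAS_THREADS)),y)
 ifeq ($(strip $(PTHREADS_DEBUG_SUPPORT)),y)
 	DIRS+=linuxthreads_db
 	LDFLAGS_THREAD_DB:= $(CPU_LDFLAGS-y) -shared --warn-common --warn-once -z combreloc
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+	LDFLAGS_PTHREAD_DB+=-z relro
+endif
+ifeq ($(UCLIBC_BUILD_NOW),y)
+	LDFLAGS_PTHREAD_DB+=-z now
+endif
 endif
 ifeq ($(DODEBUG),n)
 	LDFLAGS_THREAD_DB+=-s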
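Review bot: The two new appends target `LDFLAGS_PTHREAD_DB`, but the variable defined two lines above and later extended with `-s` is `LDFLAGS_THREAD_DB`; as written, RELRO and NOW never reach the linuxthreads_db link, and nothing reports the mismatch because appending to an unset variable simply creates it. Change both lines to `LDFLAGS_THREAD_DB+=-z relro` and `LDFLAGS_THREAD_DB+=-z now`. The enclosing `ifeq ($(strip $(UCLIBC_HAS_THREADS)),y)` block starts before the hunk, and the `DODEBUG` block at the end continues past it.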