|
@@ -201,13 +201,14 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
|
|
|
config UCLIBC_PIE_SUPPORT
|
|
|
bool "Support ET_DYN in shared library loader"
|
|
|
select FORCE_SHAREABLE_TEXT_SEGMENTS
|
|
|
+ select UCLIBC_COMPLETELY_PIC
|
|
|
default n
|
|
|
help
|
|
|
If you answer Y here, the uClibc native shared library loader will
|
|
|
support ET_DYN/PIE executables.
|
|
|
It requires binutils-2.14.90.0.6 or later and the usage of the
|
|
|
-pie option.
|
|
|
- More about ET_DYN/PIE binaries on <http://pageexec.virtualave.net/> .
|
|
|
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
|
|
|
WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
|
|
|
libraries have to be built with -fPIC or -fpic, and all assembler
|
|
|
functions must be written as position independent code (PIC).
|
|
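Review bot: The WARNING paragraph at the end of the UCLIBC_PIE_SUPPORT help text still names only FORCE_SHAREABLE_TEXT_SEGMENTS, although the entry now also carries "select UCLIBC_COMPLETELY_PIC". Someone enabling PIE support from the menu has no indication that a second option is forced on. Please extend the warning to mention UCLIBC_COMPLETELY_PIC and what it implies for the build. The URL update in the same help text is unrelated to the new select and would be easier to track as its own change.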
@@ -251,6 +252,34 @@ config UCLIBC_PROPOLICE
|
|
|
gcc version, were __guard and __stack_smash_handler are removed from libgcc.
|
|
|
Most people will answer N.
|
|
|
|
|
|
+choice
|
|
|
+ prompt "Propolice protection blocking signal"
|
|
|
+ depends on UCLIBC_PROPOLICE
|
|
|
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
|
|
|
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
|
|
|
+ help
|
|
|
+ "abort" use SIGABRT to block offending programs.
|
|
|
+ This is the default implementation.
|
|
|
+
|
|
|
+ "segfault" use SIGSEGV to block offending programs.
|
|
|
+ Use this for debugging.
|
|
|
+
|
|
|
+ "kill" use SIGKILL to block offending programs.
|
|
|
+ Perhaps the best for security.
|
|
|
+
|
|
|
+ If unsure, answer "abort".
|
|
|
+
|
|
|
+config PROPOLICE_BLOCK_ABRT
|
|
|
+ bool "abort"
|
|
|
+
|
|
|
+config PROPOLICE_BLOCK_SEGV
|
|
|
+ bool "segfault"
|
|
|
+
|
|
|
+config PROPOLICE_BLOCK_KILL
|
|
|
+ bool "kill"
|
|
|
+
|
|
|
+endchoice
|
|
|
+
|
|
|
config HAS_NO_THREADS
|
|
|
bool
|
|
|
default n
|
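Review bot: The help text for the new choice says of "kill" only "Perhaps the best for security." and gives no reason, so a user has nothing to weigh against the "abort" default. Please state what actually differs between the three signals from the point of view of a program whose stack guard has tripped (for example, whether the offending program can install a handler for the signal, and whether a core dump is produced), and why "segfault" is the one recommended for debugging. The prompt "Propolice protection blocking signal" and the phrase "to block offending programs" are also easy to misread, since blocking a signal normally means masking it; wording such as "signal used to terminate the offending program" would be clearer. Minor: "use" should be "uses" in each of the three descriptions.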