Patch from Peter S. Mazinger:

Add UCLIBC_BUILD_NOEXECSTACK support.

Rules.mak

@@ -89,10 +89,10 @@ ARFLAGS:=r
 
 OPTIMIZATION:=
 PICFLAG:=-fPIC
+
 PIEFLAG:=$(call check_gcc,-fPIE,)
 ifeq ($(strip $(PIEFLAG)),-fPIE)
-# should add check if ld supports -pie
-LDPIEFLAG:=-Wl,-pie
+LDPIEFLAG:=$(shell $(LD) --help | grep -q pie && echo "-Wl,-pie")
 endif
 
 # Some nice CPU specific optimizations
@@ -286,6 +286,10 @@ ifeq ($(DOPIC),y)
 endif
 
 ASFLAGS = $(CFLAGS)
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+check_as_noexecstack=$(shell if $(LD) --help | grep -q "z noexecstack"; then echo "-Wa,--noexecstack"; fi)
+ASFLAGS += $(check_as_noexecstack)
+endif
 
 LIBGCC_CFLAGS ?= $(CFLAGS) $(CPU_CFLAGS-y)
 LIBGCC:=$(shell $(CC) $(LIBGCC_CFLAGS) -print-libgcc-file-name)

extra/Configs/Config.in

@@ -1089,12 +1089,17 @@ endmenu
 
 menu "uClibc security related options"
 
+config UCLIBC_SECURITY
+	bool "Enable security options"
+	default n
+
 config UCLIBC_BUILD_PIE
 	bool "Build utilities as ET_DYN/PIE executables"
+	depends on UCLIBC_SECURITY
 	depends on HAVE_SHARED
 	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
 	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
 	  It requires gcc-3.4 and binutils-2.15 or later.
@@ -1105,6 +1110,7 @@ config UCLIBC_BUILD_PIE
 
 config UCLIBC_HAS_SSP
 	bool "Support for propolice stack protection"
+	depends on UCLIBC_SECURITY
 	default n
 	help
 	  Adds propolice protection to libc (__guard and __stack_smash_handler).
@@ -1144,6 +1150,7 @@ endchoice
 
 config UCLIBC_BUILD_SSP
 	bool "Build uClibc with propolice protection"
+	depends on UCLIBC_SECURITY
 	depends on UCLIBC_HAS_SSP
 	default n
 	help
@@ -1151,18 +1158,29 @@ config UCLIBC_BUILD_SSP
 
 config UCLIBC_BUILD_RELRO
 	bool "Build uClibc with RELRO"
+	depends on UCLIBC_SECURITY
 	depends on BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  Build all libraries and executables with -z relro.
 
 config UCLIBC_BUILD_NOW
 	bool "Build uClibc with NOW"
+	depends on UCLIBC_SECURITY
 	depends on BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  Build all libraries and executables with -z now.
 
+config UCLIBC_BUILD_NOEXECSTACK
+	bool "Build uClibc with noexecstack marking"
+	depends on UCLIBC_SECURITY
+	default y
+	help
+	  Mark all assembler files as noexecstack. This will result in marking
+	  all libraries and executables built against uClibc not requiring
+	  executable stack.
+
 endmenu
 
 menu "uClibc development/debugging options"

ldso/ldso/Makefile

@@ -23,6 +23,9 @@ LDSO_FULLNAME=ld-uClibc-$(MAJOR_VERSION).$(MINOR_VERSION).$(SUBLEVEL).so
 
 # reset to initial (disabling predefined CFLAGS)
 ASFLAGS=
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+ASFLAGS+=$(check_as_noexecstack)
+endif
 
 XXFLAGS=$(XWARNINGS) $(SSP_DISABLE_FLAGS)
 ifeq ($(DODEBUG),y)