Patch from Peter S. Mazinger:

Seperate out security features into a separate menu

1 files changed, 79 insertions, 60 deletions

diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index e372dbfd1..509709b9e 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -205,20 +205,6 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
 	  little bit smaller and guarantee that no memory will be wasted by badly
 	  coded shared libraries.
 
-config UCLIBC_BUILD_PIE
-	bool "Build utilities as ET_DYN/PIE executables"
-	depends on HAVE_SHARED
-	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
-	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
-	default n
-	help
-	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
-	  This requires gcc-3.4 and binutils-2.15 or later.
-	  More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
-	  WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
-		libraries have to be built with -fPIC or -fpic, and all assembler
-		functions must be written as position independent code (PIC).
-
 config LDSO_LDD_SUPPORT
 	bool "Native shared library loader 'ldd' support"
 	depends on BUILD_UCLIBC_LDSO
@@ -283,52 +269,6 @@ config UCLIBC_CTOR_DTOR
 	  or dtors and want your binaries to be as small as possible, then
 	  answer N.
 
-config UCLIBC_HAS_SSP
-	bool "Support for propolice stack protection"
-	default n
-	help
-	  Adds propolice protection to libc (__guard and __stack_smash_handler).
-	  More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
-	  To be able to use it, you'll also need a propolice patched gcc,
-	  supporting the -fstack-protector[-all] options. It is a specially patched
-	  gcc version, where __guard and __stack_smash_handler are removed from libgcc.
-	  Most people will answer N.
-
-choice
-	prompt "Propolice protection blocking signal"
-	depends on UCLIBC_HAS_SSP
-	default PROPOLICE_BLOCK_ABRT if ! DODEBUG
-	default PROPOLICE_BLOCK_SEGV if DODEBUG
-	help
-	  "abort" use SIGABRT to block offending programs.
-	  This is the default implementation.
-
-	  "segfault" use SIGSEGV to block offending programs.
-	  Use this for debugging.
-
-	  "kill" use SIGKILL to block offending programs.
-	  Perhaps the best for security.
-
-	  If unsure, answer "abort".
-
-config PROPOLICE_BLOCK_ABRT
-	bool "abort"
-
-config PROPOLICE_BLOCK_SEGV
-	bool "segfault"
-
-config PROPOLICE_BLOCK_KILL
-	bool "kill"
-
-endchoice
-
-config UCLIBC_BUILD_SSP
-	bool "Build uClibc with propolice protection"
-	depends on UCLIBC_HAS_SSP
-	default n
-	help
-	  Build all libraries and executables with propolice protection enabled.
-
 config HAS_NO_THREADS
 	bool
 	default n
@@ -1146,6 +1086,85 @@ config DEVEL_PREFIX
 
 endmenu
 
+
+menu "uClibc security related options"
+
+config UCLIBC_BUILD_PIE
+	bool "Build utilities as ET_DYN/PIE executables"
+	depends on HAVE_SHARED
+	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
+	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
+	default n
+	help
+	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
+	  It requires gcc-3.4 and binutils-2.15 or later.
+	  More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
+	  WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
+		libraries have to be built with -fPIC or -fpic, and all assembler
+		functions must be written as position independent code (PIC).
+
+config UCLIBC_HAS_SSP
+	bool "Support for propolice stack protection"
+	default n
+	help
+	  Adds propolice protection to libc (__guard and __stack_smash_handler).
+	  More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
+	  To be able to use it, you'll also need a propolice patched gcc,
+	  supporting the -fstack-protector[-all] options. It is a specially patched
+	  gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+	  Most people will answer N.
+
+choice
+	prompt "Propolice protection blocking signal"
+	depends on UCLIBC_HAS_SSP
+	default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+	default PROPOLICE_BLOCK_SEGV if DODEBUG
+	help
+	  "abort" use SIGABRT to block offending programs.
+	  This is the default implementation.
+
+	  "segfault" use SIGSEGV to block offending programs.
+	  Use this for debugging.
+
+	  "kill" use SIGKILL to block offending programs.
+	  Perhaps the best for security.
+
+	  If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+	bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+	bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+	bool "kill"
+
+endchoice
+
+config UCLIBC_BUILD_SSP
+	bool "Build uClibc with propolice protection"
+	depends on UCLIBC_HAS_SSP
+	default n
+	help
+	  Build all libraries and executables with propolice protection enabled.
+
+config UCLIBC_BUILD_RELRO
+	bool "Build uClibc with RELRO"
+	depends on BUILD_UCLIBC_LDSO
+	default n
+	help
+	  Build all libraries and executables with -z relro.
+
+config UCLIBC_BUILD_NOW
+	bool "Build uClibc with NOW"
+	depends on BUILD_UCLIBC_LDSO
+	default n
+	help
+	  Build all libraries and executables with -z now.
+
+endmenu
+
 menu "uClibc development/debugging options"
 
 config DODEBUG