-rw-r--r-- | Rules.mak | 8 | ||||
-rw-r--r-- | extra/Configs/Config.in | 24 | ||||
-rw-r--r-- | ldso/ldso/Makefile | 3 |
3 files changed, 30 insertions, 5 deletions
@@ -89,10 +89,10 @@ ARFLAGS:=r OPTIMIZATION:= PICFLAG:=-fPIC + PIEFLAG:=$(call check_gcc,-fPIE,) ifeq ($(strip $(PIEFLAG)),-fPIE) -# should add check if ld supports -pie -LDPIEFLAG:=-Wl,-pie +LDPIEFLAG:=$(shell $(LD) --help | grep -q pie && echo "-Wl,-pie") endif # Some nice CPU specific optimizations @@ -286,6 +286,10 @@ ifeq ($(DOPIC),y) endif ASFLAGS = $(CFLAGS) +ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y) +check_as_noexecstack=$(shell if $(LD) --help | grep -q "z noexecstack"; then echo "-Wa,--noexecstack"; fi) +ASFLAGS += $(check_as_noexecstack) +endif LIBGCC_CFLAGS ?= $(CFLAGS) $(CPU_CFLAGS-y) LIBGCC:=$(shell $(CC) $(LIBGCC_CFLAGS) -print-libgcc-file-name) diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in index 509709b9e..c71fcf546 100644 --- a/extra/Configs/Config.in +++ b/extra/Configs/Config.in @@ -1089,12 +1089,17 @@ endmenu menu "uClibc security related options" +config UCLIBC_SECURITY + bool "Enable security options" + default n + config UCLIBC_BUILD_PIE bool "Build utilities as ET_DYN/PIE executables" + depends on UCLIBC_SECURITY depends on HAVE_SHARED depends on TARGET_i386 || TARGET_powerpc || TARGET_frv select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO - default n + default y help If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables. It requires gcc-3.4 and binutils-2.15 or later. @@ -1105,6 +1110,7 @@ config UCLIBC_BUILD_PIE config UCLIBC_HAS_SSP bool "Support for propolice stack protection" + depends on UCLIBC_SECURITY default n help Adds propolice protection to libc (__guard and __stack_smash_handler). @@ -1144,6 +1150,7 @@ endchoice config UCLIBC_BUILD_SSP bool "Build uClibc with propolice protection" + depends on UCLIBC_SECURITY depends on UCLIBC_HAS_SSP default n help 
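Review bot: The new `LDPIEFLAG` probe inside `ifeq ($(strip $(PIEFLAG)),-fPIE)` greps `$(LD) --help` for the bare substring `pie`, which may also match unrelated words in the help text, so it can report support the linker does not have. Matching the option itself is tighter, for example `LDPIEFLAG:=$(shell $(LD) --help 2>/dev/null | grep -q -e '-pie' && echo "-Wl,-pie")`. When the probe fails the variable is silently empty, so a build configured with UCLIBC_BUILD_PIE=y presumably links without `-pie` and nothing reports it. A `$(warning ...)` in that case would make the lost hardening visible.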
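Review bot: `check_as_noexecstack` asks the linker (`$(LD) --help | grep -q "z noexecstack"`) but the flag it emits, `-Wa,--noexecstack`, is consumed by the assembler, so linker support stands in for assembler support. With mismatched tool versions the build either passes an option the assembler rejects or skips the marking. The variable is also defined with recursive `=` and appended to the recursive `ASFLAGS`, so the `$(shell ...)` pipeline reruns on every expansion; `check_as_noexecstack:=$(shell ...)` evaluates it once. If the probe comes back empty, UCLIBC_BUILD_NOEXECSTACK=y has no effect and nothing says so, and with GNU ld a single unmarked object is typically enough to leave the output requesting an executable stack. The ldso/ldso/Makefile hunk expands the same variable and inherits these points.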
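Review bot: `config UCLIBC_SECURITY` is added with `default n` and no `help` text, yet every hardening option in this menu now has `depends on UCLIBC_SECURITY` (this hunk, plus the @@ -1105, @@ -1144 and @@ -1151 hunks). The new `default y` on UCLIBC_BUILD_PIE, RELRO, NOW and NOEXECSTACK therefore only takes effect after a user finds and enables the gate. An existing .config that already had UCLIBC_HAS_SSP or UCLIBC_BUILD_SSP set would presumably lose them if the new symbol is answered with its default, which the help should mention. Suggested help text: `Master switch for the hardening options below (PIE, SSP, RELRO, NOW, noexecstack); when disabled none of them can be selected.`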
@@ -1151,18 +1158,29 @@ config UCLIBC_BUILD_SSP config UCLIBC_BUILD_RELRO bool "Build uClibc with RELRO" + depends on UCLIBC_SECURITY depends on BUILD_UCLIBC_LDSO - default n + default y help Build all libraries and executables with -z relro. config UCLIBC_BUILD_NOW bool "Build uClibc with NOW" + depends on UCLIBC_SECURITY depends on BUILD_UCLIBC_LDSO - default n + default y help Build all libraries and executables with -z now. +config UCLIBC_BUILD_NOEXECSTACK + bool "Build uClibc with noexecstack marking" + depends on UCLIBC_SECURITY + default y + help + Mark all assembler files as noexecstack. This will result in marking + all libraries and executables built against uClibc not requiring + executable stack. + endmenu menu "uClibc development/debugging options" diff --git a/ldso/ldso/Makefile b/ldso/ldso/Makefile index 69990b772..2f90adedb 100644 --- a/ldso/ldso/Makefile +++ b/ldso/ldso/Makefile @@ -23,6 +23,9 @@ LDSO_FULLNAME=ld-uClibc-$(MAJOR_VERSION).$(MINOR_VERSION).$(SUBLEVEL).so # reset to initial (disabling predefined CFLAGS) ASFLAGS= +ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y) +ASFLAGS+=$(check_as_noexecstack) +endif XXFLAGS=$(XWARNINGS) $(SSP_DISABLE_FLAGS) ifeq ($(DODEBUG),y) |
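Review bot: The help for the new `UCLIBC_BUILD_NOEXECSTACK` overstates the effect when it says all libraries and executables built against uClibc will not require an executable stack. Per the Rules.mak change, the option only adds `-Wa,--noexecstack` to `ASFLAGS`, and only when the toolchain probe succeeds. The final stack marking of a program also depends on that program's own objects and link flags. I would reword it along the lines of `Pass --noexecstack to the assembler for uClibc's own assembler files, if the toolchain supports it, so that uClibc objects do not force an executable stack.`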