-rw-r--r--Rules.mak8
-rw-r--r--extra/Configs/Config.in139
-rw-r--r--ldso/ldso/Makefile3
-rw-r--r--libpthread/Makefile6
4 files changed, 96 insertions, 60 deletions
diff --git a/Rules.mak b/Rules.mak
index fa42c023c..4e2853807 100644
--- a/Rules.mak
+++ b/Rules.mak
@@ -254,6 +254,14 @@ else
LDFLAGS := $(CPU_LDFLAGS-y) -s -shared --warn-common --warn-once -z combreloc
endif
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+LDFLAGS+=-z relro
+endif
+
+ifeq ($(UCLIBC_BUILD_NOW),y)
+LDFLAGS+=-z now
+endif
+
# Sigh, some stupid versions of gcc can't seem to cope with '-iwithprefix include'
#CFLAGS+=-iwithprefix include
CFLAGS+=-isystem $(shell $(CC) -print-file-name=include)
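Review bot: The two new conditionals compare the raw value, `ifeq ($(UCLIBC_BUILD_RELRO),y)`, while the neighbouring makefile touched by this same commit tests `ifeq ($(strip $(UCLIBC_HAS_THREADS)),y)`; any trailing whitespace in the imported config value would silently drop the hardening flag with no diagnostic. Matching the existing style with `ifeq ($(strip $(UCLIBC_BUILD_RELRO)),y)` and `ifeq ($(strip $(UCLIBC_BUILD_NOW)),y)` avoids that. A short comment above the first block, such as `# PT_GNU_RELRO / BIND_NOW link hardening, selected via extra/Configs/Config.in`, would tell a reader where the knobs come from. Note that the `ifeq`/`else` block named in the hunk header begins outside the hunk; the additions sit after its `endif`, so they appear to apply to both branches, but the visible `LDFLAGS` line is a `-shared` link, so whether the ldd/iconv executables promised by the Config.in help also see these flags cannot be confirmed from this hunk.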
diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index e372dbfd1..509709b9e 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -205,20 +205,6 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
little bit smaller and guarantee that no memory will be wasted by badly
coded shared libraries.
-config UCLIBC_BUILD_PIE
- bool "Build utilities as ET_DYN/PIE executables"
- depends on HAVE_SHARED
- depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
- select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
- default n
- help
- If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
- This requires gcc-3.4 and binutils-2.15 or later.
- More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
- WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
- libraries have to be built with -fPIC or -fpic, and all assembler
- functions must be written as position independent code (PIC).
-
config LDSO_LDD_SUPPORT
bool "Native shared library loader 'ldd' support"
depends on BUILD_UCLIBC_LDSO
@@ -283,52 +269,6 @@ config UCLIBC_CTOR_DTOR
or dtors and want your binaries to be as small as possible, then
answer N.
-config UCLIBC_HAS_SSP
- bool "Support for propolice stack protection"
- default n
- help
- Adds propolice protection to libc (__guard and __stack_smash_handler).
- More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
- To be able to use it, you'll also need a propolice patched gcc,
- supporting the -fstack-protector[-all] options. It is a specially patched
- gcc version, where __guard and __stack_smash_handler are removed from libgcc.
- Most people will answer N.
-
-choice
- prompt "Propolice protection blocking signal"
- depends on UCLIBC_HAS_SSP
- default PROPOLICE_BLOCK_ABRT if ! DODEBUG
- default PROPOLICE_BLOCK_SEGV if DODEBUG
- help
- "abort" use SIGABRT to block offending programs.
- This is the default implementation.
-
- "segfault" use SIGSEGV to block offending programs.
- Use this for debugging.
-
- "kill" use SIGKILL to block offending programs.
- Perhaps the best for security.
-
- If unsure, answer "abort".
-
-config PROPOLICE_BLOCK_ABRT
- bool "abort"
-
-config PROPOLICE_BLOCK_SEGV
- bool "segfault"
-
-config PROPOLICE_BLOCK_KILL
- bool "kill"
-
-endchoice
-
-config UCLIBC_BUILD_SSP
- bool "Build uClibc with propolice protection"
- depends on UCLIBC_HAS_SSP
- default n
- help
- Build all libraries and executables with propolice protection enabled.
-
config HAS_NO_THREADS
bool
default n
@@ -1146,6 +1086,85 @@ config DEVEL_PREFIX
endmenu
+
+menu "uClibc security related options"
+
+config UCLIBC_BUILD_PIE
+ bool "Build utilities as ET_DYN/PIE executables"
+ depends on HAVE_SHARED
+ depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
+ select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
+ default n
+ help
+ If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
+ It requires gcc-3.4 and binutils-2.15 or later.
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
+ WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
+ libraries have to be built with -fPIC or -fpic, and all assembler
+ functions must be written as position independent code (PIC).
+
+config UCLIBC_HAS_SSP
+ bool "Support for propolice stack protection"
+ default n
+ help
+ Adds propolice protection to libc (__guard and __stack_smash_handler).
+ More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
+ To be able to use it, you'll also need a propolice patched gcc,
+ supporting the -fstack-protector[-all] options. It is a specially patched
+ gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+ Most people will answer N.
+
+choice
+ prompt "Propolice protection blocking signal"
+ depends on UCLIBC_HAS_SSP
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
+ help
+ "abort" use SIGABRT to block offending programs.
+ This is the default implementation.
+
+ "segfault" use SIGSEGV to block offending programs.
+ Use this for debugging.
+
+ "kill" use SIGKILL to block offending programs.
+ Perhaps the best for security.
+
+ If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+ bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+ bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+ bool "kill"
+
+endchoice
+
+config UCLIBC_BUILD_SSP
+ bool "Build uClibc with propolice protection"
+ depends on UCLIBC_HAS_SSP
+ default n
+ help
+ Build all libraries and executables with propolice protection enabled.
+
+config UCLIBC_BUILD_RELRO
+ bool "Build uClibc with RELRO"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z relro.
+
+config UCLIBC_BUILD_NOW
+ bool "Build uClibc with NOW"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z now.
+
+endmenu
+
menu "uClibc development/debugging options"
config DODEBUG
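Review bot: The help text for UCLIBC_BUILD_RELRO and UCLIBC_BUILD_NOW (the two new entries at the end of the menu) only restates the linker flag, whereas the PIE entry in the same menu documents toolchain requirements and side effects, and that is exactly what a user choosing between these options needs. For RELRO the help should say that `-z relro` merely emits a PT_GNU_RELRO segment and the GOT and other relocated data become read-only only if the dynamic loader honours it after relocation, and that without UCLIBC_BUILD_NOW the entries for lazily bound symbols stay writable (partial RELRO). For NOW it should state the trade-off: all symbols are resolved at load time, which lets the whole GOT be protected together with RELRO but slows program start-up; a sentence like `Resolve all symbols at load time (-z now); combined with RELRO this makes the entire GOT read-only, at the cost of slower start-up.` covers it. Both entries could also mention that a binutils new enough to accept `-z relro` is required, as the PIE entry does for its own prerequisites.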
diff --git a/ldso/ldso/Makefile b/ldso/ldso/Makefile
index ef48e3358..69990b772 100644
--- a/ldso/ldso/Makefile
+++ b/ldso/ldso/Makefile
@@ -42,6 +42,9 @@ XXFLAGS:=$(XXFLAGS:-O0=-O1)
XXFLAGS+=-isystem $(shell $(CC) -print-file-name=include)
LDFLAGS=$(CPU_LDFLAGS-y) -z now -Bsymbolic -shared --warn-common --export-dynamic --sort-common \
-z combreloc --discard-locals --discard-all --no-undefined
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+ LDFLAGS+=-z relro
+endif
CSRC= ldso.c
COBJS=$(patsubst %.c,%.o, $(CSRC))
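Review bot: Linking ld.so itself with `-z relro` only adds a PT_GNU_RELRO program header; nothing makes those pages read-only unless code runs `mprotect` on the segment after relocation, and for the loader that can only be its own startup code, since no other component relocates it. This diff changes no C source, so it should be confirmed (or stated in the commit) that the uClibc loader already handles PT_GNU_RELRO both for itself and for the objects it loads; otherwise the option advertises hardening that is never enforced. Minor style point: the added block indents `LDFLAGS+=-z relro` with a leading space while the equivalent block in Rules.mak is unindented, and both would be more robust as `ifeq ($(strip $(UCLIBC_BUILD_RELRO)),y)` to match the `$(strip ...)` tests used elsewhere in the tree.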
diff --git a/libpthread/Makefile b/libpthread/Makefile
index 4a763ca78..6a3cc88d1 100644
--- a/libpthread/Makefile
+++ b/libpthread/Makefile
@@ -37,6 +37,12 @@ ifeq ($(strip $(UCLIBC_HAS_THREADS)),y)
ifeq ($(strip $(PTHREADS_DEBUG_SUPPORT)),y)
DIRS+=linuxthreads_db
LDFLAGS_THREAD_DB:= $(CPU_LDFLAGS-y) -shared --warn-common --warn-once -z combreloc
+ifeq ($(UCLIBC_BUILD_RELRO),y)
+ LDFLAGS_PTHREAD_DB+=-z relro
+endif
+ifeq ($(UCLIBC_BUILD_NOW),y)
+ LDFLAGS_PTHREAD_DB+=-z now
+endif
endif
ifeq ($(DODEBUG),n)
LDFLAGS_THREAD_DB+=-s
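Review bot: The two added `+=` lines append to `LDFLAGS_PTHREAD_DB`, but the variable defined just above them and extended again two lines later is `LDFLAGS_THREAD_DB`; as written, the RELRO and NOW flags land in a variable nothing in this hunk uses, so linuxthreads_db would be linked without them while the new config help promises "all libraries". The fix is to change the two lines to `LDFLAGS_THREAD_DB+=-z relro` and `LDFLAGS_THREAD_DB+=-z now`. While touching them, `ifeq ($(strip $(UCLIBC_BUILD_RELRO)),y)` would match the `$(strip ...)` form the enclosing conditionals in this file already use. The enclosing `ifeq` blocks named in the hunk header begin outside the hunk and the rule continues past its last line.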