KumiSystems/openwrtv4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

buildroot: move hardening options into separate file

Browse source 
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46070
This commit is contained in:
Steven Barth 2015-06-20 17:37:18 +00:00
parent 7b4d039e00
commit fc5f02410f
2 changed files with 56 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
include/hardening.mk Normal file
View file

@ -0,0 +1,55 @@
#
# Copyright (C) 2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_CC_STACKPROTECTOR_REGULAR ?= 1
PKG_CC_STACKPROTECTOR_STRONG ?= 1
PKG_FORTIFY_SOURCE_1 ?= 1
PKG_FORTIFY_SOURCE_2 ?= 1
PKG_RELRO_PARTIAL ?= 1
PKG_RELRO_FULL ?= 1
ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1)
TARGET_CFLAGS += -fstack-protector
TARGET_LDFLAGS += -fstack-protector
endif
endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1)
TARGET_CFLAGS += -fstack-protector-strong
TARGET_LDFLAGS += -fstack-protector-strong
endif
endif
ifdef CONFIG_PKG_FORTIFY_SOURCE_1
ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1)
TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
endif
endif
ifdef CONFIG_PKG_FORTIFY_SOURCE_2
ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1)
TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
endif
endif
ifdef CONFIG_PKG_RELRO_PARTIAL
ifeq ($(strip $(PKG_RELRO_PARTIAL)),1)
TARGET_CFLAGS += -Wl,-z,relro
TARGET_LDFLAGS += -zrelro
endif
endif
ifdef CONFIG_PKG_RELRO_FULL
ifeq ($(strip $(PKG_RELRO_FULL)),1)
TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
TARGET_LDFLAGS += -znow -zrelro
endif
endif

47
include/package.mk
View file

@ -14,13 +14,6 @@ PKG_INSTALL_DIR ?= $(PKG_BUILD_DIR)/ipkg-install
PKG_MD5SUM ?= unknown PKG_MD5SUM ?= unknown
PKG_BUILD_PARALLEL ?= PKG_BUILD_PARALLEL ?=
PKG_USE_MIPS16 ?= 1 PKG_USE_MIPS16 ?= 1
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_CC_STACKPROTECTOR_REGULAR ?= 1
PKG_CC_STACKPROTECTOR_STRONG ?= 1
PKG_FORTIFY_SOURCE_1 ?= 1
PKG_FORTIFY_SOURCE_2 ?= 1
PKG_RELRO_PARTIAL ?= 1
PKG_RELRO_FULL ?= 1
ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),) ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),)
MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j) MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j)
@ -40,46 +33,8 @@ ifdef CONFIG_USE_MIPS16
TARGET_CFLAGS += -mips16 -minterlink-mips16 TARGET_CFLAGS += -mips16 -minterlink-mips16
endif endif
endif endif
ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1)
TARGET_CFLAGS += -fstack-protector
TARGET_LDFLAGS += -fstack-protector
endif
endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1)
TARGET_CFLAGS += -fstack-protector-strong
TARGET_LDFLAGS += -fstack-protector-strong
endif
endif
ifdef CONFIG_PKG_FORTIFY_SOURCE_1
ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1)
TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
endif
endif
ifdef CONFIG_PKG_FORTIFY_SOURCE_2
ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1)
TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
endif
endif
ifdef CONFIG_PKG_RELRO_PARTIAL
ifeq ($(strip $(PKG_RELRO_PARTIAL)),1)
TARGET_CFLAGS += -Wl,-z,relro
TARGET_LDFLAGS += -Wl,-z,relro
endif
endif
ifdef CONFIG_PKG_RELRO_FULL
ifeq ($(strip $(PKG_RELRO_FULL)),1)
TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
TARGET_LDFLAGS += -Wl,-z,now -Wl,-z,relro
endif
endif
include $(INCLUDE_DIR)/hardening.mk
include $(INCLUDE_DIR)/prereq.mk include $(INCLUDE_DIR)/prereq.mk
include $(INCLUDE_DIR)/host.mk include $(INCLUDE_DIR)/host.mk
include $(INCLUDE_DIR)/unpack.mk include $(INCLUDE_DIR)/unpack.mk