summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--config/Config-build.in88
-rw-r--r--include/package.mk36
-rw-r--r--package/network/services/hostapd/Makefile2
-rw-r--r--toolchain/uClibc/common.mk1
4 files changed, 117 insertions, 10 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 89cf964..280f719 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -97,15 +97,6 @@ menu "Global build settings"
If you are unsure, select N.
- config PKG_CHECK_FORMAT_SECURITY
- bool
- prompt "Enable gcc format-security"
- default n
- help
- Add -Wformat -Werror=format-security to the CFLAGS. You can disable
- this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
- Makefile.
-
config PKG_BUILD_USE_JOBSERVER
bool
prompt "Use top-level make jobserver for packages"
@@ -216,4 +207,83 @@ menu "Global build settings"
bool "libstdc++"
endchoice
+ comment "Hardening build options"
+
+ config PKG_CHECK_FORMAT_SECURITY
+ bool
+ prompt "Enable gcc format-security"
+ default n
+ help
+ Add -Wformat -Werror=format-security to the CFLAGS. You can disable
+ this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
+ Makefile.
+
+ choice
+ prompt "User space Stack-Smashing Protection"
+ default PKG_CC_STACKPROTECTOR_NONE
+ help
+ Enable GCC Stack Smashing Protection (SSP) for userspace applications
+ config PKG_CC_STACKPROTECTOR_NONE
+ bool "None"
+ config PKG_CC_STACKPROTECTOR_REGULAR
+ bool "Regular"
+ select SSP_SUPPORT
+ depends on KERNEL_CC_STACKPROTECTOR_REGULAR
+ config PKG_CC_STACKPROTECTOR_STRONG
+ bool "Strong"
+ select SSP_SUPPORT
+ depends on GCC_VERSION_4_9_LINARO
+ depends on KERNEL_CC_STACKPROTECTOR_STRONG
+ endchoice
+
+ choice
+ prompt "Kernel space Stack-Smashing Protection"
+ default KERNEL_CC_STACKPROTECTOR_NONE
+ help
+ Enable GCC Stack-Smashing Protection (SSP) for the kernel
+ config KERNEL_CC_STACKPROTECTOR_NONE
+ bool "None"
+ config KERNEL_CC_STACKPROTECTOR_REGULAR
+ bool "Regular"
+ config KERNEL_CC_STACKPROTECTOR_STRONG
+ depends on GCC_VERSION_4_9_LINARO
+ bool "Strong"
+ endchoice
+
+ choice
+ prompt "Enable buffer-overflows detction (FORTIFY_SOURCE)"
+ help
+ Enable the _FORTIFY_SOURCE macro which introduces additional
+ checks to detect buffer-overflows in the following standard library
+ functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
+ strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
+ gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
+ checks that sholdn't change the behavior of conforming programs,
+ while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
+ added, but some conforming programs might fail.
+ config PKG_FORTIFY_SOURCE_NONE
+ bool "None"
+ config PKG_FORTIFY_SOURCE_1
+ bool "Conservative"
+ config PKG_FORTIFY_SOURCE_2
+ bool "Aggressive"
+ endchoice
+
+ choice
+ prompt "Enable RELRO protection"
+ help
+ Enable a link-time protection know as RELRO (Relocation Read Only)
+ which helps to protect from certain type of exploitation techniques
+ altering the content of some ELF sections. "Partial" RELRO makes the
+ .dynamic section not writeable after initialization, introducing
+ almost no performance penalty, while "full" RELRO also marks the GOT
+ as read-only at the cost of initializing all of it at startup.
+ config PKG_RELRO_NONE
+ bool "None"
+ config PKG_RELRO_PARTIAL
+ bool "Partial"
+ config PKG_RELRO_FULL
+ bool "Full"
+ endchoice
+
endmenu
diff --git a/include/package.mk b/include/package.mk
index a1b90da..2c34a58 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -15,6 +15,12 @@ PKG_MD5SUM ?= unknown
PKG_BUILD_PARALLEL ?=
PKG_USE_MIPS16 ?= 1
PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_CC_STACKPROTECTOR_REGULAR ?= 1
+PKG_CC_STACKPROTECTOR_STRONG ?= 1
+PKG_FORTIFY_SOURCE_1 ?= 1
+PKG_FORTIFY_SOURCE_2 ?= 1
+PKG_RELRO_PARTIAL ?= 1
+PKG_RELRO_FULL ?= 1
ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),)
MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j)
@@ -39,6 +45,36 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
+ ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1)
+ TARGET_CFLAGS += -fstack-protector
+ endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
+ ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1)
+ TARGET_CFLAGS += -fstack-protector-strong
+ endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_1
+ ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1)
+ TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
+ endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_2
+ ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1)
+ TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
+ endif
+endif
+ifdef CONFIG_PKG_RELRO_PARTIAL
+ ifeq ($(strip $(PKG_RELRO_PARTIAL)),1)
+ TARGET_CFLAGS += -Wl,-z,relro
+ endif
+endif
+ifdef CONFIG_PKG_RELRO_FULL
+ ifeq ($(strip $(PKG_RELRO_FULL)),1)
+ TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
+ endif
+endif
include $(INCLUDE_DIR)/prereq.mk
include $(INCLUDE_DIR)/host.mk
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index 19d536e..6bdf534 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -294,7 +294,7 @@ define Build/Compile/wpad
echo ` \
$(call Build/RunMake,hostapd,-s MULTICALL=1 dump_cflags); \
$(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \
- sed -e 's,-n ,,g' -e 's,$(TARGET_CFLAGS),,' \
+ sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \
` > $(PKG_BUILD_DIR)/.cflags
+$(call Build/RunMake,hostapd, \
CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
diff --git a/toolchain/uClibc/common.mk b/toolchain/uClibc/common.mk
index e507dc6..435e4c2 100644
--- a/toolchain/uClibc/common.mk
+++ b/toolchain/uClibc/common.mk
@@ -80,6 +80,7 @@ define Host/Configure
-e 's,^.*UCLIBC_HAS_SHADOW.*,UCLIBC_HAS_SHADOW=$(if $(CONFIG_SHADOW_PASSWORDS),y,n),g' \
-e 's,^.*UCLIBC_HAS_LOCALE.*,UCLIBC_HAS_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \
-e 's,^.*UCLIBC_BUILD_ALL_LOCALE.*,UCLIBC_BUILD_ALL_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \
+ -e 's,^.*UCLIBC_HAS_SSP.*,UCLIBC_HAS_SSP=$(if $(or $(CONFIG_PKG_CC_STACKPROTECTOR_REGULAR),$(CONFIG_PKG_CC_STACKPROTECTOR_STRONG)),y,n),g' \
$(HOST_BUILD_DIR)/.config.new
cmp -s $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config.last || { \
cp $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config && \