[Buildroot] [PATCH v3 2/8] security hardening: add RELFO, FORTIFY options

Nicolas Cavallari Nicolas.Cavallari at green-communications.fr
Wed Jan 10 16:30:35 UTC 2018


On 10/01/2018 13:25, Matthew Weber wrote:
> Nicolas,
> 
> On Wed, Jan 10, 2018 at 3:41 AM, Nicolas Cavallari
> <Nicolas.Cavallari at green-communications.fr> wrote:
>> On 10/01/2018 05:15, Matt Weber wrote:
>>> +ifneq ($(BR2_OPTIMIZE_S)$(BR2_OPTIMIZE_0)$(BR2_OPTIMIZE_1)$(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_G),)
>>> +ifeq ($(BR2_FORTIFY_SOURCE_1),y)
>>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
>>> +else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
>>> +TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
>>> +endif
>>> +else
>>> +$(error BR2_FORTIFY_SOURCE_# requires optimization level s/1/2/3/g)
>>> +endif
>>
>> This seems to test if the optimization level is s/0/1/2/g instead of
>> s/1/2/3/g
> 
> Good catch, will update in v4
> 
>>
>> Shouldn't this actually be expressed as a dependency in Config.in
>> instead ? (i.e. make BR2_FORTIFY_SOURCE_{1,2} depends on !BR2_OPTIMIZE_0)
> 
> I looked at a few ways of doing this and since those optimize
> variables are from a choice, I couldn't depend on them in Kconfig.

It should work fine.  What issue do you have ?

just adding "depends on !BR2_OPTIMIZE_0"
on the BR2_FORTIFY_SOURCE_1 and BR2_FORTIFY_SOURCE_2 definitions
should work.

if BR2_OPTIMIZE_0 is selected, then the choice will only have one
possible value.


More information about the buildroot mailing list