[Buildroot] [PATCH 1/6] package/Makefile.in: Do not use CPPFLAGS for hardening options

Arnout Vandecappelle arnout at mind.be
Wed Jul 11 21:14:39 UTC 2018



On 11-07-18 16:31, Matt Weber wrote:
> From: Stefan Sørensen <stefan.sorensen at spectralink.com>
> 
> The hardening options are compiler flags, not pure pre-processor flags, so
> put them in CFLAGS, not CPPFLAGS.
> 
> This fixes build errors where -D_FORTIFY_SOURCE=2 was put in CPPFLAGS and
> then applied to configure tests which could fail since the required -O2 is
> only in CFLAGS.
> 
> Originally submitted as
> http://patchwork.ozlabs.org/patch/904057/
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>

 I was thinking: why introduce TARGET_HARDENED instead of just adding to
TARGET_CFLAGS directly? But it actually does look nicer this way. So

Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>

> ---
>  package/Makefile.in | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/package/Makefile.in b/package/Makefile.in
> index f2962767cc..5e0ff8c841 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -147,29 +147,29 @@ TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
>  TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
>  
>  ifeq ($(BR2_SSP_REGULAR),y)
> -TARGET_CPPFLAGS += -fstack-protector
> +TARGET_HARDENED += -fstack-protector
>  else ifeq ($(BR2_SSP_STRONG),y)
> -TARGET_CPPFLAGS += -fstack-protector-strong
> +TARGET_HARDENED += -fstack-protector-strong
>  else ifeq ($(BR2_SSP_ALL),y)
> -TARGET_CPPFLAGS += -fstack-protector-all
> +TARGET_HARDENED += -fstack-protector-all
>  endif
>  
>  ifeq ($(BR2_RELRO_PARTIAL),y)
> -TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
>  TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
>  else ifeq ($(BR2_RELRO_FULL),y)
> -TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
> +TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
>  TARGET_LDFLAGS += -pie
>  endif
>  
>  ifeq ($(BR2_FORTIFY_SOURCE_1),y)
> -TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=1
>  else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
> -TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=2
>  endif
>  
>  TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> -TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
> +TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) $(TARGET_HARDENED)

 The line is getting a bit long, but TARGET_DEBUGGING was already too much so
not for this patch :-)


 Regards,
 Arnout

>  TARGET_CXXFLAGS = $(TARGET_CFLAGS)
>  TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
>  
> 
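Review bot: in the BR2_RELRO_FULL branch, TARGET_LDFLAGS only gets `-pie`, so the `-Wl,-z,now $(TARGET_CFLAGS_RELRO)` options in TARGET_CFLAGS_RELRO_FULL reach the link step solely through TARGET_HARDENED in TARGET_CFLAGS. A package that links with $(TARGET_LDFLAGS) alone would end up PIE but without full RELRO, whereas the BR2_RELRO_PARTIAL branch adds $(TARGET_CFLAGS_RELRO) to both variables. Suggest `TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)` for symmetry. Two smaller points: TARGET_HARDENED is only ever appended with `+=` in this hunk, so unless it is initialized elsewhere an empty `TARGET_HARDENED =` before the first `ifeq` would keep an environment value from leaking in; and TARGET_FCFLAGS does not pick up $(TARGET_HARDENED), so Fortran objects get none of the stack-protector or PIE flags, which deserves a line in the commit message if it is intentional.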

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

