[Buildroot] [PATCH/next 2/2] keepalived: enable hardening option

Fabrice Fontaine fontaine.fabrice at gmail.com
Fri Nov 23 21:13:51 UTC 2018


Dear Thomas,
On Fri, 23 Nov 2018 at 22:00, Thomas Petazzoni
<thomas.petazzoni at bootlin.com> wrote:
>
> Hello,
>
> On Wed, 21 Nov 2018 22:16:11 +0100, Fabrice Fontaine wrote:
> > Enable or disable hardening option depending on BR2_TOOLCHAIN_HAS_SSP
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> > ---
> >  package/keepalived/keepalived.mk | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/package/keepalived/keepalived.mk b/package/keepalived/keepalived.mk
> > index 584da6bb48..f9049bf391 100644
> > --- a/package/keepalived/keepalived.mk
> > +++ b/package/keepalived/keepalived.mk
> > @@ -9,7 +9,12 @@ KEEPALIVED_SITE = http://www.keepalived.org/software
> >  KEEPALIVED_DEPENDENCIES = host-pkgconf openssl
> >  KEEPALIVED_LICENSE = GPL-2.0+
> >  KEEPALIVED_LICENSE_FILES = COPYING
> > -KEEPALIVED_CONF_OPTS = --disable-hardening
> > +
> > +ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
> > +KEEPALIVED_CONF_OPTS += --enable-hardening
> > +else
> > +KEEPALIVED_CONF_OPTS += --disable-hardening
> > +endif
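
Review bot: The `ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)` test checks whether the toolchain is capable of SSP, not whether the build configuration asked for any hardening, so `--enable-hardening` would be passed on every SSP-capable toolchain regardless of the hardening level selected at the top level. That lets the package's configure script choose its own hardening flags independently of the global setting, and the result can differ from package to package. Consider keeping the single `KEEPALIVED_CONF_OPTS = --disable-hardening` line and adding a short comment above it saying that hardening flags are expected to come from the global Buildroot configuration rather than from configure. If the conditional stays, it should key on the hardening option the user selected rather than on toolchain capability, and the new block needs a comment stating why SSP support is used as the switch.
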
>
> I am not sure we want to do that. Indeed, Buildroot already has
> top-level options to enable/disable various hardening features. We
> don't want packages to randomly enable/disable such hardening features
> solely based on SSP availability.
Ok, it makes sense. I made this patch because I saw that this behavior
was implemented for the tpm2-tools package. Should we update this package
to always disable hardening?
>
> So I think we should keep hardening disabled from the point of view of
> keepalived configure script, and let Buildroot pass the appropriate
> CFLAGS/LDFLAGS through the wrapper.
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice

