[uClibc] PATCH: noexecstack marking patch
Peter S. Mazinger
ps.m at gmx.net
Sat Nov 6 21:19:21 UTC 2004
Hello!
The attached patch is a follow-up to the previous patch tarball.
1. Adds support for noexecstack marking of all assembler files, so that
any libs/execs built against this uClibc have only RW in the GNU_STACK
header (w/o E). This is implemented as a separate security option.
2. Adds the earlier proposed generic security option
(UCLIBC_SECURITY), which enables or disables all the security-related
options at once.
3. Adds an ld check if the -pie option is supported.
Peter
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
-------------- next part --------------
--- uClibc-0.9.26/extra/Configs/Config.in.noexecstack~ 2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/extra/Configs/Config.in 2004-11-06 21:55:06.000000000 +0100
@@ -1171,12 +1171,17 @@
menu "uClibc security related options"
+config UCLIBC_SECURITY
+ bool "Enable security options"
+ default n
+
config UCLIBC_BUILD_PIE
bool "Build utilities as ET_DYN/PIE executables"
+ depends on UCLIBC_SECURITY
depends on HAVE_SHARED
depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
- default n
+ default y
help
If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
It requires gcc-3.4 and binutils-2.15 or later.
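Review bot: The new `config UCLIBC_SECURITY` entry has no `help` block, so in menuconfig it shows only its prompt while every option this patch makes depend on it (PIE, SSP, RELRO, NOW, noexecstack) silently disappears when it is off. Add a short help text, for example `Enable this to make the hardening options below (PIE, SSP, RELRO, NOW, noexecstack marking) selectable; each of them can still be turned off individually.` Since UCLIBC_BUILD_PIE now reads `default y` but is only reachable through this gate, the gate's help is also the natural place to mention that its toolchain requirements (gcc-3.4/binutils-2.15 per the PIE help) apply once the gate is enabled.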
@@ -1187,6 +1192,7 @@
config UCLIBC_HAS_SSP
bool "Support for propolice stack protection"
+ depends on UCLIBC_SECURITY
default n
help
Adds propolice protection to libc (__guard and __stack_smash_handler).
@@ -1226,6 +1232,7 @@
config UCLIBC_BUILD_SSP
bool "Build uClibc with propolice protection"
+ depends on UCLIBC_SECURITY
depends on UCLIBC_HAS_SSP
default n
help
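Review bot: The added `depends on UCLIBC_SECURITY` for UCLIBC_BUILD_SSP is redundant: the option already depends on UCLIBC_HAS_SSP, which the previous hunk ties to UCLIBC_SECURITY. Stating the dependency once keeps the chain easier to change later, so drop the new line here; RELRO and NOW in the next hunk have no such indirect path and do need their own line.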
@@ -1233,16 +1240,27 @@
config UCLIBC_BUILD_RELRO
bool "Build uClibc with RELRO"
+ depends on UCLIBC_SECURITY
depends on BUILD_UCLIBC_LDSO
- default n
+ default y
help
Build all libraries and executables with -z relro.
config UCLIBC_BUILD_NOW
bool "Build uClibc with NOW"
+ depends on UCLIBC_SECURITY
depends on BUILD_UCLIBC_LDSO
- default n
+ default y
help
Build all libraries and executables with -z now.
+config UCLIBC_BUILD_NOEXECSTACK
+ bool "Build uClibc with noexecstack marking"
+ depends on UCLIBC_SECURITY
+ default y
+ help
+ Mark all assembler files as noexecstack. This will result in marking
+ all libraries and executables built against uClibc not requiring
+ executable stack.
+
endmenu
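Review bot: The help text for UCLIBC_BUILD_NOEXECSTACK overstates its effect: the option only passes `--noexecstack` to the assembler for uClibc's own assembler sources, and the linker derives the final GNU_STACK flags from every input object, so a program or library linked against uClibc whose other objects lack a `.note.GNU-stack` section (or carry an executable one) still ends up with an executable stack. Reword it along the lines of `Assemble uClibc's own assembler sources with --noexecstack so they carry a non-executable .note.GNU-stack section; binaries linked against uClibc get a non-executable GNU_STACK header only if all of their other objects do too.` The same hunk also flips UCLIBC_BUILD_RELRO and UCLIBC_BUILD_NOW to `default y`; as far as this patch shows there is no toolchain probe for `-z relro`/`-z now` comparable to the `-fPIE` check in Rules.mak, so either add one or say in the help that the linker must support them.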
--- uClibc-0.9.26/ldso/ldso/Makefile.noexecstack~ 2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/ldso/ldso/Makefile 2004-11-06 22:08:03.000000000 +0100
@@ -23,6 +23,9 @@
# reset to initial (disabling predefined CFLAGS)
ASFLAGS=
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+ASFLAGS+=$(check_as_noexecstack)
+endif
XXFLAGS=$(XWARNINGS) $(SSP_DISABLE_FLAGS)
ifeq ($(DODEBUG),y)
--- uClibc-0.9.26/Rules.mak.noexecstack~ 2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/Rules.mak 2004-11-06 22:06:52.000000000 +0100
@@ -89,10 +89,10 @@
OPTIMIZATION:=
PICFLAG:=-fPIC
+
PIEFLAG:=$(call check_gcc,-fPIE,)
ifeq ($(strip $(PIEFLAG)),-fPIE)
-# should add check if ld supports -pie
-LDPIEFLAG:=-Wl,-pie
+LDPIEFLAG:=$(shell if $(LD) --help | grep -q pie; then echo "-Wl,-pie"; fi)
endif
# Some nice CPU specific optimizations
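Review bot: `grep -q pie` on the new LDPIEFLAG line matches that substring anywhere in `ld --help`, so any unrelated word containing it would enable `-Wl,-pie` on a linker that does not support the option; anchor the pattern on the flag itself, e.g. `LDPIEFLAG:=$(shell if $(LD) --help 2>/dev/null | grep -q -- '-pie'; then echo "-Wl,-pie"; fi)`. The probe also runs `$(LD)` directly while the flag is later handed to the compiler driver as `-Wl,-pie`; in a cross build where `$(LD)` is not the linker that `$(CC)` actually invokes, the answer can differ, so a link test through `$(CC)` (presumably what `check_gcc` on the line above does for `-fPIE`) would be more faithful. Redirecting stderr keeps a missing or unusual `$(LD)` from spamming the build output.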
@@ -285,6 +285,10 @@
endif
ASFLAGS = $(CFLAGS)
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+check_as_noexecstack=$(shell if $(LD) --help | grep -q "z noexecstack"; then echo "-Wa,--noexecstack"; fi)
+ASFLAGS += $(check_as_noexecstack)
+endif
LIBGCC_CFLAGS ?= $(CFLAGS) $(CPU_CFLAGS-y)
LIBGCC:=$(shell $(CC) $(LIBGCC_CFLAGS) -print-libgcc-file-name)
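Review bot: `check_as_noexecstack` is defined with `=`, so the `$(shell $(LD) --help | grep …)` re-runs every time ASFLAGS is expanded, i.e. once per assembler invocation here and again in the ldso/ldso/Makefile hunk that appends the same variable; use `:=` so the probe runs once at parse time. The probe also asks the linker about `-z noexecstack` but emits an assembler option, `-Wa,--noexecstack`; the two normally ship in the same binutils release, but testing the assembler itself through the driver is what actually proves the flag works: `check_as_noexecstack:=$(shell if $(CC) -Wa,--noexecstack -c -x assembler /dev/null -o /dev/null >/dev/null 2>&1; then echo "-Wa,--noexecstack"; fi)`. Note that the variable is only defined inside the ifeq, so the ldso/ldso/Makefile reference expands to nothing when the option is off, which is fine because that Makefile guards it with the same condition.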