[uClibc] PATCH: noexecstack marking patch

Peter S. Mazinger ps.m at gmx.net
Sat Nov 6 21:19:21 UTC 2004


Hello!

A followup of the previous patch tarball is the attached one.
1. Adds support for noexecstack marking of all assembler files, so that 
any libs/execs built against this uClibc have only RW in the GNU_STACK 
header (w/o E). This is implemented as a separate security option.
2. Adds the earlier proposed generic security option 
(UCLIBC_SECURITY), that enables/disables at once all the security related 
options.
3. Adds an ld check if the -pie option is supported.

Peter

-- 
Peter S. Mazinger <ps dot m at gmx dot net>           ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08  BB6E C389 975E A5F0 59F2
-------------- next part --------------
--- uClibc-0.9.26/extra/Configs/Config.in.noexecstack~	2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/extra/Configs/Config.in	2004-11-06 21:55:06.000000000 +0100
@@ -1171,12 +1171,17 @@
 
 menu "uClibc security related options"
 
+config UCLIBC_SECURITY
+	bool "Enable security options"
+	default n
+
 config UCLIBC_BUILD_PIE
 	bool "Build utilities as ET_DYN/PIE executables"
+	depends on UCLIBC_SECURITY
 	depends on HAVE_SHARED
 	depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
 	select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
 	  It requires gcc-3.4 and binutils-2.15 or later.
@@ -1187,6 +1192,7 @@
 
 config UCLIBC_HAS_SSP
 	bool "Support for propolice stack protection"
+	depends on UCLIBC_SECURITY
 	default n
 	help
 	  Adds propolice protection to libc (__guard and __stack_smash_handler).
@@ -1226,6 +1232,7 @@
 
 config UCLIBC_BUILD_SSP
 	bool "Build uClibc with propolice protection"
+	depends on UCLIBC_SECURITY
 	depends on UCLIBC_HAS_SSP
 	default n
 	help
@@ -1233,16 +1240,27 @@
 
 config UCLIBC_BUILD_RELRO
 	bool "Build uClibc with RELRO"
+	depends on UCLIBC_SECURITY
 	depends on BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  Build all libraries and executables with -z relro.
 
 config UCLIBC_BUILD_NOW
 	bool "Build uClibc with NOW"
+	depends on UCLIBC_SECURITY
 	depends on BUILD_UCLIBC_LDSO
-	default n
+	default y
 	help
 	  Build all libraries and executables with -z now.
 
+config UCLIBC_BUILD_NOEXECSTACK
+	bool "Build uClibc with noexecstack marking"
+	depends on UCLIBC_SECURITY
+	default y
+	help
+	  Mark all assembler files as noexecstack. This will result in marking
+	  all libraries and executables built against uClibc not requiring
+	  executable stack.
+
 endmenu
--- uClibc-0.9.26/ldso/ldso/Makefile.noexecstack~	2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/ldso/ldso/Makefile	2004-11-06 22:08:03.000000000 +0100
@@ -23,6 +23,9 @@
 
 # reset to initial (disabling predefined CFLAGS)
 ASFLAGS=
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+ASFLAGS+=$(check_as_noexecstack)
+endif
 
 XXFLAGS=$(XWARNINGS) $(SSP_DISABLE_FLAGS)
 ifeq ($(DODEBUG),y)
--- uClibc-0.9.26/Rules.mak.noexecstack~	2004-11-06 21:55:06.000000000 +0100
+++ uClibc-0.9.26/Rules.mak	2004-11-06 22:06:52.000000000 +0100
@@ -89,10 +89,10 @@
 
 OPTIMIZATION:=
 PICFLAG:=-fPIC
+
 PIEFLAG:=$(call check_gcc,-fPIE,)
 ifeq ($(strip $(PIEFLAG)),-fPIE)
-# should add check if ld supports -pie
-LDPIEFLAG:=-Wl,-pie
+LDPIEFLAG:=$(shell if $(LD) --help | grep -q pie; then echo "-Wl,-pie"; fi)
 endif
 
 # Some nice CPU specific optimizations
@@ -285,6 +285,10 @@
 endif
 
 ASFLAGS = $(CFLAGS)
+ifeq ($(UCLIBC_BUILD_NOEXECSTACK),y)
+check_as_noexecstack=$(shell if $(LD) --help | grep -q "z noexecstack"; then echo "-Wa,--noexecstack"; fi)
+ASFLAGS += $(check_as_noexecstack)
+endif
 
 LIBGCC_CFLAGS ?= $(CFLAGS) $(CPU_CFLAGS-y)
 LIBGCC:=$(shell $(CC) $(LIBGCC_CFLAGS) -print-libgcc-file-name)


More information about the uClibc mailing list