From: Steven Barth Date: Sat, 20 Jun 2015 17:37:18 +0000 (+0000) Subject: buildroot: move hardening options into separate file X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=fc5f02410f27de8b2b97a8edccb859773094591e;p=openwrt%2Fstaging%2Frmilecki.git buildroot: move hardening options into separate file Signed-off-by: Steven Barth SVN-Revision: 46070 --- diff --git a/include/hardening.mk b/include/hardening.mk new file mode 100644 index 00000000000..8a24b3ca15e --- /dev/null +++ b/include/hardening.mk @@ -0,0 +1,55 @@ +# +# Copyright (C) 2015 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +PKG_CHECK_FORMAT_SECURITY ?= 1 +PKG_CC_STACKPROTECTOR_REGULAR ?= 1 +PKG_CC_STACKPROTECTOR_STRONG ?= 1 +PKG_FORTIFY_SOURCE_1 ?= 1 +PKG_FORTIFY_SOURCE_2 ?= 1 +PKG_RELRO_PARTIAL ?= 1 +PKG_RELRO_FULL ?= 1 + +ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY + ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1) + TARGET_CFLAGS += -Wformat -Werror=format-security + endif +endif +ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR + ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1) + TARGET_CFLAGS += -fstack-protector + TARGET_LDFLAGS += -fstack-protector + endif +endif +ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG + ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1) + TARGET_CFLAGS += -fstack-protector-strong + TARGET_LDFLAGS += -fstack-protector-strong + endif +endif +ifdef CONFIG_PKG_FORTIFY_SOURCE_1 + ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1) + TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 + endif +endif +ifdef CONFIG_PKG_FORTIFY_SOURCE_2 + ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1) + TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 + endif +endif +ifdef CONFIG_PKG_RELRO_PARTIAL + ifeq ($(strip $(PKG_RELRO_PARTIAL)),1) + TARGET_CFLAGS += -Wl,-z,relro + TARGET_LDFLAGS += -zrelro + endif +endif +ifdef CONFIG_PKG_RELRO_FULL + ifeq ($(strip $(PKG_RELRO_FULL)),1) + TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro + TARGET_LDFLAGS += -znow -zrelro + endif +endif + diff --git a/include/package.mk b/include/package.mk index 7ba7401d44a..6538afe3e24 100644 --- a/include/package.mk +++ b/include/package.mk @@ -14,13 +14,6 @@ PKG_INSTALL_DIR ?= $(PKG_BUILD_DIR)/ipkg-install PKG_MD5SUM ?= unknown PKG_BUILD_PARALLEL ?= PKG_USE_MIPS16 ?= 1 -PKG_CHECK_FORMAT_SECURITY ?= 1 -PKG_CC_STACKPROTECTOR_REGULAR ?= 1 -PKG_CC_STACKPROTECTOR_STRONG ?= 1 -PKG_FORTIFY_SOURCE_1 ?= 1 -PKG_FORTIFY_SOURCE_2 ?= 1 -PKG_RELRO_PARTIAL ?= 1 -PKG_RELRO_FULL ?= 1 ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),) MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j) @@ -40,46 +33,8 @@ ifdef CONFIG_USE_MIPS16 TARGET_CFLAGS += -mips16 -minterlink-mips16 endif endif -ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY - ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1) - TARGET_CFLAGS += -Wformat -Werror=format-security - endif -endif -ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR - ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1) - TARGET_CFLAGS += -fstack-protector - TARGET_LDFLAGS += -fstack-protector - endif -endif -ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG - ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1) - TARGET_CFLAGS += -fstack-protector-strong - TARGET_LDFLAGS += -fstack-protector-strong - endif -endif -ifdef CONFIG_PKG_FORTIFY_SOURCE_1 - ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1) - TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 - endif -endif -ifdef CONFIG_PKG_FORTIFY_SOURCE_2 - ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1) - TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 - endif -endif -ifdef CONFIG_PKG_RELRO_PARTIAL - ifeq ($(strip $(PKG_RELRO_PARTIAL)),1) - TARGET_CFLAGS += -Wl,-z,relro - TARGET_LDFLAGS += -Wl,-z,relro - endif -endif -ifdef CONFIG_PKG_RELRO_FULL - ifeq ($(strip $(PKG_RELRO_FULL)),1) - TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro - TARGET_LDFLAGS += -Wl,-z,now -Wl,-z,relro - endif -endif +include $(INCLUDE_DIR)/hardening.mk include $(INCLUDE_DIR)/prereq.mk include $(INCLUDE_DIR)/host.mk include $(INCLUDE_DIR)/unpack.mk