build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
This commit is contained in:
Julien Dusser
committed by
Hauke Mehrtens
Hauke Mehrtens
parent
ca7e8627db
commit
df0bd42fde
@@ -6,6 +6,7 @@
|
||||
#
|
||||
|
||||
PKG_CHECK_FORMAT_SECURITY ?= 1
|
||||
PKG_ASLR_PIE ?= 1
|
||||
PKG_SSP ?= 1
|
||||
PKG_FORTIFY_SOURCE ?= 1
|
||||
PKG_RELRO ?= 1
|
||||
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
|
||||
TARGET_CFLAGS += -Wformat -Werror=format-security
|
||||
endif
|
||||
endif
|
||||
ifdef CONFIG_PKG_ASLR_PIE
|
||||
ifeq ($(strip $(PKG_ASLR_PIE)),1)
|
||||
TARGET_CFLAGS += -fPIC
|
||||
TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
|
||||
endif
|
||||
endif
|
||||
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
|
||||
ifeq ($(strip $(PKG_SSP)),1)
|
||||
TARGET_CFLAGS += -fstack-protector
|
||||
|
||||
Reference in New Issue
Block a user