diff --git a/config/Config-build.in b/config/Config-build.in index 89cf964a8e..280f71923b 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -97,15 +97,6 @@ menu "Global build settings" If you are unsure, select N. - config PKG_CHECK_FORMAT_SECURITY - bool - prompt "Enable gcc format-security" - default n - help - Add -Wformat -Werror=format-security to the CFLAGS. You can disable - this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package - Makefile. - config PKG_BUILD_USE_JOBSERVER bool prompt "Use top-level make jobserver for packages" @@ -216,4 +207,83 @@ menu "Global build settings" bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default n + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space Stack-Smashing Protection" + default PKG_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select SSP_SUPPORT + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select SSP_SUPPORT + depends on GCC_VERSION_4_9_LINARO + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + depends on GCC_VERSION_4_9_LINARO + bool "Strong" + endchoice + + choice + prompt "Enable buffer-overflows detction (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that sholdn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. + config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + help + Enable a link-time protection know as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu diff --git a/include/package.mk b/include/package.mk index a1b90da38a..2c34a5850c 100644 --- a/include/package.mk +++ b/include/package.mk @@ -15,6 +15,12 @@ PKG_MD5SUM ?= unknown PKG_BUILD_PARALLEL ?= PKG_USE_MIPS16 ?= 1 PKG_CHECK_FORMAT_SECURITY ?= 1 +PKG_CC_STACKPROTECTOR_REGULAR ?= 1 +PKG_CC_STACKPROTECTOR_STRONG ?= 1 +PKG_FORTIFY_SOURCE_1 ?= 1 +PKG_FORTIFY_SOURCE_2 ?= 1 +PKG_RELRO_PARTIAL ?= 1 +PKG_RELRO_FULL ?= 1 ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),) MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j) @@ -39,6 +45,36 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY TARGET_CFLAGS += -Wformat -Werror=format-security endif endif +ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR + ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1) + TARGET_CFLAGS += -fstack-protector + endif +endif +ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG + ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1) + TARGET_CFLAGS += -fstack-protector-strong + endif +endif +ifdef CONFIG_PKG_FORTIFY_SOURCE_1 + ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1) + TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 + endif +endif +ifdef CONFIG_PKG_FORTIFY_SOURCE_2 + ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1) + TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 + endif +endif +ifdef CONFIG_PKG_RELRO_PARTIAL + ifeq ($(strip $(PKG_RELRO_PARTIAL)),1) + TARGET_CFLAGS += -Wl,-z,relro + endif +endif +ifdef CONFIG_PKG_RELRO_FULL + ifeq ($(strip $(PKG_RELRO_FULL)),1) + TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro + endif +endif include $(INCLUDE_DIR)/prereq.mk include $(INCLUDE_DIR)/host.mk diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index 19d536ecc0..6bdf5341e0 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -294,7 +294,7 @@ define Build/Compile/wpad echo ` \ $(call Build/RunMake,hostapd,-s MULTICALL=1 dump_cflags); \ $(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \ - sed -e 's,-n ,,g' -e 's,$(TARGET_CFLAGS),,' \ + sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \ ` > $(PKG_BUILD_DIR)/.cflags +$(call Build/RunMake,hostapd, \ CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \ diff --git a/toolchain/uClibc/common.mk b/toolchain/uClibc/common.mk index e507dc6fb0..435e4c2511 100644 --- a/toolchain/uClibc/common.mk +++ b/toolchain/uClibc/common.mk @@ -80,6 +80,7 @@ define Host/Configure -e 's,^.*UCLIBC_HAS_SHADOW.*,UCLIBC_HAS_SHADOW=$(if $(CONFIG_SHADOW_PASSWORDS),y,n),g' \ -e 's,^.*UCLIBC_HAS_LOCALE.*,UCLIBC_HAS_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \ -e 's,^.*UCLIBC_BUILD_ALL_LOCALE.*,UCLIBC_BUILD_ALL_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \ + -e 's,^.*UCLIBC_HAS_SSP.*,UCLIBC_HAS_SSP=$(if $(or $(CONFIG_PKG_CC_STACKPROTECTOR_REGULAR),$(CONFIG_PKG_CC_STACKPROTECTOR_STRONG)),y,n),g' \ $(HOST_BUILD_DIR)/.config.new cmp -s $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config.last || { \ cp $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config && \