From 69aa1d33e96425d8f5f3c3c37b07ebe76fa295d3 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer
Date: Sun, 14 Oct 2018 18:47:20 +0200
Subject: [PATCH] Set hardening options for packages with custom build system

Signed-off-by: David Oberhollenzer
---
 pkg/bzip2/build | 9 +++++++--
 pkg/dnsmasq/build | 5 +++++
 pkg/hostapd/build | 7 ++++++-
 pkg/iproute2/build | 9 +++++++--
 pkg/iw/build | 7 ++++++-
 pkg/musl/build | 4 ++++
 pkg/nginx/build | 4 ++++
 pkg/openssl/build | 8 ++++++--
 pkg/zlib/build | 6 +++++-
 9 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/pkg/bzip2/build b/pkg/bzip2/build
index 995a645..65e5b61 100755
--- a/pkg/bzip2/build
+++ b/pkg/bzip2/build
@@ -12,7 +12,12 @@ prepare() {
 
 build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
-	make CC=${TARGET}-gcc AR=${TARGET}-ar RANLIB=${TARGET}-ranlib -j $NUMJOBS libbz2.a bzip2 bzip2recover
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \
+		LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \
+		RANLIB=${TARGET}-ranlib -j $NUMJOBS libbz2.a bzip2 bzip2recover
 }
 
 deploy() {
@@ -32,4 +37,4 @@ deploy() {
 
 check_update() {
 	return
-}
\ No newline at end of file
+}
diff --git a/pkg/dnsmasq/build b/pkg/dnsmasq/build
index 52afd08..1d0ee30 100644
--- a/pkg/dnsmasq/build
+++ b/pkg/dnsmasq/build
@@ -12,6 +12,11 @@ prepare() {
 
 build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	CFLAGS="-O2 $cflags" \
+	LDFLAGS="$ldflags" \
 	make CC=${TARGET}-gcc PREFIX="/" BINDIR="/bin" -j $NUMJOBS
 }
 
diff --git a/pkg/hostapd/build b/pkg/hostapd/build
index e0f4130..9c41e02 100755
--- a/pkg/hostapd/build
+++ b/pkg/hostapd/build
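Review bot: The two strings on the `local cflags` and `local ldflags` lines are pasted unchanged into every hunk of this patch (dnsmasq, hostapd, iproute2, iw, nginx and openssl carry the same pair, musl the same ldflags), so the nine scripts will drift the first time one of them is tuned; defining them once where `TARGET` and `NUMJOBS` are provided, e.g. `HARDEN_CFLAGS` and `HARDEN_LDFLAGS` (names constructed here), and reading them in each `build()` keeps the policy in one place. The set also stops short of two mitigations that normally go with it: no cflags line carries `-D_FORTIFY_SOURCE=2` (possibly deliberate if this is a musl-based system, where it needs the fortify-headers package), and only musl gets `-fPIE` while no ldflags line has `-pie`, so `-z relro -z now` lands on executables that are not position-independent and whose own text and data are not randomised. `-fstack-protector-all` instruments every function; `-fstack-protector-strong` is the usual distribution choice and is worth measuring on the slower targets before settling on `all`. Whichever set is chosen, the outcome is easy to verify after the build with `readelf -lW` (GNU_STACK and GNU_RELRO program headers) and `readelf -d` (BIND_NOW), which catches a Makefile that quietly ignored the variables.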
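Review bot: The `CFLAGS="-O2 $cflags" \` and `LDFLAGS="$ldflags" \` lines put the variables into make's environment, and a plain `CFLAGS = …` assignment inside a Makefile overrides the environment; dnsmasq's Makefile assigns `CFLAGS` and `LDFLAGS` that way as far as I recall and expects extra flags via `COPTS`, in which case the hardening options are silently dropped for this package. Passing them as make arguments, as the bzip2 and iproute2 hunks already do and as `PREFIX` and `BINDIR` are passed here, removes the doubt: `make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" CC=${TARGET}-gcc PREFIX="/" BINDIR="/bin" -j $NUMJOBS`. The hostapd and iw hunks use the same environment-prefix form, which is only safe where the Makefile sets those variables with `?=` or under `ifndef`; a `readelf -d` on the built binaries settles it either way.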
@@ -13,7 +13,12 @@ build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
 	cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config"
 
-	export PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET"
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
+	CFLAGS="-MMD -O2 $cflags" \
+	LDFLAGS="$ldflags" \
 	make CC=${TARGET}-gcc -C hostapd -j $NUMJOBS
 }
 
diff --git a/pkg/iproute2/build b/pkg/iproute2/build
index 6a2ce90..a593ddd 100755
--- a/pkg/iproute2/build
+++ b/pkg/iproute2/build
@@ -12,7 +12,12 @@ prepare() {
 
 build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
-	make HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" CC="${TARGET}-gcc" SYSROOT="$TCDIR/$TARGET"
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \
+		HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \
+		CC="${TARGET}-gcc" SYSROOT="$TCDIR/$TARGET"
 }
 
 deploy() {
@@ -27,4 +32,4 @@ check_update() {
 	curl --silent -L $URL | grep -o "iproute2-[0-9.]*tar.xz" | \
 	sed 's/iproute2-//g' | sed 's/.tar.xz//g' | \
 	verson_find_greatest "$VERSION"
-}
\ No newline at end of file
+}
diff --git a/pkg/iw/build b/pkg/iw/build
index 4aaa44a..6bc335e 100755
--- a/pkg/iw/build
+++ b/pkg/iw/build
@@ -12,7 +12,12 @@ prepare() {
 
 build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
-	export PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET"
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	CFLAGS="-O2 $cflags" \
+	LDFLAGS="$ldflags" \
+	PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
 	make CC="${TARGET}-gcc" PKG_CONFIG="${TARGET}-pkg-config" PREFIX= \
 		SBINDIR=/bin DESTDIR="$2" -j $NUMJOBS
 }
diff --git a/pkg/musl/build b/pkg/musl/build
index 4461704..9914d62 100755
--- a/pkg/musl/build
+++ b/pkg/musl/build
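Review bot: Turning `export PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET"` into a prefix on the `make` line limits the variable to that one command, so any later step in this script (deploy is outside the hunk) that relied on the exported value no longer sees it; I cannot tell from the hunk whether anything did, so it is worth checking before merging. The iw hunk makes the same export-to-prefix change. Separately, `CFLAGS="-MMD -O2 $cflags"` replaces hostapd's default flags wholesale; if those were `-MMD -O2 -Wall -g` as in upstream, the build loses `-Wall`, and keeping it in the string (`CFLAGS="-MMD -O2 -Wall $cflags"`) costs nothing.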
@@ -10,6 +10,10 @@ prepare() {
 }
 
 build() {
+	local cflags="-fPIE -fPIC -fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
+	CFLAGS="$cflags" LDFLAGS="$ldflags" \
 	CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET"
 	CROSS_COMPILE="${TARGET}-" make -j $NUMJOBS
 }
diff --git a/pkg/nginx/build b/pkg/nginx/build
index 62e43f1..f492ab1 100755
--- a/pkg/nginx/build
+++ b/pkg/nginx/build
@@ -12,6 +12,9 @@ prepare() {
 
 build() {
 	cp -r ${1}/* ${PKGBUILDDIR}
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
 	./configure --prefix="" --sbin-path=/bin/nginx \
 		--modules-path=/lib/nginx \
 		--conf-path=/etc/nginx/nginx.conf \
@@ -23,6 +26,7 @@ build() {
 		--crossbuild=${TARGET} \
 		--with-cc=${TCDIR}/bin/${TARGET}-gcc \
 		--with-cpp=${TCDIR}/bin/${TARGET}-cpp \
+		--with-cc-opt="$cflags" --with-ld-opt="$ldflags" \
 		--with-poll_module --without-select_module \
 		--with-threads --with-http_ssl_module \
 		--with-http_sub_module --with-http_gunzip_module \
diff --git a/pkg/openssl/build b/pkg/openssl/build
index 0dcd5eb..f2e67ed 100755
--- a/pkg/openssl/build
+++ b/pkg/openssl/build
@@ -10,9 +10,13 @@ prepare() {
 }
 
 build() {
+	local cflags="-fstack-protector-all"
+	local ldflags="-z noexecstack -z relro -z now"
+
 	$1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \
 		--openssldir=/etc/ssl --libdir=/lib \
-		-DOPENSSL_NO_HEARTBEATS \
+		CFLAGS="-DOPENSSL_NO_HEARTBEATS $cflags" \
+		LDFLAGS="$ldflags" \
 		threads shared zlib-dynamic no-async $OPENSSL_TARGET
 
 	make -j 1
@@ -33,4 +37,4 @@ check_update() {
 	sed 's/>openssl-//g' | sed 's/.tar.gz
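Review bot: On the `local cflags="-fPIE -fPIC -fstack-protector-all"` line the two PIC options are mutually exclusive and GCC takes the later one, so `-fPIC` wins and `-fPIE` has no effect; if the goal is position-independent executables for the system, `-fPIE` belongs in the other packages' cflags together with `-pie` in their ldflags, not in libc's. The `CFLAGS="$cflags" LDFLAGS="$ldflags" \` prefix applies to `$1/configure` only, while the `make` line after it runs without the variables; that is fine as long as configure records them in its generated config.mak, and a comment such as `# configure captures CFLAGS/LDFLAGS into config.mak, so make needs no prefix` would keep the next reader from adding them to the make line as well. `-fstack-protector-all` applied to libc itself relies on the early-startup objects being built without the protector; upstream musl handles that in its Makefile as far as I recall, so this mainly deserves a boot test on the target.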