Make toolchain and user space hardening configurable

Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at>
This commit is contained in:
David Oberhollenzer 2018-10-19 13:02:06 +02:00
parent 69aa1d33e9
commit 8e5c6d3a2e
18 changed files with 113 additions and 30 deletions


@ -11,3 +11,5 @@ LINUXPKG="linux"
LINUX_CPU="x86"
LINUX_TGT="bzImage modules"
OPENSSL_TARGET="linux-generic32 386"
TC_HARDENING="no"
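Review bot: Setting `TC_HARDENING="no"` in this board config, and in the two identical board-config hunks that follow it, switches the stack-protector and `-z relro -z now` link flags off for every shipped board, whereas before this commit they were applied unconditionally in each package build(); only the one-line new file that sets `TC_HARDENING="yes"` keeps the previous behaviour. If the goal is merely to expose the knob, `TC_HARDENING="yes"` here keeps the secure default and makes opting out the explicit step. If turning it off is intended, a comment next to the setting such as `# hardening off: <reason>` would record why, and the commit message should say that the default changed.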


@ -11,3 +11,5 @@ LINUXPKG="linux"
LINUX_CPU="x86_64"
LINUX_TGT="bzImage"
OPENSSL_TARGET="linux-x86_64"
TC_HARDENING="no"


@ -11,3 +11,5 @@ LINUXPKG="linux-rpi3"
LINUX_CPU="arm"
LINUX_TGT="zImage"
OPENSSL_TARGET="linux-generic32"
TC_HARDENING="no"


@ -0,0 +1 @@
TC_HARDENING="yes"


@ -12,8 +12,13 @@ prepare() {
build() {
cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \
LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \
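Review bot: Any value of TC_HARDENING other than exactly `yes` — unset, `Yes`, `true`, a typo — takes the unhardened branch of this build() without any diagnostic, and the same copied block appears in every other package hunk of this commit. Since the board configs now set the variable to a literal `yes` or `no`, the check can be strict: `case "$TC_HARDENING" in yes|no) ;; *) echo "TC_HARDENING must be yes or no" >&2; return 1 ;; esac` before the `if`, so a mistyped config fails the build instead of silently dropping `-fstack-protector-all` and `-z relro -z now`. Doing that once in the shared helper file (the one that holds run_configure looks shared — please confirm) and having each build() read the resulting flags from two variables would also remove the ten-fold duplication. build() continues past the end of this hunk.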


@ -12,8 +12,13 @@ prepare() {
build() {
cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \


@ -13,8 +13,13 @@ build() {
cp -r ${1}/* ${PKGBUILDDIR}
cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config"
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
CFLAGS="-MMD -O2 $cflags" \


@ -12,8 +12,13 @@ prepare() {
build() {
cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \
HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \


@ -12,8 +12,13 @@ prepare() {
build() {
cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \


@ -10,8 +10,13 @@ prepare() {
}
build() {
local cflags="-fPIE -fPIC -fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fPIE -fPIC -fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="$cflags" LDFLAGS="$ldflags" \
CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET"


@ -12,8 +12,13 @@ prepare() {
build() {
cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
./configure --prefix="" --sbin-path=/bin/nginx \
--modules-path=/lib/nginx \


@ -10,8 +10,13 @@ prepare() {
}
build() {
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "yes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
$1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \
--openssldir=/etc/ssl --libdir=/lib \
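Review bot: The condition `[ "x$TC_HARDENING" = "yes" ]` in this build() can never be true, because the left-hand side always carries the `x` prefix, so OpenSSL is built without `-fstack-protector-all` and `-z noexecstack -z relro -z now` even when the board config sets TC_HARDENING to `yes`; every other package hunk in this commit compares against `"xyes"`. Change it to `if [ "x$TC_HARDENING" = "xyes" ]; then`. build() continues past the end of this hunk.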


@ -10,9 +10,15 @@ prepare() {
}
build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" --disable-nls \
--with-sysroot="$TCDIR/$TARGET" --disable-multilib \
--with-lib-path="$TCDIR/$TARGET/lib" --enable-libssp
--with-lib-path="$TCDIR/$TARGET/lib" $extra
make configure-host
make -j $NUMJOBS


@ -37,17 +37,25 @@ prepare() {
}
build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp --enable-default-pie"
extra="$extra --enable-default-ssp"
else
extra="--disable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" \
--build="$HOSTTUPLE" --host="$HOSTTUPLE" \
--with-sysroot="$TCDIR/$TARGET" \
--disable-nls --disable-shared --without-headers \
--disable-multilib --disable-decimal-float \
--disable-libgomp --disable-libmudflap \
--enable-libssp --disable-libatomic \
--disable-libatomic \
--disable-libquadmath --disable-threads \
--enable-languages=c --with-newlib \
--enable-default-pie --enable-default-ssp \
--with-arch="$GCC_CPU" $GCC_EXTRACFG
--with-arch="$GCC_CPU" $extra $GCC_EXTRACFG
make -j $NUMJOBS all-gcc all-target-libgcc
}


@ -3,16 +3,23 @@ source "$SCRIPTDIR/pkg/tc-gcc1/build"
DEPENDS="tc-gcc1 musl linux_headers"
build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp --enable-default-pie"
extra="$extra --enable-default-ssp"
else
extra="--disable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" \
--build="$HOSTTUPLE" --host="$HOSTTUPLE" \
--with-sysroot="$TCDIR/$TARGET" \
--disable-nls --enable-languages=c,c++ \
--enable-c99 --enable-long-long \
--enable-libmudflap --disable-multilib \
--enable-libssp \
--disable-libsanitizer \
--enable-default-pie --enable-default-ssp \
--with-arch="$GCC_CPU" $GCC_EXTRACFG \
--with-arch="$GCC_CPU" $extra $GCC_EXTRACFG \
--with-native-system-header-dir="/include"
make -j $NUMJOBS
@ -46,4 +53,12 @@ deploy() {
mv ${TCDIR}/${TARGET}/{include,lib} "$DEPLOY"
rm ${DEPLOY}/lib/*.la
cp "$SCRIPTDIR/pkg/$PKGNAME/rootfs_files.txt" "$DEPLOY"
if [ "x$TC_HARDENING" = "xyes" ]; then
cat >> "$DEPLOY/rootfs_files.txt" <<_EOF
lib/libssp.so m 777 0 0
lib/libssp.so.0 m 777 0 0
lib/libssp.so.0.0.0 m 555 0 0
_EOF
fi
}


@ -9,9 +9,6 @@ lib/libgomp.so.1.0.0 m 555 0 0
lib/libitm.so m 777 0 0
lib/libitm.so.1 m 777 0 0
lib/libitm.so.1.0.0 m 555 0 0
lib/libssp.so m 777 0 0
lib/libssp.so.0 m 777 0 0
lib/libssp.so.0.0.0 m 555 0 0
lib/libstdc++.so m 777 0 0
lib/libstdc++.so.6 m 777 0 0
lib/libstdc++.so.6.0.25 m 555 0 0


@ -10,8 +10,13 @@ prepare() {
}
build() {
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="$cflags" LDFLAGS="$ldflags" \
cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \


@ -2,8 +2,13 @@ run_configure() {
local srcdir="$1"
shift
local cflags="-fstack-protector-all"
local ldflags="-z noexecstack -z relro -z now"
local cflags=""
local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
ac_cv_func_malloc_0_nonnull=yes \
ac_cv_func_realloc_0_nonnull=yes \