Make toolchain and user space hardening configurable

Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at>
This commit is contained in:
David Oberhollenzer 2018-10-19 13:02:06 +02:00
parent 69aa1d33e9
commit 8e5c6d3a2e
18 changed files with 113 additions and 30 deletions


@ -11,3 +11,5 @@ LINUXPKG="linux"
LINUX_CPU="x86" LINUX_CPU="x86"
LINUX_TGT="bzImage modules" LINUX_TGT="bzImage modules"
OPENSSL_TARGET="linux-generic32 386" OPENSSL_TARGET="linux-generic32 386"
TC_HARDENING="no"
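Review bot: `TC_HARDENING="no"` switches off the stack protector and the noexecstack/RELRO/BIND_NOW link flags for this target, and neither this file nor the commit description records why; a comment next to the assignment, e.g. `# hardening disabled for this target: <reason>`, would keep the trade-off visible to whoever next touches the config. The same applies to the x86_64 and rpi3 target configs in this commit, which set the same value without explanation.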


@ -11,3 +11,5 @@ LINUXPKG="linux"
LINUX_CPU="x86_64" LINUX_CPU="x86_64"
LINUX_TGT="bzImage" LINUX_TGT="bzImage"
OPENSSL_TARGET="linux-x86_64" OPENSSL_TARGET="linux-x86_64"
TC_HARDENING="no"


@ -11,3 +11,5 @@ LINUXPKG="linux-rpi3"
LINUX_CPU="arm" LINUX_CPU="arm"
LINUX_TGT="zImage" LINUX_TGT="zImage"
OPENSSL_TARGET="linux-generic32" OPENSSL_TARGET="linux-generic32"
TC_HARDENING="no"


@ -0,0 +1 @@
TC_HARDENING="yes"


@ -12,8 +12,13 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \ make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \
LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \ LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \
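Review bot: The test `[ "x$TC_HARDENING" = "xyes" ]` treats an unset variable and any spelling other than exactly `yes` (`YES`, `true`, a trailing space) as "hardening off", so a misconfigured target silently yields unhardened binaries instead of an error. Validating the value once where the target config is loaded, e.g. `case "$TC_HARDENING" in yes|no) ;; *) echo "TC_HARDENING must be yes or no" >&2; exit 1 ;; esac`, would make that failure loud. The same cflags/ldflags block is repeated verbatim in the other user-space build() hunks of this commit (hostapd, the cmake package, run_configure and the rest); a shared helper that emits the flags would remove the copies and the chance of them drifting, as the `Configure --openssldir` hunk already shows. build() continues past the end of this hunk.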


@ -12,8 +12,13 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="-O2 $cflags" \ CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \ LDFLAGS="$ldflags" \


@ -13,8 +13,13 @@ build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config" cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config"
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \ PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
CFLAGS="-MMD -O2 $cflags" \ CFLAGS="-MMD -O2 $cflags" \


@ -12,8 +12,13 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \ make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \
HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \ HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \


@ -12,8 +12,13 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="-O2 $cflags" \ CFLAGS="-O2 $cflags" \
LDFLAGS="$ldflags" \ LDFLAGS="$ldflags" \


@ -10,8 +10,13 @@ prepare() {
} }
build() { build() {
local cflags="-fPIE -fPIC -fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fPIE -fPIC -fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="$cflags" LDFLAGS="$ldflags" \ CFLAGS="$cflags" LDFLAGS="$ldflags" \
CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET" CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET"


@ -12,8 +12,13 @@ prepare() {
build() { build() {
cp -r ${1}/* ${PKGBUILDDIR} cp -r ${1}/* ${PKGBUILDDIR}
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
./configure --prefix="" --sbin-path=/bin/nginx \ ./configure --prefix="" --sbin-path=/bin/nginx \
--modules-path=/lib/nginx \ --modules-path=/lib/nginx \


@ -10,8 +10,13 @@ prepare() {
} }
build() { build() {
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "yes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
$1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \ $1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \
--openssldir=/etc/ssl --libdir=/lib \ --openssldir=/etc/ssl --libdir=/lib \
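Review bot: The condition `[ "x$TC_HARDENING" = "yes" ]` can never be true, because the left-hand side always begins with `x`, so this package is built without `-fstack-protector-all` and the RELRO/now link flags even when hardening is requested. It should read `if [ "x$TC_HARDENING" = "xyes" ]; then`, matching every other build() in this commit. build() continues past the end of this hunk.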


@ -10,9 +10,15 @@ prepare() {
} }
build() { build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" --disable-nls \ $1/configure --prefix="$TCDIR" --target="$TARGET" --disable-nls \
--with-sysroot="$TCDIR/$TARGET" --disable-multilib \ --with-sysroot="$TCDIR/$TARGET" --disable-multilib \
--with-lib-path="$TCDIR/$TARGET/lib" --enable-libssp --with-lib-path="$TCDIR/$TARGET/lib" $extra
make configure-host make configure-host
make -j $NUMJOBS make -j $NUMJOBS
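Review bot: Unlike the two gcc hunks, the non-hardened path here leaves `extra` empty, so libssp falls back to whatever configure's default is instead of an explicit `--disable-libssp`; whether that default matters for binutils is not visible here, but the two modes are less clearly separated than in the gcc stages. Either an `else extra="--disable-libssp"` arm or a comment stating that the default is deliberately relied upon would make the intent explicit. build() continues past the end of this hunk.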


@ -37,17 +37,25 @@ prepare() {
} }
build() { build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp --enable-default-pie"
extra="$extra --enable-default-ssp"
else
extra="--disable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" \ $1/configure --prefix="$TCDIR" --target="$TARGET" \
--build="$HOSTTUPLE" --host="$HOSTTUPLE" \ --build="$HOSTTUPLE" --host="$HOSTTUPLE" \
--with-sysroot="$TCDIR/$TARGET" \ --with-sysroot="$TCDIR/$TARGET" \
--disable-nls --disable-shared --without-headers \ --disable-nls --disable-shared --without-headers \
--disable-multilib --disable-decimal-float \ --disable-multilib --disable-decimal-float \
--disable-libgomp --disable-libmudflap \ --disable-libgomp --disable-libmudflap \
--enable-libssp --disable-libatomic \ --disable-libatomic \
--disable-libquadmath --disable-threads \ --disable-libquadmath --disable-threads \
--enable-languages=c --with-newlib \ --enable-languages=c --with-newlib \
--enable-default-pie --enable-default-ssp \ --with-arch="$GCC_CPU" $extra $GCC_EXTRACFG
--with-arch="$GCC_CPU" $GCC_EXTRACFG
make -j $NUMJOBS all-gcc all-target-libgcc make -j $NUMJOBS all-gcc all-target-libgcc
} }
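Review bot: The hardening option list is assembled in two assignments (`extra="--enable-libssp --enable-default-pie"` then `extra="$extra --enable-default-ssp"`) and the identical block appears again in the tc-gcc2 build(), which already `source`s this file; defining the list once here in a variable such as `TC_GCC_HARDEN_FLAGS="--enable-libssp --enable-default-pie --enable-default-ssp"` (name constructed) and referencing it from both stages would keep the two compiler builds from drifting apart. `$extra` is left unquoted on purpose so the flags word-split into separate configure arguments; a comment to that effect, `# unquoted on purpose: word-splits into separate options`, would stop a later quoting cleanup from collapsing them into one argument.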


@ -3,16 +3,23 @@ source "$SCRIPTDIR/pkg/tc-gcc1/build"
DEPENDS="tc-gcc1 musl linux_headers" DEPENDS="tc-gcc1 musl linux_headers"
build() { build() {
local extra=""
if [ "x$TC_HARDENING" = "xyes" ]; then
extra="--enable-libssp --enable-default-pie"
extra="$extra --enable-default-ssp"
else
extra="--disable-libssp"
fi
$1/configure --prefix="$TCDIR" --target="$TARGET" \ $1/configure --prefix="$TCDIR" --target="$TARGET" \
--build="$HOSTTUPLE" --host="$HOSTTUPLE" \ --build="$HOSTTUPLE" --host="$HOSTTUPLE" \
--with-sysroot="$TCDIR/$TARGET" \ --with-sysroot="$TCDIR/$TARGET" \
--disable-nls --enable-languages=c,c++ \ --disable-nls --enable-languages=c,c++ \
--enable-c99 --enable-long-long \ --enable-c99 --enable-long-long \
--enable-libmudflap --disable-multilib \ --enable-libmudflap --disable-multilib \
--enable-libssp \
--disable-libsanitizer \ --disable-libsanitizer \
--enable-default-pie --enable-default-ssp \ --with-arch="$GCC_CPU" $extra $GCC_EXTRACFG \
--with-arch="$GCC_CPU" $GCC_EXTRACFG \
--with-native-system-header-dir="/include" --with-native-system-header-dir="/include"
make -j $NUMJOBS make -j $NUMJOBS
@ -46,4 +53,12 @@ deploy() {
mv ${TCDIR}/${TARGET}/{include,lib} "$DEPLOY" mv ${TCDIR}/${TARGET}/{include,lib} "$DEPLOY"
rm ${DEPLOY}/lib/*.la rm ${DEPLOY}/lib/*.la
cp "$SCRIPTDIR/pkg/$PKGNAME/rootfs_files.txt" "$DEPLOY" cp "$SCRIPTDIR/pkg/$PKGNAME/rootfs_files.txt" "$DEPLOY"
if [ "x$TC_HARDENING" = "xyes" ]; then
cat >> "$DEPLOY/rootfs_files.txt" <<_EOF
lib/libssp.so m 777 0 0
lib/libssp.so.0 m 777 0 0
lib/libssp.so.0.0.0 m 555 0 0
_EOF
fi
} }
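Review bot: deploy() decides whether to list the libssp files from `$TC_HARDENING` rather than from what build() actually produced, so if the two ever diverge (a changed config between the build and deploy steps, or a configure default that differs from the flag) the rootfs manifest will name a library that is not in `$DEPLOY/lib`, or omit one that is. Keying the append off the artifact, `if [ -e "$DEPLOY/lib/libssp.so.0.0.0" ]; then`, ties the manifest to the build output. The here-doc body contains no expansions, so quoting the delimiter (`<<'_EOF'`) would state that it is literal.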


@ -9,9 +9,6 @@ lib/libgomp.so.1.0.0 m 555 0 0
lib/libitm.so m 777 0 0 lib/libitm.so m 777 0 0
lib/libitm.so.1 m 777 0 0 lib/libitm.so.1 m 777 0 0
lib/libitm.so.1.0.0 m 555 0 0 lib/libitm.so.1.0.0 m 555 0 0
lib/libssp.so m 777 0 0
lib/libssp.so.0 m 777 0 0
lib/libssp.so.0.0.0 m 555 0 0
lib/libstdc++.so m 777 0 0 lib/libstdc++.so m 777 0 0
lib/libstdc++.so.6 m 777 0 0 lib/libstdc++.so.6 m 777 0 0
lib/libstdc++.so.6.0.25 m 555 0 0 lib/libstdc++.so.6.0.25 m 555 0 0


@ -10,8 +10,13 @@ prepare() {
} }
build() { build() {
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
CFLAGS="$cflags" LDFLAGS="$ldflags" \ CFLAGS="$cflags" LDFLAGS="$ldflags" \
cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \ cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \


@ -2,8 +2,13 @@ run_configure() {
local srcdir="$1" local srcdir="$1"
shift shift
local cflags="-fstack-protector-all" local cflags=""
local ldflags="-z noexecstack -z relro -z now" local ldflags=""
if [ "x$TC_HARDENING" = "xyes" ]; then
cflags="-fstack-protector-all"
ldflags="-z noexecstack -z relro -z now"
fi
ac_cv_func_malloc_0_nonnull=yes \ ac_cv_func_malloc_0_nonnull=yes \
ac_cv_func_realloc_0_nonnull=yes \ ac_cv_func_realloc_0_nonnull=yes \