[00/10] Rework GCC PIE and security flags (take 2)

Message ID cover.1498665211.git.raj.khem@gmail.com
Headers show
Series
  • Rework GCC PIE and security flags (take 2)
Related show

Message

Khem Raj June 28, 2017, 4:04 p.m.
* This patchset add a switch to configure gcc driver with PIE defaults
* Add support for generating static PIE in gcc
* Gets rid of lot of bandaids from distro security flags file
* Adjust recipes for new way of specifying pie

v1->v2:

* apply linking spec changes libssp_nonshared.a to musl alone
* icu/iptable/gstreamer1.0-plugins-bad fixes are done on top not really depend on pie rework

The following changes since commit 179b7ae2511974173ae4aa72dfb49384ff69c2e5:

  meta/conf/layer.conf: bump layer version for LSB changes (2017-06-28 15:52:00 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (10):
  gcc: Introduce a knob to configure gcc to default to PIE
  security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
  distutils,setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
  gcc7: Enable static PIE
  gcc: Link libssp_nonshared.a only on musl targets
  libunwind: We set -fPIE in security flags now if gcc is not configured
    for default PIE
  valgrind: Remove -no-pie from cflags
  iptables: Apply 0001-fix-build-with-musl.patch unconditionally
  icu: Fix build with glibc 2.26
  gstreamer1.0-plugins-bad: Fix missing library with bcm egl

 meta/classes/distutils-common-base.bbclass         |  2 -
 meta/classes/setuptools.bbclass                    |  2 -
 meta/conf/distro/include/security_flags.inc        | 83 ++++++----------------
 meta/recipes-devtools/gcc/gcc-7.1.inc              |  3 +-
 ...shared-to-link-commandline-for-musl-targe.patch | 42 +++++++++++
 .../gcc/gcc-7.1/0040-ssp_nonshared.patch           | 28 --------
 .../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch   | 37 ++++++++++
 meta/recipes-devtools/gcc/gcc-configure-common.inc |  3 +
 meta/recipes-devtools/valgrind/valgrind_3.12.0.bb  |  2 -
 meta/recipes-extended/iptables/iptables_1.6.1.bb   |  4 +-
 .../link-with-libvchostif.patch                    | 35 +++++++++
 .../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb   |  1 +
 .../icu/icu/0001-i18n-Drop-include-xlocale.h.patch | 31 ++++++++
 meta/recipes-support/icu/icu_58.2.bb               |  3 +-
 meta/recipes-support/libunwind/libunwind_1.2.bb    |  4 --
 15 files changed, 177 insertions(+), 103 deletions(-)
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
 delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
 create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch

-- 
2.13.2

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core