security_flags: turn potential string format security issues into an error
Add "-Wformat -Wformat-security -Werror=format-security" to the default SECURITY_CFLAGS to catch potential security vulnerabilities due to the misuse of various string formatting functions. These flags are widely used in distributions such as Fedora and Ubuntu, however we have 15 recipes in OE-Core which fail to build with these flags included and thus the flags are removed for: - busybox - console-tools - cmake - expect - gcc - gettext - kexec-tools - leafpad - libuser - ltp - makedevs - oh-puzzles - stat - unzip - zip [YOCTO #9488] (From OE-Core rev: f335f8e744fb312b3eb599c331d08a9a6e5a8ff8) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
8fa797d73b
commit
30f9a5072d
|
@ -9,8 +9,11 @@
|
|||
# -O0 which then results in a compiler warning.
|
||||
lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
|
||||
|
||||
SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"
|
||||
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"
|
||||
# Error on use of format strings that represent possible security problems
|
||||
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
|
||||
|
||||
SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
|
||||
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
|
||||
|
||||
SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
|
||||
SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
|
||||
|
@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
|
|||
SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
|
||||
SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
|
||||
|
||||
# Recipes which fail to compile when elevating -Wformat-security to an error
|
||||
SECURITY_STRINGFORMAT_pn-busybox = ""
|
||||
SECURITY_STRINGFORMAT_pn-console-tools = ""
|
||||
SECURITY_STRINGFORMAT_pn-cmake = ""
|
||||
SECURITY_STRINGFORMAT_pn-expect = ""
|
||||
SECURITY_STRINGFORMAT_pn-gcc = ""
|
||||
SECURITY_STRINGFORMAT_pn-gettext = ""
|
||||
SECURITY_STRINGFORMAT_pn-kexec-tools = ""
|
||||
SECURITY_STRINGFORMAT_pn-leafpad = ""
|
||||
SECURITY_STRINGFORMAT_pn-libuser = ""
|
||||
SECURITY_STRINGFORMAT_pn-ltp = ""
|
||||
SECURITY_STRINGFORMAT_pn-makedevs = ""
|
||||
SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
|
||||
SECURITY_STRINGFORMAT_pn-stat = ""
|
||||
SECURITY_STRINGFORMAT_pn-unzip = ""
|
||||
SECURITY_STRINGFORMAT_pn-zip = ""
|
||||
|
||||
TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
|
||||
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
|
||||
|
||||
|
|
Loading…
Reference in New Issue