1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
Apply Alpine Linux specific differences to Gentoo ESP configuration:
- default PIE and SSP by default without additional CFLAGS (to clean up APKBUILD)
- do not enable -fstack-check by default (caused failures in programs that setup
small stack in musl)
- enable -z relro by default
- enable -fstack-protector-strong instead of -fstack-protector-all by default
--- gcc-4.9.2/gcc/config/esp.h 2014-12-10 15:54:19.925060848 +0000
+++ gcc-4.9.2/gcc/config/esp.h 2014-12-10 15:59:16.793850060 +0000
@@ -4,7 +4,7 @@
#ifndef GCC_ESP_H
#define GCC_ESP_H
-/* This file will add -fstack-protector-all, -fstack-check, -fPIE, -pie and -z now
+/* This file will add -fstack-protector-strong, -fPIE, -pie, -z relro and -z now
as default if the defines and the spec allow it.
Added a hack for gcc-specs-* in toolchain-funcs.eclass and _filter-hardened in flag-o-matic.eclass
to support older hardened GCC patches and we don't need to change the code on gcc-specs-* and _filter-hardened.
@@ -16,11 +16,14 @@
ENABLE_CRTBEGINP add support for crtbeginP.o, build -static with -fPIE or -fpie.
*/
#ifdef ENABLE_ESP
+
+ /* Enable by default on Alpine */
+ #define EFAULT_PIE_SSP
/* Hack to support gcc-specs-* in toolchain-funcs.eclass and _filter-hardened in flag-o-matic.eclass */
#define ESP_CC1_SPEC " %(esp_cc1_ssp) %(esp_cc1_pie) %(esp_cc1_strict_overflow)"
#if defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP )
- #define ESP_CC1_SSP_SPEC "%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}"
+ #define ESP_CC1_SSP_SPEC "%{!fno-stack-protector: %{!fno-stack-protector-all: }}"
#else
#define ESP_CC1_SSP_SPEC ""
#endif
@@ -34,20 +37,20 @@
/* ESP_LINK_SPEC is added to LINK_PIE_SPEC if esp is enable
-z now will be added if we don't have -vanilla spec. We do a -pie incompatible check
Don't remove the specs in the end */
- #define ESP_LINK_SPEC "%(esp_link_now) %(esp_link_pie_check) "
+ #define ESP_LINK_SPEC "%(esp_link_now) %(esp_link_relro) %(esp_link_pie_check) "
#define ESP_LINK_NOW_SPEC "%{!nonow:-z now}"
+ #define ESP_LINK_RELRO_SPEC "%{!norelro:-z relro}"
/* We use ESP_DRIVER_SELF_SPEC to add pie and ssp command-line options. */
#define ESP_DRIVER_SELF_SPEC "%{D__KERNEL__:;:%{!nopie:%(esp_options_pie) \
%(esp_link_pie)} %(esp_options_ssp) }"
- /* This will add -fstack-protector-all if we don't have -nostdlib -nodefaultlibs -fno-stack-protector -fstack-protector
+ /* This will add -fstack-protector-strong if we don't have -nostdlib -nodefaultlibs -fno-stack-protector -fstack-protector
-fstack-protector-all and we have EFAULT_SSP or EFAULT_PIE_SSP defined. */
#if defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP )
#define ESP_OPTIONS_SSP_SPEC \
"%{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| \
- fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} \
- %{fstack-check|fstack-check=*:;: -fstack-check}"
+ fstack-protector-all|fstack-protector-strong:;:-fstack-protector-strong}"
#else
#define ESP_OPTIONS_SSP_SPEC ""
#endif
@@ -115,6 +118,7 @@
{ "esp_cc1_strict_overflow", ESP_CC1_STRICT_OVERFLOW_SPEC }, \
{ "esp_link", ESP_LINK_SPEC }, \
{ "esp_link_now", ESP_LINK_NOW_SPEC }, \
+ { "esp_link_relro", ESP_LINK_RELRO_SPEC }, \
{ "esp_link_pie", ESP_LINK_PIE_SPEC }, \
{ "esp_link_pie_check", ESP_LINK_PIE_CHECK_SPEC }, \
{ "esp_driver_self", ESP_DRIVER_SELF_SPEC }, \
|
