[1/6] package/Makefile.in: Do not use CPPFLAGS for hardening options

Message ID 20180711143113.11927-2-matthew.weber@rockwellcollins.com
State Accepted
Series Hardening Flag Bugfix/Enhancement

Commit Message

Matt Weber July 11, 2018, 2:31 p.m. UTC
From: Stefan Sørensen <stefan.sorensen@spectralink.com>

The hardening options are compiler flags, not pure pre-processor flags, so
put them in CFLAGS, not CPPFLAGS.

This fixes build errors where -D_FORTIFY_SOURCE=2 was put in CPPFLAGS and
then applied to configure tests which could fail since the required -O2 is
only in CFLAGS.

Originally submitted as
http://patchwork.ozlabs.org/patch/904057/

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/Makefile.in | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Comments

Arnout Vandecappelle July 11, 2018, 9:14 p.m. UTC | #1
On 11-07-18 16:31, Matt Weber wrote:
> From: Stefan Sørensen <stefan.sorensen@spectralink.com>
> 
> The hardening options are compiler flags, not pure pre-processor flags, so
> put them in CFLAGS, not CPPFLAGS.
> 
> This fixes build errors where -D_FORTIFY_SOURCE=2 was put in CPPFLAGS and
> then applied to configure tests which could fail since the required -O2 is
> only in CFLAGS.
> 
> Originally submitted as
> http://patchwork.ozlabs.org/patch/904057/
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

 I was thinking: why introduce TARGET_HARDENED instead of just adding to
TARGET_CFLAGS directly. But it actually does look nicer this way. So

Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

> ---
>  package/Makefile.in | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/package/Makefile.in b/package/Makefile.in
> index f2962767cc..5e0ff8c841 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -147,29 +147,29 @@ TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
>  TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
>  
>  ifeq ($(BR2_SSP_REGULAR),y)
> -TARGET_CPPFLAGS += -fstack-protector
> +TARGET_HARDENED += -fstack-protector
>  else ifeq ($(BR2_SSP_STRONG),y)
> -TARGET_CPPFLAGS += -fstack-protector-strong
> +TARGET_HARDENED += -fstack-protector-strong
>  else ifeq ($(BR2_SSP_ALL),y)
> -TARGET_CPPFLAGS += -fstack-protector-all
> +TARGET_HARDENED += -fstack-protector-all
>  endif
>  
>  ifeq ($(BR2_RELRO_PARTIAL),y)
> -TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
> +TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
>  TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
>  else ifeq ($(BR2_RELRO_FULL),y)
> -TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
> +TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
>  TARGET_LDFLAGS += -pie
>  endif
>  
>  ifeq ($(BR2_FORTIFY_SOURCE_1),y)
> -TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=1
>  else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
> -TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=2
>  endif
>  
>  TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> -TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
> +TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) $(TARGET_HARDENED)

 The line is getting a bit long, but TARGET_DEBUGGING was already too much so
not for this patch :-)


 Regards,
 Arnout

>  TARGET_CXXFLAGS = $(TARGET_CFLAGS)
>  TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
>  
>
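
Review bot: TARGET_HARDENED is only ever appended to with += in this hunk and no initial assignment is visible in the context, so a value inherited from the environment or set earlier in the file would flow straight into TARGET_CFLAGS and TARGET_CXXFLAGS. Consider an explicit empty `TARGET_HARDENED =` ahead of the first `ifeq ($(BR2_SSP_REGULAR),y)`, with a one-line comment recording why these flags are kept out of TARGET_CPPFLAGS (configure tests would otherwise see -D_FORTIFY_SOURCE without the optimization level it needs).
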
Thomas Petazzoni Aug. 10, 2018, 8:31 p.m. UTC | #2
Hello,

On Wed, 11 Jul 2018 09:31:08 -0500, Matt Weber wrote:
> From: Stefan Sørensen <stefan.sorensen@spectralink.com>
> 
> The hardening options are compiler flags, not pure pre-processor flags, so
> put them in CFLAGS, not CPPFLAGS.
> 
> This fixes build errors where -D_FORTIFY_SOURCE=2 was put in CPPFLAGS and
> then applied to configure tests which could fail since the required -O2 is
> only in CFLAGS.
> 
> Originally submitted as
> http://patchwork.ozlabs.org/patch/904057/
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
>  package/Makefile.in | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)

Applied to next, thanks.

Thomas

Patch

diff --git a/package/Makefile.in b/package/Makefile.in
index f2962767cc..5e0ff8c841 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -147,29 +147,29 @@  TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
 
 ifeq ($(BR2_SSP_REGULAR),y)
-TARGET_CPPFLAGS += -fstack-protector
+TARGET_HARDENED += -fstack-protector
 else ifeq ($(BR2_SSP_STRONG),y)
-TARGET_CPPFLAGS += -fstack-protector-strong
+TARGET_HARDENED += -fstack-protector-strong
 else ifeq ($(BR2_SSP_ALL),y)
-TARGET_CPPFLAGS += -fstack-protector-all
+TARGET_HARDENED += -fstack-protector-all
 endif
 
 ifeq ($(BR2_RELRO_PARTIAL),y)
-TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
+TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
 else ifeq ($(BR2_RELRO_FULL),y)
-TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
 TARGET_LDFLAGS += -pie
 endif
 
 ifeq ($(BR2_FORTIFY_SOURCE_1),y)
-TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
+TARGET_HARDENED += -D_FORTIFY_SOURCE=1
 else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
-TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
+TARGET_HARDENED += -D_FORTIFY_SOURCE=2
 endif
 
 TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
+TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) $(TARGET_HARDENED)
 TARGET_CXXFLAGS = $(TARGET_CFLAGS)
 TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
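
Review bot: in the BR2_RELRO_FULL branch TARGET_LDFLAGS receives only -pie, so -Wl,-z,now and $(TARGET_CFLAGS_RELRO) reach the linker solely through TARGET_HARDENED in TARGET_CFLAGS, whereas the BR2_RELRO_PARTIAL branch also appends $(TARGET_CFLAGS_RELRO) to TARGET_LDFLAGS. A package whose link step passes LDFLAGS without CFLAGS would produce a PIE without full RELRO; `TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)` would make the two branches consistent. Separately, TARGET_FCFLAGS on the last context line does not include $(TARGET_HARDENED), so Fortran objects get no stack protector; it did not include TARGET_CPPFLAGS before either, so this is not a regression, but it is worth a follow-up or a comment.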