| Message ID | 1465297576-10981-13-git-send-email-nix@esperi.org.uk |
|---|---|
| State | New |
On 06/07/2016 01:06 PM, Nix wrote:
> From: Nick Alcock <nick.alcock@oracle.com>
>
> This is probably a bad idea: maybe we want to stack-protect some parts of the system even when ! --enable-stack-protector. I can easily adjust the patch to do that (though it'll mean introducing a new variable analogous to $(stack-protector) but not controlled by the configure flag.)
>
> But if we wanted to value consistency over security, and use the same stack-protection configure flag to control everything, this is how we'd do it!
>
> ("Always include at least one patch with something obviously wrong with it.")
>
> * login/Makefile (pt_chown-cflags): Remove.
> * nscd/Makefile (CFLAGS-nscd): Likewise.
> * resolv/Makefile (CFLAGS-libresolv): Likewise.

I would like to see this go in. The existing logic is very misleading, particularly in resolv/Makefile, where nss_dns is *not* protected.

Thanks,
Florian
diff --git a/login/Makefile b/login/Makefile index 9ff36d6..1a6161c 100644 --- a/login/Makefile +++ b/login/Makefile @@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions ifeq (yesyes,$(have-fpie)$(build-shared)) pt_chown-cflags += $(pie-ccflag) endif -pt_chown-cflags += $(stack-protector) ifeq (yes,$(have-libcap)) libcap = -lcap endif diff --git a/nscd/Makefile b/nscd/Makefile index 50bad32..bfd72d5 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2 ifeq (yesyes,$(have-fpie)$(build-shared)) CFLAGS-nscd += $(pie-ccflag) endif -CFLAGS-nscd += $(stack-protector) ifeq (yesyes,$(have-fpie)$(build-shared)) LDFLAGS-nscd = -Wl,-z,now diff --git a/resolv/Makefile b/resolv/Makefile index 8be41d3..0395b1a 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \ -Dgetnetbyname=res_getnetbyname \ -Dgetnetbyaddr=res_getnetbyaddr -CFLAGS-libresolv += $(stack-protector) CFLAGS-res_hconf.c = -fexceptions # The BIND code elicits some harmless warnings.
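Review bot: In the login/Makefile hunk, removing `pt_chown-cflags += $(stack-protector)` means pt_chown, a target this Makefile already hardens on its own (PIE via `$(pie-ccflag)` when `$(have-fpie)$(build-shared)` is yesyes), now gets a stack protector only when the whole tree is configured with --enable-stack-protector; the cover text itself calls that "probably a bad idea". Suggest either keeping a per-target hardening variable that is not tied to the configure switch, as the cover text proposes, or stating explicitly in the commit message that an unprotected pt_chown is accepted in that configuration.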
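Review bot: In the nscd/Makefile hunk, the surrounding context keeps nscd's other hardening unconditional (`CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2`, PIE when fpie is available, `LDFLAGS-nscd = -Wl,-z,now`) while the stack protector alone becomes dependent on the configure flag, so nscd's per-target hardening is no longer applied as one set. Suggest either routing all of these through the same policy or adding a sentence to the commit message explaining why stack-protector is the only one that now follows --enable-stack-protector.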
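Review bot: In the resolv/Makefile hunk, dropping `CFLAGS-libresolv += $(stack-protector)` is justified by the review comment that the old per-library flag covered libresolv but not nss_dns, yet the ChangeLog entry only says "Likewise". Suggest stating in the commit message that after this change libresolv and nss_dns are both protected solely by the tree-wide --enable-stack-protector setting, so that a libresolv-only flag is not re-added later.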
From: Nick Alcock <nick.alcock@oracle.com>

This is probably a bad idea: maybe we want to stack-protect some parts of the system even when ! --enable-stack-protector. I can easily adjust the patch to do that (though it'll mean introducing a new variable analogous to $(stack-protector) but not controlled by the configure flag.)

But if we wanted to value consistency over security, and use the same stack-protection configure flag to control everything, this is how we'd do it!

("Always include at least one patch with something obviously wrong with it.")

* login/Makefile (pt_chown-cflags): Remove.
* nscd/Makefile (CFLAGS-nscd): Likewise.
* resolv/Makefile (CFLAGS-libresolv): Likewise.
---
 login/Makefile  | 1 -
 nscd/Makefile   | 1 -
 resolv/Makefile | 1 -
 3 files changed, 3 deletions(-)