Message ID | 1457882222-22599-14-git-send-email-nix@esperi.org.uk |
---|---|
State | New |
Headers | show |
Why do anything special here at all?
On 04/05/2016 12:47 AM, Roland McGrath wrote:
> Why do anything special here at all?
I think historically, we selectively enabled stack-protector in these
places because we deemed them high-value targets.
I think it's fine to have this subject to the global flag once we have t
hat. Do you agree?
Thanks,
Florian
diff --git a/login/Makefile b/login/Makefile index 9ff36d6..1a6161c 100644 --- a/login/Makefile +++ b/login/Makefile @@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions ifeq (yesyes,$(have-fpie)$(build-shared)) pt_chown-cflags += $(pie-ccflag) endif -pt_chown-cflags += $(stack-protector) ifeq (yes,$(have-libcap)) libcap = -lcap endif diff --git a/nscd/Makefile b/nscd/Makefile index 50bad32..bfd72d5 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2 ifeq (yesyes,$(have-fpie)$(build-shared)) CFLAGS-nscd += $(pie-ccflag) endif -CFLAGS-nscd += $(stack-protector) ifeq (yesyes,$(have-fpie)$(build-shared)) LDFLAGS-nscd = -Wl,-z,now diff --git a/resolv/Makefile b/resolv/Makefile index 8be41d3..0395b1a 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \ -Dgetnetbyname=res_getnetbyname \ -Dgetnetbyaddr=res_getnetbyaddr -CFLAGS-libresolv += $(stack-protector) CFLAGS-res_hconf.c = -fexceptions # The BIND code elicits some harmless warnings.
From: Nick Alcock <nick.alcock@oracle.com> This is probably a bad idea: maybe we want to stack-protect some parts of the system even when ! --enable-stack-protector. I can easily adjust the patch to do that (though it'll mean introducing a new variable analogous to $(stack-protector) but not controlled by the configure flag.) But if we wanted to value consistency over security, and use the same stack-protection configure flag to control everything, this is how we'd do it! ("Always include at least one patch with something obviously wrong with it.") * login/Makefile (pt_chown-cflags): Remove. * nscd/Makefile (CFLAGS-nscd): Likewise. * resolv/Makefile (CFLAGS-libresolv): Likewise. --- login/Makefile | 1 - nscd/Makefile | 1 - resolv/Makefile | 1 - 3 files changed, 3 deletions(-)