Commit Graph

28 Commits

Author SHA1 Message Date
Andre McCurdy
77fde15551 security_flags.inc: remove obsolete workarounds for curl
The curl configure script contains sanity checks for unexpected
options being passed via CFLAGS, LDFLAGS, etc. environment variables.

These sanity checks catch -Dxxx options in CFLAGS, which clashes with
OE's approach of using CFLAGS to pass -D_FORTIFY_SOURCE (curl's
configure script suggests, quite correctly, that -Dxxx options should
be passed via CPPFLAGS instead).

These sanity checks previously generated fatal errors, but have been
downgraded to warnings since curl v7.32. Therefore the workaround of
avoiding -D_FORTIFY_SOURCE for curl is obsolete and can be removed.

  5d3cbde72e

(From OE-Core rev: d0dfd7bf9b2d6fb269f4d9b62263fd7ccc805fde)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-19 17:37:34 +00:00
Andre McCurdy
3d19a1e10c security_flags.inc: disable -fstack-protector-XXX for valgrind
Valgrind (v3.11.0) expects to build with stack protection disabled
and includes -fno-stack-protector in its default CFLAGS. However, the
CFLAGS provided by OE are included on the compiler command line after
the defaults so any -fstack-protector-all / -fstack-protector-strong
option provided by security_flags.inc will cause problems.

 | .../build-bcm97425vms/tmp/work/mips32el-rdk-linux/valgrind/3.11.0-r0/valgrind-3.11.0/coregrind/m_mallocfree.c:892: undefined reference to `__stack_chk_guard'
 | .../build-bcm97425vms/tmp/work/mips32el-rdk-linux/valgrind/3.11.0-r0/valgrind-3.11.0/coregrind/m_mallocfree.c:947: undefined reference to `__stack_chk_fail'

(From OE-Core rev: ff4f46700a4810fcb49c58978b17af4f52fa9925)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-07 13:40:15 +00:00
Alexander Kanavin
e552b25530 webkit-gtk: remove the recipe for the obsolete version 1.8.3
webkitgtk 2.8.3 is provided instead and midori browser is replaced by epiphany in
separate commits.

(From OE-Core rev: 1a72dc9c44c7806c869c3b3afcd5d31bcf2da979)

(From OE-Core rev: 68a1e346751c4d644a14035b0d7acf01d212f38c)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-09-14 20:46:37 +01:00
Topi Kuutela
ad841dbb66 security_flags.inc: disable -pie and -fpie from Python3 compilation.
If security_flags.inc is 'required' into the image, -pie and -fpie options
are added to CFLAGS. These are not compatible with the -shared GCC option.
The result is several errors of the following form and missing Python3
modules in the image:

    *.o In function `_start': *.S undefined reference to `main'
    collect2: error: ld returned 1 exit status

(From OE-Core rev: 94818c5240b793464700945d0cf057bffb9e1008)

Signed-off-by: Topi Kuutela <topi.kuutela@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-08-09 00:14:03 -07:00
Richard Purdie
997893e928 security-flags: Disable PIE for coreutils, elfutils, gcc, iptables
With gcc 5, we need to disable the PIE flags for more recipes in order
to have successful builds.

(From OE-Core rev: ec2f1b5af102ab6a8fcc23bf115c8f0451ab7eb8)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-07-27 23:29:15 +01:00
Joe Slater
abe6459c28 security_flags: eliminate FORTIFY_SOURCE for debug builds
If -D_FORTIFY_SOURCE=2 is included in CFLAGS for debug builds,
many warnings will be generated and some packages will fail to
build. So, only conditionally include it.

(From OE-Core rev: 1b576012a6a2b2ebc2c507cdaebd62174810b191)

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-07-08 00:01:23 +01:00
Andre McCurdy
de18f7595f security_flags.inc: remove duplicated overrides
The following overrides were both defined twice:

  SECURITY_CFLAGS_pn-grub-efi-x86-64-native
  SECURITY_CFLAGS_pn-ltp

(From OE-Core rev: dfae10889ab0fce2bae94294a78f4ea0aaf1b81e)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-06-23 11:46:56 +01:00
Richard Purdie
1c5e37acb9 security_flags: Add comment about what it does and who uses it
It was pointed out that people couldn't easily see who used this or
why, so add some comments about that.

(From OE-Core rev: 67f09e9086b8fb1c0c8a1dd19419afb1a5af8daf)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-05-30 22:26:12 +01:00
Richard Purdie
d6507726bf security_flags: Add python-numpy to pie incompatible list
With poky-lsb (security flags enabled), python-numpy doesn't build
with pie flags.

(From OE-Core rev: d4694ac5e18db1d0db314d0d8b1104c073037a60)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-05-03 11:43:52 +01:00
Denys Dmytriyenko
7c63dc263f security_flags.inc: elfutils on ARM fails with PIE flags
The error messages look like this:
R_ARM_TLS_LE32 relocation not permitted in shared object

(From OE-Core rev: a915adfd1eaad9a0d65dffe9da92811284e491c8)

Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-04-09 07:43:50 +01:00
Ross Burton
bf59b22d14 security_flags: remove PIE flags from flex and gstreamer1.0-plugins-bad
These recipes both fail to build with "relocation R_X86_64_PC32 against
undefined hidden symbol `__init_array_start' can not be used when making a
shared object" when using PIE.

(From OE-Core rev: 37e6e62f0faae3fa16421b051599aea0e03a5825)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-03-02 18:04:27 +00:00
Ross Burton
08c64b5af6 security_flags: disable PIE on expect
Disable PIE in expect as otherwise it tries to link the shared library as an
executable.

(From OE-Core rev: fe1f5c90eede593100fe57630d39cf329e59ef8f)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-01-29 15:36:52 +00:00
Dan McGregor
166015c809 gcc-sanitizers: Enable GCC sanitizers
AddressSanitizer is a fast memory error detector.
ThreadSanitizer detects data races.
UBSanitizer detects undefined behaviour.

All consist of compiler instrumentation and a run-time library.
The compiler instrumentation was already enabled, this builds
the run-time library component.

(From OE-Core rev: 1709bf0c3a84bb04bc52e9104ad8e09fba6c6f91)

Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-01-23 11:36:29 +00:00
Saul Wold
85326e2baa security_flags: disable pie support for libaio, blktrace and ltp
libaio, when built with pie and fpie, does not link correctly with blktrace or ltp,
so we need to disable those flags until a better solution comes along.

(From OE-Core rev: 4fbf13a6c28fc1170a4defbf50032546a14eaa59)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-01-16 23:08:21 +00:00
Richard Purdie
2059a6607d security_flags: Fix typo for cups
(From OE-Core rev: 146b1ea632294b2830e2cfe2d1258d48cd0c0e85)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-12-19 18:08:03 +00:00
Khem Raj
00f33ffc80 distro: TCLIBC now defines glibc instead of eglibc
Adjust naming conventions to reflect eglibc->glibc move

(From OE-Core rev: ce3f296ec9021d207cb80cb2c697932b83fd0e81)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-09-01 18:02:21 +01:00
Saul Wold
4df2d018a1 security_flags: Update to correctly link X modules
Remove the -z,now flag from linking

[YOCTO #5885]

(From OE-Core rev: 545986bfbfe20f2b6e8a46e88e2cc3007ca344e6)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-03-05 15:50:22 +00:00
Richard Purdie
5ab9d7e28f security-flags: Avoid lttng-tools issue on arm
(From OE-Core rev: 010d5b437413156c3f4dc90a14698231bb195c2e)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-26 13:48:21 +00:00
Richard Purdie
4f976b8fa9 security-flags: Deal with powerpc build issues
Building powerpc machines with the standard security flags generated numerous
build failures. Use a reduced set of flags for now to avoid linker issues
and other compile failures.

(From OE-Core rev: 4ef8f658874282ead0c46352474fdb03ad1f1038)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-26 13:48:21 +00:00
Saul Wold
8117e01147 security_flags: disable PIE flags for cups builds
(From OE-Core rev: c564bffe7a32470578a22b70e868e7bec2da0a69)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-26 13:48:20 +00:00
Saul Wold
e26908ea5f security_flags: db can't use pie flags from gcc for security build
[YOCTO #5721]

(From OE-Core rev: 0cfe254e7eafed27f512216cccfb7fee76fc0be7)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-01-14 17:03:57 +00:00
Saul Wold
fce85451b3 security_flags: add the rest of the grub-efi related packages
[YOCTO #5515]

(From OE-Core rev: 840fd855a47b0a557911ae0542ed24a047af6d7b)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-01-06 11:13:54 +00:00
Saul Wold
2961b58640 security_flags: more relocation issues
These are similar relocation R_X86_64_PC32 issues that are solved by
removing the -pie flags.

[YOCTO #5515]

(From OE-Core rev: cd94dd3d9bba32c3fd55959586128b236d1d4e34)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-18 17:24:07 +00:00
Saul Wold
ecba84867d security_flags: Add entry for openssl
It seems we might be stumbling over an obscure linkage issue, possibly
similar to http://marc.info/?l=openssl-dev&m=130132183118768&w=2

This issue appears for x86-64 systems with the PIE related compiler flags.

libcrypto.a(cryptlib.o): relocation R_X86_64_PC32 against symbol
`OPENSSL_showfatal' can not be used when making a shared object; recompile with -fPIC

The error suggests recompiling with -fPIC, but it is already compiled that
way.

Disabling the PIE flags makes it work for now; I have posted to the openssl ML.

[YOCTO #5515]

(From OE-Core rev: 55e1c0e66fd16612016b3e415cbfa4e3051e5a8f)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-05 14:24:42 +00:00
Saul Wold
4b6db00cb4 security_flags: grub-efi-native does not build with flags enabled
[YOCTO #5505]

(From OE-Core rev: db628ccad9db49d0e83fb534ddfb05a57132f2fa)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-11-24 12:25:33 +00:00
Ross Burton
015cb13a67 mesa-gl: add GL-only Mesa recipe
Some machines have hardware-specific GL drivers that do EGL and GLES (many ARM
boards).  Others have their own EGL/GLES drivers and provide a Mesa DRI driver
(EMGD).  Previously adding Mesa, for software GL/GLX rendering in the first case
and hardware GLX in the second, involved bbappends and changing Mesa to be
machine-specific.

By adding a just-GL Mesa the machine definition can combine it with the hardware
drivers cleanly.

(From OE-Core rev: f5a3a4bc33109181c741a2e66c13d0b45566e8fa)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-09-17 19:34:55 +01:00
Saul Wold
723ab4a892 security_flags: Add additional recipes to the non-PIE list
Create a local SECURITY_NO_PIE_CFLAGS to cover the recipes that have
issues with pic and pie cflags set.

(From OE-Core rev: 4f5009dcbbeb27bdf5dcaebb3b457fecef410ebe)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-10 09:42:05 +01:00
Saul Wold
6c290e4a35 security_flags: Add the compiler and linker flags that enhance security
These flags add additional checks at compile, link and runtime to prevent
stack smashing, check for buffer overflows, and link at program start
to prevent call spoofing later.

This needs to be explicitly enabled by adding the following line to your
local.conf:

require conf/distro/include/security_flags.inc

[YOCTO #3868]

(From OE-Core rev: ff0e863f2d345c42393a14a193f76d699745a2b9)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-02 22:26:57 +01:00