[gnome-continuous-yocto/gnomeostree-3.28-rocko: 6639/8267] gcc: Introduce a knob to configure gcc to default to PIE

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 6639/8267] gcc: Introduce a knob to configure gcc to default to PIE
Date: Sun, 17 Dec 2017 05:07:39 +0000 (UTC)

commit c91314ec160420a320007d552cec6c7da4d54833
Author: Khem Raj <raj khem gmail com>
Date:   Sat Jun 10 07:51:58 2017 -0700

    gcc: Introduce a knob to configure gcc to default to PIE
    
    GCCPIE flag which is empty by default adds "--enable-default-pie"
    configure option for harderned distros
    
    We do not require to add -fpie -pie flag externally anymore
    
    (From OE-Core rev: 1c7e195c94764d680a12a49b870f04cd58860f81)
    
    Signed-off-by: Khem Raj <raj khem gmail com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 meta/conf/distro/include/security_flags.inc        |    4 +++-
 meta/recipes-devtools/gcc/gcc-configure-common.inc |    3 +++
 2 files changed, 6 insertions(+), 1 deletions(-)
---
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 38164d0..f2eb224 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,6 +5,8 @@
 # From a Yocto Project perspective, this file is included and tested
 # in the DISTRO="poky-lsb" configuration.
 
+GCCPIE ?= "--enable-default-pie"
+
 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
 # -O0 which then results in a compiler warning.
 lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
@@ -12,7 +14,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
 # Error on use of format strings that represent possible security problems
 SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
 
-SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
+SECURITY_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 
 SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc 
b/meta/recipes-devtools/gcc/gcc-configure-common.inc
index 63fa1d9..e2ce234 100644
--- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
@@ -22,6 +22,8 @@ EXTRA_OECONF_INITIAL ?= ""
 GCCMULTILIB ?= "--disable-multilib"
 GCCTHREADS ?= "posix"
 
+GCCPIE ??= ""
+
 EXTRA_OECONF = "\
     ${@['--enable-clocale=generic', ''][d.getVar('USE_NLS') != 'no']} \
     --with-gnu-ld \
@@ -29,6 +31,7 @@ EXTRA_OECONF = "\
     --enable-languages=${LANGUAGES} \
     --enable-threads=${GCCTHREADS} \
     ${GCCMULTILIB} \
+    ${GCCPIE} \
     --enable-c99 \
     --enable-long-long \
     --enable-symvers=gnu \

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]