[uClibc] hardening uclibc

Joakim Tjernlund Joakim.Tjernlund at lumentis.se
Sat Oct 30 12:16:25 UTC 2004


> Hello
> 
> I have thought of following enhancements:
> 
> we change UCLIBC_PROPOLICE to UCLIBC_HAS_SSP (or HAS_PROPOLICE), this will 
> only add ssp.c, but should also check for libgcc_s not having __guard, 
> else we end up w/ double __guard.
> 
> remove UCLIBC_PIE_SUPPORT (and build Scrt1.o on all archs if present)
> 
> remove crt0.o, "this was only needed by the wrapper" citing Erik, so  
> "replacing" crt0.o w/ Scrt1.o does not add more files to the sources
> we add a config option
> 
> UCLIBC_SECURE_BUILD as generic security enhancement (only build related)
> and some options depending on the above
> 
> UCLIBC_BUILD_SSP build w/ -fstack-protector[-all] everything that is 
> possible (depends on UCLIBC_HAS_SSP too) and has to do the __guard check 
> too in libgcc_s not ending up w/ 2 __guard symbols.
> 
> UCLIBC_BUILD_PIE build ldd/iconv/readelf as PIE
> 
> UCLIBC_BUILD_RELRO build everything w/ -z relro
> 
> UCLIBC_BUILD_NOW build everything w/ -z now
> we could also add some optimization (add -O1 to ld) to compensate for 
> -z now "slowness"
> 
> Comments?

This sounds good to me.
Better keep the crt0 file(s) a while longer, otherwise at least one
person will be a bit grumpy :)

 Jocke
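The options proposed in the quoted message (-z relro, -z now, PIE, and the single-__guard rule for SSP) each leave a visible trace in the built ELF files. As an added example, not code from this thread or from uClibc, the following POSIX shell script checks those traces; it assumes binutils readelf and nm for real files and otherwise runs on constructed sample output embedded below.

```shell
#!/bin/sh
# Added example, not from the uClibc thread: inspect a built ELF file for the
# effects of the proposed UCLIBC_BUILD_RELRO / _NOW / _PIE options, and count
# __guard definitions across libc and libgcc_s for the "double __guard" case.
# The checks parse readelf/nm text, so they also run on constructed samples.

has_relro() {   # -z relro adds a GNU_RELRO program header
  printf '%s\n' "$1" | grep -q 'GNU_RELRO'
}
has_now() {     # -z now sets DT_FLAGS BIND_NOW and/or DT_FLAGS_1 NOW
  printf '%s\n' "$1" | grep -Eq 'BIND_NOW|Flags:.* NOW'
}
is_pie() {      # a PIE executable has ELF type DYN instead of EXEC
  printf '%s\n' "$1" | grep -Eq 'Type:[[:space:]]+DYN'
}
yn() { if "$@"; then echo yes; else echo no; fi; }

# Summarise one object's `readelf -h -l -d` output as a one-line report.
hardening_report() {
  echo "relro=$(yn has_relro "$1") now=$(yn has_now "$1") pie=$(yn is_pie "$1")"
}

# Count global data definitions of __guard in `nm` output (B/D/G/R sections).
# More than one across libc and libgcc_s means two guards got linked in.
count_guard_defs() {
  printf '%s\n' "$1" | grep -cE '^[0-9a-fA-F]+ [BDGR] __guard$' || true
}

# Wrappers for real files (need binutils readelf/nm), e.g.
#   check_file ./ldd ; check_guard lib/libc.so.0 lib/libgcc_s.so.1
check_file()  { hardening_report "$(readelf -h -l -d "$1")"; }
check_guard() { count_guard_defs "$(nm "$@")"; }

# Constructed samples standing in for readelf/nm output (not real binaries).
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000e30 0x00001e30 0x00001e30 0x001d0 0x001d0 R   0x1
 0x0000001e (FLAGS)                      BIND_NOW
 0x6ffffffb (FLAGS_1)                    Flags: NOW PIE'
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
  LOAD           0x000000 0x08048000 0x08048000 0x00560 0x00560 R E 0x1000
 0x00000001 (NEEDED)                     Shared library: [libc.so.0]'
SAMPLE_NM_DOUBLE='libc.so.0:
0002f1c0 B __guard
libgcc_s.so.1:
00012340 D __guard'

if [ $# -gt 0 ]; then check_file "$1"; else hardening_report "$SAMPLE_HARDENED"; fi
```

A shared library is always of type DYN, so the pie= field is only meaningful for the executables (ldd, iconv, readelf) the proposal targets.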
