[uClibc] hardening uclibc
Joakim Tjernlund
Joakim.Tjernlund at lumentis.se
Sat Oct 30 12:16:25 UTC 2004
> Hello
>
> I have thought of following enhancements:
>
> we change UCLIBC_PROPOLICE to UCLIBC_HAS_SSP (or HAS_PROPOLICE), this will
> only add ssp.c, but should also check for libgcc_s not having __guard,
> else we end up w/ double __guard.
>
> remove UCLIBC_PIE_SUPPORT (and build Scrt1.o on all archs if present)
>
> remove crt0.o, "this was only needed by the wrapper" citing Erik, so
> "replacing" crt0.o w/ Scrt1.o does not add more files to the sources
> we add a config option
>
> UCLIBC_SECURE_BUILD as generic security enhancement (only build related)
> and some options depending on the above
>
> UCLIBC_BUILD_SSP build w/ -fstack-protector[-all] everything that is
> possible (depends on UCLIBC_HAS_SSP too) and has to do the __guard check
> too in libgcc_s not ending up w/ 2 __guard symbols.
>
> UCLIBC_BUILD_PIE build ldd/iconv/readelf as PIE
>
> UCLIBC_BUILD_RELRO build everything w/ -z relro
>
> UCLIBC_BUILD_NOW build everything w/ -z now
> we could also add some optimization (add -O1 to ld) to compensate for
> -z now "slowness"
>
> Comments?
This sounds good to me.
Better keep the crt0 file(s) a while longer otherwise atleast one
person will be a bit grumpy :)
Jocke
More information about the uClibc
mailing list