buildroot: move hardening options into separate file

Signed-off-by: Steven Barth <steven@midlink.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46070 3c298f89-4303-0410-b956-a3cf2f4a3e73

1 files changed, 55 insertions, 0 deletions

diff --git a/include/hardening.mk b/include/hardening.mk
new file mode 100644
index 0000000000..8a24b3ca15
--- /dev/null
+++ b/include/hardening.mk
@@ -0,0 +1,55 @@
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_CC_STACKPROTECTOR_REGULAR ?= 1
+PKG_CC_STACKPROTECTOR_STRONG ?= 1
+PKG_FORTIFY_SOURCE_1 ?= 1
+PKG_FORTIFY_SOURCE_2 ?= 1
+PKG_RELRO_PARTIAL ?= 1
+PKG_RELRO_FULL ?= 1
+
+ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
+  ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
+    TARGET_CFLAGS += -Wformat -Werror=format-security
+  endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
+  ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1)
+    TARGET_CFLAGS += -fstack-protector
+    TARGET_LDFLAGS += -fstack-protector
+  endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
+  ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1)
+    TARGET_CFLAGS += -fstack-protector-strong
+    TARGET_LDFLAGS += -fstack-protector-strong
+  endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_1
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
+  endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_2
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
+  endif
+endif
+ifdef CONFIG_PKG_RELRO_PARTIAL
+  ifeq ($(strip $(PKG_RELRO_PARTIAL)),1)
+    TARGET_CFLAGS += -Wl,-z,relro
+    TARGET_LDFLAGS += -zrelro
+  endif
+endif
+ifdef CONFIG_PKG_RELRO_FULL
+  ifeq ($(strip $(PKG_RELRO_FULL)),1)
+    TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
+    TARGET_LDFLAGS += -znow -zrelro
+  endif
+endif
+