Add PIE, PIC, BIND_NOW, SP, NO Rpath/RunPath, FS, Ftrapv and Strip compilation options.
PIC (-fPIC): Generates position-independent code and randomly loads dynamic libraries.
PIE (-fPIE -pie): Generates position-independent executables, which reduces the probability of fixed-address attacks and buffer overflow attacks.
BIND_NOW (-Wl,-z,relro,-z,now): The GOT table is made entirely read-only, which defends against ret2plt attacks.
SP (-fstack-protector-strong/all): Determines whether an overflow attack occurs.
Strip (-Wl,-s): Deleting symbol tables defends against hacker attacks and reduces the file size.
FS (-D_FORTIFY_SOURCE=2 -O2): Provides access checks for fixed-size buffers at compile time and at run time.
Ftrapv (-ftrapv): Detects integer overflow.
NO Rpath/RunPath (hardcode_into_libs=no): Eliminates dynamic library search paths, which defends against attacks that replace dynamic libraries with ones of the same name.
Signed-off-by: Qi Tao taoqi10@huawei.com
---
 Makefile.am | 2 ++
 conf.sh     | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/Makefile.am b/Makefile.am index d81e8cc..0eea8b8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,8 @@ ACLOCAL_AMFLAGS = -I m4 -I./include AUTOMAKE_OPTIONS = foreign subdir-objects AM_CFLAGS=-Wall -Werror -fno-strict-aliasing -I$(top_srcdir)/include +AM_CFLAGS += -fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \ +-O2 -ftrapv -Wl,-z,relro,-z,now -Wl,-s CLEANFILES =
if WITH_LOG_FILE diff --git a/conf.sh b/conf.sh index 59af821..aaa4187 100755 --- a/conf.sh +++ b/conf.sh @@ -18,3 +18,5 @@ ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure \ --target aarch64-linux-gnu \ --includedir=/usr/local/include/uadk \ $COMPILE_TYPE + +sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool \ No newline at end of file
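Review bot: in the Makefile.am hunk, the new `AM_CFLAGS += -fPIC -fPIE -pie ... -Wl,-z,relro,-z,now -Wl,-s` line applies executable-only and link-time options to every object and link in the tree, including the shared library. -fPIE/-pie are meant for program targets only (PIE code assumes no symbol interposition and -pie produces an executable, so on a -shared link it is at best ignored), and -Wl,-z,relro,-z,now and -Wl,-s are linker options that belong in AM_LDFLAGS (or a per-target _LDFLAGS) rather than AM_CFLAGS, where they only reach the final link by accident. Suggest keeping -fPIC for library objects, limiting -fPIE/-pie to the program targets, and moving the -Wl,... options to AM_LDFLAGS. Two further points worth a comment in the Makefile: -Wl,-s strips symbols from every build, including development builds, so stripping is usually left to the packaging step; and -ftrapv turns each signed overflow into a run-time abort, which is a behaviour change for a library that the commit message should call out explicitly rather than describe only as "Detects integer overflow".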
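Review bot: in the conf.sh hunk, `sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool` edits a generated file and never checks that the substitution happened (sed exits 0 whether or not the pattern matched), so the NO Rpath/RunPath property the commit message claims is neither verified nor durable: any later re-run of ./configure or libtoolize recreates libtool with hardcode_into_libs=yes. Suggest at least checking the result, e.g. `grep -q '^hardcode_into_libs=no' ./libtool || exit 1`, and adding a comment explaining why the generated libtool is patched. The added line also lacks a trailing newline (`\ No newline at end of file`); please add one.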