Diffstat (limited to 'extra/Configs/Config.in')
-rw-r--r--extra/Configs/Config.in31
1 files changed, 30 insertions, 1 deletions
diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index be80a3a7d..02eba213a 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -201,13 +201,14 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
config UCLIBC_PIE_SUPPORT
bool "Support ET_DYN in shared library loader"
select FORCE_SHAREABLE_TEXT_SEGMENTS
+ select UCLIBC_COMPLETELY_PIC
default n
help
If you answer Y here, the uClibc native shared library loader will
support ET_DYN/PIE executables.
It requires binutils-2.14.90.0.6 or later and the usage of the
-pie option.
- More about ET_DYN/PIE binaries on <http://pageexec.virtualave.net/> .
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
libraries have to be built with -fPIC or -fpic, and all assembler
functions must be written as position independent code (PIC).
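Review bot: The WARNING paragraph of the UCLIBC_PIE_SUPPORT help still names only FORCE_SHAREABLE_TEXT_SEGMENTS, although the added `select UCLIBC_COMPLETELY_PIC` now forces a second option on as well. A `select` sets the symbol regardless of what the user answered for it, so someone who chose N for UCLIBC_COMPLETELY_PIC gets it enabled without any hint in the text. I would change the first warning line to `WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS and UCLIBC_COMPLETELY_PIC, so all`. The help text may continue past the end of this hunk, so check that the rest of the paragraph still reads correctly.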
@@ -251,6 +252,34 @@ config UCLIBC_PROPOLICE
gcc version, were __guard and __stack_smash_handler are removed from libgcc.
Most people will answer N.
+choice
+ prompt "Propolice protection blocking signal"
+ depends on UCLIBC_PROPOLICE
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
+ help
+ "abort" use SIGABRT to block offending programs.
+ This is the default implementation.
+
+ "segfault" use SIGSEGV to block offending programs.
+ Use this for debugging.
+
+ "kill" use SIGKILL to block offending programs.
+ Perhaps the best for security.
+
+ If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+ bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+ bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+ bool "kill"
+
+endchoice
+
config HAS_NO_THREADS
bool
default n
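Review bot: The help text of the new choice never says what distinguishes the three signals, so "Perhaps the best for security" gives whoever configures the library nothing to decide on. SIGABRT and SIGSEGV can be caught by a handler the program itself installed and produce a core dump by default, while SIGKILL can be neither caught nor ignored and leaves no core file. Whether the propolice handler resets the signal disposition before raising it is not visible in this hunk and should be confirmed before the text claims anything about it. I would reword the last entry along the lines of `"kill" uses SIGKILL, which the program cannot catch or ignore; no core dump is written.` and note under "abort" and "segfault" that they leave a core file for analysis. In all three entries "use" should read "uses".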