Diffstat (limited to 'extra/Configs/Config.in')
-rw-r--r-- | extra/Configs/Config.in | 139 |
1 files changed, 79 insertions, 60 deletions
diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index e372dbfd1..509709b9e 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -205,20 +205,6 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
 little bit smaller and guarantee that no memory will be wasted by badly coded shared libraries.
-config UCLIBC_BUILD_PIE
- bool "Build utilities as ET_DYN/PIE executables"
- depends on HAVE_SHARED
- depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
- select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
- default n
- help
- If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
- This requires gcc-3.4 and binutils-2.15 or later.
- More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
- WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
- libraries have to be built with -fPIC or -fpic, and all assembler
- functions must be written as position independent code (PIC).
-
 config LDSO_LDD_SUPPORT
 bool "Native shared library loader 'ldd' support"
 depends on BUILD_UCLIBC_LDSO
@@ -283,52 +269,6 @@ config UCLIBC_CTOR_DTOR
 or dtors and want your binaries to be as small as possible, then answer N.
-config UCLIBC_HAS_SSP
- bool "Support for propolice stack protection"
- default n
- help
- Adds propolice protection to libc (__guard and __stack_smash_handler).
- More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
- To be able to use it, you'll also need a propolice patched gcc,
- supporting the -fstack-protector[-all] options. It is a specially patched
- gcc version, where __guard and __stack_smash_handler are removed from libgcc.
- Most people will answer N.
-
-choice
- prompt "Propolice protection blocking signal"
- depends on UCLIBC_HAS_SSP
- default PROPOLICE_BLOCK_ABRT if ! DODEBUG
- default PROPOLICE_BLOCK_SEGV if DODEBUG
- help
- "abort" use SIGABRT to block offending programs.
- This is the default implementation.
-
- "segfault" use SIGSEGV to block offending programs.
- Use this for debugging.
-
- "kill" use SIGKILL to block offending programs.
- Perhaps the best for security.
-
- If unsure, answer "abort".
-
-config PROPOLICE_BLOCK_ABRT
- bool "abort"
-
-config PROPOLICE_BLOCK_SEGV
- bool "segfault"
-
-config PROPOLICE_BLOCK_KILL
- bool "kill"
-
-endchoice
-
-config UCLIBC_BUILD_SSP
- bool "Build uClibc with propolice protection"
- depends on UCLIBC_HAS_SSP
- default n
- help
- Build all libraries and executables with propolice protection enabled.
-
 config HAS_NO_THREADS
 bool
 default n
@@ -1146,6 +1086,85 @@ config DEVEL_PREFIX
 endmenu
+
+menu "uClibc security related options"
+
+config UCLIBC_BUILD_PIE
+ bool "Build utilities as ET_DYN/PIE executables"
+ depends on HAVE_SHARED
+ depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
+ select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
+ default n
+ help
+ If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
+ It requires gcc-3.4 and binutils-2.15 or later.
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
+ WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
+ libraries have to be built with -fPIC or -fpic, and all assembler
+ functions must be written as position independent code (PIC).
+
+config UCLIBC_HAS_SSP
+ bool "Support for propolice stack protection"
+ default n
+ help
+ Adds propolice protection to libc (__guard and __stack_smash_handler).
+ More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
+ To be able to use it, you'll also need a propolice patched gcc,
+ supporting the -fstack-protector[-all] options. It is a specially patched
+ gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+ Most people will answer N.
+
+choice
+ prompt "Propolice protection blocking signal"
+ depends on UCLIBC_HAS_SSP
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
+ help
+ "abort" use SIGABRT to block offending programs.
+ This is the default implementation.
+
+ "segfault" use SIGSEGV to block offending programs.
+ Use this for debugging.
+
+ "kill" use SIGKILL to block offending programs.
+ Perhaps the best for security.
+
+ If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+ bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+ bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+ bool "kill"
+
+endchoice
+
+config UCLIBC_BUILD_SSP
+ bool "Build uClibc with propolice protection"
+ depends on UCLIBC_HAS_SSP
+ default n
+ help
+ Build all libraries and executables with propolice protection enabled.
+
+config UCLIBC_BUILD_RELRO
+ bool "Build uClibc with RELRO"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z relro.
+
+config UCLIBC_BUILD_NOW
+ bool "Build uClibc with NOW"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z now.
+
+endmenu
+
 menu "uClibc development/debugging options"
 config DODEBUG |
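Review bot: UCLIBC_BUILD_NOW (the last new option in this hunk) can be enabled without UCLIBC_BUILD_RELRO, but `-z now` is only a hardening measure when paired with `-z relro`: eager binding is what allows the linker to place the whole GOT inside the read-only RELRO region ("full RELRO"), whereas on its own it leaves the GOT writable and merely slows program start-up. I would add `depends on UCLIBC_BUILD_RELRO` to UCLIBC_BUILD_NOW, or at minimum state the pairing in its help text. Both new help texts are a single line that names the linker flag but not what it protects; for RELRO I would write `Marks the relocated sections (GOT, .dynamic, ctor/dtor tables) read-only once the dynamic linker has processed them, so an arbitrary-write bug can no longer redirect them.` and for NOW `Resolves all PLT entries at load time; together with RELRO this makes the entire GOT read-only, at the cost of slower start-up.` Whether either flag is actually applied to the libc shared-object link is decided in the Makefiles, which this hunk does not touch, so the "all libraries and executables" wording cannot be confirmed from here.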