summaryrefslogtreecommitdiff
path: root/extra
diff options
context:
space:
mode:
Diffstat (limited to 'extra')
-rw-r--r--extra/Configs/Config.in139
1 files changed, 79 insertions, 60 deletions
diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index e372dbfd1..509709b9e 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -205,20 +205,6 @@ config FORCE_SHAREABLE_TEXT_SEGMENTS
little bit smaller and guarantee that no memory will be wasted by badly
coded shared libraries.
-config UCLIBC_BUILD_PIE
- bool "Build utilities as ET_DYN/PIE executables"
- depends on HAVE_SHARED
- depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
- select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
- default n
- help
- If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
- This requires gcc-3.4 and binutils-2.15 or later.
- More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
- WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
- libraries have to be built with -fPIC or -fpic, and all assembler
- functions must be written as position independent code (PIC).
-
config LDSO_LDD_SUPPORT
bool "Native shared library loader 'ldd' support"
depends on BUILD_UCLIBC_LDSO
@@ -283,52 +269,6 @@ config UCLIBC_CTOR_DTOR
or dtors and want your binaries to be as small as possible, then
answer N.
-config UCLIBC_HAS_SSP
- bool "Support for propolice stack protection"
- default n
- help
- Adds propolice protection to libc (__guard and __stack_smash_handler).
- More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
- To be able to use it, you'll also need a propolice patched gcc,
- supporting the -fstack-protector[-all] options. It is a specially patched
- gcc version, where __guard and __stack_smash_handler are removed from libgcc.
- Most people will answer N.
-
-choice
- prompt "Propolice protection blocking signal"
- depends on UCLIBC_HAS_SSP
- default PROPOLICE_BLOCK_ABRT if ! DODEBUG
- default PROPOLICE_BLOCK_SEGV if DODEBUG
- help
- "abort" use SIGABRT to block offending programs.
- This is the default implementation.
-
- "segfault" use SIGSEGV to block offending programs.
- Use this for debugging.
-
- "kill" use SIGKILL to block offending programs.
- Perhaps the best for security.
-
- If unsure, answer "abort".
-
-config PROPOLICE_BLOCK_ABRT
- bool "abort"
-
-config PROPOLICE_BLOCK_SEGV
- bool "segfault"
-
-config PROPOLICE_BLOCK_KILL
- bool "kill"
-
-endchoice
-
-config UCLIBC_BUILD_SSP
- bool "Build uClibc with propolice protection"
- depends on UCLIBC_HAS_SSP
- default n
- help
- Build all libraries and executables with propolice protection enabled.
-
config HAS_NO_THREADS
bool
default n
@@ -1146,6 +1086,85 @@ config DEVEL_PREFIX
endmenu
+
+menu "uClibc security related options"
+
+config UCLIBC_BUILD_PIE
+ bool "Build utilities as ET_DYN/PIE executables"
+ depends on HAVE_SHARED
+ depends on TARGET_i386 || TARGET_powerpc || TARGET_frv
+ select FORCE_SHAREABLE_TEXT_SEGMENTS if BUILD_UCLIBC_LDSO
+ default n
+ help
+ If you answer Y here, ldd and iconv are built as ET_DYN/PIE executables.
+ It requires gcc-3.4 and binutils-2.15 or later.
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
+ WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
+ libraries have to be built with -fPIC or -fpic, and all assembler
+ functions must be written as position independent code (PIC).
+
+config UCLIBC_HAS_SSP
+ bool "Support for propolice stack protection"
+ default n
+ help
+ Adds propolice protection to libc (__guard and __stack_smash_handler).
+ More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
+ To be able to use it, you'll also need a propolice patched gcc,
+ supporting the -fstack-protector[-all] options. It is a specially patched
+ gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+ Most people will answer N.
+
+choice
+ prompt "Propolice protection blocking signal"
+ depends on UCLIBC_HAS_SSP
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
+ help
+ "abort" use SIGABRT to block offending programs.
+ This is the default implementation.
+
+ "segfault" use SIGSEGV to block offending programs.
+ Use this for debugging.
+
+ "kill" use SIGKILL to block offending programs.
+ Perhaps the best for security.
+
+ If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+ bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+ bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+ bool "kill"
+
+endchoice
+
+config UCLIBC_BUILD_SSP
+ bool "Build uClibc with propolice protection"
+ depends on UCLIBC_HAS_SSP
+ default n
+ help
+ Build all libraries and executables with propolice protection enabled.
+
+config UCLIBC_BUILD_RELRO
+ bool "Build uClibc with RELRO"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z relro.
+
+config UCLIBC_BUILD_NOW
+ bool "Build uClibc with NOW"
+ depends on BUILD_UCLIBC_LDSO
+ default n
+ help
+ Build all libraries and executables with -z now.
+
+endmenu
+
menu "uClibc development/debugging options"
config DODEBUG