00-README.conf               |   2 +-
 Makefile.common              |   4 ++--
 README                       |  16 ++++++++++++----
 configure.ac                 |  18 ++++++++++++++++++
 tools/cluster_sim_uml/README |   2 +-
 5 files changed, 34 insertions(+), 8 deletions(-)


By default, build with the extra hardening flags "-D_FORTIFY_SOURCE=2
-fstack-protector" for improved security and enhanced run-time error
detection. The flags can be overridden by setting the environment variable
OSAF_HARDEN_FLAGS when building OpenSAF.

Note that -D_FORTIFY_SOURCE=2 is only enabled in optimized builds. To reduce the
risk that a user accidentally builds without optimization by overriding the
default CFLAGS and/or CXXFLAGS, the README files have been updated to recommend
passing preprocessor definitions using CPPFLAGS instead of CFLAGS.

diff --git a/00-README.conf b/00-README.conf
--- a/00-README.conf
+++ b/00-README.conf
@@ -85,7 +85,7 @@ file does not have to be changed unless:
 - OpenSAF should run as a different UNIX group and user than the default 
'opensaf'
   group/user.
 
-       If OpenSAF was built with the flags "CFLAGS=-DRUNASROOT", then
+       If OpenSAF was built with the flags "CPPFLAGS=-DRUNASROOT", then
        change OPENSAF_GROUP and OPENSAF_USER to root i.e. for old (<4.2) 
behaviour.
 
        For any other user, change OPENSAF_GROUP and OPENSAF_USER accordingly
diff --git a/Makefile.common b/Makefile.common
--- a/Makefile.common
+++ b/Makefile.common
@@ -12,8 +12,8 @@ AM_CPPFLAGS = \
        $(CORE_INCLUDES) \
        $(all_includes)
 
-AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC
-AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -D__STDC_FORMAT_MACROS
+AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC @OSAF_HARDEN_FLAGS@
+AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -D__STDC_FORMAT_MACROS 
@OSAF_HARDEN_FLAGS@
 AM_LDFLAGS = -ldl -lrt -lpthread
 
 #
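Review bot: Appending `@OSAF_HARDEN_FLAGS@` to `AM_CFLAGS` and `AM_CXXFLAGS` only hardens targets that actually use those variables. In automake a per-target `<name>_CFLAGS` or `<name>_CXXFLAGS` replaces `AM_CFLAGS` for that target, so any Makefile.am that sets one without `$(AM_CFLAGS)` would be built without the flags. Whether such targets exist is not visible from this hunk, so it is worth grepping the tree for them and checking the built binaries for references to `__stack_chk_fail` and the `__*_chk` fortify wrappers (for example with `readelf -s`). A short comment above the two assignments, such as `# @OSAF_HARDEN_FLAGS@ is set by configure; -D_FORTIFY_SOURCE=2 is only included in optimized builds`, would record where the value comes from.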
diff --git a/README b/README
--- a/README
+++ b/README
@@ -293,7 +293,7 @@ 1.1.1, 1.1.2 etc.
 To re-enable the old (pre 4.3) non flat addressing, configure the constant
 MDS_USE_SUBSLOT_ID=1 at configure time as in:
 
-    % ./configure CFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
+    % ./configure CPPFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
 
 In the non flat scheme, the slot ID is shifted up 4 bits and subslot ID is 
 added in the 4 LSB. The consequence of this is reduced number of
@@ -308,7 +308,7 @@ 2) Run as root (optional)
 If the old (<4.2) behaviour of running all processes as root is desired, use
 the following configure command:
 
-    % ./configure CFLAGS=-DRUNASROOT
+    % ./configure CPPFLAGS=-DRUNASROOT
 
 
 3) Configure TIPC importance (optional)
@@ -317,13 +317,21 @@ The default TIPC importance is LOW for a
 In some cases the default importance must be changed if e.g. an application 
starves the LOW importance communication level.
 To change the default importance, use the following configure command
 
-   % ./configure CFLAGS=-DTIPCIMPORTANCE=level
+   % ./configure CPPFLAGS=-DTIPCIMPORTANCE=level
    where level is any of TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE or 
TIPC_HIGH_IMPORTANCE
-   e.g. configure CFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
+   e.g. configure CPPFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
 
 Note: Giving same importance to AVND & all other Opensaf models is not 
preferred option. The behavior is unsupported.
 
 
+4) Configure GCC hardening options (optional)
+
+By default, the options "-fstack-protector -D_FORTIFY_SOURCE=2" are passed to
+GCC for improved security. You can override these options by setting the
+OSAF_HARDEN_FLAGS when configuring OpenSAF. For example:
+
+   % ./configure OSAF_HARDEN_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
 If you are using a released archive (dist tarball) follow the simple common
 steps:
 
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -545,6 +545,22 @@ if test "$enable_imm_pbe" = yes; then
        PKG_CHECK_MODULES([SQLITE3], [sqlite3])
 fi
 
+if test -z "$OSAF_HARDEN_FLAGS"; then
+       # _FORTIFY_SOURCE requires optimization, so only enable it in optimized
+       # builds, i.e. when -O is present in both CFLAGS and CXXFLAGS.
+       if echo "${CFLAGS}" | grep -q -- -O; then
+               if echo "${CXXFLAGS}" | grep -q -- -O; then
+                       OSAF_HARDEN_FLAGS="-D_FORTIFY_SOURCE=2"
+               fi
+       fi
+       # Also check for -O0 (which explicitly disables optimisation)
+       if echo "${CFLAGS} ${CXXFLAGS}" | grep -q -- -O0; then
+               OSAF_HARDEN_FLAGS=""
+       fi
+       OSAF_HARDEN_FLAGS="${OSAF_HARDEN_FLAGS} -fstack-protector"
+fi
+AC_SUBST(OSAF_HARDEN_FLAGS)
+
 #############################################
 # Checks for header files.
 #############################################
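Review bot: The default flags chosen in this block are never tested against the compiler, so a toolchain without `-fstack-protector` support, or one that already predefines `_FORTIFY_SOURCE` at a different level, would only fail later in `make`. Makefile.common builds with `-Werror`, so even a macro-redefinition warning may be fatal there. A compile-and-link probe of `$OSAF_HARDEN_FLAGS` with `AC_LINK_IFELSE` before the `AC_SUBST`, plus `OSAF_HARDEN_FLAGS="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"` for the define, would turn that into a clear configure-time message. Separately, `test -z "$OSAF_HARDEN_FLAGS"` cannot tell unset from empty, so `./configure OSAF_HARDEN_FLAGS=` silently gets the defaults back; `if test -z "${OSAF_HARDEN_FLAGS+set}"; then` would keep an explicit empty value. The `grep` tests are substring matches on the whole flag string, so `-O0` followed by a later `-O2` still drops fortification even though the build is optimized.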
@@ -925,8 +941,10 @@ echo ""
 echo " Compiling Options:"
 echo "${ECHO_T}  C Compiler: ${CC}"
 echo "${ECHO_T}  C++ Compiler: ${CXX}"
+echo "${ECHO_T}  CPPFLAGS: ${CPPFLAGS} ${AM_CPPFLAGS}"
 echo "${ECHO_T}  CFLAGS: ${CFLAGS} ${AM_CFLAGS}"
 echo "${ECHO_T}  CXXFLAGS: ${CXXFLAGS} ${AM_CXXFLAGS}"
+echo "${ECHO_T}  OSAF_HARDEN_FLAGS: ${OSAF_HARDEN_FLAGS}"
 echo "${ECHO_T}  LDFLAGS: ${LDFLAGS}"
 echo "${ECHO_T}  Enable RPATH: ${enable_rpath}"
 
diff --git a/tools/cluster_sim_uml/README b/tools/cluster_sim_uml/README
--- a/tools/cluster_sim_uml/README
+++ b/tools/cluster_sim_uml/README
@@ -77,7 +77,7 @@ When the UML root file system is generat
 DESTDIR set to the UML root file system. Make sure you have a default 
 configured Opensaf like this:
 
-$ ./configure CFLAGS=-DRUNASROOT
+$ ./configure CPPFLAGS=-DRUNASROOT
 
 - Execute './build_uml'.
 
