Hmmm, I am having some trouble repeating my original result.

Yesterday I am sure I had no NX on binaries produced by uClibc. Today now even
after rebuilding my cross compiler I have a bizarre situation where I have
UCLIBC_BUILD_NOEXECSTACK _unset_ and backed out my other changes, and yet the
new binaries _still_ report as having NX on the ELF file.

Things are complicated because I am trying to debug the uClibc build from
within the OpenWRT build, and each pass takes quite a while *sigh*. I definitely
had a condition where I had UCLIBC_BUILD_NOEXECSTACK set but it was not having the
designed effect, but perhaps it was a spurious or caching condition.

In fact I just found another older build directory which definitely has some
of the uClibc so files without the NX flag. So I wasn't seeing things.

So I am going to bite the bullet and revert back to the trunk in a fresh
working copy and wait for a very long time for that to build. And try and work
out what is going on.

In the meantime I hope I didn't cause anyone too much grief, security can be a
fraught topic. I'll post back when I can reliably work out what is going on
with my build.

--Andrew

---
http://blog.oldcomputerjunk.net


On 25/08/14 10:36, b...@andrewmcdonnell.net wrote:
> Hi,
> 
> I have been playing with uClibc on some embedded Linux systems, and trying out
> some hardening techniques.
> 
> When I tested the .so files built by uClibc (using the checksec.sh tool from
> http://www.trapkit.de/tools/checksec.html, which is basically a wrapper around
> readelf), the files do not exhibit the GNU_STACK flag.
> 
> What I would like to do is actually build with the linker option
> '-Wl,-z,noexecstack' as per
> http://www.win.tue.nl/~aeb/linux/hh/protection.html or
> http://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart (for just two
> examples). I eventually managed to do this by using and patching Config.in
> (0.9.33.2) to recognise UCLIBC_LDFLAGS_EXTRA, after which the .so files had
> the relevant flag. (I can post that patch to enable UCLIBC_LDFLAGS_EXTRA
> separately)
> 
> One thing I noticed is that uClibc has a Config setting
> UCLIBC_BUILD_NOEXECSTACK but all this seems to do is pass the relevant flag to
> the assembler and not to the linker. The gentoo hardening guide applies the
> flag to both assembler and linker stage.
> 
> According to Config.in help: "Mark all assembler files as noexecstack. This
> will result in marking
>       all libraries and executables built against uClibc not requiring
>       executable stack."
> 
> I guess the gap in my knowledge is how uClibc, by only applying to assembler
> files, meets "marking all libraries and executables" when the GNU_STACK flag
> is missing from the ELF images? Note it has been a very long time since I
> coded in anger (as opposed to disassembled) any assembly language, so I could
> well be misunderstanding something!
> 
> thanks,
> Andrew
> 
> ---
> 
> http://blog.oldcomputerjunk.net
> _______________________________________________
> uClibc mailing list
> uClibc@uclibc.org
> http://lists.busybox.net/mailman/listinfo/uclibc


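The check the original post describes (checksec wrapping readelf) boils down to inspecting the program headers for a PT_GNU_STACK entry and its execute bit. This is an added example, not code from the thread or from uClibc: it parses ELF32/ELF64 headers directly and classifies an image as "nx", "execstack" or "missing". The sample images are constructed inline (headers only, not loadable) so it runs offline; `build_sample_elf` and `scan` are names chosen here, not anything from the page.

```python
import struct

PT_GNU_STACK = 0x6474E551  # p_type GNU ld emits to record stack permissions
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_status(elf: bytes) -> str:
    """Classify like checksec's NX column: 'nx' when PT_GNU_STACK is present
    without PF_X, 'execstack' when it carries PF_X, 'missing' when the linker
    emitted no PT_GNU_STACK at all (the case seen on the uClibc .so files)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if is64:   # e_phoff @0x20 (8 bytes); e_phentsize, e_phnum @0x36
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:      # e_phoff @0x1C (4 bytes); e_phentsize, e_phnum @0x2A
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags are the first two words
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:      # Elf32_Phdr: p_type first, p_flags at byte 24
            (p_type,) = struct.unpack_from(end + "I", elf, off)
            (p_flags,) = struct.unpack_from(end + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return "execstack" if p_flags & PF_X else "nx"
    return "missing"

def scan(paths):
    """Report the NX status of each ELF file on disk, like checksec over .so files."""
    return {p: gnu_stack_status(open(p, "rb").read()) for p in paths}

def build_sample_elf(is64: bool, stack_flags) -> bytes:
    """Constructed minimal little-endian ELF (header + program headers only),
    sufficient for header inspection; stack_flags=None omits PT_GNU_STACK."""
    phentsize = 56 if is64 else 32
    phdrs = [(1, 5)]                           # one PT_LOAD, R+X, as any real image has
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ehsize = 64 if is64 else 52
    if is64:   # e_machine 62 = x86-64
        hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        hdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:      # e_machine 8 = MIPS, as on OpenWRT targets
        hdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        hdr += struct.pack("<HHIIIIIHHHHHH", 3, 8, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body
```

Run `scan` over the .so files from a build tree to get the same verdict checksec gives per file, without depending on readelf being on the host.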