From patchwork Tue Mar 8 13:51:00 2016
X-Patchwork-Submitter: Nix
X-Patchwork-Id: 11263
From: Nix
To: libc-alpha@sourceware.org
Subject: [PATCH 14/18] Drop explicit stack-protection of pieces of the system.
Date: Tue, 8 Mar 2016 13:51:00 +0000
Message-Id: <1457445064-7107-15-git-send-email-nix@esperi.org.uk>
In-Reply-To: <1457445064-7107-1-git-send-email-nix@esperi.org.uk>
References: <1457445064-7107-1-git-send-email-nix@esperi.org.uk>

From: Nick Alcock This is probably a bad idea: maybe we want to stack-protect some parts of the system even when ! --enable-stack-protector. I can easily adjust the patch to do that (though it'll mean introducing a new variable analogous to $(stack-protector) but not controlled by the configure flag.) But if we wanted to value consistency over security, and use the same stack-protection configure flag to control everything, this is how we'd do it! ("Always include at least one patch with something obviously wrong with it.") * login/Makefile (pt_chown-cflags): Remove. * nscd/Makefile (CFLAGS-nscd): Likewise. * resolv/Makefile (CFLAGS-libresolv): Likewise. --- login/Makefile | 1 - nscd/Makefile | 1 - resolv/Makefile | 1 - 3 files changed, 3 deletions(-) diff --git a/login/Makefile b/login/Makefile index 9ff36d6..1a6161c 100644 --- a/login/Makefile +++ b/login/Makefile @@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions ifeq (yesyes,$(have-fpie)$(build-shared)) pt_chown-cflags += $(pie-ccflag) endif -pt_chown-cflags += $(stack-protector) ifeq (yes,$(have-libcap)) libcap = -lcap endif diff --git a/nscd/Makefile b/nscd/Makefile index 50bad32..bfd72d5 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2 ifeq (yesyes,$(have-fpie)$(build-shared)) CFLAGS-nscd += $(pie-ccflag) endif -CFLAGS-nscd += $(stack-protector) ifeq (yesyes,$(have-fpie)$(build-shared)) LDFLAGS-nscd = -Wl,-z,now diff --git a/resolv/Makefile b/resolv/Makefile index 8be41d3..0395b1a 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \ -Dgetnetbyname=res_getnetbyname \ -Dgetnetbyaddr=res_getnetbyaddr -CFLAGS-libresolv += $(stack-protector) CFLAGS-res_hconf.c = -fexceptions # The BIND code elicits some harmless warnings.
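
Review bot: In the login/Makefile hunk, the removed `pt_chown-cflags += $(stack-protector)` sat outside both the `have-fpie` and `have-libcap` conditionals, so after this change pt_chown is stack-protected only when the configure flag enables it, while the PIE setting just above is kept. The commit message already names the alternative: a second variable analogous to `$(stack-protector)` that the configure flag does not control, used here in place of deleting the line. The ChangeLog entry "(pt_chown-cflags): Remove." also overstates the change, since the variable is still assigned by `pt_chown-cflags += $(pie-ccflag)`; it should say that the `$(stack-protector)` addition is removed.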
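
Review bot: In the nscd/Makefile hunk, the context lines keep `-D_FORTIFY_SOURCE=2`, `$(pie-ccflag)` and `-Wl,-z,now` set explicitly for nscd, so dropping `CFLAGS-nscd += $(stack-protector)` makes stack protection the one hardening option in this block that depends on --enable-stack-protector. Either keep an explicit per-target setting through the configure-independent variable the commit message mentions, or add a comment beside the FORTIFY and PIE lines saying that stack protection now comes only from the configure flag. The ChangeLog "Likewise" has the same problem as in login/Makefile: `CFLAGS-nscd` is still assigned, only one addition to it goes away.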
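
Review bot: In the resolv/Makefile hunk, `CFLAGS-libresolv += $(stack-protector)` is deleted with nothing left in its place, so a later reader of this Makefile cannot tell that losing per-library protection was a deliberate choice. If the series goes ahead this way, a one-line comment at this spot naming the configure flag that now governs libresolv would document it; if the alternative from the commit message is chosen, this library should use the same configure-independent variable as pt_chown and nscd.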