From patchwork Sat Feb 20 10:23:45 2016
X-Patchwork-Submitter: Nix
X-Patchwork-Id: 10961
From: Nix
To: libc-alpha@sourceware.org
Cc: carlos@redhat.com
Subject: [PATCH 11/12] Drop explicit stack-protection of pieces of the system.
Date: Sat, 20 Feb 2016 10:23:45 +0000
Message-Id: <1455963826-21885-12-git-send-email-nix@esperi.org.uk>
In-Reply-To: <1455963826-21885-1-git-send-email-nix@esperi.org.uk>
References: <1455963826-21885-1-git-send-email-nix@esperi.org.uk>

From: Nick Alcock

This is probably a bad idea: maybe we want to stack-protect some parts of the system even when ! --enable-stack-protector. I can easily adjust the patch to do that (though it'll mean introducing a new variable analogous to $(stack-protector) but not controlled by the configure flag.) But if we wanted to value consistency over security, and use the same stack-protection configure flag to control everything, this is how we'd do it!

("Always include at least one patch with something obviously wrong with it.")

--- login/Makefile | 1 - nscd/Makefile | 1 - resolv/Makefile | 1 - 3 files changed, 3 deletions(-) diff --git a/login/Makefile b/login/Makefile index 9ff36d6..1a6161c 100644 --- a/login/Makefile +++ b/login/Makefile 
@@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions ifeq (yesyes,$(have-fpie)$(build-shared)) pt_chown-cflags += $(pie-ccflag) endif -pt_chown-cflags += $(stack-protector) ifeq (yes,$(have-libcap)) libcap = -lcap endif diff --git a/nscd/Makefile b/nscd/Makefile index 50bad32..bfd72d5 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2 ifeq (yesyes,$(have-fpie)$(build-shared)) CFLAGS-nscd += $(pie-ccflag) endif -CFLAGS-nscd += $(stack-protector) ifeq (yesyes,$(have-fpie)$(build-shared)) LDFLAGS-nscd = -Wl,-z,now diff --git a/resolv/Makefile b/resolv/Makefile index 8be41d3..0395b1a 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \ -Dgetnetbyname=res_getnetbyname \ -Dgetnetbyaddr=res_getnetbyaddr -CFLAGS-libresolv += $(stack-protector) CFLAGS-res_hconf.c = -fexceptions # The BIND code elicits some harmless warnings.
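Review bot: In login/Makefile, removing `pt_chown-cflags += $(stack-protector)` just after the `$(pie-ccflag)` block leaves pt_chown with a stack protector only when the configure flag is given, while the context lines still build it as PIE and link it against libcap when available. I would keep this helper's protection independent of --enable-stack-protector, using the separate variable the commit message already offers to introduce, rather than dropping the line.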
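Review bot: In nscd/Makefile, the context lines keep `-D_FORTIFY_SOURCE=2`, `$(pie-ccflag)` and `-Wl,-z,now` for nscd without reference to the stack-protector setting, so after the removal of `CFLAGS-nscd += $(stack-protector)` the stack protector is the one piece of the daemon's hardening that a configure choice can switch off. Either keep the line (or its flag-independent replacement), or add a comment next to the remaining hardening flags saying that stack protection now comes from the global setting. The two `ifeq (yesyes,$(have-fpie)$(build-shared))` blocks also end up back to back and could be merged.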
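Review bot: In resolv/Makefile, dropping `CFLAGS-libresolv += $(stack-protector)` depends on something outside this patch applying $(stack-protector) to libresolv, and neither the commit message nor the hunk says which patch in the 12-part series does that. Please name that patch in the commit message, and state there that with the configure flag off the BIND code referred to in the context comment is built without a stack protector, so the trade-off is recorded in the log.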