[poky] [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux
Paul Eggleton
paul.eggleton at intel.com
Tue Nov 23 03:00:00 PST 2010
On Monday 22 November 2010 19:22:55 Richard Purdie wrote:
> > CFLAG = "${@base_conditional('SITEINFO_ENDIANESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
> > - -DTERMIO ${FULL_OPTIMIZATION} -Wall"
> > + -DTERMIO ${FULL_OPTIMIZATION} -Wall -Wa,--noexecstack"
>
> Should this flag be used for both the -native and target versions or
> just the native one?
Well, we're trying to solve a native-only issue at this point, but it's conceivable that someone could want to use SELinux on the target, in which case assuming the same SELinux policies they would also need this fix. In any case leaving the execstack flag on doesn't really serve any purpose, since AFAICT the openssl libs don't actually need to execute the stack, the assembler just assumes they do since it hasn't been told otherwise and thus marks the binary as such.
If you'd prefer to apply it only to the native version however I wouldn't object.
Cheers,
Paul
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
More information about the poky
mailing list