[OpenWrt-Devel] [PATCH 0/6] buildsystem: Activate PIE ASLR for some packages
Petr Štetiar
ynezz at true.cz
Wed Jan 8 01:24:40 EST 2020
Hauke Mehrtens <hauke at hauke-m.de> [2020-01-07 23:21:19]:
Hi,
thanks for your work.
> > Hauke Mehrtens (6):
> > buildsystem: Make PIE ASLR option tristate
> > dnsmasq: Activate PIE by default
> > dropbear: Activate PIE by default
> > hostapd: Activate PIE by default
> > uhttpd: Activate PIE by default
> > lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
just wondering, if there is any particular reason for leaving odhcp6c and
odhcpd out as this are network exposed services and running in default
install.
Thinking about it now, we should probably consider ubus, procd, rpcd and
cgi-io (perhaps missed something) which might possibly process malicious
inputs as well.
BTW I'm wondering how does this work with the shared libraries, like musl
libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
in order to get `TARGET_LDFLAGS += $(FPIC)
-specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
> I would like to apply these patches to master?
I don't know if you've something newer in your tree, just looked at your aslr
branch in your staging tree:
+ default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
reason for !SDK? That way binary/library.
> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.
I don't have any objections, I welcome this additional hardening. Which branch
can I use for runtime testing? I plan to test it and give you my Acked-by.
-- ynezz
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list