100acd1001
Enable the following compiler hardening flags: * -Wl,-z,relro * -Wl,-z,now * -fstack-protector relro / bind_now make the relro region read-only after linking, preventing certain attacks against ELF data structures. stack-protector adds stack canaries, which can detect exploits which overwrite parts of the stack. Explicitly not added in this change is FORTIFY_SOURCE=2. Adding that option turns on glibc's warn_unused_result attributes. This generates a huge number of new compile time warnings, and for the multiple makefiles which have -Werror in them, turns those warnings into errors. I'm not able to fix all the errors right away. Bug: 20558757 Change-Id: I86791177c6695f5325233d9dd9a5dd3ccc2b1a2f
58 lines
2.4 KiB
Makefile
58 lines
2.4 KiB
Makefile
#
|
|
# Copyright (C) 2006 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
# Configuration for builds hosted on linux-x86.
|
|
# Included by combo/select.mk
|
|
|
|
ifeq ($(strip $($(combo_2nd_arch_prefix)HOST_TOOLCHAIN_PREFIX)),)
|
|
$(combo_2nd_arch_prefix)HOST_TOOLCHAIN_PREFIX := prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/bin/x86_64-linux-
|
|
endif
|
|
$(combo_2nd_arch_prefix)HOST_CC := $($(combo_2nd_arch_prefix)HOST_TOOLCHAIN_PREFIX)gcc
|
|
$(combo_2nd_arch_prefix)HOST_CXX := $($(combo_2nd_arch_prefix)HOST_TOOLCHAIN_PREFIX)g++
|
|
$(combo_2nd_arch_prefix)HOST_AR := $($(combo_2nd_arch_prefix)HOST_TOOLCHAIN_PREFIX)ar
|
|
|
|
# gcc location for clang; to be updated when clang is updated
|
|
$(combo_2nd_arch_prefix)HOST_TOOLCHAIN_FOR_CLANG := prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/
|
|
|
|
# We expect SSE3 floating point math.
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_CFLAGS += -msse3 -mfpmath=sse -m32 -Wa,--noexecstack -march=prescott
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_LDFLAGS += -m32 -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
|
|
|
|
ifneq ($(strip $(BUILD_HOST_static)),)
|
|
# Statically-linked binaries are desirable for sandboxed environment
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_LDFLAGS += -static
|
|
endif # BUILD_HOST_static
|
|
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_CFLAGS += -fPIC \
|
|
-no-canonical-prefixes \
|
|
-include $(call select-android-config-h,linux-x86)
|
|
|
|
# TODO: Set _FORTIFY_SOURCE=2. Bug 20558757.
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 -fstack-protector
|
|
|
|
# Workaround differences in inttypes.h between host and target.
|
|
# See bug 12708004.
|
|
$(combo_2nd_arch_prefix)HOST_GLOBAL_CFLAGS += -D__STDC_FORMAT_MACROS -D__STDC_CONSTANT_MACROS
|
|
|
|
$(combo_2nd_arch_prefix)HOST_NO_UNDEFINED_LDFLAGS := -Wl,--no-undefined
|
|
|
|
############################################################
|
|
## Macros after this line are shared by the 64-bit config.
|
|
|
|
# $(1): The file to check
|
|
define get-file-size
|
|
stat --format "%s" "$(1)" | tr -d '\n'
|
|
endef
|