[poky] [PATCH 01/14] openssl-native: disable execstack flag to prevent problems with SELinux
Darren Hart
dvhart at linux.intel.com
Wed Dec 15 11:28:52 PST 2010
On 11/17/2010 03:37 AM, Paul Eggleton wrote:
> The execstack flag gets set on libcrypto.so by default which causes SELinux
> to prevent it from being loaded on systems using SELinux, which includes
> Fedora. This patch disables the execstack flag. (Note: Red Hat do this in
> their openssl packaging.)
>
> Signed-off-by: Paul Eggleton<paul.eggleton at linux.intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 6 +++++-
> .../recipes-connectivity/openssl/openssl_0.9.8o.bb | 2 +-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 11dd1e5..dc2ff3e 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -15,7 +15,11 @@ S = "${WORKDIR}/openssl-${PV}"
>
> AR_append = " r"
> CFLAG = "${@base_conditional('SITEINFO_ENDIANESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
> - -DTERMIO ${FULL_OPTIMIZATION} -Wall"
> + -DTERMIO ${FULL_OPTIMIZATION}"
Why do we need to remove -Wall? Doesn't that reduce our visibility into
potential issues?
> +
> +# Avoid binaries being marked as requiring an executable stack (which causes
> +# issues with SELinux on the host)
> +CFLAG_append_virtclass-native = " -Wa,--noexecstack"
>
> # -02 does not work on mipsel: ssh hangs when it tries to read /dev/urandom
> CFLAG_mtx-1 := "${@'${CFLAG}'.replace('-O2', '')}"
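Review bot: the `CFLAG_append_virtclass-native = " -Wa,--noexecstack"` line limits the fix to native builds, so a target libcrypto.so built from the same CFLAG may still be marked as requiring an executable stack. A non-executable stack is a hardening measure on the target as well as an SELinux fix on the host, so consider appending the flag to CFLAG unconditionally unless a specific target is known to break. Separately, dropping -Wall from CFLAG in this hunk is not mentioned in the commit message and is unrelated to the execstack change; either keep it or move it to its own patch with the reason stated.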
> diff --git a/meta/recipes-connectivity/openssl/openssl_0.9.8o.bb b/meta/recipes-connectivity/openssl/openssl_0.9.8o.bb
> index 31c5568..aa11cdf 100644
> --- a/meta/recipes-connectivity/openssl/openssl_0.9.8o.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_0.9.8o.bb
> @@ -1,6 +1,6 @@
> require openssl.inc
>
> -PR = "r0"
> +PR = "r1"
> SRC_URI += "file://debian/ca.patch \
> file://debian/config-hurd.patch;apply=no \
> file://debian/debian-targets.patch \
--
Darren Hart
Yocto Linux Kernel