On Tue, 18 Jan 2022 00:12:02 +0200 Martin Radev <martin.b.radev@xxxxxxxxx> wrote:
> This patch modifies CFLAGS to mark the stack explicitly
> as not executable.
>
> Signed-off-by: Martin Radev <martin.b.radev@xxxxxxxxx>
Reviewed-by: Andre Przywara <andre.przywara@xxxxxxx>
Cheers, Andre
> ---
> Makefile | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index f251147..09ef282 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -380,8 +380,11 @@ DEFINES += -D_GNU_SOURCE
> DEFINES += -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"'
> DEFINES += -DBUILD_ARCH='"$(ARCH)"'
>
> +# The stack doesn't need to be executable
> +SECURITY_HARDENINGS := -z noexecstack
> +
> KVM_INCLUDE := include
> -CFLAGS += $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g
> +CFLAGS += $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g
>
> WARNINGS += -Wall
> WARNINGS += -Wformat=2
> @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean)
>
> KVMTOOLS-VERSION-FILE:
> @$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT)
> -endif
> \ No newline at end of file
> +endif
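Review bot: In the first hunk, `-z noexecstack` is a linker option, so adding it to `CFLAGS` through `SECURITY_HARDENINGS` only hardens the binary if `CFLAGS` is also passed on the link command, which is not visible in this hunk. On compile-only steps it has no effect on the object files. If the Makefile has a separate link-flags variable, `LDFLAGS += $(SECURITY_HARDENINGS)` would state the intent directly. `-Wa,--noexecstack` could be added to the compile flags if any assembly sources lack a `.note.GNU-stack` section. The comment above the variable could also name the check: `readelf -lW` on the built binary should show the `GNU_STACK` segment as `RW`, not `RWE`.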