From 156d61e20f96cc12b842b6aae12cf5b99c937402 Mon Sep 17 00:00:00 2001
From: wenshelx
Date: Sun, 11 Feb 2018 15:51:35 +0800
Subject: [PATCH] security: enable stack protector

Enable stack-proctector-strong option for gcc emiting extra code to check buffer overflow. Enable noexecstack option for marking the object as not requiring executable stack.

Tracked-On: 224003
Signed-off-by: wenshelx
---
 devicemodel/Makefile | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/devicemodel/Makefile b/devicemodel/Makefile
index 696867c99..bb7cf31a7 100644
--- a/devicemodel/Makefile
+++ b/devicemodel/Makefile
@@ -21,6 +21,26 @@ CFLAGS += -Werror
 CFLAGS += -I$(BASEDIR)/include
 CFLAGS += -I$(BASEDIR)/include/public
 
+GCC_MAJOR=$(shell echo __GNUC__ | $(CC) -E -x c - | tail -n 1)
+GCC_MINOR=$(shell echo __GNUC_MINOR__ | $(CC) -E -x c - | tail -n 1)
+
+#enable stack overflow check
+STACK_PROTECTOR := 1
+
+ifdef STACK_PROTECTOR
+ifeq (true, $(shell [ $(GCC_MAJOR) -gt 4 ] && echo true))
+CFLAGS += -fstack-protector-strong
+else
+ifeq (true, $(shell [ $(GCC_MAJOR) -eq 4 ] && [ $(GCC_MINOR) -ge 9 ] && echo true))
+CFLAGS += -fstack-protector-strong
+else
+CFLAGS += -fstack-protector
+endif
+endif
+endif
+
+LDFLAGS += -Wl,-z,noexecstack
+
 LIBS = -lrt
 LIBS += -lpthread
 LIBS += -lcrypto
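Review bot: The added `ifeq` chain picks the hardening level from `__GNUC__`/`__GNUC_MINOR__` rather than from what `$(CC)` actually accepts, so a compiler that reports a GCC-compatible version below 4.9 (clang reports 4.2, as far as I know) silently gets the weaker `-fstack-protector`, and so does any build where the probe fails and leaves `GCC_MAJOR` empty. Probing the flag itself removes both cases, and also drops the two recursive `=` assignments that re-run `$(shell …)` on every expansion. `STACK_PROTECTOR := 1` followed by `ifdef` can only be switched off by passing an empty value; `?=` with `ifeq ($(STACK_PROTECTOR),1)` makes the knob explicit. The link rule is outside this hunk, so it is worth confirming that it passes `$(LDFLAGS)`; otherwise `-Wl,-z,noexecstack` never reaches the linker.

```make
# enable stack overflow check; disable with `make STACK_PROTECTOR=0`
STACK_PROTECTOR ?= 1

ifeq ($(STACK_PROTECTOR),1)
# Ask the compiler whether it accepts the flag instead of parsing its version.
SSP_STRONG := $(shell $(CC) -fstack-protector-strong -c -x c /dev/null -o /dev/null >/dev/null 2>&1 && echo true)
ifeq ($(SSP_STRONG),true)
CFLAGS += -fstack-protector-strong
else
CFLAGS += -fstack-protector
endif
endif
# … unchanged: LDFLAGS += -Wl,-z,noexecstack …
```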