# of a binary that uses undefined symbols.
#
ifneq ($(LOCAL_ALLOW_UNDEFINED_SYMBOLS),true)
- LOCAL_LDFLAGS := $(LOCAL_LDFLAGS) $($(my)NO_UNDEFINED_LDFLAGS)
+ LOCAL_LDFLAGS += $(LOCAL_LDFLAGS) $($(my)NO_UNDEFINED_LDFLAGS)
+endif
+
+# If LOCAL_DISABLE_NO_EXECUTE is not true, we disable generated code from running from
+# the heap and stack by default.
+#
+ifndef ($(LOCAL_DISABLE_NO_EXECUTE),true)
+ LOCAL_CFLAGS += $($(my)NO_EXECUTE_CFLAGS)
+ LOCAL_LDFLAGS += $($(my)NO_EXECUTE_LDFLAGS)
endif
#
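Review bot: The new guard `ifndef ($(LOCAL_DISABLE_NO_EXECUTE),true)` passes ifeq-style arguments to `ifndef`, so make tests whether a variable literally named `(,true)` or `(true,true)` is defined. That is never the case, so the NX flags are always appended and the documented opt-out has no effect; the build stays hardened, but a module that sets the variable is silently ignored. The guard should mirror the block above it: `ifneq ($(LOCAL_DISABLE_NO_EXECUTE),true)`. In the same hunk, the switch from `:=` to `+=` keeps `$(LOCAL_LDFLAGS)` on the right-hand side, which appends the existing flags to themselves, and would fail with a self-reference error if an Android.mk had assigned the variable with `=`. The line was presumably meant to be `LOCAL_LDFLAGS += $($(my)NO_UNDEFINED_LDFLAGS)`.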
LOCAL_ALLOW_UNDEFINED_SYMBOLS \
LOCAL_ARM_MODE \
LOCAL_ARM_NEON \
+ LOCAL_DISABLE_NO_EXECUTE \
$(call clear-src-tags)
$(call clear-vars, $(NDK_LOCAL_VARS))
# flags.
TARGET_NO_UNDEFINED_LDFLAGS := -Wl,--no-undefined
+# These flags are used to enfore the NX (no execute) security feature in the
+# generated machine code. This adds a special section to the generated shared
+# libraries that instruct the Linux kernel to disable code execution from
+# the stack and the heap.
+TARGET_NO_EXECUTE_CFLAGS := -Wa,--noexecstack
+TARGET_NO_EXECUTE_LDFLAGS := -Wl,-z,noexecstack
+
# The ABI-specific sub-directory that the SDK tools recognize for
# this toolchain's generated binaries
TARGET_ABI_SUBDIR := armeabi
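Review bot: The comment added above `TARGET_NO_EXECUTE_CFLAGS` claims more than the two flags do, and misspells "enforce". `-Wa,--noexecstack` and `-Wl,-z,noexecstack` only record in the objects and the linked binary that no executable stack is needed (the GNU stack marking); whether heap and data mappings end up non-executable is decided by the kernel and CPU, not by these flags. I would reword it along the lines of `# Mark generated binaries as not requiring an executable stack (NX); the kernel applies the protection.` and add `# Code that needs an executable stack must set LOCAL_DISABLE_NO_EXECUTE := true.`. It is also worth noting that the result can be checked with `readelf -l` on the built library, where GNU_STACK should show RW rather than RWE. The identical comment added further down, before the TARGET_LIBGCC note, needs the same wording.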
# flags.
TARGET_NO_UNDEFINED_LDFLAGS := -Wl,--no-undefined
+# These flags are used to enfore the NX (no execute) security feature in the
+# generated machine code. This adds a special section to the generated shared
+# libraries that instruct the Linux kernel to disable code execution from
+# the stack and the heap.
+TARGET_NO_EXECUTE_CFLAGS := -Wa,--noexecstack
+TARGET_NO_EXECUTE_LDFLAGS := -Wl,-z,noexecstack
+
# NOTE: Ensure that TARGET_LIBGCC is placed after all private objects
# and static libraries, but before any other library in the link
# command line when generating shared libraries and executables.
Note that the '.neon' suffix must appear after the '.arm' suffix
if you use both (i.e. foo.c.arm.neon works, but not foo.c.neon.arm !)
+
+LOCAL_DISABLE_NO_EXECUTE
+ Android NDK r4 added support for the "NX bit" security feature.
+ It is enabled by default, but you can disable it if you *really*
+ need to by setting this variable to 'true'.
+
+ NOTE: This feature does not modify the ABI and is only enabled on
+ kernels targetting ARMv6+ CPU devices. Machine code generated
+ with this feature enabled will run unmodified on devices
+ running earlier CPU architectures.
+
+ For more information, see:
+
+ http://en.wikipedia.org/wiki/NX_bit
+ http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
and the new samble program under 'samples/bitmap-plasma' for details
and usage example.
+- Support the NX (No Execute) security feature, where special sections
+ are added to the generated shared libraries to instruct the kernel
+ that code shall not be executed from the heap and stack by default.
+
+ See docs/ANDROID-MK.TXT to see how to disable this, plus reference
+ links for more information.
+
OTHER FIXES & CHANGES:
- support the .s extension for raw assembly sources (.S is already supported