From afa52a9837f1211845637401569912582ad83b11 Mon Sep 17 00:00:00 2001
From: "Kevin F. Quinn"
Date: Wed, 14 Mar 2007 22:35:40 +0000
Subject: Alter glibc behaviour to build ok w/ USE=hardened but normal compiler.

svn path=/; revision=194
---
 .../branches/pieworld/sys-devel/gcc/Manifest | 8 ++--
 .../pieworld/sys-devel/gcc/gcc-4.1.2-r1.ebuild | 3 +-
 .../branches/pieworld/sys-libs/glibc/Manifest | 16 ++++----
 .../glibc/files/2.5/glibc-2.5-hardened-pie.patch | 8 ++--
 .../pieworld/sys-libs/glibc/glibc-2.5-r1.ebuild | 48 ++++++++++++----------
 5 files changed, 44 insertions(+), 39 deletions(-)

diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
index e3953bd..2a39916 100644
--- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
@@ -168,10 +168,10 @@ EBUILD gcc-4.1.1-r3.ebuild 3621 RMD160 6680af1e737c03742241b9e52531d45822a66d49 MD5 beadc390569c05a5d7c0dfe2f73e43e3 gcc-4.1.1-r3.ebuild 3621 RMD160 6680af1e737c03742241b9e52531d45822a66d49 gcc-4.1.1-r3.ebuild 3621 SHA256 aadbf598501f69904bf605c1a1e9c1ad8a57d2a2734093381d04e09d4099f688 gcc-4.1.1-r3.ebuild 3621 -EBUILD gcc-4.1.2-r1.ebuild 3636 RMD160 c4297eb2d4314ea396bcac891ef7e9c6d7eff1d6 SHA1 7be5618cce173632613e443ca0bc1234322afbc6 SHA256 913d229f3020c4f6142959a3dd671a9e1355d126530124454881f6d7c121a78f -MD5 43b756c19f8fc9efd0f10c8dfae91a27 gcc-4.1.2-r1.ebuild 3636 -RMD160 c4297eb2d4314ea396bcac891ef7e9c6d7eff1d6 gcc-4.1.2-r1.ebuild 3636 -SHA256 913d229f3020c4f6142959a3dd671a9e1355d126530124454881f6d7c121a78f gcc-4.1.2-r1.ebuild 3636 +EBUILD gcc-4.1.2-r1.ebuild 3618 RMD160 565b714a4144b88e33e45efa3fae55ab3ca33a58 SHA1 d55783632d5526ca0edf224f3e26be77709dd947 SHA256 64d0b13824ceb2e8c11e85d1470c63cae75a35bb34fad59af2d4972ab45171b9 +MD5 3153385646f09e5ca9b907917497ec60 gcc-4.1.2-r1.ebuild 3618 +RMD160 565b714a4144b88e33e45efa3fae55ab3ca33a58 gcc-4.1.2-r1.ebuild 3618 +SHA256 64d0b13824ceb2e8c11e85d1470c63cae75a35bb34fad59af2d4972ab45171b9 gcc-4.1.2-r1.ebuild 3618 MD5 f2ae42150d118fee847851b13498c67d files/digest-gcc-3.4.6-r3 1623 RMD160 61cd90be115485be70bc0c6511848949fd86e3ff files/digest-gcc-3.4.6-r3 1623 SHA256 fb9bc05b7f310a0ce63c7538d07315a3432bced82fc26c656e9ec0d843df2468 files/digest-gcc-3.4.6-r3 1623 diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.2-r1.ebuild b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.2-r1.ebuild index 73477ef..4e109e6 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.2-r1.ebuild +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.2-r1.ebuild 
@@ -95,6 +95,5 @@ src_unpack() {
 # Add the crtbeginTS.o file - used for "static PIE" links
 epatch "${FILESDIR}"/4.1.1/gcc-4.1.1-crtbeginTS.patch
 # Ensure crtfiles are built fno-PIC/fPIC as appropriate, not fPIE
- use hardened &&
- epatch "${FILESDIR}"/4.1.1/gcc-4.1.1-nopie-crtstuff.patch
+ epatch "${FILESDIR}"/4.1.1/gcc-4.1.1-nopie-crtstuff.patch
 }
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
index d1cf552..c6b995a 100644
--- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
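Review bot: The comment above the `epatch` for gcc-4.1.1-nopie-crtstuff.patch does not say that the patch is now applied to every build rather than only under USE=hardened, which is the one thing this hunk changes. A why-comment such as `# Applied regardless of USE=hardened: crtfiles must not be built -fPIE even if the active compiler or CFLAGS would default to it` would record the intent; that reason is inferred from the commit subject and should be confirmed by the author. src_unpack begins outside the hunk.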
@@ -10,10 +10,10 @@ AUX 2.5/glibc-2.5-hardened-inittls-nosysenter.patch 9407 RMD160 352112bf4f2d8d58 MD5 310d9d273a19090287c44a38aba92753 files/2.5/glibc-2.5-hardened-inittls-nosysenter.patch 9407 RMD160 352112bf4f2d8d58471f22f623784350baf0bc86 files/2.5/glibc-2.5-hardened-inittls-nosysenter.patch 9407 SHA256 2a912e82445815ae32744d990c59d8758ec74e482b856bd274c292848b9af1fd files/2.5/glibc-2.5-hardened-inittls-nosysenter.patch 9407 -AUX 2.5/glibc-2.5-hardened-pie.patch 1548 RMD160 b33ce25195864ec4e8a63527f3f674aa5fb623da SHA1 0bb184451121d130be9e1888d081c556edcb88d3 SHA256 44e240987859e791095beddd2388fcea705195d1c86310fef4eea0097b9d2a00 -MD5 8d7eadd996eec8fa9939658404ee386d files/2.5/glibc-2.5-hardened-pie.patch 1548 -RMD160 b33ce25195864ec4e8a63527f3f674aa5fb623da files/2.5/glibc-2.5-hardened-pie.patch 1548 -SHA256 44e240987859e791095beddd2388fcea705195d1c86310fef4eea0097b9d2a00 files/2.5/glibc-2.5-hardened-pie.patch 1548 +AUX 2.5/glibc-2.5-hardened-pie.patch 1569 RMD160 35ae4308396d59e37d050a5bedb57dbf3ae50cb3 SHA1 b5d3084ec2351a813b4dece43318a4b9355f2fd3 SHA256 a00285f0a167aae0a31d29ad49a391896d55e04fc8e5fc7f725ced77c702d8cf +MD5 ae431c3e79196f5c5a92e3c2f0f07092 files/2.5/glibc-2.5-hardened-pie.patch 1569 +RMD160 35ae4308396d59e37d050a5bedb57dbf3ae50cb3 files/2.5/glibc-2.5-hardened-pie.patch 1569 +SHA256 a00285f0a167aae0a31d29ad49a391896d55e04fc8e5fc7f725ced77c702d8cf files/2.5/glibc-2.5-hardened-pie.patch 1569 AUX nscd 1621 RMD160 f6d20c4c3814f70d7741f3fa2e0b53ba32c37960 SHA1 5751fe798024c2021b7b3ed3e798618e2a38244a SHA256 6165db3a2fcb251d4f3655c0461e018ce9c92a37f7f22a8fd2b75178b5435bc8 MD5 d142c6e0b4fd508f485d0aa9c5d12a91 files/nscd 1621 RMD160 f6d20c4c3814f70d7741f3fa2e0b53ba32c37960 files/nscd 1621 
@@ -31,10 +31,10 @@ DIST glibc-2.5.tar.bz2 15321839 RMD160 25a0a460c0db1e5b7c570e5087461696f2096fd2 DIST glibc-libidn-2.5.tar.bz2 102330 RMD160 e10e85e0ee7cdab2e5518a93978cb688ccabee88 SHA1 ee7e019e01aa338e28db1eeb34abb2cb09d2f30a SHA256 de77e49e0beee6061d4c6e480f322566ba25d4e5e018c456a18ea4a8da5c0ede DIST glibc-linuxthreads-2.5.tar.bz2 242445 RMD160 788484d035d53ac39aac18f6e3409a912eea1cfa SHA1 eb7765e5c0a14c7475f1c8b92cbe1f625a8fd76f SHA256 ee27aeba6124a8b351c720eb898917f0f8874d9a384cc2f17aa111a3d679bd2c DIST glibc-ports-2.5.tar.bz2 409372 RMD160 e7e29df135a5f0f72760d10e5ad46de038e40725 SHA1 7da6257e641759ed29c4d316700fce6f604bc812 SHA256 80c38a005325e7539012bd665fb8e06af9ee9bfc74efb236ebff121265bfd463 -EBUILD glibc-2.5-r1.ebuild 39299 RMD160 c0d85a895e0d6f83e02348af5f54060dfcbc54af SHA1 06079608991c99008091b9d1c824f541bb82ec9a SHA256 a4a0643cfc7cfdc8e3d946e71eb7d4df04d5f585d495ab87794ffdc983a005e5 -MD5 d96ad308c47b08eec3713cc1a7628edd glibc-2.5-r1.ebuild 39299 -RMD160 c0d85a895e0d6f83e02348af5f54060dfcbc54af glibc-2.5-r1.ebuild 39299 -SHA256 a4a0643cfc7cfdc8e3d946e71eb7d4df04d5f585d495ab87794ffdc983a005e5 glibc-2.5-r1.ebuild 39299 +EBUILD glibc-2.5-r1.ebuild 39497 RMD160 e49564aaf68500232949392b04be245c3a42a0d7 SHA1 ff6c0b18a7afe3269279b988cd1ffd39253c99b5 SHA256 1698515d5096e4e0f837556090bae93b81c93a6b976f60aa148020fcc18a5fbb +MD5 b8abfff842d21728e45f4ecb032e1530 glibc-2.5-r1.ebuild 39497 +RMD160 e49564aaf68500232949392b04be245c3a42a0d7 glibc-2.5-r1.ebuild 39497 +SHA256 1698515d5096e4e0f837556090bae93b81c93a6b976f60aa148020fcc18a5fbb glibc-2.5-r1.ebuild 39497 MD5 30fc9163b2a49cb4a083d02feace4918 files/digest-glibc-2.5-r1 1280 RMD160 74d079011c9a8d9155cd5f51591ca3a04cb9df26 files/digest-glibc-2.5-r1 1280 SHA256 b0af33330bd44dd7acd6f4aec9039d61b7fe9de005a8cf6edf63ee399cdeaa72 files/digest-glibc-2.5-r1 1280 
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.5/glibc-2.5-hardened-pie.patch b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.5/glibc-2.5-hardened-pie.patch index 280d6e1..fe4e5a6 100644 --- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.5/glibc-2.5-hardened-pie.patch +++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.5/glibc-2.5-hardened-pie.patch @@ -4,20 +4,20 @@ Patch by Kevin F. Quinn --- Makeconfig +++ Makeconfig -@@ -415,10 +415,10 @@ +@@ -424,10 +424,10 @@ # Command for linking programs with the C library. ifndef +link -+link = $(CC) -nostdlib -nostartfiles -o $@ \ ++link = $(CC) -nostdlib -nostartfiles -fPIE -pie -o $@ \ $(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ - $(combreloc-LDFLAGS) $(relro-LDFLAGS) \ + $(combreloc-LDFLAGS) $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ - $(addprefix $(csu-objpfx),$(start-installed-name)) \ + $(addprefix $(csu-objpfx),S$(start-installed-name)) \ $(+preinit) $(+prector) \ $(filter-out $(addprefix $(csu-objpfx),start.o \ $(start-installed-name))\ -@@ -429,7 +429,7 @@ +@@ -439,7 +439,7 @@ ifndef +link-static +link-static = $(CC) -nostdlib -nostartfiles -static -o $@ \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ @@ -26,7 +26,7 @@ Patch by Kevin F. Quinn $(+preinit) $(+prector) \ $(filter-out $(addprefix $(csu-objpfx),start.o \ $(start-installed-name))\ -@@ -528,8 +528,8 @@ +@@ -537,8 +537,8 @@ ifeq ($(elf),yes) +preinit = $(addprefix $(csu-objpfx),crti.o) +postinit = $(addprefix $(csu-objpfx),crtn.o) diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5-r1.ebuild b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5-r1.ebuild index 3c4d361..8de05e0 100644 --- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5-r1.ebuild +++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5-r1.ebuild 
@@ -1,6 +1,6 @@ # Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.5-r1.ebuild,v 1.1 2007/03/13 06:09:44 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.5-r1.ebuild,v 1.2 2007/03/13 08:23:22 vapier Exp $ # Here's how the cross-compile logic breaks down ... # CTARGET - machine that will target the binaries @@ -39,7 +39,7 @@ DESCRIPTION="GNU libc6 (also called glibc2) C library" HOMEPAGE="http://www.gnu.org/software/libc/libc.html" LICENSE="LGPL-2" -IUSE="nls build nptl nptlonly hardened multilib selinux glibc-omitfp profile glibc-compat20 debug" +IUSE="build debug nls nptl nptlonly hardened multilib selinux glibc-omitfp profile glibc-compat20" export CBUILD=${CBUILD:-${CHOST}} export CTARGET=${CTARGET:-${CHOST}} @@ -221,12 +221,12 @@ toolchain-glibc_src_unpack() { if use hardened ; then cd "${S}" einfo "Patching to get working PIE binaries on PIE (hardened) platforms" - epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch + gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-inittls-nosysenter.patch einfo "Installing Hardened Gentoo SSP handler" - cp -f "${FILESDIR}"/2.5/glibc-2.4-gentoo-stack_chk_fail.c \ + cp -f "${FILESDIR}"/2.5/glibc-2.5-gentoo-stack_chk_fail.c \ debug/stack_chk_fail.c || die if use debug ; then 
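Review bot: In the toolchain-glibc_src_unpack hunk, the `einfo "Patching to get working PIE binaries on PIE (hardened) platforms"` line is still printed when `gcc-specs-pie` is false and the PIE patch is skipped, so the build log reports a hardening step that did not run. Putting both lines inside `if gcc-specs-pie ; then … fi` keeps the log truthful for anyone auditing what was applied. The same hunk switches the SSP handler source to `glibc-2.5-gentoo-stack_chk_fail.c`, yet the diffstat lists no such file being added, so it presumably already exists under `files/2.5/`; the `|| die` on the `cp` will catch it if not. The function starts and ends outside the hunk.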
@@ -245,16 +245,16 @@ toolchain-glibc_src_unpack() { nscd/Makefile \ || die "Failed to ensure nscd builds with ssp-all" - # Fixup use of PIC to choose PIC variants when built -fPIE. - # Prepends all files that have "#ifdef PIC" or similar, with - # preprocessor macros to define PIC if the compiler has - # defined __PIC__. - find ${S} -name '*.[h|S]' | \ - xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \ - xargs sed -i -e '1i#if defined __PIC__ && !defined PIC\ -# define PIC\ -#endif\ -' +# # Fixup use of PIC to choose PIC variants when built -fPIE. +# # Prepends all files that have "#ifdef PIC" or similar, with +# # preprocessor macros to define PIC if the compiler has +# # defined __PIC__. +# find ${S} -name '*.[h|S]' | \ +# xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \ +# xargs sed -i -e '1i#if defined __PIC__ && !defined PIC\ +## define PIC\ +##endif\ +#' fi @@ -310,7 +310,7 @@ toolchain-glibc_src_test() { cd "${WORKDIR}"/build-${ABI}-${CTARGET}-$1 || die "cd build-${ABI}-${CTARGET}-$1" unset LD_ASSUME_KERNEL make check && return 0 - einfo "make check failed - re-running with --keep-going to get the rest of the results." + einfo "make check failed - re-running with --keep-going to get the rest of the results" make -k check ewarn "make check failed for ${ABI}-${CTARGET}-$1" return 1 @@ -736,8 +736,16 @@ setup_flags() { # to the glibc build process. See bug #94325 filter-flags -fstack-protector - # Don't let the compiler automatically build PIEs unless USE=hardened. - use hardened || filter-flags -fPIE + if use hardened && gcc-specs-pie ; then + # Force PIC macro definition for all compilations, since they're all + # either -fPIC or -fPIE with the default-PIE compiler. + append-flags -DPIC + export ASFLAGS="${ASFLAGS} -DPIC" + else + # Don't build -fPIE without the default-PIE compiler and the + # hardened-pie patch + filter-flags -fPIE + fi } check_kheader_version() { 
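Review bot: The `find … | xargs grep -l … | xargs sed -i` block that prepended the `PIC` define is commented out rather than deleted, leaving ten lines of dead code (including `##`-prefixed preprocessor text) in toolchain-glibc_src_unpack. Since setup_flags now passes `-DPIC` instead, removing the block and leaving a single pointer such as `# PIC is now defined via -DPIC in setup_flags` would read more clearly; the old approach stays available in version control. The enclosing function starts outside the hunk.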
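Review bot: The else branch of the new `if use hardened && gcc-specs-pie` in setup_flags strips only the exact flag `-fPIE`, so user CFLAGS carrying the lowercase `-fpie` (also a valid GCC option) would still reach a glibc build that lacks the hardened-pie patch; `filter-flags -fPIE -fpie` covers both spellings. In the hardened branch, `-DPIC` is forced on every compilation on the strength of the comment's claim that everything is built -fPIC or -fPIE. If any object is compiled explicitly without PIC under the default-PIE compiler (not visible in this hunk), it would now take the PIC code paths, so that assumption is worth verifying. setup_flags starts outside the hunk.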
@@ -1097,10 +1105,8 @@ pkg_setup() {
 die "install pax-utils"
 fi

- if gcc-specs-pie && ! use hardened; then
- eerror "USE=hardened must be set to build glibc with a hardened compiler"
- die "set USE=hardened (or gcc-config to gcc-vanilla)"
- fi
+ use hardened && ! gcc-specs-pie && \
+ ewarn "PIE hardening not applied, as your compiler doesn't default to PIE"
 }

 src_unpack() {
-- 
cgit v1.2.3-65-gdbad
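Review bot: Removing the `gcc-specs-pie && ! use hardened` check from pkg_setup drops the guard for the opposite mismatch to the one this commit targets, namely a default-PIE compiler with USE=hardened unset. Judging by the other hunks of this commit, in that configuration the hardened-pie patch is skipped because it sits inside `if use hardened`, and `filter-flags -fPIE` cannot undo a PIE default that comes from the compiler specs, so glibc would be built PIE without the patch meant to make that work. Keeping the original `eerror`/`die` block and adding the new `ewarn` after it would cover both cases. Separately, the `use hardened && ! gcc-specs-pie && \` chain is now the last statement of pkg_setup, so the function returns non-zero whenever the warning does not fire; an `if … ; then ewarn … ; fi` form avoids depending on how the caller treats that status.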