wallenstein/void-packages
1
0
Fork 0
mirror of https://github.com/void-linux/void-packages.git synced 2025-06-05 06:33:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

env/hardening: fix hardening on MIPS.

Browse source 
Thanks to @chneukirchen for finding the correct solution:

gcc sets -mno-shared by default when compiling non-PIC, and because
we are overriding the builtin specs, this internal rule set for gnu/mips
does not trigger:

gcc/config/mips/gnu-user.h:/* Default to -mno-shared for non-PIC.  */
gcc/config/mips/gnu-user.h:  " %{mshared|mno-shared|fpic|fPIC|fpie|fPIE:;:-mno-shared}"

So that we now use a specific specs file just for mips that sets -mshared for PIC.

This fixes building packages with hardening enabled for MIPS.
This commit is contained in:
Juan RP 2016-04-27 15:01:40 +02:00
parent 0e99e3b00d
commit 882f23cf98
2 changed files with 22 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
common/environment/configure/gccspecs/hardened-mips-cc1 Normal file
View file

@ -0,0 +1,8 @@
*cpp_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE -mshared}}}}}
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE -mshared}}}}}
*asm_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-mshared}}}}}

29
common/environment/configure/hardening.sh
View file

@ -1,27 +1,26 @@
# Enable SSP and FORITFY_SOURCE=2 by default. # Enable SSP and FORITFY_SOURCE=2 by default.
CFLAGS=" -fstack-protector-strong -D_FORTIFY_SOURCE=2 $CFLAGS" _CFLAGS=" -fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CFLAGS}"
CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 $CXXFLAGS" _CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CXXFLAGS}"
# Enable as-needed and relro by default. # Enable as-needed and relro by default.
LDFLAGS="-Wl,--as-needed -Wl,-z,relro $LDFLAGS" _LDFLAGS="-Wl,--as-needed ${LDFLAGS}"
case "$XBPS_TARGET_MACHINE" in case "$XBPS_TARGET_MACHINE" in
i686-musl) # SSP currently broken (see https://github.com/voidlinux/void-packages/issues/2902) i686-musl) # SSP currently broken (see https://github.com/voidlinux/void-packages/issues/2902)
CFLAGS+=" -fno-stack-protector" _CFLAGS+=" -fno-stack-protector"
CXXFLAGS+=" -fno-stack-protector" _CXXFLAGS+=" -fno-stack-protector"
;; ;;
esac esac
if [ -z "$nopie" ]; then if [ -z "$nopie" ]; then
case "$XBPS_TARGET_MACHINE" in
mips*)
# XXX for some reason the gcc specs does not apply correctly
CFLAGS+=" -fPIE"
CXXFLAGS+=" -fPIE"
;;
esac
_GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs _GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs
CFLAGS="-specs=${_GCCSPECSDIR}/hardened-cc1 $CFLAGS" case "$XBPS_TARGET_MACHINE" in
CXXFLAGS="-specs=${_GCCSPECSDIR}/hardened-cc1 $CXXFLAGS" mips*) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-mips-cc1;;
*) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-cc1;;
esac
CFLAGS="-specs=${_GCCSPECSFILE} ${_CFLAGS}"
CXXFLAGS="-specs=${_GCCSPECSFILE} ${_CXXFLAGS}"
# We pass -z relro -z now here too, because libtool drops -specs... # We pass -z relro -z now here too, because libtool drops -specs...
LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now $LDFLAGS" LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now ${_LDFLAGS}"
fi fi
unset _CFLAGS _CXXFLAGS _LDFLAGS