Description Kevin F. Quinn (RETIRED) 2005-06-16 11:22:54 UTC

Problem:

Currently we have has_hardened(), has_pic(), has_ssp(), has_ssp_all()
and has_pie() in flag-o-matic.eclass, which are intended to provide
ebuilds with a way of working out what hardened stuff is on in the
compiler.  However, has_hardened() only says whether the USE=hardened
was set when the compiler was emerged, has_pie() simply doesn't work,
has_pic() isn't particularly accurate as it doesn't take account of fPIE
(indeed since the hardened specs only ever switch on PIE automatically,
has_pic's very existence is misleading), and the has_ssp() functions
depend on the compiler setting the __SSP__/__SSP_ALL__ macros, which his
broken in the current stable x86 compiler (see bug #93011).


We need a reliable method of finding out what stuff the compiler is
configured to do that is different from a standard vanilla compiler.

First, it seems the best place to provide ways of determining the
compiler state is toolchain-funcs rather than flag-o-matic.

The method of checking compiler macro definitions isn't useful. 
The only reliable way to check what the compiler is up to, is to check
the active compiler specs.  To be attached is a diff to
toolchain-funcs.eclass which adds a few functions:

gcc-specs()
  a support function to determine the name of the active SPECS file
gcc-specs-pie()
  return TRUE if the active specs build PIEs by default
gcc-specs-ssp()
  return TRUE if the active specs build SSP by default
gcc-specs-hard()
  return TRUE if the active specs set relro/now.

The method used in my suggestion is to look for the '{!<disableflag>:'
string in the active specs file; somewhat rough but it works.  As the
toolchain changes, toolchain-funcs.eclass obviously tracks to maintain
compatibility.  The active specs file is obtained from 'gcc -v', using
the last specs file reported (note; when GCC_SPECS is set, 'gcc -v'
reports two specs files and it's the last one that is actually active).
This method is independent of how GCC_SPECS is managed (i.e. it's
independent of bug #96162).  I did look at just doing 'gcc -dumpspecs'
but that always returns the contents of the default .../specs file, not
the one actually in action at the time.

Another method could be to check the /etc/env.d/gcc/config{-<target>}
and friends.  Personally I prefer to rely on as little other stuff as
possible, and 'gcc -v' leads to all the necessary information.

Note; these do absolutely nothing with CFLAGS (unlike the
has_pic/pie/ssp functions).  Such flag stuff is the domain of
flag-o-matic.  Ultimately, if this is agreeable, the misleading
and unreliable has_hardened/pic/pie/ssp/ssp_all() functions can be
deprecated, ebuilds updated to use the above functions and normal
flag-o-matic CFLAGS editing.