Gentoo's Bugzilla – Attachment 233053 Details for
Bug 318171
[TRACKER] Merge SSP and >=gcc 4.4 hardened to the tree.
[patch]
Needed change for >=gcc 4.4 and SSP hardened support.
toolchain.eclass.patch (text/plain), 9.75 KB, created by
Magnus Granberg
on 2010-05-26 21:24:09 UTC
>2010-05-25 Magnus Granberg <zorry@gentoo.org> > > * eclass/toolchain.eclass > SLOT+IUSE logic: Add USE nossp if SPECS_VER defined > get_gcc_src_uri(): Add info to SPECS_VER Add zorry to devspec Move PIE_CORE Remove nopie > hardened_gcc_works(): Add nopie check if >=gcc 4.3.2 Add [[ -n ${SPECS_VER} ]] to check PP_VER line > Add nossp check if >=gcc 4.3.2 > want_pie(): Add check for (PIE_VER && SPECS_VER) and (-hardened && nopie && PIE_VER) if >=gcc 4.3.2 > want_minispecs(): Add check for (use nopie && use nossp), use vanilla, ! want_pie, > (! hardened_gcc_works pie && ! hardened_gcc_works ssp) and print a warnings. > setup_minispecs_gcc_build_specs(): Add support for SSP > copy_minispecs_gcc_specs(): Add create_gcc_env_entry for want_minispecs > gcc_pkg_setup(): Call want_minispecs so we get hardened warings before unpack > gcc-compiler_src_unpack(): Call make_gcc_hard() on want_minispecs to > gcc-compiler-configure(): add --enable-esp to configure command line > gcc_src_compile(): setup_minispecs_gcc_build_specs() depend on <=gcc 4.4.3 and want_minispecs > gcc-compiler_src_install(): Move copy_minispecs_gcc_specs to hardened create_gcc_env_entry part > Move the want_minispecs create_gcc_env_entry to copy_minispecs_gcc_specs > >--- a/eclass/toolchain.eclass 2010-04-25 17:47:56.000000000 +0200 >+++ b/eclass/toolchain.eclass 2010-04-29 00:29:27.000000000 +0200 >@@ -143,6 +143,7 @@ > IUSE="${IUSE} altivec build fortran nls nocxx" > [[ -n ${PIE_VER} ]] && IUSE="${IUSE} nopie" > [[ -n ${PP_VER} ]] && IUSE="${IUSE} nossp" >+ [[ -n ${SPECS_VER} ]] && IUSE="${IUSE} nossp" > [[ -n ${HTB_VER} ]] && IUSE="${IUSE} boundschecking" > [[ -n ${D_VER} ]] && IUSE="${IUSE} d" 
> >@@ -243,6 +244,14 @@ > # SPECS_VER > # SPECS_GCC_VER > # This is for the minispecs files included in the hardened gcc-4.x >+# The specs files for hardenedno*, vanilla and for building the "specs" file. >+# SPECS_VER is expected to be the version of this patch, SPECS_GCC_VER >+# the gcc version of the patch. >+# An example: >+# SPECS_VER="8.7.6.5" >+# SPECS_GCC_VER="3.4.0" >+# The resulting filename of this tarball will be: >+# gcc-${SPECS_GCC_VER:-${GCC_RELEASE_VER}}-specs-${SPECS_VER}.tar.bz2 > # > # PP_VER > # PP_GCC_VER >@@ -278,7 +279,7 @@ > # > gentoo_urls() { > local devspace="HTTP~lv/GCC/URI HTTP~eradicator/gcc/URI HTTP~vapier/dist/URI >- HTTP~halcy0n/patches/URI" >+ HTTP~halcy0n/patches/URI HTTP~zorry/patches/gcc/URI" > devspace=${devspace//HTTP/http:\/\/dev.gentoo.org\/} > echo mirror://gentoo/$1 ${devspace//URI/$1} > } >@@ -290,9 +291,6 @@ > export HTB_GCC_VER=${HTB_GCC_VER:-${GCC_RELEASE_VER}} > export SPECS_GCC_VER=${SPECS_GCC_VER:-${GCC_RELEASE_VER}} > >- [[ -n ${PIE_VER} ]] && \ >- PIE_CORE=${PIE_CORE:-gcc-${PIE_GCC_VER}-piepatches-v${PIE_VER}.tar.bz2} >- > # Set where to download gcc itself depending on whether we're using a > # prerelease, snapshot, or release tarball. > if [[ -n ${PRERELEASE} ]] ; then >@@ -334,11 +332,12 @@ > > # strawberry pie, Cappuccino and a Gauloises (it's a good thing) > [[ -n ${PIE_VER} ]] && \ >- GCC_SRC_URI="${GCC_SRC_URI} !nopie? ( $(gentoo_urls ${PIE_CORE}) )" >- >+ PIE_CORE=${PIE_CORE:-gcc-${PIE_GCC_VER}-piepatches-v${PIE_VER}.tar.bz2} && \ >+ GCC_SRC_URI="${GCC_SRC_URI} $(gentoo_urls ${PIE_CORE})" >+ > # gcc minispec for the hardened gcc 4 compiler > [[ -n ${SPECS_VER} ]] && \ >- GCC_SRC_URI="${GCC_SRC_URI} !nopie? ( $(gentoo_urls gcc-${SPECS_GCC_VER}-specs-${SPECS_VER}.tar.bz2) )" >+ GCC_SRC_URI="${GCC_SRC_URI} $(gentoo_urls gcc-${SPECS_GCC_VER}-specs-${SPECS_VER}.tar.bz2)" > > # gcc bounds checking patch > if [[ -n ${HTB_VER} ]] ; then 
>@@ -392,6 +393,7 @@ > [[ ${CTARGET} == *-freebsd* ]] && return 1 > > want_pie || return 1 >+ tc_version_is_at_least 4.3.2 && use nopie && return 1 > hardened_gcc_is_stable pie && return 0 > if has "~$(tc-arch)" ${ACCEPT_KEYWORDS} ; then > hardened_gcc_check_unsupported pie && return 1 >@@ -400,7 +400,8 @@ > fi > return 1 > elif [[ $1 == "ssp" ]] ; then >- [[ -z ${PP_VER} ]] && return 1 >+ [[ -n ${PP_VER} ]] || [[ -n ${SPECS_VER} ]] || return 1 >+ tc_version_is_at_least 4.3.2 && use nossp && return 1 > hardened_gcc_is_stable ssp && return 0 > if has "~$(tc-arch)" ${ACCEPT_KEYWORDS} ; then > hardened_gcc_check_unsupported ssp && return 1 >@@ -490,7 +490,12 @@ > return 1 > } > want_boundschecking() { _want_stuff HTB_VER boundschecking ; } >-want_pie() { _want_stuff PIE_VER !nopie ; } >+want_pie() { >+ ! use hardened && [[ -n ${PIE_VER} ]] && use nopie && return 1 >+ [[ -n ${PIE_VER} ]] && [[ -n ${SPECS_VER} ]] && return 0 >+ tc_version_is_at_least 4.3.2 && return 1 >+ _want_stuff PIE_VER !nopie >+} > want_ssp() { _want_stuff PP_VER !nossp ; } > > want_split_specs() { >@@ -498,11 +503,19 @@ > } > want_minispecs() { > if tc_version_is_at_least 4.3.2 && use hardened ; then >- if [[ -n ${SPECS_VER} ]] ; then >- return 0 >+ if ! want_pie ; then >+ ewarn "PIE_VER or SPECS_VER is not defiend in the GCC ebuild." >+ elif use vanilla ; then >+ ewarn "You will not get hardened features if you have the vanilla USE-flag." >+ elif use nopie && use nossp ; then >+ ewarn "You will not get hardened features if you have the nopie and nossp USE-flag." >+ elif ! hardened_gcc_works pie && ! hardened_gcc_works ssp && ! use nopie ; then >+ ewarn "Your $(tc-arch) arch is not supported." > else >- die "For Hardened to work you need the minispecs files" >+ return 0 > fi >+ ewarn "Hope you know what you are doing. Hardened will not work." >+ return 0 > fi > return 1 > } 
>@@ -708,27 +730,42 @@ > [[ -n ${gcc_specs_file} ]] && echo "GCC_SPECS=\"${gcc_specs_file}\"" >> ${gcc_envd_file} > } > setup_minispecs_gcc_build_specs() { >- # Setup the "build.specs" file for gcc to use when building. >- if want_minispecs ; then >- if hardened_gcc_works pie ; then >- cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs >- fi >- for s in nostrict znow; do >+ # Setup the "build.specs" file for gcc 4.3 to use when building. >+ if hardened_gcc_works pie ; then >+ cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs >+ fi >+ if hardened_gcc_works ssp ; then >+ for s in ssp sspall ; do > cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs > done >- export GCC_SPECS="${WORKDIR}"/build.specs > fi >+ for s in nostrict znow ; do >+ cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs >+ done >+ export GCC_SPECS="${WORKDIR}"/build.specs > } > copy_minispecs_gcc_specs() { >+ # setup the -hardenedno* specs files and the vanilla specs file. >+ if hardened_gcc_works ; then >+ create_gcc_env_entry hardenednopiessp >+ fi >+ if hardened_gcc_works pie ; then >+ create_gcc_env_entry hardenednopie >+ fi >+ if hardened_gcc_works ssp ; then >+ create_gcc_env_entry hardenednossp >+ fi >+ create_gcc_env_entry vanilla >+ insinto ${LIBPATH} >+ doins "${WORKDIR}"/specs/*.specs || die "failed to install specs" > # Build system specs file which, if it exists, must be a complete set of > # specs as it completely and unconditionally overrides the builtin specs. >- # For gcc 4 >- if use hardened && want_minispecs ; then >+ # For gcc 4.3 >+ if ! tc_version_is_at_least 4.4 ; then > $(XGCC) -dumpspecs > "${WORKDIR}"/specs/specs > cat "${WORKDIR}"/build.specs >> "${WORKDIR}"/specs/specs >- insinto ${LIBPATH} >- doins "${WORKDIR}"/specs/* || die "failed to install specs" >- fi >+ doins "${WORKDIR}"/specs/specs || die "failed to install the specs file" >+ fi > } > add_profile_eselect_conf() { > local compiler_config_file=$1 
>@@ -885,6 +902,7 @@ > > want_libssp && libc_has_ssp && \ > die "libssp cannot be used with a glibc that has been patched to provide ssp symbols" >+ want_minispecs > > unset LANGUAGES #265283 > } >@@ -1010,7 +1030,7 @@ > # the necessary support > want_pie && use hardened && glibc_have_pie > >- if use hardened && ! want_minispecs ; then >+ if use hardened ; then > einfo "updating configuration to build hardened GCC" > make_gcc_hard || die "failed to make gcc hard" > fi >@@ -1201,6 +1219,11 @@ > confgcc="${confgcc} --disable-libssp" > fi > >+ # If we want hardened support with the newer pie-patchset for >=gcc 4.4 >+ if tc_version_is_at_least 4.4 && want_minispecs ; then >+ confgcc="${confgcc} $(use_enable hardened esp)" >+ fi >+ > if tc_version_is_at_least "4.2" ; then > confgcc="${confgcc} $(use_enable openmp libgomp)" > fi >@@ -1682,9 +1719,11 @@ > einfo "CFLAGS=\"${CFLAGS}\"" > einfo "CXXFLAGS=\"${CXXFLAGS}\"" > >- # For hardened gcc 4 for build the hardened specs file to use when building gcc >- setup_minispecs_gcc_build_specs >- >+ # For hardened gcc 4.3 piepatchset to build the hardened specs >+ # file (build.specs) to use when building gcc. >+ if ! tc_version_is_at_least 4.4 && want_minispecs ; then >+ setup_minispecs_gcc_build_specs >+ fi > # Build in a separate build tree > mkdir -p "${WORKDIR}"/build > pushd "${WORKDIR}"/build > /dev/null >@@ -1809,10 +1848,7 @@ > fi > # Setup the gcc_env_entry for hardened gcc 4 with minispecs > if want_minispecs ; then >- if hardened_gcc_works pie ; then >- create_gcc_env_entry hardenednopie >- fi >- create_gcc_env_entry vanilla >+ copy_minispecs_gcc_specs > fi > # Make sure we dont have stuff lying around that > # can nuke multiple versions of gcc 
>@@ -1918,9 +1950,6 @@ > # Create config files for eselect-compiler > create_eselect_conf > >- # Cpoy the needed minispec for hardened gcc 4 >- copy_minispecs_gcc_specs >- > # Move pretty-printers to gdb datadir to shut ldconfig up > gdbdir=/usr/share/gdb/auto-load > for module in $(find "${D}" -iname "*-gdb.py" -print); do >@@ -2271,13 +2297,12 @@ > # adds default pie support (rs6000 too) if DEFAULT_PIE[_SSP] is defined > EPATCH_MULTI_MSG="Applying default pie patches ..." \ > epatch "${WORKDIR}"/piepatch/def >- >+ fi > # we want to be able to control the pie patch logic via something other > # than ALL_CFLAGS... > sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \ > -e 's|^ALL_CFLAGS = |ALL_CFLAGS = $(HARD_CFLAGS) |' \ > -i "${S}"/gcc/Makefile.in >- fi > > BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}" > }
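Review bot: in the hunk at @@ -143,6 +143,7 @@ the new SPECS_VER line adds nossp to IUSE a second time when an ebuild defines both PP_VER and SPECS_VER, because the PP_VER line directly above it already appends the same flag. A single combined test, for example [[ -n ${PP_VER} || -n ${SPECS_VER} ]] && IUSE="${IUSE} nossp", keeps the flag listed once.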
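Review bot: the example added to the SPECS_VER comment block (@@ -243,6 +244,14 @@) uses SPECS_GCC_VER="3.4.0", although the context line just above says the minispecs are for the hardened gcc-4.x, and the text calls the specs tarball "this patch". An example with a 4.x version and wording that says "tarball" throughout would match the filename pattern given on the last added line.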
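Review bot: in the @@ -490,7 +490,12 @@ hunk want_pie() is rewritten around SPECS_VER, but want_ssp() on the following context line still reads _want_stuff PP_VER !nossp, so on an ebuild that sets only SPECS_VER want_ssp stays false while the patched hardened_gcc_works ssp can return success. Either give want_ssp the same SPECS_VER handling or document why the two differ. The new want_pie also returns 0 whenever PIE_VER and SPECS_VER are both set, even with USE=nopie on a hardened build, so the function now answers "is the PIE patchset available" rather than "does the user want PIE"; a comment stating that would save the next reader from assuming the old meaning.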
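Review bot: in want_minispecs() (@@ -498,11 +503,19 @@) every warning branch falls through to the final ewarn and then return 0, so the function reports success in exactly the cases where it has just said hardening will not work, including the first branch where PIE_VER or SPECS_VER is missing and the old code called die. Callers that test want_minispecs will then go on to use specs files that may not have been unpacked. Returning 1 (or keeping die for the missing-SPECS_VER case) after the warnings would make a hardened build fail or fall back visibly instead of producing a compiler that is labelled hardened but is not. Since this patch also calls the function from gcc_pkg_setup, the configure step, gcc_src_compile and the install step, the warnings will be printed on each call; moving them into a separate function that only pkg_setup calls would avoid that. The first message also has a typo: "defiend".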
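Review bot: copy_minispecs_gcc_specs() (@@ -708,27 +730,42 @@) loses its own guard, if use hardened && want_minispecs, and now always runs insinto ${LIBPATH} and doins "${WORKDIR}"/specs/*.specs || die, so it is only safe because the single call site added later in this patch wraps it in if want_minispecs. Keeping an early return at the top of the function would stop a future caller from hitting the die on a non-hardened build. The first added test calls hardened_gcc_works with no argument, whereas every other call in this patch passes pie or ssp; a short comment on what the argument-less form checks before hardenednopiessp is registered would help. The same applies to setup_minispecs_gcc_build_specs(), whose want_minispecs guard is moved out to the caller in gcc_src_compile.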
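Review bot: the @@ -1010,7 +1030,7 @@ hunk drops the ! want_minispecs condition so make_gcc_hard now runs for every hardened build, but the matching changelog entry is cut off mid-sentence ("Call make_gcc_hard() on want_minispecs to"), so the reason is not recorded anywhere in the patch. Please finish that entry and say whether make_gcc_hard is expected to coexist with the --enable-esp path added for gcc 4.4 and later.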
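Review bot: in the configure hunk (@@ -1201,6 +1219,11 @@) the added $(use_enable hardened esp) sits inside if tc_version_is_at_least 4.4 && want_minispecs, and want_minispecs only returns 0 when use hardened is true, so the expression can only ever expand to --enable-esp and --disable-esp is never passed. Either write --enable-esp directly, or drop want_minispecs from the condition so non-hardened builds get an explicit --disable-esp. As want_minispecs is written in this patch, it also returns 0 with USE=vanilla or with nopie and nossp both set, so this branch will pass --enable-esp in those cases too; check that this is intended.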
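Review bot: the last hunk (@@ -2271,13 +2297,12 @@) moves the closing fi above the sed that injects HARD_CFLAGS into gcc/Makefile.in, which makes that edit run regardless of the enclosing condition, yet the changelog at the top of the patch has no entry for this function. Please add one and state why the Makefile.in edit must now be unconditional; the condition itself is outside the visible context, so the effect cannot be judged from the patch alone.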