|
Lines 61-66
|
| 61 |
#### bindnow-flags #### |
61 |
#### bindnow-flags #### |
| 62 |
# Returns the flags to enable "now" binding in the current selected linker. |
62 |
# Returns the flags to enable "now" binding in the current selected linker. |
| 63 |
# |
63 |
# |
|
|
64 |
#### get-soft-flags #### |
| 65 |
# Write to stdout the gcc options to disable hardened tech |
| 66 |
# Intended for use where the options need to be set to |
| 67 |
# something other than C[XX]FLAGS. Use this rather than |
| 68 |
# hard-coding the flags in ebuilds. |
| 69 |
# Usage: |
| 70 |
# MY_CC_OPTS=$(get-soft-flags [pie] [ssp] [ssp-to-all] [now] [relro]) |
| 71 |
# |
| 64 |
################ DEPRECATED functions ################ |
72 |
################ DEPRECATED functions ################ |
| 65 |
# The following are still present to avoid breaking existing |
73 |
# The following are still present to avoid breaking existing |
| 66 |
# code more than necessary; however they are deprecated. Please |
74 |
# code more than necessary; however they are deprecated. Please |
|
Lines 101-107
|
| 101 |
export ALLOWED_FLAGS="${ALLOWED_FLAGS} -g -g0 -g1 -g2 -g3 -ggdb -ggdb0 -ggdb1 -ggdb2 -ggdb3" |
109 |
export ALLOWED_FLAGS="${ALLOWED_FLAGS} -g -g0 -g1 -g2 -g3 -ggdb -ggdb0 -ggdb1 -ggdb2 -ggdb3" |
| 102 |
fi |
110 |
fi |
| 103 |
# allow a bunch of flags that negate features / control ABI |
111 |
# allow a bunch of flags that negate features / control ABI |
| 104 |
ALLOWED_FLAGS="${ALLOWED_FLAGS} -fno-stack-protector -fno-stack-protector-all" |
112 |
ALLOWED_FLAGS="${ALLOWED_FLAGS} -nopie -nonow -norelro -fno-stack-protector -fno-stack-protector-all" |
| 105 |
ALLOWED_FLAGS="${ALLOWED_FLAGS} -mregparm -mno-app-regs -mapp-regs \ |
113 |
ALLOWED_FLAGS="${ALLOWED_FLAGS} -mregparm -mno-app-regs -mapp-regs \ |
| 106 |
-mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow \ |
114 |
-mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow \ |
| 107 |
-mips1 -mips2 -mips3 -mips4 -mips32 -mips64 -mips16 \ |
115 |
-mips1 -mips2 -mips3 -mips4 -mips32 -mips64 -mips16 \ |
|
Lines 118-123
|
| 118 |
return 0 |
126 |
return 0 |
| 119 |
} |
127 |
} |
| 120 |
|
128 |
|
|
|
129 |
# echo flags to disabled hardened tech |
| 130 |
get-soft-flags() { |
| 131 |
local f |
| 132 |
for f in "$@" ; do |
| 133 |
case "${f}" in |
| 134 |
# Ideally we should only concern ourselves with PIE flags, |
| 135 |
# not -fPIC or -fpic, but too many places filter -fPIC without |
| 136 |
# thinking about -fPIE. |
| 137 |
pie) |
| 138 |
gcc-specs-pie || continue |
| 139 |
is-flagq -nopie || echo -n -nopie;; |
| 140 |
ssp) |
| 141 |
gcc-specs-ssp || continue |
| 142 |
is-flagq -fno-stack-protector || echo -n -fno-stack-protector;; |
| 143 |
ssp-to-all) |
| 144 |
gcc-specs-ssp-to-all || continue |
| 145 |
is-flagq -fno-stack-protector-all || echo -n -fno-stack-protector-all;; |
| 146 |
now) |
| 147 |
gcc-specs-now || continue |
| 148 |
is-flagq -nonow || echo -n -nonow;; |
| 149 |
relro) |
| 150 |
gcc-specs-relro || continue |
| 151 |
is-flagq -norelro || echo -n -norelro;; |
| 152 |
*) |
| 153 |
die "get-soft-flags does not understand ${f}";; |
| 154 |
esac |
| 155 |
done |
| 156 |
} |
| 157 |
|
| 121 |
# inverted filters for hardened compiler. This is trying to unpick |
158 |
# inverted filters for hardened compiler. This is trying to unpick |
| 122 |
# the hardened compiler defaults. |
159 |
# the hardened compiler defaults. |
| 123 |
_filter-hardened() { |
160 |
_filter-hardened() { |
|
Lines 128-141
|
| 128 |
# not -fPIC or -fpic, but too many places filter -fPIC without |
165 |
# not -fPIC or -fpic, but too many places filter -fPIC without |
| 129 |
# thinking about -fPIE. |
166 |
# thinking about -fPIE. |
| 130 |
-fPIC|-fpic|-fPIE|-fpie|-Wl,pie|-pie) |
167 |
-fPIC|-fpic|-fPIE|-fpie|-Wl,pie|-pie) |
| 131 |
gcc-specs-pie || continue |
168 |
append-flags $(get-soft-flags pie);; |
| 132 |
is-flagq -nopie || append-flags -nopie;; |
|
|
| 133 |
-fstack-protector) |
169 |
-fstack-protector) |
| 134 |
gcc-specs-ssp || continue |
170 |
append-flags $(get-soft-flags ssp);; |
| 135 |
is-flagq -fno-stack-protector || append-flags -fno-stack-protector;; |
|
|
| 136 |
-fstack-protector-all) |
171 |
-fstack-protector-all) |
| 137 |
gcc-specs-ssp-to-all || continue |
172 |
append-flags $(get-soft-flags ssp-to-all);; |
| 138 |
is-flagq -fno-stack-protector-all || append-flags -fno-stack-protector-all;; |
|
|
| 139 |
esac |
173 |
esac |
| 140 |
done |
174 |
done |
| 141 |
} |
175 |
} |
|
Lines 385-391
|
| 385 |
# its really only present due to the append-flags() abomination. |
420 |
# its really only present due to the append-flags() abomination. |
| 386 |
test-flags() { test-flags-CC "$@"; } |
421 |
test-flags() { test-flags-CC "$@"; } |
| 387 |
|
422 |
|
| 388 |
# Depriciated, use test-flags() |
423 |
# Deprecated, use test-flags() |
| 389 |
test_flag() { |
424 |
test_flag() { |
| 390 |
ewarn "test_flag: deprecated, please use test-flags()!" >&2 |
425 |
ewarn "test_flag: deprecated, please use test-flags()!" >&2 |
| 391 |
|
426 |
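Review bot: The new get-soft-flags() prints every flag with `echo -n` and no separator, so the multi-argument call in its own usage comment, `$(get-soft-flags pie ssp)`, produces the single word `-nopie-fno-stack-protector` instead of two options. Emitting a trailing space fixes it, e.g. `is-flagq -nopie || echo -n "-nopie "` in each arm; the single-argument calls from _filter-hardened() are unaffected either way. The `is-flagq` guard also sits oddly with the stated purpose: if it inspects C[XX]FLAGS, as its use here suggests, a flag already present there is suppressed and never reaches the caller's separate variable, so the dedup check may belong in _filter-hardened() rather than in the getter. Finally, adding `-nopie -nonow -norelro` to ALLOWED_FLAGS lets options that switch hardening off pass the allow-list; a comment on that line such as `# hardening opt-outs are intentionally allowed` would record that this is deliberate.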
|