Attachment #99045 for bug #149649




# If you want to play with it, unmask in /etc/portage/package.unmask
# but be prepared to rebuild anything you build with gcc-4, later.
# 2006-01-11 kevquinn
# BETA PATCH TESTING # =sys-devel/gcc-4*

# Mask off glibc-2.4 until the approach for SSP compatibilty is
# resolved in a way that doesn't break running systems, and we
# have a sensible upgrade path.  Advise having a static busybox
# around if you try it in a live system.
# 2006-03-13 kevquinn
# BETA PATCH TESTING # =sys-libs/glibc-2.4*

# These packages do more harm than good w/ hardened.
# users must now the opensource xorg nv driver with nvidia cards.

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/gcc-4.1.1-r1.ebuild (+12 lines)
		1	Add callouts to minispecs to simplify gcc hardening.
		2	Hardening is achieved through "minispecs" which adjust
		3	the additional specs CC1_SSP, CC1_PIE, LINK_COMMAND_PIE
		4	(and rewriting STARTFILE_SPEC/ENDFILE_SPEC for PIE).
		5	These minispecs are supplied directly rather than
		6	patching gcc itself.
		7	Kevin F. Quinn, 2006-10-02
		8
		9	--- gcc/gcc.c.orig 2006-10-03 03:13:30.000000000 +0200
Lines 57-61 Link Here
57	# Fix cross-compiling	57	# Fix cross-compiling
58	epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch	58	epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch
59		59
		60	# Add hardened minispec support
		61	use hardened && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch
		62
60	[[ ${CTARGET} == -softfloat- ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch	63	[[ ${CTARGET} == -softfloat- ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch
61	}	64	}




--- login/Makefile.orig	2006-02-10 11:40:05.000000000 +0100

	Modifications to glibc-2.4 to allow it to build with stack-protection
	enabled throughout, and to provide a logging stack_chk_fail handler.

	debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to
	  syslog, and uses syscalls directly inline.

	debug/Makefile: build stack_chk_fail_local -fno-stack-protector
	  Leave stack_chk_fail alone, so checking __SSP__ will show whether
	  compiler is rigged to build SSP, and hence that we want the modified
	  handler (which will never trigger SSP because there are no function
	  calls).

	csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on
	  crti/crtn (i.e. compilation of initfini)

	elf/rtld-Rules: Add compilation rules for .oS targets (so that
	  stack_chk_fail_local will build for rtld).

	elf/Makefile: Add libc_nonshared.a to rtld build set so that
	  stack_chk_fail_local can be found (and other modifications
	  so that static objects are considered).

	Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for
	  SSP builds on x86 so that it can resolve __stack_chk_fail_local).
	  Note this is a whole-archive link so adding libc_nonshared.a is
	  causes too much stuff to be included.

	Kevin F. Quinn 2006-09-30

--- debug/stack_chk_fail.c.orig	2006-09-29 17:04:58.000000000 +0200

		epatch "${WORKDIR}"/patches
	fi

	if use hardened ; then
		einfo "Patching pt_chown to BIND_NOW"
		epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch

		einfo "Patching SSP handler so that glibc builds with hardened compiler"
		epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch
	fi

	gnuconfig_update
}


Return to bug 149649

Lines 11-24 Link Here

(-)portage.ORIG/profiles/hardened/package.mask (-2 / +2 lines)
11	# If you want to play with it, unmask in /etc/portage/package.unmask	11	# If you want to play with it, unmask in /etc/portage/package.unmask
12	# but be prepared to rebuild anything you build with gcc-4, later.	12	# but be prepared to rebuild anything you build with gcc-4, later.
13	# 2006-01-11 kevquinn	13	# 2006-01-11 kevquinn
14	=sys-devel/gcc-4*	14	# BETA PATCH TESTING # =sys-devel/gcc-4*
15		15
16	# Mask off glibc-2.4 until the approach for SSP compatibilty is	16	# Mask off glibc-2.4 until the approach for SSP compatibilty is
17	# resolved in a way that doesn't break running systems, and we	17	# resolved in a way that doesn't break running systems, and we
18	# have a sensible upgrade path. Advise having a static busybox	18	# have a sensible upgrade path. Advise having a static busybox
19	# around if you try it in a live system.	19	# around if you try it in a live system.
20	# 2006-03-13 kevquinn	20	# 2006-03-13 kevquinn
21	=sys-libs/glibc-2.4*	21	# BETA PATCH TESTING # =sys-libs/glibc-2.4*
22		22
23	# These packages do more harm than good w/ hardened.	23	# These packages do more harm than good w/ hardened.
24	# users must now the opensource xorg nv driver with nvidia cards.	24	# users must now the opensource xorg nv driver with nvidia cards.

Line 0 Link Here

(-)portage.ORIG/sys-libs/glibc/glibc-2.5.ebuild (+39 lines)
		1	--- login/Makefile.orig 2006-02-10 11:40:05.000000000 +0100
Line 0 Link Here
		1	Modifications to glibc-2.4 to allow it to build with stack-protection
		2	enabled throughout, and to provide a logging stack_chk_fail handler.
		3
		4	debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to
		5	syslog, and uses syscalls directly inline.
		6
		7	debug/Makefile: build stack_chk_fail_local -fno-stack-protector
		8	Leave stack_chk_fail alone, so checking __SSP__ will show whether
		9	compiler is rigged to build SSP, and hence that we want the modified
		10	handler (which will never trigger SSP because there are no function
		11	calls).
		12
		13	csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on
		14	crti/crtn (i.e. compilation of initfini)
		15
		16	elf/rtld-Rules: Add compilation rules for .oS targets (so that
		17	stack_chk_fail_local will build for rtld).
		18
		19	elf/Makefile: Add libc_nonshared.a to rtld build set so that
		20	stack_chk_fail_local can be found (and other modifications
		21	so that static objects are considered).
		22
		23	Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for
		24	SSP builds on x86 so that it can resolve __stack_chk_fail_local).
		25	Note this is a whole-archive link so adding libc_nonshared.a is
		26	causes too much stuff to be included.
		27
		28	Kevin F. Quinn 2006-09-30
		29
		30	--- debug/stack_chk_fail.c.orig 2006-09-29 17:04:58.000000000 +0200
Lines 214-219 Link Here
214	epatch "${WORKDIR}"/patches	214	epatch "${WORKDIR}"/patches
215	fi	215	fi
216		216
		217	if use hardened ; then
		218	einfo "Patching pt_chown to BIND_NOW"
		219	epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch
		220
		221	einfo "Patching SSP handler so that glibc builds with hardened compiler"
		222	epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch
		223	fi
		224
217	gnuconfig_update	225	gnuconfig_update
218	}	226	}
219		227