Attachment #99055 for bug #149649




# If you want to play with it, unmask in /etc/portage/package.unmask
# but be prepared to rebuild anything you build with gcc-4, later.
# 2006-01-11 kevquinn
# BETA PATCH TESTING # =sys-devel/gcc-4*

# Mask off glibc-2.4 until the approach for SSP compatibilty is
# resolved in a way that doesn't break running systems, and we
# have a sensible upgrade path.  Advise having a static busybox
# around if you try it in a live system.
# 2006-03-13 kevquinn
# BETA PATCH TESTING # =sys-libs/glibc-2.4*

# These packages do more harm than good w/ hardened.
# users must now the opensource xorg nv driver with nvidia cards.

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/hardened.specs (+15 lines)
	1	diff -Nru gcc-4.1.1.ORIG/gcc/gcc.c gcc-4.1.1/gcc/gcc.c
	2	--- gcc-4.1.1.ORIG/gcc/gcc.c 2006-10-07 17:32:48.000000000 +0200
Line 0 Link Here
	1	Add callouts to minispecs to simplify gcc hardening.
	2	Hardening is achieved through "minispecs" which adjust
	3	the additional specs CC1_SSP, CC1_PIE, LINK_COMMAND_PIE
	4	(and rewriting STARTFILE_SPEC/ENDFILE_SPEC for PIE).
	5	These minispecs are supplied directly rather than
	6	patching gcc itself.
	7	Kevin F. Quinn, 2006-10-02
	8
	9	--- gcc/gcc.c.orig 2006-10-03 03:13:30.000000000 +0200
Line 0 Link Here
	1	%include <pie.specs>
	2	%include <ssp.specs>
	3	%include <zrelro.specs>
	4	%include <znow.specs>

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/hardenednopie.specs (+3 lines)
	1	%include <ssp.specs>
	2	%include <zrelro.specs>
	3	%include <znow.specs>

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/hardenednopiessp.specs (+2 lines)
	1	%include <zrelro.specs>
	2	%include <znow.specs>

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/hardenednossp.specs (+3 lines)
	1	%include <pie.specs>
	2	%include <zrelro.specs>
	3	%include <znow.specs>




*asm_pic:
%{D__KERNEL__|static|nostdlib|nostartfiles|fPIC|fpic|fno-PIC|fno-pic|fPIE|fpie|fno-PIE|fno-pie|nopie:;:-K PIC}

*cc1_pie:
%{D__KERNEL__|static|nostdlib|nostartfiles|fPIC|fpic|fno-PIC|fno-pic|fPIE|fpie|fno-PIE|fno-pie|nopie:;:-fPIE}

*startfile:
%{!shared: %{nopie:%{pg|p|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s};:Scrt1.o%s}}    crti.o%s %{nopie:%{static:crtbeginT.o%s;%{shared|pie:crtbeginS.o%s;:crtbegin.o%s}};:%{static:crtbeginT.o%s;:crtbeginS.o%s}}

*endfile:
%{ffast-math|funsafe-math-optimizations:crtfastmath.o%s}    %{static|nopie:%{shared|pie:crtendS.o%s;:crtend.o%s};:crtendS.o%s} crtn.o%s

*link_command_pie:
%{pie:-pie;:%{nopie|static|A|shared|nostdlib|nostartfiles|fno-PIE|fno-pie:;:-pie}}


Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/ssp.specs (+3 lines)
	1	*cc1_ssp:
	2	%{D__KERNEL__\|nostdlib\|nodefaultlibs\|fno-stack-protector\|fstack-protector\|fno-stack-protector-all:;:-fstack-protector-all}
	3

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/znow.specs (+3 lines)
	1	*link_command_zrelro:
	2	%{!nonow: -z now} %{now: }
	3

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/zrelro.specs (+3 lines)
	1	*link_command_zrelro:
	2	%{!norelro: -z relro} %{relro: }
	3

Lines 57-61 Link Here

(-)portage.ORIG/sys-devel/gcc/gcc-4.1.1-r1.ebuild (+4 lines)
57	# Fix cross-compiling	57	# Fix cross-compiling
58	epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch	58	epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch
59		59
		60	# Add hardened minispec support
		61	use hardened && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch
		62	use hardened && use ppc && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch
		63
60	[[ ${CTARGET} == -softfloat- ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch	64	[[ ${CTARGET} == -softfloat- ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch
61	}	65	}




--- login/Makefile.orig	2006-02-10 11:40:05.000000000 +0100

	Modifications to glibc-2.4 to allow it to build with stack-protection
	enabled throughout, and to provide a logging stack_chk_fail handler.

	debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to
	  syslog, and uses syscalls directly inline.

	debug/Makefile: build stack_chk_fail_local -fno-stack-protector
	  Leave stack_chk_fail alone, so checking __SSP__ will show whether
	  compiler is rigged to build SSP, and hence that we want the modified
	  handler (which will never trigger SSP because there are no function
	  calls).

	csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on
	  crti/crtn (i.e. compilation of initfini)

	elf/rtld-Rules: Add compilation rules for .oS targets (so that
	  stack_chk_fail_local will build for rtld).

	elf/Makefile: Add libc_nonshared.a to rtld build set so that
	  stack_chk_fail_local can be found (and other modifications
	  so that static objects are considered).

	Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for
	  SSP builds on x86 so that it can resolve __stack_chk_fail_local).
	  Note this is a whole-archive link so adding libc_nonshared.a is
	  causes too much stuff to be included.

	Kevin F. Quinn 2006-09-30

--- debug/stack_chk_fail.c.orig	2006-09-29 17:04:58.000000000 +0200

		epatch "${WORKDIR}"/patches
	fi

	if use hardened ; then
		einfo "Patching pt_chown to BIND_NOW"
		epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch

		einfo "Patching SSP handler so that glibc builds with hardened compiler"
		epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch
	fi

	gnuconfig_update
}


Return to bug 149649

Lines 11-24 Link Here

(-)portage.ORIG/profiles/hardened/package.mask (-2 / +2 lines)
11	# If you want to play with it, unmask in /etc/portage/package.unmask	11	# If you want to play with it, unmask in /etc/portage/package.unmask
12	# but be prepared to rebuild anything you build with gcc-4, later.	12	# but be prepared to rebuild anything you build with gcc-4, later.
13	# 2006-01-11 kevquinn	13	# 2006-01-11 kevquinn
14	=sys-devel/gcc-4*	14	# BETA PATCH TESTING # =sys-devel/gcc-4*
15		15
16	# Mask off glibc-2.4 until the approach for SSP compatibilty is	16	# Mask off glibc-2.4 until the approach for SSP compatibilty is
17	# resolved in a way that doesn't break running systems, and we	17	# resolved in a way that doesn't break running systems, and we
18	# have a sensible upgrade path. Advise having a static busybox	18	# have a sensible upgrade path. Advise having a static busybox
19	# around if you try it in a live system.	19	# around if you try it in a live system.
20	# 2006-03-13 kevquinn	20	# 2006-03-13 kevquinn
21	=sys-libs/glibc-2.4*	21	# BETA PATCH TESTING # =sys-libs/glibc-2.4*
22		22
23	# These packages do more harm than good w/ hardened.	23	# These packages do more harm than good w/ hardened.
24	# users must now the opensource xorg nv driver with nvidia cards.	24	# users must now the opensource xorg nv driver with nvidia cards.

Line 0 Link Here

(-)portage.ORIG/sys-devel/gcc/files/specs/pie.specs (+15 lines)
	1	*asm_pic:
	2	%{D__KERNEL__\|static\|nostdlib\|nostartfiles\|fPIC\|fpic\|fno-PIC\|fno-pic\|fPIE\|fpie\|fno-PIE\|fno-pie\|nopie:;:-K PIC}
	3
	4	*cc1_pie:
	5	%{D__KERNEL__\|static\|nostdlib\|nostartfiles\|fPIC\|fpic\|fno-PIC\|fno-pic\|fPIE\|fpie\|fno-PIE\|fno-pie\|nopie:;:-fPIE}
	6
	7	*startfile:
	8	%{!shared: %{nopie:%{pg\|p\|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s};:Scrt1.o%s}} crti.o%s %{nopie:%{static:crtbeginT.o%s;%{shared\|pie:crtbeginS.o%s;:crtbegin.o%s}};:%{static:crtbeginT.o%s;:crtbeginS.o%s}}
	9
	10	*endfile:
	11	%{ffast-math\|funsafe-math-optimizations:crtfastmath.o%s} %{static\|nopie:%{shared\|pie:crtendS.o%s;:crtend.o%s};:crtendS.o%s} crtn.o%s
	12
	13	*link_command_pie:
	14	%{pie:-pie;:%{nopie\|static\|A\|shared\|nostdlib\|nostartfiles\|fno-PIE\|fno-pie:;:-pie}}
	15

Line 0 Link Here

(-)portage.ORIG/sys-libs/glibc/glibc-2.5.ebuild (+39 lines)
		1	--- login/Makefile.orig 2006-02-10 11:40:05.000000000 +0100
Line 0 Link Here
		1	Modifications to glibc-2.4 to allow it to build with stack-protection
		2	enabled throughout, and to provide a logging stack_chk_fail handler.
		3
		4	debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to
		5	syslog, and uses syscalls directly inline.
		6
		7	debug/Makefile: build stack_chk_fail_local -fno-stack-protector
		8	Leave stack_chk_fail alone, so checking __SSP__ will show whether
		9	compiler is rigged to build SSP, and hence that we want the modified
		10	handler (which will never trigger SSP because there are no function
		11	calls).
		12
		13	csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on
		14	crti/crtn (i.e. compilation of initfini)
		15
		16	elf/rtld-Rules: Add compilation rules for .oS targets (so that
		17	stack_chk_fail_local will build for rtld).
		18
		19	elf/Makefile: Add libc_nonshared.a to rtld build set so that
		20	stack_chk_fail_local can be found (and other modifications
		21	so that static objects are considered).
		22
		23	Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for
		24	SSP builds on x86 so that it can resolve __stack_chk_fail_local).
		25	Note this is a whole-archive link so adding libc_nonshared.a is
		26	causes too much stuff to be included.
		27
		28	Kevin F. Quinn 2006-09-30
		29
		30	--- debug/stack_chk_fail.c.orig 2006-09-29 17:04:58.000000000 +0200
Lines 214-219 Link Here
214	epatch "${WORKDIR}"/patches	214	epatch "${WORKDIR}"/patches
215	fi	215	fi
216		216
		217	if use hardened ; then
		218	einfo "Patching pt_chown to BIND_NOW"
		219	epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch
		220
		221	einfo "Patching SSP handler so that glibc builds with hardened compiler"
		222	epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch
		223	fi
		224
217	gnuconfig_update	225	gnuconfig_update
218	}	226	}
219		227