Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 775128

Summary: dev-libs/elfutils-0.182 does not respect LDFLAGS
Product: Gentoo Linux Reporter: Agostino Sarubbo <ago>
Component: Current packagesAssignee: Gentoo Toolchain Maintainers <toolchain>
Status: RESOLVED OBSOLETE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2021-03-09 20:54:31 UTC 
Compile with LDFLAGS="${LDFLAGS} -Wl,--hash-style=gnu -Wl,-z,norelro"

# checksec --file=/usr/lib64/libdw-0.182.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    DSO             No RPATH   No RUNPATH   No Symbols        Yes   9               21              /usr/lib64/libdw-0.182.so

Partial relro is active instead of No relro.
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2021-03-09 21:26:42 UTC 
> dev-libs/elfutils-0.182 does not respect LDFLAGS

I think it depends on your definition. Default linker canary gets passed just fine (at least for me).

I don't have checksec installed. Where does it come from?

Can you attach a build.log so we could check what was passed for linking libdw.so?

My guess is that due to https://sourceware.org/git/?p=elfutils.git;a=blob;f=configure.ac;h=aa8439e82b757a3b2d6e561c2c32a0dc84c5f644;hb=HEAD#l209

 209 ZRELRO_LDFLAGS="-Wl,-z,relro"
 210 AC_CACHE_CHECK([whether gcc supports $ZRELRO_LDFLAGS], ac_cv_zrelro, [dnl
 211 save_LDFLAGS="$LDFLAGS"
 212 LDFLAGS="$ZRELRO_LDFLAGS $save_LDFLAGS"
 213 AC_LINK_IFELSE([AC_LANG_PROGRAM()], ac_cv_zrelro=yes, ac_cv_zrelro=no)
 214 LDFLAGS="$save_LDFLAGS"
 215 ])
 216 if test "$ac_cv_zrelro" = "yes"; then
 217         dso_LDFLAGS="$dso_LDFLAGS $ZRELRO_LDFLAGS"
 218 fi
 219 
 220 AC_SUBST([dso_LDFLAGS])

-Wl,-z,relro gets appended to existing user's flags. But does not override it. I find it reasonable. Unless we really want to undo minor hardening downstream like this. Gentoo's binutils apready defaults to --enable-relro, thus I'd say it's a reasonable default upstream as well.

The minor arguable point is whether user's LDFLAGS should override package's behaviour. Flags ordering should better be handled upstream as it might be quite invasive.
Comment 2 Agostino Sarubbo gentoo-dev 2021-03-09 21:42:45 UTC 
checksec is from app-admin/checksec I'll attach the build log but I guess that relro is appened after my norelro
Comment 3 Agostino Sarubbo gentoo-dev 2021-03-09 21:44:50 UTC 
(In reply to Sergei Trofimovich from comment #1)
> Gentoo's binutils apready defaults to --enable-relro,

I guess it is done in the hardening profile not for standard profile unless it changed lately
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2021-03-09 23:46:04 UTC 
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Sergei Trofimovich from comment #1)
> > Gentoo's binutils apready defaults to --enable-relro,
> 
> I guess it is done in the hardening profile not for standard profile unless
> it changed lately

--enable-relro is enabled in binutils unconditionally:

  https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-devel/binutils/binutils-2.36.1.ebuild#n246

    --enable-relro
    # Newer versions (>=2.24) make this an explicit option. #497268


Initially it was added in 2017, 4 years ago: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a21b012fa6c110975dd84f0b31cc9bdac216a1cc
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2023-08-22 22:04:50 UTC 
Version long gone