Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775128 - dev-libs/elfutils-0.182 does not respect LDFLAGS
Summary: dev-libs/elfutils-0.182 does not respect LDFLAGS
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-09 20:54 UTC by Agostino Sarubbo
Modified: 2021-03-09 23:46 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2021-03-09 20:54:31 UTC
Compile with LDFLAGS="${LDFLAGS} -Wl,--hash-style=gnu -Wl,-z,norelro"

# checksec --file=/usr/lib64/libdw-0.182.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    DSO             No RPATH   No RUNPATH   No Symbols        Yes   9               21              /usr/lib64/libdw-0.182.so

Partial relro is active instead of No relro.
Comment 1 Sergei Trofimovich gentoo-dev 2021-03-09 21:26:42 UTC
> dev-libs/elfutils-0.182 does not respect LDFLAGS

I think it depends on your definition. Default linker canary gets passed just fine (at least for me).

I don't have checksec installed. Where does it come from?

Can you attach a build.log so we could check what was passed for linking libdw.so?

My guess is that due to https://sourceware.org/git/?p=elfutils.git;a=blob;f=configure.ac;h=aa8439e82b757a3b2d6e561c2c32a0dc84c5f644;hb=HEAD#l209

 209 ZRELRO_LDFLAGS="-Wl,-z,relro"
 210 AC_CACHE_CHECK([whether gcc supports $ZRELRO_LDFLAGS], ac_cv_zrelro, [dnl
 211 save_LDFLAGS="$LDFLAGS"
 212 LDFLAGS="$ZRELRO_LDFLAGS $save_LDFLAGS"
 213 AC_LINK_IFELSE([AC_LANG_PROGRAM()], ac_cv_zrelro=yes, ac_cv_zrelro=no)
 214 LDFLAGS="$save_LDFLAGS"
 215 ])
 216 if test "$ac_cv_zrelro" = "yes"; then
 217         dso_LDFLAGS="$dso_LDFLAGS $ZRELRO_LDFLAGS"
 218 fi
 219 
 220 AC_SUBST([dso_LDFLAGS])

-Wl,-z,relro gets appended to existing user's flags. But does not override it. I find it reasonable. Unless we really want to undo minor hardening downstream like this. Gentoo's binutils apready defaults to --enable-relro, thus I'd say it's a reasonable default upstream as well.

The minor arguable point is whether user's LDFLAGS should override package's behaviour. Flags ordering should better be handled upstream as it might be quite invasive.
Comment 2 Agostino Sarubbo gentoo-dev 2021-03-09 21:42:45 UTC
checksec is from app-admin/checksec I'll attach the build log but I guess that relro is appened after my norelro
Comment 3 Agostino Sarubbo gentoo-dev 2021-03-09 21:44:50 UTC
(In reply to Sergei Trofimovich from comment #1)
> Gentoo's binutils apready defaults to --enable-relro,

I guess it is done in the hardening profile not for standard profile unless it changed lately
Comment 4 Sergei Trofimovich gentoo-dev 2021-03-09 23:46:04 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Sergei Trofimovich from comment #1)
> > Gentoo's binutils apready defaults to --enable-relro,
> 
> I guess it is done in the hardening profile not for standard profile unless
> it changed lately

--enable-relro is enabled in binutils unconditionally:

  https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-devel/binutils/binutils-2.36.1.ebuild#n246

    --enable-relro
    # Newer versions (>=2.24) make this an explicit option. #497268


Initially it was added in 2017, 4 years ago: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a21b012fa6c110975dd84f0b31cc9bdac216a1cc