-rw-r--r-- | eclass/toolchain-funcs.eclass | 67 | ||||
-rw-r--r-- | eclass/toolchain-glibc.eclass | 48 | ||||
-rw-r--r-- | sys-libs/glibc/glibc-2.25-r1.ebuild | 5 | ||||
-rw-r--r-- | sys-libs/glibc/glibc-9999.ebuild | 5 |
4 files changed, 102 insertions, 23 deletions
diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
index a0c359a950b2..121db46e62b5 100644
--- a/eclass/toolchain-funcs.eclass
+++ b/eclass/toolchain-funcs.eclass
@@ -792,6 +792,73 @@ gcc-specs-stack-check() {
 }
 
+# @FUNCTION: tc-enables-pie
+# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
+# @DESCRIPTION:
+# Return truth if the current compiler generates position-independent code (PIC)
+# which can be linked into executables.
+tc-enables-pie() {
+ local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+ #if defined(__PIE__)
+ true
+ #endif
+ EOF
+ )"
+ [[ ${ret} == true ]]
+}
+
+# @FUNCTION: tc-enables-ssp
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least minimal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+# -fstack-protector
+# -fstack-protector-strong
+# -fstack-protector-all
+tc-enables-ssp() {
+ local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+ #if defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+ true
+ #endif
+ EOF
+ )"
+ [[ ${ret} == true ]]
+}
+
+# @FUNCTION: tc-enables-ssp-strong
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least middle level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+# -fstack-protector-strong
+# -fstack-protector-all
+tc-enables-ssp-strong() {
+ local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+ #if defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+ true
+ #endif
+ EOF
+ )"
+ [[ ${ret} == true ]]
+}
+
+# @FUNCTION: tc-enables-ssp-all
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on maximal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+# -fstack-protector-all
+tc-enables-ssp-all() {
+ local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+ #if defined(__SSP_ALL__)
+ true
+ #endif
+ EOF
+ )"
+ [[ ${ret} == true ]]
+}
+
+
 
 # @FUNCTION: gen_usr_ldscript
 # @USAGE: [-a] <list of libs to create linker scripts for>
 # @DESCRIPTION:
diff --git a/eclass/toolchain-glibc.eclass b/eclass/toolchain-glibc.eclass
index ef9d91acaed4..1d6a54a37f14 100644
--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -254,7 +254,7 @@ setup_flags() {
 # this flag for us, so no need to do it manually.
 version_is_at_least 2.16 ${PV} || append-cppflags -U_FORTIFY_SOURCE
 
- # building glibc with SSP is fraught with difficulty, especially
+ # building glibc <2.25 with SSP is fraught with difficulty, especially
 # due to __stack_chk_fail_local which would mean significant changes
 # to the glibc build process. See bug #94325 #293721
 # Note we have to handle both user-given CFLAGS and gcc defaults via
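Review bot: The four new tc-enables-* functions in the toolchain-funcs.eclass hunk are the same compile-and-grep probe repeated with a different `#if` expression each time, so a fix to the probe (flags, stderr handling, heredoc quoting) would have to be applied four times. A private helper that takes the preprocessor condition as its argument keeps each public function to one line and leaves the eclassdoc comments untouched. It is also worth a comment that `2> /dev/null` makes a failing or missing `$(tc-getCC)` indistinguishable from "feature not enabled" — the probe fails closed, which is the safe direction for a hardening check, but callers such as setup_flags should know that a broken compiler silently reports "no SSP/PIE".
```bash
# Run the preprocessor under the current CPPFLAGS/CFLAGS and return truth
# if the condition given as $1 holds.  Compiler failure is swallowed
# (stderr discarded) and also yields false, i.e. "not enabled".
_tc-enables-macro() {
	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
	#if $1
	true
	#endif
	EOF
	)"
	[[ ${ret} == true ]]
}

tc-enables-pie() { _tc-enables-macro 'defined(__PIE__)'; }
# … unchanged: eclassdoc comments for the ssp variants …
tc-enables-ssp() { _tc-enables-macro 'defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)'; }
tc-enables-ssp-strong() { _tc-enables-macro 'defined(__SSP_STRONG__) || defined(__SSP_ALL__)'; }
tc-enables-ssp-all() { _tc-enables-macro 'defined(__SSP_ALL__)'; }
```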
@@ -262,16 +262,24 @@ setup_flags() {
 # added before user flags, and we can't just filter-flags because
 # _filter_hardened doesn't support globs.
 filter-flags -fstack-protector*
- gcc-specs-ssp && append-flags $(test-flags -fno-stack-protector)
+ if ! version_is_at_least 2.25 ; then
+ tc-enables-ssp && append-flags $(test-flags -fno-stack-protector)
+ fi
 
- if use hardened && gcc-specs-pie ; then
- # Force PIC macro definition for all compilations since they're all
- # either -fPIC or -fPIE with the default-PIE compiler.
- append-cppflags -DPIC
- else
- # Don't build -fPIE without the default-PIE compiler and the
- # hardened-pie patch
- filter-flags -fPIE
+ if [[ $(gcc-major-version) -lt 6 ]]; then
+ # Starting with gcc-6 (and fully upstreamed pie patches) we control
+ # default enabled/disabled pie via use flags. So nothing to do
+ # here. #618160
+
+ if use hardened && tc-enables-pie ; then
+ # Force PIC macro definition for all compilations since they're all
+ # either -fPIC or -fPIE with the default-PIE compiler.
+ append-cppflags -DPIC
+ else
+ # Don't build -fPIE without the default-PIE compiler and the
+ # hardened-pie patch
+ filter-flags -fPIE
+ fi
 fi
 }
@@ -533,7 +541,7 @@ toolchain-glibc_pkg_pretend() {
 ewarn "hypervisor, which is probably not what you want."
 fi
 
- use hardened && ! gcc-specs-pie && \
+ use hardened && ! tc-enables-pie && \
 ewarn "PIE hardening not applied, as your compiler doesn't default to PIE"
 
 # Make sure host system is up to date #394453
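Review bot: The three-line comment "Starting with gcc-6 ... So nothing to do here. #618160" is placed inside the `if [[ $(gcc-major-version) -lt 6 ]]` body, i.e. in the branch that runs only for gcc older than 6, so it describes exactly the case that branch excludes; moving those three lines above the `if` makes the intent read correctly. In the same hunk `if ! version_is_at_least 2.25 ; then` omits the version argument while the line `version_is_at_least 2.16 ${PV} || append-cppflags -U_FORTIFY_SOURCE` in the preceding hunk passes `${PV}` explicitly — presumably the default is the package version, but the two call styles should agree. setup_flags begins outside this hunk; its closing `}` is in it.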
@@ -778,11 +786,20 @@ glibc_do_configure() {
 [[ -d ports ]] && addons+=",ports"
 popd > /dev/null
 
- myconf+=( $(use_enable hardened stackguard-randomization) )
 if has_version '<sys-libs/glibc-2.13' ; then
 myconf+=( --enable-old-ssp-compat )
 fi
+ if version_is_at_least 2.25 ; then
+ myconf+=( --enable-stack-protector=all )
+ fi
+
+ if version_is_at_least 2.25 ; then
+ myconf+=( --enable-stackguard-randomization )
+ else
+ myconf+=( $(use_enable hardened stackguard-randomization) )
+ fi
+
 
 [[ $(tc-is-softfloat) == "yes" ]] && myconf+=( --without-fp )
 
 if [[ $1 == "linuxthreads" ]] ; then
@@ -941,7 +958,7 @@ toolchain-glibc_headers_configure() {
 libc_cv_mlong_double_128ibm=yes
 libc_cv_ppc_machine=yes
 libc_cv_ppc_rel16=yes
- libc_cv_predef_{fortify_source,stack_protector}=no
+ libc_cv_predef_fortify_source=no
 libc_cv_visibility_attribute=yes
 libc_cv_z_combreloc=yes
 libc_cv_z_execstack=yes
@@ -955,6 +972,11 @@ toolchain-glibc_headers_configure() {
 ac_cv_lib_audit_audit_log_user_avc_message=no
 ac_cv_lib_cap_cap_init=no
 )
+ if ! version_is_at_least 2.25 ; then
+ vars+=(
+ libc_cv_predef_stack_protector=no
+ )
+ fi
 einfo "Forcing cached settings:"
 for v in "${vars[@]}" ; do
 einfo " ${v}"
diff --git a/sys-libs/glibc/glibc-2.25-r1.ebuild b/sys-libs/glibc/glibc-2.25-r1.ebuild
index f8e505dcec98..5850d7d32c4e 100644
--- a/sys-libs/glibc/glibc-2.25-r1.ebuild
+++ b/sys-libs/glibc/glibc-2.25-r1.ebuild
@@ -137,11 +137,6 @@ src_prepare() {
 -e '/^CFLAGS-backtrace.c/ iCPPFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
 debug/Makefile || die
 fi
-
- # Build various bits with ssp-all
- sed -i \
- -e 's:-fstack-protector$:-fstack-protector-all:' \
- */Makefile || die
 fi
 
 case $(gcc-fullversion) in
diff --git a/sys-libs/glibc/glibc-9999.ebuild b/sys-libs/glibc/glibc-9999.ebuild
index 950b62b89acf..4b4945c04f7f 100644
--- a/sys-libs/glibc/glibc-9999.ebuild
+++ b/sys-libs/glibc/glibc-9999.ebuild
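Review bot: In the glibc_do_configure hunk the two back-to-back `if version_is_at_least 2.25 ; then` blocks test the same condition and can be one block, which also makes the two behaviour changes visible side by side: for glibc 2.25 and newer `--enable-stackguard-randomization` is now passed unconditionally rather than via `use_enable hardened`, and `--enable-stack-protector=all` is passed without consulting the new tc-enables-ssp probe. Both are sensible hardening defaults, but a one-line comment stating that this is intentional (and that glibc's own configure is trusted to handle a compiler without SSP support — not verifiable from this hunk) would save the next reader from re-deriving it. glibc_do_configure starts and ends outside the hunk.
```bash
	# glibc >=2.25 builds its own SSP support, so always request the strongest
	# level and canary randomization; older versions keep the hardened-gated flag.
	if version_is_at_least 2.25 ; then
		myconf+=( --enable-stack-protector=all --enable-stackguard-randomization )
	else
		myconf+=( $(use_enable hardened stackguard-randomization) )
	fi
```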
@@ -135,10 +135,5 @@ src_prepare() {
 -e '/^CFLAGS-backtrace.c/ iCPPFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
 debug/Makefile || die
 fi
-
- # Build various bits with ssp-all
- sed -i \
- -e 's:-fstack-protector$:-fstack-protector-all:' \
- */Makefile || die
 fi
 }
|