I'd like to know if all the excessive flags that are checked for now |
(with the various capitalizations and such) are still really in use, or |
were ever in use, or will in the future be used. If not, then maybe some |
of this is redundant and we could trim it back to more like what we'd |
come up with earlier in the night. |
|
Goals for this patch were something that (1) worked with currently known |
versions of gcc/hgcc/pappy-gcc (2) readable, and making these tests |
available to ebuilds in a nice clean *consistent* way, that is easily |
extensible to handle whichever way such pic/ssp features are triggered |
in the future, or set environment variables or any other appropriate |
method (3) test validity of the -yet_exec and such calls before adding |
them, otherwise filter-flags -fPIC will at least print error messages if |
a stock gcc user adds CFLAGS="-fPIC" (4) strip the -fPIC, etc. flags |
whenever the matching filter-flags call is made. Sure, -yet_exec |
overrides this, and it still gets added when gcc knows what it is, but |
as these things are more likely now to show up in CFLAGS with or without |
hardened-gcc being there, we thought this was an appropriate thing to |
strip. |
|
|
--- /opt/gentoo-rsync/untouched/eclass/flag-o-matic.eclass 2004-03-16 14:41:32.000000000 -0700 |
23 |
+++ flag-o-matic.eclass 2004-04-02 22:58:56.374385350 -0700 |
24 |
@@ -265,6 +265,30 @@ |
25 |
return 1 |
26 |
} |
27 |
|
28 |
+has_pic() { |
29 |
+ [ "${CFLAGS/-fPIC}" != "${CFLAGS}" ] && return 0 |
30 |
+ [ "${CFLAGS/-fpic}" != "${CFLAGS}" ] && return 0 |
31 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
32 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
33 |
+ return 1 |
34 |
+} |
35 |
+ |
36 |
+has_pie() { |
37 |
+ [ "${CFLAGS/-fPIE}" != "${CFLAGS}" ] && return 0 |
38 |
+ [ "${CFLAGS/-fpie}" != "${CFLAGS}" ] && return 0 |
39 |
+ [ "${CFLAGS/-pie}" != "${CFLAGS}" ] && return 0 |
40 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
41 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
42 |
+ return 1 |
43 |
+} |
44 |
+ |
45 |
+has_ssp() { |
46 |
+ [ "${CFLAGS/-fstack-protector}" != "${CFLAGS}" ] && return 0 |
47 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
48 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
49 |
+ return 1 |
50 |
+} |
51 |
+ |
52 |
replace-sparc64-flags() { |
53 |
local SPARC64_CPUS="ultrasparc v9" |
54 |
|
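Review bot: The line `[ has_version sys-devel/hardened-gcc ] && return 0` never runs has_version: inside `[ ]` the two words are plain string operands, so test complains about the arguments and returns false, and the hardened-gcc detection in has_pic, has_pie and has_ssp is silently dead. Drop the brackets so the helper is actually executed: `has_version sys-devel/hardened-gcc && return 0`. The compiler probe on the next line uses `${CC/ .*/}`, which is a glob substitution (a space followed by a literal dot, then anything), not a regex, so a CC such as `gcc -m32` reaches `--version` unchanged; `${CC%% *}` strips everything after the first word, and `grep -q` would make the `[ ! -z "..." ]` wrapper unnecessary. has_ssp greps the version output for `pie`, which looks copied from has_pie; if the hardened toolchain advertises stack-protector support under a different word, that check only reports PIE capability, so it is worth confirming what the --version banner actually says.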
55 |
@@ -312,23 +336,29 @@ |
56 |
} |
57 |
|
58 |
etexec-flags() { |
59 |
- has_version sys-devel/hardened-gcc |
60 |
+ has_pie || has_pic |
61 |
if [ $? == 0 ] ; then |
62 |
+ # strip -fPIC/fPIE flags regardless if you've gotten this far |
63 |
+ strip-flags -fPIC -fpic -fPIE -fpie -pie |
64 |
if [ "`is-flag -yet_exec`" != "true" ]; then |
65 |
- debug-print ">>> appending flags -yet_exec" |
66 |
- append-flags -yet_exec |
67 |
- append-ldflags -yet_exec |
68 |
+ # If our compiler supports -yet_exec, append it now |
69 |
+ [ -z "`gcc -yet_exec -S -o /dev/null -xc /dev/null 2>&1`" ] \ |
70 |
+ && ( debug-print ">>> appending flags -yet_exec" ; \ |
71 |
+ append-flags -yet_exec ; append-ldflags -yet_exec ) |
72 |
fi |
73 |
fi |
74 |
} |
75 |
|
76 |
fstack-flags() { |
77 |
- has_version sys-devel/hardened-gcc |
78 |
+ has_ssp |
79 |
if [ $? == 0 ] ; then |
80 |
+ # strip -fstack-protector regardless if you've gotten this far |
81 |
+ strip-flags -fstack-protector -fstack-protector-all |
82 |
if [ "`is-flag -yno_propolice`" != "true" ]; then |
83 |
- debug-print ">>> appending flags -yno_propolice" |
84 |
- append-flags -yno_propolice |
85 |
- append-ldflags -yno_propolice |
86 |
+ # If our compiler supports -yno_propolice, append it now |
87 |
+ [ -z "`gcc -yno_propolice -S -o /dev/null -xc /dev/null 2>&1`" ] \ |
88 |
+ && ( debug-print ">>> appending flags -yno_propolice" ; \ |
89 |
+ append-flags -yno_propolice ; append-ldflags -yno_propolice ) |
90 |
fi |
91 |
fi |
92 |
} |
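Review bot: The group `( debug-print ">>> appending flags -yet_exec" ; append-flags -yet_exec ; append-ldflags -yet_exec )` in etexec-flags runs in a subshell, so whatever append-flags and append-ldflags do to CFLAGS and LDFLAGS is discarded when the subshell exits and the flag is never actually added; the -yno_propolice group in fstack-flags has the same problem. Use a brace group so the calls run in the current shell: `&& { debug-print ">>> appending flags -yet_exec" ; append-flags -yet_exec ; append-ldflags -yet_exec ; }`. The support probe also hard-codes `gcc` while the new has_* helpers consult `${CC}`, so with a non-default CC the detection and the support test can disagree; and because support is inferred from empty stderr, any unrelated diagnostic (a wrapper banner, a warning) silently disables the flag, so checking the exit status or matching the specific unrecognized-option text would be more robust.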
93 |
|
On Fri, 2004-04-02 at 22:52, Brandon Hale wrote: |
> After I posted this we continued to do heavy development, there are more |
> cases to work out (-yet_exec -yno_propolice are not supported by a stock |
> Gentoo GCC using ssp/pie in CFLAGS). Feel free to join in our discussion |
> or pitch in, otherwise we'll keep hacking on this.. |
|
|
-- |
Scott W Taylor <swtaylor@g.o> |
|
|
-- |
gentoo-hardened@g.o mailing list |