Gentoo Archives: gentoo-hardened

From: Alexander Gabert <pappy@g.o>
To: gentoo-hardened@g.o
Subject: [gentoo-hardened] modification of packages according to two bugs for hardened-gcc
Date: Fri, 05 Sep 2003 17:37:40
Message-Id: 1062783457.9805.16.camel@mirage
Hi,

the following packages have been updated with changes for supporting
hgcc on my local copy and will be committed soon if nobody minds.
I also slept on replacing has_version with is_installed.

Here we go!

9 diff -u -r -N portage/sys-apps/devfsd/devfsd-1.3.25-r4.ebuild
10 portage.PAPPY/sys-apps/devfsd/devfsd-1.3.25-r4.ebuild
11 --- portage/sys-apps/devfsd/devfsd-1.3.25-r4.ebuild 2003-08-03
12 21:34:53.000000000 +0000
13 +++ portage.PAPPY/sys-apps/devfsd/devfsd-1.3.25-r4.ebuild 2003-09-04
14 16:20:07.000000000 +0000
15 @@ -23,6 +23,11 @@
16 cd ${S}
17 epatch ${FILESDIR}/${P}-kernel-2.5.patch.bz2
18
19 + if has_version 'sys-devel/hardened-gcc' && [ ${CC} = "gcc" ]; then
20 + einfo "hardened-gcc: adding ${CC} -yet_exec ${CFLAGS}"
21 + CFLAGS="-yet_exec ${CFLAGS}"
22 + fi
23 +
24 sed -e "s:-O2:${CFLAGS}:g" \
25 -e 's:/usr/man:/usr/share/man:' \
26 -e '32,34d;11,16d' -e '6c\' \
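Review bot: the guard `[ ${CC} = "gcc" ]` on the added `if` line leaves `${CC}` unquoted, so on a box where CC is not set in the environment the test expands to `[ = "gcc" ]`, fails with "unary operator expected" and the whole block is silently skipped, which is exactly the default case the change is meant to cover; a CC such as `i686-pc-linux-gnu-gcc` never matches either. Quote it and supply the default, e.g. `[ "${CC:-gcc}" = "gcc" ]`, or match with `case "${CC##*/}" in gcc|*-gcc)`. Note also that the flag is prepended here (`CFLAGS="-yet_exec ${CFLAGS}"`) while the modutils hunk appends it; one order across packages keeps the einfo output comparable.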
27 diff -u -r -N portage/sys-apps/grub/grub-0.93.20030118.ebuild
28 portage.PAPPY/sys-apps/grub/grub-0.93.20030118.ebuild
29 --- portage/sys-apps/grub/grub-0.93.20030118.ebuild 2003-07-27
30 19:12:44.000000000 +0000
31 +++ portage.PAPPY/sys-apps/grub/grub-0.93.20030118.ebuild 2003-09-04
32 16:54:33.000000000 +0000
33 @@ -42,6 +42,11 @@
34
35 use static && export LDFLAGS="${LDFLAGS} -static"
36
37 + if has_version 'sys-devel/hardened-gcc' && [ ${CC} = "gcc" ]; then
38 + einfo "hardened-gcc: adding ${CC} -yet_exec"
39 + CC="${CC} -yet_exec"
40 + fi
41 +
42 econf --exec-prefix=/ \
43 --disable-auto-linux-mem-opt || die
44 emake || die
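Review bot: `CC="${CC} -yet_exec"` only rewrites the shell variable; unless CC was already exported into the ebuild environment, the `econf` and `emake` that follow will not see the new value and the flag is lost. Either `export CC` after the assignment or pass it explicitly the way the lilo hunk does (`emake CC="${CC}" || die`). The unquoted `[ ${CC} = "gcc" ]` has the same unset-CC problem as in the devfsd hunk: with CC empty the test errors out and the block never runs.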
45 diff -u -r -N portage/sys-apps/lilo/lilo-22.5.7.2.ebuild
46 portage.PAPPY/sys-apps/lilo/lilo-22.5.7.2.ebuild
47 --- portage/sys-apps/lilo/lilo-22.5.7.2.ebuild 2003-09-01
48 19:24:55.000000000 +0000
49 +++ portage.PAPPY/sys-apps/lilo/lilo-22.5.7.2.ebuild 2003-09-04
50 16:36:47.000000000 +0000
51 @@ -41,7 +41,16 @@
52 }
53
54 src_compile() {
55 - emake CC="${CC:=gcc}" lilo || die
56 +
57 + # http://www.gentoo.org/proj/en/hardened/etdyn-ssp.xml
58 + # sys-apps/lilo is using inline assembler, hardened-gcc does not
59 like this
60 + # when autocompiling for etdyn and position independent executables
61 + if has_version 'sys-devel/hardened-gcc'; then
62 + einfo "hardened-gcc: adding ${CC} -yet_exec"
63 + emake CC="${CC:=gcc} -yet_exec" lilo || die
64 + else
65 + emake CC="${CC:=gcc}" lilo || die
66 + fi
67 }
68
69 src_install() {
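Review bot: this is the only hunk without the `[ ${CC} = "gcc" ]` guard, so a user whose CC is not gcc still gets `-yet_exec` appended to it; either add the guard used in the other four ebuilds or, better, make this form the model for them, since `${CC:=gcc}` already supplies a default and is the one variant that also works when CC is unset. The `#` comment above the `if` arrives wrapped mid-sentence ("hardened-gcc does not / like this"); if that is not just mail wrapping, the bare `like this` line inside src_compile will not parse, so keep the comment on one `#` line in the committed ebuild.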
70 diff -u -r -N
71 portage/sys-apps/module-init-tools/module-init-tools-0.9.13_pre2.ebuild
72 portage.PAPPY/sys-apps/module-init-tools/module-init-tools-0.9.13_pre2.ebuild
73 ---
74 portage/sys-apps/module-init-tools/module-init-tools-0.9.13_pre2.ebuild
75 2003-08-10 20:45:13.000000000 +0000
76 +++
77 portage.PAPPY/sys-apps/module-init-tools/module-init-tools-0.9.13_pre2.ebuild 2003-09-04 18:18:05.000000000 +0000
78 @@ -66,6 +66,11 @@
79 einfo "Building modutils..."
80 cd ${WORKDIR}/modutils-${MODUTILS_PV}
81
82 + if has_version 'sys-devel/hardened-gcc' && [ ${CC} = "gcc" ]; then
83 + einfo "hardened-gcc: adding ${CC} -yet_exec ${CFLAGS}"
84 + CFLAGS="${CFLAGS}
85 -yet_exec"
86 + fi
87 +
88 econf \
89 --disable-strip \
90 --prefix=/ \
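Review bot: the assignment `CFLAGS="${CFLAGS}` / `-yet_exec"` is split across two lines as shown; if that is how it reads in the ebuild rather than mail wrapping, a literal newline ends up inside CFLAGS. Write it on one line as the modutils hunk does, `CFLAGS="${CFLAGS} -yet_exec"`. The `einfo` also prints `${CFLAGS}` before the assignment, so the build log shows the old flags rather than what is actually used; move the message after the assignment. Same unquoted `[ ${CC} = "gcc" ]` as in the other hunks.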
91 diff -u -r -N portage/sys-apps/modutils/modutils-2.4.25.ebuild
92 portage.PAPPY/sys-apps/modutils/modutils-2.4.25.ebuild
93 --- portage/sys-apps/modutils/modutils-2.4.25.ebuild 2003-07-06
94 09:17:58.000000000 +0000
95 +++ portage.PAPPY/sys-apps/modutils/modutils-2.4.25.ebuild 2003-09-04
96 18:11:20.000000000 +0000
97 @@ -28,6 +28,11 @@
98 # version do not want to autoload modules :(
99 myconf="${myconf} --disable-zlib"
100
101 + if has_version 'sys-devel/hardened-gcc' && [ ${CC} = "gcc" ]; then
102 + einfo "hardened-gcc: adding ${CC} -yet_exec ${CFLAGS}"
103 + CFLAGS="${CFLAGS} -yet_exec"
104 + fi
105 +
106 econf \
107 --prefix=/ \
108 --disable-strip \
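Review bot: the same guard, message and assignment are now copied into five ebuilds, so the unquoted `[ ${CC} = "gcc" ]` test (a syntax error that skips the block whenever CC is unset) would have to be fixed in each one; a small helper, for instance in an eclass, that sets CC or CFLAGS once would let the per-package hunk shrink to a single call. As in the module-init-tools hunk, the `einfo` here prints `${CFLAGS}` before `-yet_exec` is added to it.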
109
From the simple nature of these changes, we can see that most of the
time, CFLAGS is used for adding the compatibility flags for
hardened-gcc.

If you find packages with broken inline ASM or a malfunctioning
./configure or make, feel free to open bugs with pappy@g.o listing the
corresponding bugfix: you can always add -yet_exec for proper
operation when hardened-gcc is found on the machine.

Just take care that sometimes CC is better than CFLAGS, because the
latter may get stuck and dismissed by broken Makefiles and build
processes ;-)

mplayer and libmpeg3 still need appropriate treatment in this direction.

Most of the packages we have compiled so far in system and world are
immune to such errors, or, like util-linux, have been made compatible by
solar and/or me because of the importance of the package.

Nevertheless there will be special cases where people decide to use
hardened-gcc to compile software that relies on inline assembler
constructs and/or uses broken, misleading configure magic.

For these packages we have decided to introduce this "ignore" logic that
will compile the package as yet_exec as long as it cannot be made
totally PIC-compilable.

But it has always been the high goal of hardened-gcc to protect server
based environments with a strong subset of given applications like smtp,
dns and http.

If such an "exposed" problematic package is found that should not be
made "ignorant" of hardened-gcc but should be made compatible and et-dyn
for proper protection by PaX in the kernel, please feel free to contact
me directly to ask for further help in processing it.

Have fun and enjoy the weekend!

Sincerely,

Alex


152 --
153 gentoo-hardened@g.o mailing list
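The rule the mail spells out for every package (add -yet_exec to CC or CFLAGS when hardened-gcc is installed and the compiler is gcc) in one helper, as an added example that is not part of the original message or of any Gentoo ebuild. It covers the cases the inline copies above stumble on: an unset CC, a CC given as a path or with extra words, a target-prefixed gcc, and -yet_exec already present. The `HGCC_INSTALLED` variable is a hypothetical stand-in for `has_version 'sys-devel/hardened-gcc'` so the script runs outside portage; the flag name and the CC/CFLAGS handling are taken from the mail.

```shell
#!/bin/sh
# Added example: one helper for the "-yet_exec when hardened-gcc is
# installed and CC is gcc" rule from the mail. Not from the Gentoo tree.
#
# Assumption (hypothetical): HGCC_INSTALLED=1 simulates a box where
# `has_version 'sys-devel/hardened-gcc'` would succeed.

hardened_gcc_installed() {
    # In a real ebuild this would be: has_version 'sys-devel/hardened-gcc'
    [ "${HGCC_INSTALLED:-0}" = "1" ]
}

# Return 0 when -yet_exec should be added for the compiler command $1.
# Unlike `[ ${CC} = "gcc" ]` this survives an empty CC (no syntax error),
# a path or extra words ("/usr/bin/gcc -pipe"), and a target-prefixed gcc
# ("i686-pc-linux-gnu-gcc"); any other compiler is left alone.
hgcc_wants_yet_exec() {
    hardened_gcc_installed || return 1
    set -- ${1:-gcc}          # split CC into words; $1 is now the program
    case "${1##*/}" in
        gcc|*-gcc) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print CC with -yet_exec appended when wanted, never duplicating it.
# $1: CC as the ebuild sees it (may be empty; defaults to gcc like ${CC:=gcc}).
hgcc_cc() {
    cc="${1:-gcc}"
    if hgcc_wants_yet_exec "$cc"; then
        case " $cc " in
            *" -yet_exec "*) ;;                  # already present
            *) cc="$cc -yet_exec" ;;
        esac
    fi
    printf '%s\n' "$cc"
}

# Same rule applied to CFLAGS, for packages whose Makefile only honours
# CFLAGS and ignores CC (the devfsd/modutils style in the mail).
# $1: CC, $2: CFLAGS
hgcc_cflags() {
    cflags="$2"
    if hgcc_wants_yet_exec "${1:-gcc}"; then
        case " $cflags " in
            *" -yet_exec "*) ;;
            *) cflags="${cflags:+$cflags }-yet_exec" ;;
        esac
    fi
    printf '%s\n' "$cflags"
}

# Stand-alone demonstration on a simulated hardened-gcc box.
HGCC_INSTALLED=1
hgcc_cc "gcc"                              # gcc -yet_exec
hgcc_cc ""                                 # gcc -yet_exec
hgcc_cc "i686-pc-linux-gnu-gcc -pipe"      # i686-pc-linux-gnu-gcc -pipe -yet_exec
hgcc_cc "icc"                              # icc
hgcc_cflags "gcc" "-O2 -march=i686"        # -O2 -march=i686 -yet_exec
```

Inside an ebuild the two functions would be used as `export CC="$(hgcc_cc "$CC")"` before `econf`, or `CFLAGS="$(hgcc_cflags "$CC" "$CFLAGS")"` for a package that only reads CFLAGS, with `hardened_gcc_installed` replaced by the real `has_version` call.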