| 1 |
You made me curious, so I took a look at on this. |
| 2 |
|
| 3 |
The eclass has a single function stating: "Set up CFLAGS for a debug |
| 4 |
build" in its description. Although it is not conditional for debug |
| 5 |
builds, so gets applied all the time, being called from the eclass' |
| 6 |
src_configure function. The filter flags statements are conditional and |
| 7 |
applied only in case of a static-libs build. |
| 8 |
Appending lazy binding is also conditional for Xorg and drivers. |
| 9 |
|
| 10 |
According to the Hardened/Toolchains wiki, one can find this section: |
| 11 |
"The following packages have issues with BIND_NOW at the time of writing, |
| 12 |
and it has to be relaxed somewhat for them: |
| 13 |
X - some drivers consist of several libraries which are co-dependent, |
| 14 |
and the modules frequently have references to modules that they load. |
| 15 |
transcode - relies on lazy binding to be able to load its modules; the |
| 16 |
issues are similar to the X issues." |
| 17 |
|
| 18 |
The function does not check whether the build happens on a hardened system |
| 19 |
or not. |
| 20 |
|
| 21 |
If you are using a hardened toolchain, relro and now is specified by |
| 22 |
default. I guess lazy takes precedence if present. Unless it would have no |
| 23 |
effect. I'm not sure what you mean by adding relro and now to the filters. |
| 24 |
Since these would be applied anyways by gcc specs. I'm also not sure what |
| 25 |
happens if both lazy and relro+now are appended at the same time. |
| 26 |
|
| 27 |
If I would try to test Xorg and its drivers with relro+now, I would |
| 28 |
comment out the append lazy line. I can give that a try if it is |
| 29 |
reasonable, but the statement in the wiki seems pretty clear. I don't know |
| 30 |
when those experiences described came from. |
| 31 |
|
| 32 |
Regards: |
| 33 |
Dw. |
| 34 |
-- |
| 35 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 36 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 37 |
|
| 38 |
2013.Szeptember 30.(H) 14:41 időpontban Hinnerk van Bruinehsen ezt írta: |
| 39 |
> Hi, |
| 40 |
> |
| 41 |
> If one builds Xorg it's build with only partial RELRO enabled (test e.g. |
| 42 |
> with |
| 43 |
> checksec.sh). |
| 44 |
> This is caused by the xorg-2.eclass and affects seemingly all packages |
| 45 |
> that use |
| 46 |
> that eclass (It has a conditional that checks if hardened is used and |
| 47 |
> filters |
| 48 |
> some flags). |
| 49 |
> Does anyone know why this is the case? Is it a legacy issue or are there |
| 50 |
> valid |
| 51 |
> reasons why Xorg is build with only partial RELRO? |
| 52 |
> I've tried to build it on my systems with full RELRO (by adding |
| 53 |
> -z,relro,-z,now |
| 54 |
> to the filter inside the eclass) and it works without issues so far. |
| 55 |
> |
| 56 |
> WKR |
| 57 |
> Hinnerk |
| 58 |
> |
Archives