commit: 0b7eace724b0035856311008c95cc7fe18b8231b |
Author: Krzesimir Nowak <knowak <AT> microsoft <DOT> com> |
AuthorDate: Fri Mar 17 02:34:21 2023 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Fri Mar 17 02:35:53 2023 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b7eace7 |
|
sys-libs/glibc: disable CET explicitly if USE=-cet |
|
When bootstrapping, we may have a situation where CET-enabled gcc from seed is |
used to build CET-disabled glibc. As such, gcc implicitly enables CET if no |
-fcf-protection flag is passed. For a typical package it should not be a problem, |
but for glibc it matters as it is dealing with CET in ld.so. So if CET is supposed to be |
disabled for glibc, be explicit about it. |
|
[sam: cherry-picked from Flatcar at https://github.com/flatcar/coreos-overlay/commit/f4b92a6de9fcf506b30f1c6156b27c0e3d25438e] |
|
Bug: https://bugs.gentoo.org/830454 |
Closes: https://bugs.gentoo.org/901363 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
sys-libs/glibc/glibc-2.36-r7.ebuild | 13 ++++++++++++- |
sys-libs/glibc/glibc-2.37-r1.ebuild | 13 ++++++++++++- |
sys-libs/glibc/glibc-9999.ebuild | 13 ++++++++++++- |
3 files changed, 36 insertions(+), 3 deletions(-) |
|
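--- a/sys-libs/glibc/glibc-2.36-r7.ebuild
+++ b/sys-libs/glibc/glibc-2.36-r7.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'
 
 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }
 
 use_multiarch() {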
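Review bot: The widened glob on the `filter-flags '-fcf-protection=*'` line still lets the bare spelling `-fcf-protection` through, because the pattern requires an `=`. With USE=-cet on amd64/x86 the result then rests only on `-fcf-protection=none` being appended after the user's flag, and with USE=cet a user-supplied flag survives although the comment says USE=cet decides. Filtering both spellings, `filter-flags '-fcf-protection' '-fcf-protection=*'`, removes that dependence; the same line appears in the glibc-2.37-r1 and glibc-9999 hunks. It may also be worth one comment line noting that a glibc built with `-fcf-protection=none` carries no CET markers in ld.so and libc, so this hardening is presumably off for dynamically linked programs on that system. setup_flags() begins above the hunk, so any earlier flag handling is not visible here.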
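--- a/sys-libs/glibc/glibc-2.37-r1.ebuild
+++ b/sys-libs/glibc/glibc-2.37-r1.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'
 
 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }
 
 use_multiarch() {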
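--- a/sys-libs/glibc/glibc-9999.ebuild
+++ b/sys-libs/glibc/glibc-9999.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'
 
 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }
 
 use_multiarch() {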