| 1 |
I'd like to know if all the excessive flags that are checked for now |
| 2 |
(with the various capitalizations and such) are still really in use, or |
| 3 |
were ever in use, or will in the future be used. If not, then maybe some |
| 4 |
of this is redundant and we could trim it back to mor like what we'd |
| 5 |
come up with earlier in the night. |
| 6 |
|
| 7 |
Goals for this patch were something that (1) worked with currently known |
| 8 |
versions of gcc/hgcc/pappy-gcc (2) readable, and making these tests |
| 9 |
available to ebuilds in a nice clean *consistent* way, that is easily |
| 10 |
extensible to handle whichever way such pic/ssp features are triggered |
| 11 |
in the future, or set environment variables or any other appropriate |
| 12 |
method (3) test validity of the -yet_exec and such calls before adding |
| 13 |
them, otherwise filter-flags -fPIC will at least print error messages if |
| 14 |
a stock gcc user adding CFLAGS="-fPIC" (4) strip the -fPIC, etc. flags |
| 15 |
whenever the matching filter-flags call is made. Sure, -yet_exec |
| 16 |
overrides this, and it still gets added when gcc knows what it is, but |
| 17 |
as these things are more likely now to show up in CFLAGS with or without |
| 18 |
hardened-gcc being there, we thought this was an appropriate thing to |
| 19 |
strip. |
| 20 |
|
| 21 |
|
| 22 |
--- /opt/gentoo-rsync/untouched/eclass/flag-o-matic.eclass 2004-03-16 14:41:32.000000000 -0700 |
| 23 |
+++ flag-o-matic.eclass 2004-04-02 22:58:56.374385350 -0700 |
| 24 |
@@ -265,6 +265,30 @@ |
| 25 |
return 1 |
| 26 |
} |
| 27 |
|
| 28 |
+has_pic() { |
| 29 |
+ [ "${CFLAGS/-fPIC}" != "${CFLAGS}" ] && return 0 |
| 30 |
+ [ "${CFLAGS/-fpic}" != "${CFLAGS}" ] && return 0 |
| 31 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
| 32 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
| 33 |
+ return 1 |
| 34 |
+} |
| 35 |
+ |
| 36 |
+has_pie() { |
| 37 |
+ [ "${CFLAGS/-fPIE}" != "${CFLAGS}" ] && return 0 |
| 38 |
+ [ "${CFLAGS/-fpie}" != "${CFLAGS}" ] && return 0 |
| 39 |
+ [ "${CFLAGS/-pie}" != "${CFLAGS}" ] && return 0 |
| 40 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
| 41 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
| 42 |
+ return 1 |
| 43 |
+} |
| 44 |
+ |
| 45 |
+has_ssp() { |
| 46 |
+ [ "${CFLAGS/-fstack-protector}" != "${CFLAGS}" ] && return 0 |
| 47 |
+ [ has_version sys-devel/hardened-gcc ] && return 0 |
| 48 |
+ [ ! -z "`${CC/ .*/} --version| grep pie`" ] && return 0 |
| 49 |
+ return 1 |
| 50 |
+} |
| 51 |
+ |
| 52 |
replace-sparc64-flags() { |
| 53 |
local SPARC64_CPUS="ultrasparc v9" |
| 54 |
|
| 55 |
@@ -312,23 +336,29 @@ |
| 56 |
} |
| 57 |
|
| 58 |
etexec-flags() { |
| 59 |
- has_version sys-devel/hardened-gcc |
| 60 |
+ has_pie || has_pic |
| 61 |
if [ $? == 0 ] ; then |
| 62 |
+ # strip -fPIC/fPIE flags regardless if you've gotten this far |
| 63 |
+ strip-flags -fPIC -fpic -fPIE -fpie -pie |
| 64 |
if [ "`is-flag -yet_exec`" != "true" ]; then |
| 65 |
- debug-print ">>> appending flags -yet_exec" |
| 66 |
- append-flags -yet_exec |
| 67 |
- append-ldflags -yet_exec |
| 68 |
+ # If our compiler supports -yet_exec, append it now |
| 69 |
+ [ -z "`gcc -yet_exec -S -o /dev/null -xc /dev/null 2>&1`" ] \ |
| 70 |
+ && ( debug-print ">>> appending flags -yet_exec" ; \ |
| 71 |
+ append-flags -yet_exec ; append-ldflags -yet_exec ) |
| 72 |
fi |
| 73 |
fi |
| 74 |
} |
| 75 |
|
| 76 |
fstack-flags() { |
| 77 |
- has_version sys-devel/hardened-gcc |
| 78 |
+ has_ssp |
| 79 |
if [ $? == 0 ] ; then |
| 80 |
+ # strip -fstack-protector regardless if you've gotten this far |
| 81 |
+ strip-flags -fstack-protector -fstack-protector-all |
| 82 |
if [ "`is-flag -yno_propolice`" != "true" ]; then |
| 83 |
- debug-print ">>> appending flags -yno_propolice" |
| 84 |
- append-flags -yno_propolice |
| 85 |
- append-ldflags -yno_propolice |
| 86 |
+ # If our compiler supports -yno_propolice, append it now |
| 87 |
+ [ -z "`gcc -yno_propolice -S -o /dev/null -xc /dev/null 2>&1`" ] \ |
| 88 |
+ && ( debug-print ">>> appending flags -yno_propolice" ; \ |
| 89 |
+ append-flags -yno_propolice ; append-ldflags -yno_propolice ) |
| 90 |
fi |
| 91 |
fi |
| 92 |
} |
| 93 |
|
| 94 |
On Fri, 2004-04-02 at 22:52, Brandon Hale wrote: |
| 95 |
> After I posted this we continued to do heavy development, there are more |
| 96 |
> cases to work out (-yet_exec -yno_propolice are not supported by a stock |
| 97 |
> Gentoo GCC using ssp/pie in CFLAGS). Feel free to join in our discussion |
| 98 |
> or pitch in, otherwise we'll keep hacking on this.. |
| 99 |
|
| 100 |
|
| 101 |
-- |
| 102 |
Scott W Taylor <swtaylor@g.o> |
| 103 |
|
| 104 |
|
| 105 |
-- |
| 106 |
gentoo-hardened@g.o mailing list |
Archives