From 882f23cf980d2277594b5f5c036114c0c4d9228a Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Wed, 27 Apr 2016 15:01:40 +0200
Subject: [PATCH] env/hardening: fix hardening on MIPS.

Thanks to @chneukirchen for finding the correct solution: gcc sets -mno-shared by default when compiling non-PIC, and because we are overriding the builtin specs, this internal rule set for gnu/mips does not trigger:

gcc/config/mips/gnu-user.h:/* Default to -mno-shared for non-PIC. */
gcc/config/mips/gnu-user.h: " %{mshared|mno-shared|fpic|fPIC|fpie|fPIE:;:-mno-shared}"

So that we now use a specific specs file just for mips that sets -mshared for PIC. This fixes building packages with hardening enabled for MIPS.
---
 .../configure/gccspecs/hardened-mips-cc1 | 8 +++++
 common/environment/configure/hardening.sh | 29 +++++++++----------
 2 files changed, 22 insertions(+), 15 deletions(-)
 create mode 100644 common/environment/configure/gccspecs/hardened-mips-cc1

diff --git a/common/environment/configure/gccspecs/hardened-mips-cc1 b/common/environment/configure/gccspecs/hardened-mips-cc1
new file mode 100644
index 0000000000..41e40b9802
--- /dev/null
+++ b/common/environment/configure/gccspecs/hardened-mips-cc1
@@ -0,0 +1,8 @@
+*cpp_options:
++ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE -mshared}}}}}
+
+*cc1_options:
++ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE -mshared}}}}}
+
+*asm_options:
++ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-mshared}}}}}
diff --git a/common/environment/configure/hardening.sh b/common/environment/configure/hardening.sh
index a519efce58..890471de2b 100644
--- a/common/environment/configure/hardening.sh
+++ b/common/environment/configure/hardening.sh
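Review bot: The guard in all three sections only checks for -fno-pic, so a package that disables PIE/PIC with `-fno-pie`, `-fno-PIE` or `-fno-PIC` still gets `-fPIE -mshared` appended by the spec; since the appended spec text is evaluated after the user's own `%{f*}` options, the spec's `-fPIE` presumably wins, which would make such opt-outs silently ineffective (behaviour to confirm against gcc's spec expansion order). The guard should cover the negative spellings too, e.g. `+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:%{!fno-PIC:%{!fno-pie:%{!fno-PIE:-fPIE -mshared}}}}}}}}` for cpp_options and cc1_options, and the same guard with just `-mshared` for asm_options. If hardened-cc1 (not in this patch) uses the same five-flag guard, the gap is pre-existing there and should be fixed in both files together so the two specs stay in step.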
@@ -1,27 +1,26 @@
 # Enable SSP and FORITFY_SOURCE=2 by default.
-CFLAGS=" -fstack-protector-strong -D_FORTIFY_SOURCE=2 $CFLAGS"
-CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 $CXXFLAGS"
+_CFLAGS=" -fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CFLAGS}"
+_CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CXXFLAGS}"
 # Enable as-needed and relro by default.
-LDFLAGS="-Wl,--as-needed -Wl,-z,relro $LDFLAGS"
+_LDFLAGS="-Wl,--as-needed ${LDFLAGS}"
 case "$XBPS_TARGET_MACHINE" in
 i686-musl)
 # SSP currently broken (see https://github.com/voidlinux/void-packages/issues/2902)
- CFLAGS+=" -fno-stack-protector"
- CXXFLAGS+=" -fno-stack-protector"
+ _CFLAGS+=" -fno-stack-protector"
+ _CXXFLAGS+=" -fno-stack-protector"
 ;;
 esac
 if [ -z "$nopie" ]; then
- case "$XBPS_TARGET_MACHINE" in
- mips*)
- # XXX for some reason the gcc specs does not apply correctly
- CFLAGS+=" -fPIE"
- CXXFLAGS+=" -fPIE"
- ;;
- esac
 _GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs
- CFLAGS="-specs=${_GCCSPECSDIR}/hardened-cc1 $CFLAGS"
- CXXFLAGS="-specs=${_GCCSPECSDIR}/hardened-cc1 $CXXFLAGS"
+ case "$XBPS_TARGET_MACHINE" in
+ mips*) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-mips-cc1;;
+ *) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-cc1;;
+ esac
+ CFLAGS="-specs=${_GCCSPECSFILE} ${_CFLAGS}"
+ CXXFLAGS="-specs=${_GCCSPECSFILE} ${_CXXFLAGS}"
 # We pass -z relro -z now here too, because libtool drops -specs...
- LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now $LDFLAGS"
+ LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now ${_LDFLAGS}"
 fi
+
+unset _CFLAGS _CXXFLAGS _LDFLAGS
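Review bot: When a template sets `nopie`, the new code never assigns CFLAGS, CXXFLAGS or LDFLAGS from `_CFLAGS`/`_CXXFLAGS`/`_LDFLAGS` — those are only consumed inside `if [ -z "$nopie" ]` and then discarded by the trailing `unset` — so such packages silently lose -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,--as-needed and -Wl,-z,relro, all of which the removed lines applied unconditionally at the top of the file. Note also that `-Wl,-z,relro` was dropped from the new `_LDFLAGS` default and now lives only in the PIE branch, so it needs restoring in the non-PIE path as well. An `else` arm that copies the accumulated flags through (and adds relro) keeps the previous behaviour for `nopie` packages while leaving the PIE path as written.
```shell
if [ -z "$nopie" ]; then
	# … unchanged: specs file selection, CFLAGS/CXXFLAGS/LDFLAGS with -specs= …
else
	# No PIE for this package, but keep SSP/FORTIFY, as-needed and relro.
	CFLAGS="${_CFLAGS}"
	CXXFLAGS="${_CXXFLAGS}"
	LDFLAGS="-Wl,-z,relro ${_LDFLAGS}"
fi
```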