diff options
author | Magnus Granberg <zorry@gentoo.org> | 2010-06-18 01:03:12 +0000 |
---|---|---|
committer | Magnus Granberg <zorry@gentoo.org> | 2010-06-18 01:03:12 +0000 |
commit | 1a55bc0b143baa9b45a51480e81ac2839ce28b83 (patch) | |
tree | 591a44c22eb41c80ebc9e0187cf86e0a2e2547a9 | |
parent | Version bump, removed old (diff) | |
download | gentoo-2-1a55bc0b143baa9b45a51480e81ac2839ce28b83.tar.gz gentoo-2-1a55bc0b143baa9b45a51480e81ac2839ce28b83.tar.bz2 gentoo-2-1a55bc0b143baa9b45a51480e81ac2839ce28b83.zip |
Add support for full hardened on >=gcc 4.4 bug #318171
-rw-r--r-- | eclass/toolchain.eclass | 114 |
1 files changed, 76 insertions, 38 deletions
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass index a963efdbfdee..2db2045c4e2b 100644 --- a/eclass/toolchain.eclass +++ b/eclass/toolchain.eclass @@ -1,6 +1,6 @@ # Copyright 1999-2008 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.427 2010/06/02 21:31:12 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.428 2010/06/18 01:03:12 zorry Exp $ # # Maintainer: Toolchain Ninjas <toolchain@gentoo.org> @@ -143,6 +143,7 @@ else IUSE="${IUSE} altivec build fortran nls nocxx" [[ -n ${PIE_VER} ]] && IUSE="${IUSE} nopie" [[ -n ${PP_VER} ]] && IUSE="${IUSE} nossp" + [[ -n ${SPECS_VER} ]] && IUSE="${IUSE} nossp" [[ -n ${HTB_VER} ]] && IUSE="${IUSE} boundschecking" [[ -n ${D_VER} ]] && IUSE="${IUSE} d" @@ -243,6 +244,14 @@ gcc_get_s_dir() { # SPECS_VER # SPECS_GCC_VER # This is for the minispecs files included in the hardened gcc-4.x +# The specs files for hardenedno*, vanilla and for building the "specs" file. +# SPECS_VER is expected to be the version of this patch, SPECS_GCC_VER +# the gcc version of the patch. +# An example: +# SPECS_VER="8.7.6.5" +# SPECS_GCC_VER="3.4.0" +# The resulting filename of this tarball will be: +# gcc-${SPECS_GCC_VER:-${GCC_RELEASE_VER}}-specs-${SPECS_VER}.tar.bz2 # # PP_VER # PP_GCC_VER @@ -278,7 +287,7 @@ gcc_get_s_dir() { # gentoo_urls() { local devspace="HTTP~lv/GCC/URI HTTP~eradicator/gcc/URI HTTP~vapier/dist/URI - HTTP~halcy0n/patches/URI" + HTTP~halcy0n/patches/URI HTTP~zorry/patches/gcc/URI" devspace=${devspace//HTTP/http:\/\/dev.gentoo.org\/} echo mirror://gentoo/$1 ${devspace//URI/$1} } @@ -290,9 +299,6 @@ get_gcc_src_uri() { export HTB_GCC_VER=${HTB_GCC_VER:-${GCC_RELEASE_VER}} export SPECS_GCC_VER=${SPECS_GCC_VER:-${GCC_RELEASE_VER}} - [[ -n ${PIE_VER} ]] && \ - PIE_CORE=${PIE_CORE:-gcc-${PIE_GCC_VER}-piepatches-v${PIE_VER}.tar.bz2} - # Set where to download gcc itself depending on whether we're using a # prerelease, snapshot, or release tarball. if [[ -n ${PRERELEASE} ]] ; then @@ -334,11 +340,12 @@ get_gcc_src_uri() { # strawberry pie, Cappuccino and a Gauloises (it's a good thing) [[ -n ${PIE_VER} ]] && \ - GCC_SRC_URI="${GCC_SRC_URI} !nopie? ( $(gentoo_urls ${PIE_CORE}) )" - + PIE_CORE=${PIE_CORE:-gcc-${PIE_GCC_VER}-piepatches-v${PIE_VER}.tar.bz2} && \ + GCC_SRC_URI="${GCC_SRC_URI} $(gentoo_urls ${PIE_CORE})" + # gcc minispec for the hardened gcc 4 compiler [[ -n ${SPECS_VER} ]] && \ - GCC_SRC_URI="${GCC_SRC_URI} !nopie? ( $(gentoo_urls gcc-${SPECS_GCC_VER}-specs-${SPECS_VER}.tar.bz2) )" + GCC_SRC_URI="${GCC_SRC_URI} $(gentoo_urls gcc-${SPECS_GCC_VER}-specs-${SPECS_VER}.tar.bz2)" # gcc bounds checking patch if [[ -n ${HTB_VER} ]] ; then @@ -392,6 +399,7 @@ hardened_gcc_works() { [[ ${CTARGET} == *-freebsd* ]] && return 1 want_pie || return 1 + tc_version_is_at_least 4.3.2 && use nopie && return 1 hardened_gcc_is_stable pie && return 0 if has "~$(tc-arch)" ${ACCEPT_KEYWORDS} ; then hardened_gcc_check_unsupported pie && return 1 @@ -400,7 +408,8 @@ hardened_gcc_works() { fi return 1 elif [[ $1 == "ssp" ]] ; then - [[ -z ${PP_VER} ]] && return 1 + [[ -n ${PP_VER} ]] || [[ -n ${SPECS_VER} ]] || return 1 + tc_version_is_at_least 4.3.2 && use nossp && return 1 hardened_gcc_is_stable ssp && return 0 if has "~$(tc-arch)" ${ACCEPT_KEYWORDS} ; then hardened_gcc_check_unsupported ssp && return 1 @@ -490,7 +499,12 @@ _want_stuff() { return 1 } want_boundschecking() { _want_stuff HTB_VER boundschecking ; } -want_pie() { _want_stuff PIE_VER !nopie ; } +want_pie() { + ! use hardened && [[ -n ${PIE_VER} ]] && use nopie && return 1 + [[ -n ${PIE_VER} ]] && [[ -n ${SPECS_VER} ]] && return 0 + tc_version_is_at_least 4.3.2 && return 1 + _want_stuff PIE_VER !nopie +} want_ssp() { _want_stuff PP_VER !nossp ; } want_split_specs() { @@ -498,11 +512,19 @@ want_split_specs() { } want_minispecs() { if tc_version_is_at_least 4.3.2 && use hardened ; then - if [[ -n ${SPECS_VER} ]] ; then - return 0 + if ! want_pie ; then + ewarn "PIE_VER or SPECS_VER is not defiend in the GCC ebuild." + elif use vanilla ; then + ewarn "You will not get hardened features if you have the vanilla USE-flag." + elif use nopie && use nossp ; then + ewarn "You will not get hardened features if you have the nopie and nossp USE-flag." + elif ! hardened_gcc_works pie && ! hardened_gcc_works ssp && ! use nopie ; then + ewarn "Your $(tc-arch) arch is not supported." else - die "For Hardened to work you need the minispecs files" + return 0 fi + ewarn "Hope you know what you are doing. Hardened will not work." + return 0 fi return 1 } @@ -708,27 +730,42 @@ create_gcc_env_entry() { [[ -n ${gcc_specs_file} ]] && echo "GCC_SPECS=\"${gcc_specs_file}\"" >> ${gcc_envd_file} } setup_minispecs_gcc_build_specs() { - # Setup the "build.specs" file for gcc to use when building. - if want_minispecs ; then - if hardened_gcc_works pie ; then - cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs - fi - for s in nostrict znow; do + # Setup the "build.specs" file for gcc 4.3 to use when building. + if hardened_gcc_works pie ; then + cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs + fi + if hardened_gcc_works ssp ; then + for s in ssp sspall ; do cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs done - export GCC_SPECS="${WORKDIR}"/build.specs fi + for s in nostrict znow ; do + cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs + done + export GCC_SPECS="${WORKDIR}"/build.specs } copy_minispecs_gcc_specs() { + # setup the hardenedno* specs files and the vanilla specs file. + if hardened_gcc_works ; then + create_gcc_env_entry hardenednopiessp + fi + if hardened_gcc_works pie ; then + create_gcc_env_entry hardenednopie + fi + if hardened_gcc_works ssp ; then + create_gcc_env_entry hardenednossp + fi + create_gcc_env_entry vanilla + insinto ${LIBPATH} + doins "${WORKDIR}"/specs/*.specs || die "failed to install specs" # Build system specs file which, if it exists, must be a complete set of # specs as it completely and unconditionally overrides the builtin specs. - # For gcc 4 - if use hardened && want_minispecs ; then + # For gcc 4.3 + if ! tc_version_is_at_least 4.4 ; then $(XGCC) -dumpspecs > "${WORKDIR}"/specs/specs cat "${WORKDIR}"/build.specs >> "${WORKDIR}"/specs/specs - insinto ${LIBPATH} - doins "${WORKDIR}"/specs/* || die "failed to install specs" - fi + doins "${WORKDIR}"/specs/specs || die "failed to install the specs file" + fi } add_profile_eselect_conf() { local compiler_config_file=$1 @@ -885,6 +922,7 @@ gcc_pkg_setup() { want_libssp && libc_has_ssp && \ die "libssp cannot be used with a glibc that has been patched to provide ssp symbols" + want_minispecs unset LANGUAGES #265283 } @@ -1010,7 +1048,7 @@ gcc-compiler_src_unpack() { # the necessary support want_pie && use hardened && glibc_have_pie - if use hardened && ! want_minispecs ; then + if use hardened ; then einfo "updating configuration to build hardened GCC" make_gcc_hard || die "failed to make gcc hard" fi @@ -1201,6 +1239,11 @@ gcc-compiler-configure() { confgcc="${confgcc} --disable-libssp" fi + # If we want hardened support with the newer piepatchset for >=gcc 4.4 + if tc_version_is_at_least 4.4 && want_minispecs ; then + confgcc="${confgcc} $(use_enable hardened esp)" + fi + if tc_version_is_at_least "4.2" ; then confgcc="${confgcc} $(use_enable openmp libgomp)" fi @@ -1700,9 +1743,11 @@ gcc_src_compile() { einfo "CFLAGS=\"${CFLAGS}\"" einfo "CXXFLAGS=\"${CXXFLAGS}\"" - # For hardened gcc 4 for build the hardened specs file to use when building gcc - setup_minispecs_gcc_build_specs - + # For hardened gcc 4.3 piepatchset to build the hardened specs + # file (build.specs) to use when building gcc. + if ! tc_version_is_at_least 4.4 && want_minispecs ; then + setup_minispecs_gcc_build_specs + fi # Build in a separate build tree mkdir -p "${WORKDIR}"/build pushd "${WORKDIR}"/build > /dev/null @@ -1827,10 +1872,7 @@ gcc-compiler_src_install() { fi # Setup the gcc_env_entry for hardened gcc 4 with minispecs if want_minispecs ; then - if hardened_gcc_works pie ; then - create_gcc_env_entry hardenednopie - fi - create_gcc_env_entry vanilla + copy_minispecs_gcc_specs fi # Make sure we dont have stuff lying around that # can nuke multiple versions of gcc @@ -1936,9 +1978,6 @@ gcc-compiler_src_install() { # Create config files for eselect-compiler create_eselect_conf - # Cpoy the needed minispec for hardened gcc 4 - copy_minispecs_gcc_specs - # Move pretty-printers to gdb datadir to shut ldconfig up gdbdir=/usr/share/gdb/auto-load for module in $(find "${D}" -iname "*-gdb.py" -print); do @@ -2289,13 +2328,12 @@ do_gcc_PIE_patches() { # adds default pie support (rs6000 too) if DEFAULT_PIE[_SSP] is defined EPATCH_MULTI_MSG="Applying default pie patches ..." \ epatch "${WORKDIR}"/piepatch/def - + fi # we want to be able to control the pie patch logic via something other # than ALL_CFLAGS... sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \ -e 's|^ALL_CFLAGS = |ALL_CFLAGS = $(HARD_CFLAGS) |' \ -i "${S}"/gcc/Makefile.in - fi BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}" } |