Diffstat (limited to 'hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild')
-rw-r--r-- | hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild | 47 |
1 files changed, 34 insertions, 13 deletions
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild index 5a03986..6f8463b 100644 --- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild +++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild @@ -16,7 +16,7 @@ # CHOST = CTARGET - install into / # CHOST != CTARGET - install into /usr/CTARGET/ -KEYWORDS="-* alpha amd64 arm ia64 ~mips ppc ppc64 sh sparc x86" +KEYWORDS="-* ~alpha ~amd64 ~arm ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86" BRANCH_UPDATE="" @@ -236,8 +236,7 @@ toolchain-glibc_src_unpack() { if use debug; then # When using Hardened Gentoo stack handler, have smashes dump core for - # analysis - debug only, as core could be an information leak - # (paranoia). + # analysis - debug only, as core could be an information leak. sed -i -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ ${S}/debug/Makefile || die "Failed to modify debug/Makefile for debug stack handler" @@ -247,9 +246,17 @@ toolchain-glibc_src_unpack() { sed -i -e 's:-fstack-protector$:-fstack-protector-all:' ${S}/nscd/Makefile || die "Failed to ensure nscd builds with ssp-all" - # Fix all ifdef PIC to accept also __PIC__, in header and - # un-pre-processed assembler source files. - fixup_DPIC -style prepend ${S} "*.[h|S]" + # Fixup use of PIC to choose PIC variants when built -fPIE. + # Prepends all files that have "#ifdef PIC" or similar, with + # preprocessor macros to define PIC if the compiler has + # defined __PIC__. + find ${S} -name '*.[h|S]' | \ + xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \ + xargs sed -i -e '1i#if defined __PIC__ && !defined PIC\ +# define PIC\ +#endif\ +' + fi gnuconfig_update 
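Review bot: The new `find | xargs grep -l | xargs sed -i` pipeline in the third hunk (-247,9 +246,17) ends without a failure check, while the two `sed -i` calls just above it both end in `|| die`; if the prepend step fails, the build carries on with unpatched sources. Append `|| die "Failed to prepend PIC define to sources"` after the closing quote of the sed script, keeping in mind that only the last stage's exit status is tested, so a failing `find` or `grep` would still go unnoticed. `${S}` is unquoted and the file list is split on whitespace; `find "${S}" ... -print0 | xargs -0 grep -lZ ... | xargs -0 sed -i ...` avoids both. The bracket expression `[h|S]` also matches a literal `|`, so `'*.[hS]'` says what is meant. toolchain-glibc_src_unpack() starts and ends outside the hunk.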
@@ -732,6 +739,23 @@ setup_flags() { # Don't let the compiler automatically build PIEs unless USE=hardened. use hardened || filter-flags -fPIE + + # When building hardened, define PIC always as many files use libtool-style + # macro PIC rather than the builtin macro __PIC__ to differentiate. +#1 if use hardened; then +#1 mkdir -p ${T}/include +#1 [[ -f ${T}/include/define-pic.h ]] || +#1 cat > ${T}/include/define-pic.h <<-EOF +#1 #if defined __PIC__ && !defined PIC +#1 # define PIC +#1 #endif +#1 EOF +#1 append-flags "-I${T}/include -imacrosdefine-pic.h" +#1 # Note; the glibc build process filters out -I* from CFLAGS - +#1 # define-pic.h will be moved to the build directory in +#1 # the configure phase. +#1 fi +#2 #use hardened && append-flags -DPIC } check_kheader_version() { @@ -930,6 +954,9 @@ glibc_do_configure() { local GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-$1 mkdir -p "${GBUILDDIR}" cd "${GBUILDDIR}" +#1 # Copy define-pic.h into the build directory, where glibc's build process +#1 # will find it. +#1 use hardened && cp ${T}/include/define-pic.h . einfo "Configuring GLIBC for $1 with: ${myconf// /\n\t\t}" "${S}"/configure ${myconf} || die "failed to configure glibc" } @@ -1091,15 +1118,9 @@ pkg_setup() { die "install pax-utils" fi - # Building glibc with the default-PIE compiler requires binutils-2.17. The - # dependency is brought in conditional on USE=hardened. if gcc-specs-pie && ! use hardened; then eerror "USE=hardened must be set to build glibc with a hardened compiler" - die "set USE=hardened (or gcc-config to gcc/vanilla)" - fi - if use hardened && ! version_is_at_least $(ld-version) "2.17"; then - eerror "Need binutils-2.17 or higher active to build glibc hardened" - die "install >=sys-devel/binutils-2.17 (or binutils-config to it)" + die "set USE=hardened (or gcc-config to gcc-vanilla)" fi } |
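Review bot: Every functional line added to setup_flags() is commented out with a `#1` or `#2` prefix, so the new comment "When building hardened, define PIC always ..." describes behaviour that this hunk does not enable; the `#1` lines added to glibc_do_configure() (hunk -930,6 +954,9) have the same problem. The markers are not explained anywhere in the visible diff. If they are kept as alternatives to the header fixup in src_unpack, say so above them, e.g. `# Disabled alternatives to the src_unpack PIC fixup: #1 = -imacros define-pic.h, #2 = -DPIC`; otherwise leave them out of the commit. If variant #1 is ever enabled, `${T}` should be quoted in the `mkdir`, `cat` and `cp` lines.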
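Review bot: With the `ld-version` test removed from pkg_setup() (hunk -1091,15 +1118,9), nothing in this hunk still checks the active binutils, and the comment that recorded the binutils-2.17 requirement is deleted with it. If the requirement still holds for hardened builds, a dependency only ensures the package is installed, not that it is the selected one (the removed message pointed at binutils-config), so the failure would presumably move from an early, clear error to somewhere in the build. If it no longer holds, a one-line comment above the remaining `gcc-specs-pie` check saying why would help, e.g. `# binutils version is no longer checked here: <reason>`. pkg_setup() starts outside the hunk.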