author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-07-22 16:29:06 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2011-07-22 16:29:06 -0400 |
commit | 2202e378de8d7c6dcd752ceb3b546591b14c2be6 (patch) | |
tree | 832285282e3a32c28096f470a12b860bc61aa9f7 /krb5-1.9.1-buildconf.patch | |
parent | 94ead682bab70d7367ee100ad468d38fadf3f34b (diff) | |
- build shared libraries with partial RELRO support (#723995)
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
output, now that it's in the buildroot's default LDFLAGS
Diffstat (limited to 'krb5-1.9.1-buildconf.patch')
-rw-r--r-- | krb5-1.9.1-buildconf.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/krb5-1.9.1-buildconf.patch b/krb5-1.9.1-buildconf.patch
new file mode 100644
index 0000000..85173cf
--- /dev/null
+++ b/krb5-1.9.1-buildconf.patch
@@ -0,0 +1,60 @@
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them. Prune out
+the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
+--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
++++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
+@@ -419,7 +419,7 @@ mips-*-netbsd*)
+ SHLIBEXT=.so
+ # Linux ld doesn't default to stuffing the SONAME field...
+ # Use objdump -x to examine the fields of the library
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
+ #
+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+ SHLIB_EXPORT_FILE_DEP=binutils.versions
+@@ -430,7 +430,8 @@
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ PROFFLAGS=-pg
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
+ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
+diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
+--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
++++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
+@@ -187,8 +187,15 @@ if test -n "$do_libs"; then
+ -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
++ -e 's#\$(CFLAGS)##'`
+
++ if test `dirname $libdir` = /usr ; then
++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++ fi
++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+ if test $library = 'kdb'; then
+ lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+ library=krb5
+diff -up krb5-1.9/src/config/pre.in krb5-1.9/src/config/pre.in
+--- krb5-1.9/src/config/pre.in 2011-04-01 15:45:06.640705226 -0400
++++ krb5-1.9/src/config/pre.in 2011-04-01 15:45:11.179705234 -0400
+@@ -188,7 +188,7 @@
+ INSTALL_SCRIPT=@INSTALL_PROGRAM@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+ prefix=@prefix@ |
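Review bot: The pre.in hunk drops `-o root` from `INSTALL_SETUID` while keeping `-m 4755`, and the patch's own header comment says nothing about it. With this change the setuid bit is applied to a file owned by whoever runs the install, so root ownership presumably has to come from the package's file list, which is not visible on this page. I would add a header line such as `Drop -o root from INSTALL_SETUID so that a non-root buildroot install works; ownership is assigned by the package file list.` and confirm that the setuid files carry an explicit owner there. Separately, in the shlib.conf hunk only `CC_LINK_SHARED` gains `-pie -Wl,-z,relro -Wl,-z,now`, while `CXX_LINK_SHARED` is left as it was. Any program linked through the C++ variable would therefore miss the PIE and immediate-binding flags unless they arrive via `$(LDFLAGS)`.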