From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH 3/8] Adjust build configuration Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. Last-updated: krb5-1.15-beta1 --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- src/config/shlib.conf | 5 +++-- 3 files changed, 11 insertions(+), 3 deletions(-) Index: krb5-1.19.3/src/build-tools/krb5-config.in =================================================================== --- krb5-1.19.3.orig/src/build-tools/krb5-config.in +++ krb5-1.19.3/src/build-tools/krb5-config.in @@ -224,6 +224,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 Index: krb5-1.19.3/src/config/pre.in =================================================================== --- krb5-1.19.3.orig/src/config/pre.in +++ krb5-1.19.3/src/config/pre.in @@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ -INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root +INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ Index: krb5-1.19.3/src/config/shlib.conf =================================================================== --- krb5-1.19.3.orig/src/config/shlib.conf +++ krb5-1.19.3/src/config/shlib.conf @@ -424,7 +424,7 @@ mips-*-netbsd*) # Linux ld doesn't default to stuffing the SONAME field... # Use objdump -x to examine the fields of the library # UNDEF_CHECK is suppressed by --enable-asan - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' + LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel' UNDEF_CHECK='-Wl,--no-undefined' # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' @@ -436,7 +436,8 @@ mips-*-netbsd*) SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' + CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'