From: Magnus Granberg <zorry@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.
Date: Thu, 09 Jan 2014 21:58:46 +0100 [thread overview]
Message-ID: <7554031.Sacz2dxc8i@laptop1.gw.ume.nu> (raw)
[-- Attachment #1: Type: text/plain, Size: 749 bytes --]
Hi
Some time ago we discussed that we should enable stack smashing protection
(-fstack-protector) by default. So we opened a bug to track this [1].
The affected Gcc version will be 4.8.2 and newer. Only amd64, x86, mips, ppc,
ppc64 and arm will be affected by this change.
You can turn off ssp by using the nossp USE flag or by adding
-fno-stack-protector to the CFLAGS and/or CXXFLAGS. We are using the same
patch as Debian/Ubuntu but with some Gentoo fixes.
The patch will move the sed for the HARD_CFLAGS, ALLCFLAGS and
ALLCXXFLAGS from do_gcc_PIE_patches() to make_gcc_hard(). We will
make_gcc_hard() the default for all Gcc versions 4.8 and newer, and turn
it on or off with hardened_gcc_works() that will make some sanity checks.
/Magnus
[-- Attachment #2: toolchin.eclass.patch --]
[-- Type: text/x-patch, Size: 3251 bytes --]
2013-12-31 Magnus Granberg <zorry@gentoo.org>
# 484714
We Add -fstack-protector as default
--- a/eclass/toolchain.eclass 2013-12-30 21:21:05.431832881 +0100
+++ b/eclass/toolchain.eclass 2013-12-31 11:34:00.720993536 +0100
@@ -473,7 +473,9 @@ toolchain_src_prepare() {
do_gcc_PIE_patches
epatch_user
- use hardened && make_gcc_hard
+ if ( tc_version_is_at_least 4.8 || use hardened ) && ! use vanilla ; then
+ make_gcc_hard
+ fi
# install the libstdc++ python into the right location
# http://gcc.gnu.org/PR51368
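Review bot: The condition that replaces `use hardened && make_gcc_hard` wraps `tc_version_is_at_least 4.8 || use hardened` in `( )`, which forks a subshell only to combine two tests; `{ tc_version_is_at_least 4.8 || use hardened; }` yields the same status without the fork. It also gates the hardened case on `! use vanilla`, which the old line did not, so a hardened+vanilla build now skips make_gcc_hard entirely — worth stating in the description if intended. The nossp USE flag the cover letter names as the opt-out is not consulted here; presumably it is honored inside hardened_gcc_works, which is outside this hunk. toolchain_src_prepare continues outside the hunk.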
@@ -606,6 +608,12 @@ do_gcc_PIE_patches() {
epatch "${WORKDIR}"/piepatch/def
fi
+ BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}"
+}
+
+# configure to build with the hardened GCC specs as the default
+make_gcc_hard() {
+
# we want to be able to control the pie patch logic via something other
# than ALL_CFLAGS...
sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
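Review bot: The header comment `# configure to build with the hardened GCC specs as the default` on the relocated make_gcc_hard no longer matches its callers: with the first hunk it runs for every non-vanilla gcc 4.8+, hardened or not, so I would write `# set the default hardening specs: PIE/SSP on hardened profiles, SSP alone (where supported) elsewhere`. The stray blank line after `make_gcc_hard() {` can go. The `sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = '` that follows has no visible `|| die`, unlike the HARD_CFLAGS substitution later in the function; if this insertion fails or is skipped, the later sed matches nothing and still exits 0. The rest of make_gcc_hard is in the next hunk.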
@@ -618,38 +626,38 @@ do_gcc_PIE_patches() {
-i "${S}"/gcc/Makefile.in
fi
- BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}"
-}
-
-# configure to build with the hardened GCC specs as the default
-make_gcc_hard() {
- # defaults to enable for all hardened toolchains
- local gcc_hard_flags="-DEFAULT_RELRO -DEFAULT_BIND_NOW"
-
- if hardened_gcc_works ; then
- einfo "Updating gcc to use automatic PIE + SSP building ..."
- gcc_hard_flags+=" -DEFAULT_PIE_SSP"
- elif hardened_gcc_works pie ; then
- einfo "Updating gcc to use automatic PIE building ..."
- ewarn "SSP has not been enabled by default"
- gcc_hard_flags+=" -DEFAULT_PIE"
- elif hardened_gcc_works ssp ; then
- einfo "Updating gcc to use automatic SSP building ..."
- ewarn "PIE has not been enabled by default"
- gcc_hard_flags+=" -DEFAULT_SSP"
+ # defaults to enable for all toolchains
+ local gcc_hard_flags=""
+ if use hardened ; then
+ if hardened_gcc_works ; then
+ einfo "Updating gcc to use automatic PIE + SSP building ..."
+ gcc_hard_flags+=" -DEFAULT_PIE_SSP"
+ elif hardened_gcc_works pie ; then
+ einfo "Updating gcc to use automatic PIE building ..."
+ ewarn "SSP has not been enabled by default"
+ gcc_hard_flags+=" -DEFAULT_PIE"
+ elif hardened_gcc_works ssp ; then
+ einfo "Updating gcc to use automatic SSP building ..."
+ ewarn "PIE has not been enabled by default"
+ gcc_hard_flags+=" -DEFAULT_SSP"
+ else
+ # do nothing if hardened is't supported, but don't die either
+ ewarn "hardened is not supported for this arch in this gcc version"
+ return 0
+ fi
+ # rebrand to make bug reports easier
+ BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
else
- # do nothing if hardened isnt supported, but dont die either
- ewarn "hardened is not supported for this arch in this gcc version"
- ebeep
- return 0
+ if hardened_gcc_works ssp ; then
+ einfo "Updating gcc to use automatic SSP building ..."
+ gcc_hard_flags+=" -DEFAULT_SSP"
+ fi
fi
sed -i \
-e "/^HARD_CFLAGS = /s|=|= ${gcc_hard_flags} |" \
"${S}"/gcc/Makefile.in || die
- # rebrand to make bug reports easier
- BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
}
# This is a historical wart. The original Gentoo/amd64 port used:
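Review bot: The hardened branch drops `-DEFAULT_RELRO -DEFAULT_BIND_NOW`: the removed `local gcc_hard_flags="-DEFAULT_RELRO -DEFAULT_BIND_NOW"` becomes `local gcc_hard_flags=""` and nothing under `if use hardened ; then` re-adds them, so hardened toolchains would lose the relro/bind-now defaults unless those defines moved elsewhere in the eclass. If that is unintended, seed the flags inside the hardened branch with `gcc_hard_flags="-DEFAULT_RELRO -DEFAULT_BIND_NOW"` right after `if use hardened ; then`. The `sed -i -e "/^HARD_CFLAGS = /s|=|= ${gcc_hard_flags} |"` with `|| die` still succeeds when no HARD_CFLAGS line exists or when gcc_hard_flags is empty, so a silently unhardened build is not caught; a `grep -q '^HARD_CFLAGS = ' "${S}"/gcc/Makefile.in || die` before it would make the precondition explicit. The new ewarn comment `is't` should read `isn't`. The function's opening line is in the previous hunk.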