public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded

Hello all,

this is a series of patches against the toolchain-funcs and toolchain-glibc
eclasses, most notably

 - introducing new tc-enables-pie(), tc-enables-ssp(),
   tc-enables-ssp-strong() and tc-enables-ssp-all() functions in
   toolchain-funcs compatible with gcc >=6 and clang as a replacement for
   the old gcc-specs-* functions (patch 1).

   After this patchset is merged, I will follow up with fixes to a (small)
   number of ebuilds and eclasses utilizing the old gcc-specs-* functions
   so that we can deprecate those relatively quickly.

 - updates toolchain-glibc to use said new variants and removing obsolete
   configuration logic for gcc >=6. [1]

 - enables a number of (upstreamed) security features for glibc-2.25 per
   default. [2,3]

Best,
Matthias

[1] https://bugs.gentoo.org/show_bug.cgi?id=618160
[2] https://bugs.gentoo.org/show_bug.cgi?id=621742
[3] https://bugs.gentoo.org/show_bug.cgi?id=609048




* [gentoo-dev] [PATCH 1/5] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded, Matthias Maier

From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>

Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong()
and tc-enables-ssp-all() check macros instead of specs.
This solution also works with older GCC and with Clang.

Signed-off-by: Matthias Maier <tamiko@gentoo.org>
---
 eclass/toolchain-funcs.eclass | 71 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
index a0c359a950..3658c40518 100644
--- a/eclass/toolchain-funcs.eclass
+++ b/eclass/toolchain-funcs.eclass
@@ -792,6 +792,77 @@ gcc-specs-stack-check() {
 }
 
 
+# @FUNCTION: tc-enables-pie
+# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
+# @DESCRIPTION:
+# Return truth if the current compiler generates position-independent code (PIC)
+# which can be linked into executables.
+tc-enables-pie() {
+	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__PIE__)
+		true
+		#else
+		false
+		#endif
+		EOF
+	)
+}
+
+# @FUNCTION: tc-enables-ssp
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least minimal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector
+#  -fstack-protector-strong
+#  -fstack-protector-all
+tc-enables-ssp() {
+	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+		true
+		#else
+		false
+		#endif
+		EOF
+	)
+}
+
+# @FUNCTION: tc-enables-ssp-strong
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least middle level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector-strong
+#  -fstack-protector-all
+tc-enables-ssp-strong() {
+	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+		true
+		#else
+		false
+		#endif
+		EOF
+	)
+}
+
+# @FUNCTION: tc-enables-ssp-all
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on maximal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector-all
+tc-enables-ssp-all() {
+	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP_ALL__)
+		true
+		#else
+		false
+		#endif
+		EOF
+	)
+}
+
+
 # @FUNCTION: gen_usr_ldscript
 # @USAGE: [-a] <list of libs to create linker scripts for>
 # @DESCRIPTION:
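Review bot: tc-enables-pie() and the three tc-enables-ssp*() functions in this hunk execute whatever the preprocessor writes to stdout as a shell command (`$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF ...)`), so the result is only right as long as that output is exactly `true` or `false`; a compiler wrapper that prints a banner, a diagnostic that lands on stdout, or an odd value in `${CFLAGS}` turns a feature probe into execution of arbitrary text, and an empty output (compiler missing or rejecting the flags, with stderr already discarded) yields an exit status that callers such as `tc-enables-ssp && append-flags ...` will take as an answer. Capture the output in a variable and compare it, e.g. `local ret=$(...)` followed by `[[ ${ret} == true ]]`, and treat anything other than the two expected tokens as a failure rather than as "no". The @DESCRIPTION blocks should also say that the answer reflects `${CPPFLAGS} ${CFLAGS}` in addition to the compiler's defaults, since those flags are passed to the probe.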
-- 
2.13.0




* [gentoo-dev] [PATCH 2/5] toolchain-glibc.eclass: Build most of >=sys-libs/glibc-2.25 with -fstack-protector-all (bug #609048).
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded, Matthias Maier

From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>

configure accepts --enable-stack-protector=... option which results
in build system passing appropriate -fstack-protector... option
when possible.

Signed-off-by: Matthias Maier <tamiko@gentoo.org>
---
 eclass/toolchain-glibc.eclass       | 17 ++++++++++++++---
 sys-libs/glibc/glibc-2.23-r3.ebuild |  5 -----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/eclass/toolchain-glibc.eclass b/eclass/toolchain-glibc.eclass
index ef9d91acae..eba829cd2f 100644
--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -254,7 +254,7 @@ setup_flags() {
 	# this flag for us, so no need to do it manually.
 	version_is_at_least 2.16 ${PV} || append-cppflags -U_FORTIFY_SOURCE
 
-	# building glibc with SSP is fraught with difficulty, especially
+	# building glibc <2.25 with SSP is fraught with difficulty, especially
 	# due to __stack_chk_fail_local which would mean significant changes
 	# to the glibc build process. See bug #94325 #293721
 	# Note we have to handle both user-given CFLAGS and gcc defaults via
@@ -262,7 +262,9 @@ setup_flags() {
 	# added before user flags, and we can't just filter-flags because
 	# _filter_hardened doesn't support globs.
 	filter-flags -fstack-protector*
-	gcc-specs-ssp && append-flags $(test-flags -fno-stack-protector)
+	if ! version_is_at_least 2.25 ; then
+		tc-enables-ssp && append-flags $(test-flags -fno-stack-protector)
+	fi
 
 	if use hardened && gcc-specs-pie ; then
 		# Force PIC macro definition for all compilations since they're all
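Review bot: `version_is_at_least 2.25` is called with a single argument here while the call a few lines earlier in the same function reads `version_is_at_least 2.16 ${PV}`; use one form for both so the two version gates cannot drift apart (or state that the implicit default is intended). The unchanged `if use hardened && gcc-specs-pie ; then` context line directly below still uses the specs-based helper this series sets out to replace, so after this patch the SSP and PIE checks in the same block rely on two different detection methods until 4/5 is applied; squashing that change in here would keep each step self-consistent.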
@@ -783,6 +785,10 @@ glibc_do_configure() {
 		myconf+=( --enable-old-ssp-compat )
 	fi
 
+	if version_is_at_least 2.25 ; then
+		myconf+=( --enable-stack-protector=all )
+	fi
+
 	[[ $(tc-is-softfloat) == "yes" ]] && myconf+=( --without-fp )
 
 	if [[ $1 == "linuxthreads" ]] ; then
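Review bot: `--enable-stack-protector=all` is added unconditionally for >=2.25, with no USE flag or variable to choose a lower level or to turn it off, while the setup_flags() hunk above keeps stripping `-fstack-protector*` from the user's CFLAGS for every version, so the user has no say at all in the SSP level of their libc. The commit message says the build system passes the option "when possible" but not what happens when glibc's configure test rejects it (hard failure or silent fallback); please document that behaviour and the rationale for forcing `all` rather than `strong` in the message.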
@@ -941,7 +947,7 @@ toolchain-glibc_headers_configure() {
 		libc_cv_mlong_double_128ibm=yes
 		libc_cv_ppc_machine=yes
 		libc_cv_ppc_rel16=yes
-		libc_cv_predef_{fortify_source,stack_protector}=no
+		libc_cv_predef_fortify_source=no
 		libc_cv_visibility_attribute=yes
 		libc_cv_z_combreloc=yes
 		libc_cv_z_execstack=yes
@@ -955,6 +961,11 @@ toolchain-glibc_headers_configure() {
 		ac_cv_lib_audit_audit_log_user_avc_message=no
 		ac_cv_lib_cap_cap_init=no
 	)
+	if ! version_is_at_least 2.25 ; then
+		vars+=(
+			libc_cv_predef_stack_protector=no
+		)
+	fi
 	einfo "Forcing cached settings:"
 	for v in "${vars[@]}" ; do
 		einfo " ${v}"
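Review bot: the two toolchain-glibc_headers_configure() hunks are one logical change split in two (the brace expansion `libc_cv_predef_{fortify_source,stack_protector}=no` is unrolled and the `stack_protector` half moved under a version check); a single-element `vars+=( ... )` could also be one line. More importantly, for >=2.25 nothing forces `libc_cv_predef_stack_protector` any more, so the headers-only configure pass now runs glibc's own detection with a compiler that may not have a usable libc yet, which is exactly the situation these "Forcing cached settings" values exist for; please confirm a headers-only (cross) bootstrap of >=2.25 was tested.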
diff --git a/sys-libs/glibc/glibc-2.23-r3.ebuild b/sys-libs/glibc/glibc-2.23-r3.ebuild
index 410b3485c1..1109618f52 100644
--- a/sys-libs/glibc/glibc-2.23-r3.ebuild
+++ b/sys-libs/glibc/glibc-2.23-r3.ebuild
@@ -137,11 +137,6 @@ src_prepare() {
 				-e '/^CFLAGS-backtrace.c/ iCPPFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
 				debug/Makefile || die
 		fi
-
-		# Build various bits with ssp-all
-		sed -i \
-			-e 's:-fstack-protector$:-fstack-protector-all:' \
-			*/Makefile || die
 	fi
 
 	case $(gcc-fullversion) in
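Review bot: the sed removed from glibc-2.23-r3.ebuild rewrote `-fstack-protector` to `-fstack-protector-all` in the Makefiles, but the eclass part of this same patch only passes `--enable-stack-protector=all` for >=2.25 and still forces `-fno-stack-protector` for older versions, so for 2.23 this is a behaviour change that the commit message does not mention; either explain why dropping it from a <2.25 ebuild is intended, or move this removal into its own commit with that explanation.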
-- 
2.13.0




* [gentoo-dev] [PATCH 3/5] toolchain-glibc.eclass: Always enable stack guard randomization (bug #621742).
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded, Matthias Maier

From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>

Signed-off-by: Matthias Maier <tamiko@gentoo.org>
---
 eclass/toolchain-glibc.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/toolchain-glibc.eclass b/eclass/toolchain-glibc.eclass
index eba829cd2f..5be31eb193 100644
--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -780,7 +780,7 @@ glibc_do_configure() {
 	[[ -d ports ]] && addons+=",ports"
 	popd > /dev/null
 
-	myconf+=( $(use_enable hardened stackguard-randomization) )
+	myconf+=( --enable-stackguard-randomization )
 	if has_version '<sys-libs/glibc-2.13' ; then
 		myconf+=( --enable-old-ssp-compat )
 	fi
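Review bot: the commit has no body. `--enable-stackguard-randomization` is now passed unconditionally instead of via `use_enable hardened`, which changes the result for non-hardened profiles and applies to every glibc version the eclass still handles (the `has_version '<sys-libs/glibc-2.13'` branch right below shows old versions are still expected); please add a sentence explaining why this is safe for all of them and carry the bug #621742 reference in the body rather than only in the subject.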
-- 
2.13.0




* [gentoo-dev] [PATCH 4/5] eclass/toolchain-glibc.eclass: use tc-enables-pie instead of gcc-specs-pie
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded

---
 eclass/toolchain-glibc.eclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eclass/toolchain-glibc.eclass b/eclass/toolchain-glibc.eclass
index 5be31eb193..270c9cdac7 100644
--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -266,7 +266,7 @@ setup_flags() {
 		tc-enables-ssp && append-flags $(test-flags -fno-stack-protector)
 	fi
 
-	if use hardened && gcc-specs-pie ; then
+	if use hardened && tc-enables-pie ; then
 		# Force PIC macro definition for all compilations since they're all
 		# either -fPIC or -fPIE with the default-PIE compiler.
 		append-cppflags -DPIC
@@ -535,7 +535,7 @@ toolchain-glibc_pkg_pretend() {
 		ewarn "hypervisor, which is probably not what you want."
 	fi
 
-	use hardened && ! gcc-specs-pie && \
+	use hardened && ! tc-enables-pie && \
 		ewarn "PIE hardening not applied, as your compiler doesn't default to PIE"
 
 	# Make sure host system is up to date #394453
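Review bot: the ewarn text "as your compiler doesn't default to PIE" is no longer exact after this substitution: tc-enables-pie (patch 1/5) preprocesses with `${CPPFLAGS} ${CFLAGS}`, so a user-supplied `-fPIE` or `-fno-PIE` changes the answer independently of the compiler default; consider "as your compiler and CFLAGS do not enable PIE" or similar. This patch also lacks the Signed-off-by line the first three carry.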
-- 
2.13.0




* [gentoo-dev] [PATCH 5/5] eclass/toolchain-glibc.eclass: skip pie check for gcc-6 or newer
From: Matthias Maier @ 2017-06-14 23:15 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded

For gcc-6 and newer the old logic in the toolchain-glibc eclass:

  if use hardened && gcc-specs-pie ; then
    append-cppflags -DPIC
  else
    filter-flags -fPIE
  fi

is obsolete. Simply disable the check.
---
 eclass/toolchain-glibc.eclass | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/eclass/toolchain-glibc.eclass b/eclass/toolchain-glibc.eclass
index 270c9cdac7..32c1307c3a 100644
--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -266,15 +266,21 @@ setup_flags() {
 		tc-enables-ssp && append-flags $(test-flags -fno-stack-protector)
 	fi
 
-	if use hardened && tc-enables-pie ; then
-		# Force PIC macro definition for all compilations since they're all
-		# either -fPIC or -fPIE with the default-PIE compiler.
-		append-cppflags -DPIC
-	else
-		# Don't build -fPIE without the default-PIE compiler and the
-		# hardened-pie patch
-		filter-flags -fPIE
-	fi
+	if [[ $(gcc-major-version) -lt 6 ]]; then
+		# Starting with gcc-6 (and fully upstreamed pie patches) we control
+		# default enabled/disabled pie via use flags. So nothing to do
+		# here. #618160
+
+		if use hardened && tc-enables-pie ; then
+			# Force PIC macro definition for all compilations since they're all
+			# either -fPIC or -fPIE with the default-PIE compiler.
+			append-cppflags -DPIC
+		else
+			# Don't build -fPIE without the default-PIE compiler and the
+			# hardened-pie patch
+			filter-flags -fPIE
+		fi
+ 	fi
 }
 
 want_nptl() {
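Review bot: the closing `fi` on the last added line is indented with a space followed by a tab (`+ 	fi`) instead of a tab only, which `git diff --check` will flag. The comment explaining that nothing needs to be done for gcc-6 and newer sits inside the `gcc-major-version -lt 6` branch, i.e. the branch where something is done; move it above the `if`. Finally, `gcc-major-version` is a GCC version check, while 1/5 introduced tc-enables-pie explicitly so that the detection also works with Clang; please state in the commit message what this gate does for a Clang toolchain and whether the old logic is meant to run there.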
-- 
2.13.0




* [gentoo-dev] Re: [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
From: Matthias Maier @ 2017-06-14 23:18 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded



On Wed, Jun 14, 2017, at 18:15 CDT, Matthias Maier <tamiko@gentoo.org> wrote:

> [...]

and of course, many thanks to Arfrever for patches and his kind support!

Best,
Matthias



* Re: [gentoo-dev] [PATCH 1/5] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Michał Górny @ 2017-06-15  7:07 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded, Matthias Maier


On Wed, 2017-06-14 at 18:15 -0500, Matthias Maier wrote:
> From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
> 
> Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong()
> and tc-enables-ssp-all() check macros instead of specs.
> This solution also works with older GCC and with Clang.
> 
> Signed-off-by: Matthias Maier <tamiko@gentoo.org>
> ---
>  eclass/toolchain-funcs.eclass | 71 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 71 insertions(+)
> 
> diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
> index a0c359a950..3658c40518 100644
> --- a/eclass/toolchain-funcs.eclass
> +++ b/eclass/toolchain-funcs.eclass
> @@ -792,6 +792,77 @@ gcc-specs-stack-check() {
>  }
>  
>  
> +# @FUNCTION: tc-enables-pie
> +# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
> +# @DESCRIPTION:
> +# Return truth if the current compiler generates position-independent code (PIC)
> +# which can be linked into executables.
> +tc-enables-pie() {
> +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
> +		#if defined(__PIE__)
> +		true
> +		#else
> +		false
> +		#endif
> +		EOF
> +	)

Looks quite horrible. Why can't you just compare the output against
a value instead of randomly executing it?

> +}
> +
> +# @FUNCTION: tc-enables-ssp
> +# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least minimal level
> +# @DESCRIPTION:
> +# Return truth if the current compiler enables stack smashing protection (SSP)
> +# on level corresponding to any of the following options:
> +#  -fstack-protector
> +#  -fstack-protector-strong
> +#  -fstack-protector-all
> +tc-enables-ssp() {
> +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
> +		#if defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)
> +		true
> +		#else
> +		false
> +		#endif
> +		EOF
> +	)
> +}
> +
> +# @FUNCTION: tc-enables-ssp-strong
> +# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least middle level
> +# @DESCRIPTION:
> +# Return truth if the current compiler enables stack smashing protection (SSP)
> +# on level corresponding to any of the following options:
> +#  -fstack-protector-strong
> +#  -fstack-protector-all
> +tc-enables-ssp-strong() {
> +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
> +		#if defined(__SSP_STRONG__) || defined(__SSP_ALL__)
> +		true
> +		#else
> +		false
> +		#endif
> +		EOF
> +	)
> +}
> +
> +# @FUNCTION: tc-enables-ssp-all
> +# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on maximal level
> +# @DESCRIPTION:
> +# Return truth if the current compiler enables stack smashing protection (SSP)
> +# on level corresponding to any of the following options:
> +#  -fstack-protector-all
> +tc-enables-ssp-all() {
> +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
> +		#if defined(__SSP_ALL__)
> +		true
> +		#else
> +		false
> +		#endif
> +		EOF
> +	)
> +}
> +
> +
>  # @FUNCTION: gen_usr_ldscript
>  # @USAGE: [-a] <list of libs to create linker scripts for>
>  # @DESCRIPTION:

-- 
Best regards,
Michał Górny


* Re: [gentoo-dev] [PATCH 1/5] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Matthias Maier @ 2017-06-15  8:09 UTC (permalink / raw)
  To: gentoo-dev


>> +# @FUNCTION: tc-enables-pie
>> +# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
>> +# @DESCRIPTION:
>> +# Return truth if the current compiler generates position-independent code (PIC)
>> +# which can be linked into executables.
>> +tc-enables-pie() {
>> +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
>> +		#if defined(__PIE__)
>> +		true
>> +		#else
>> +		false
>> +		#endif
>> +		EOF
>> +	)
>
> Looks quite horrible. Why can't you just compare the output against
> a value instead of randomly executing it?

Because we have to execute the compiler anyway and this is the quickest
way of getting the answer we need. Further, piping an unfiltered output
(e.g. -E -dM -x c) through grep is by no means prettier.

Best,
Matthias




* Re: [gentoo-dev] [PATCH 1/5] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Michał Górny @ 2017-06-15  8:11 UTC (permalink / raw)
  To: gentoo-dev


On Thu, 2017-06-15 at 03:09 -0500, Matthias Maier wrote:
> > > +# @FUNCTION: tc-enables-pie
> > > +# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
> > > +# @DESCRIPTION:
> > > +# Return truth if the current compiler generates position-independent code (PIC)
> > > +# which can be linked into executables.
> > > +tc-enables-pie() {
> > > +	$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
> > > +		#if defined(__PIE__)
> > > +		true
> > > +		#else
> > > +		false
> > > +		#endif
> > > +		EOF
> > > +	)
> > 
> > Looks quite horrible. Why can't you just compare the output against
> > a value instead of randomly executing it?
> 
> Because we have to execute the compiler anyway and this is the quickest
> way of getting the answer we need. Further, piping an unfiltered output
> (e.g. -E -dM -x c) through grep is by no means prettier.
> 

That's not what I mean. What I mean is that you are executing
the filtered output, i.e. calling whatever gets spilt on stdout as shell
script.

-- 
Best regards,
Michał Górny

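The probe-and-compare approach this exchange converges on, as an added example that is not code from the eclass or from either participant: it assumes a C compiler reachable as `$CC` (default `cc`) and uses hypothetical function names `tc_probe`, `tc_cpp_defined`, `tc_ssp_level` and `tc_report`; it goes beyond the patch by reporting the SSP level and by distinguishing "macro not defined" from "probe failed".

```shell
#!/bin/bash
# Added example (not code from toolchain-funcs.eclass): probe the effective
# PIE / SSP state of "$CC $CFLAGS" via the compiler's predefined macros.
# Unlike the first version of tc-enables-pie() in this thread, the
# preprocessor output is captured and compared, never executed, and anything
# other than an expected token is reported as "unknown" with a failing status.

# tc_probe PROBE [FLAGS...]
# Feed PROBE (an #if chain that emits exactly one token) through the C
# preprocessor with FLAGS and print the token. Prints "unknown" and returns 2
# when the compiler is missing, failed, or printed something unexpected
# (a wrapper banner, a diagnostic on stdout, ...); that case must never be
# mistaken for a "false" answer.
tc_probe() {
	local probe="$1" out
	shift
	out="$(printf '%s\n' "$probe" | "${CC:-cc}" "$@" -E -P -x c - 2>/dev/null | tr -d '[:space:]')"
	case "$out" in
		true|false|none|basic|strong|all) printf '%s\n' "$out" ;;
		*) printf 'unknown\n'; return 2 ;;
	esac
}

# tc_cpp_defined CONDITION [FLAGS...]: print true/false/unknown for a
# preprocessor CONDITION such as 'defined(__PIE__)'.
tc_cpp_defined() {
	local cond="$1"
	shift
	tc_probe "$(printf '%s\n' "#if $cond" true '#else' false '#endif')" "$@"
}

# Same contract as the eclass helpers: succeed only on a definite "true",
# so both "false" and "unknown" make the caller's && chain stop.
tc_enables_pie() {
	[ "$(tc_cpp_defined 'defined(__PIE__)' "$@")" = true ]
}

tc_enables_ssp() {
	[ "$(tc_cpp_defined 'defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)' "$@")" = true ]
}

# tc_ssp_level [FLAGS...]: print the SSP level as none/basic/strong/all
# (or unknown). GCC and Clang define exactly one of the three macros for a
# given -fstack-protector* level, which is why tc-enables-ssp() in the patch
# has to OR all of them.
tc_ssp_level() {
	tc_probe "$(printf '%s\n' \
		'#if defined(__SSP_ALL__)' all \
		'#elif defined(__SSP_STRONG__)' strong \
		'#elif defined(__SSP__)' basic \
		'#else' none '#endif')" "$@"
}

# tc_report [FLAGS...]: one-line summary, e.g. `tc_report $CFLAGS`.
tc_report() {
	local pie=no
	tc_enables_pie "$@" && pie=yes
	printf 'compiler=%s pie=%s ssp=%s\n' "${CC:-cc}" "$pie" "$(tc_ssp_level "$@")"
}
```

Running `tc_report $CFLAGS` against a default-PIE, default-SSP toolchain prints `pie=yes ssp=strong` (or `all`), and pointing `CC` at a missing binary prints `ssp=unknown` instead of silently claiming the feature is off.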

* [gentoo-dev] [RFC v2] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
From: Matthias Maier @ 2017-06-15 13:45 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded

OK.

This is a slightly modified version that uses string comparison to form the
result.

Best,
Matthias




* [gentoo-dev] [PATCH 01/05] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Matthias Maier @ 2017-06-15 13:45 UTC (permalink / raw)
  To: gentoo-dev; +Cc: toolchain, embedded, Matthias Maier

From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>

Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong()
and tc-enables-ssp-all() check macros instead of specs.
This solution also works with older GCC and with Clang.

Signed-off-by: Matthias Maier <tamiko@gentoo.org>
---
 eclass/toolchain-funcs.eclass | 67 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
index a0c359a950..8cfe329a96 100644
--- a/eclass/toolchain-funcs.eclass
+++ b/eclass/toolchain-funcs.eclass
@@ -792,6 +792,73 @@ gcc-specs-stack-check() {
 }
 
 
+# @FUNCTION: tc-enables-pie
+# @RETURN: Truth if the current compiler generates position-independent code (PIC) which can be linked into executables
+# @DESCRIPTION:
+# Return truth if the current compiler generates position-independent code (PIC)
+# which can be linked into executables.
+tc-enables-pie() {
+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__PIE__)
+		true
+		#endif
+		EOF
+	)"
+	[ "${ret}" = "true" ]
+}
+
+# @FUNCTION: tc-enables-ssp
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least minimal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector
+#  -fstack-protector-strong
+#  -fstack-protector-all
+tc-enables-ssp() {
+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+		true
+		#endif
+		EOF
+	)"
+	[ "${ret}" = "true" ]
+}
+
+# @FUNCTION: tc-enables-ssp-strong
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on at least middle level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector-strong
+#  -fstack-protector-all
+tc-enables-ssp-strong() {
+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP_STRONG__) || defined(__SSP_ALL__)
+		true
+		#endif
+		EOF
+	)"
+	[ "${ret}" = "true" ]
+}
+
+# @FUNCTION: tc-enables-ssp-all
+# @RETURN: Truth if the current compiler enables stack smashing protection (SSP) on maximal level
+# @DESCRIPTION:
+# Return truth if the current compiler enables stack smashing protection (SSP)
+# on level corresponding to any of the following options:
+#  -fstack-protector-all
+tc-enables-ssp-all() {
+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2> /dev/null
+		#if defined(__SSP_ALL__)
+		true
+		#endif
+		EOF
+	)"
+	[ "${ret}" = "true" ]
+}
+
+
 # @FUNCTION: gen_usr_ldscript
 # @USAGE: [-a] <list of libs to create linker scripts for>
 # @DESCRIPTION:
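Review bot: the `local ret=...` plus `[ "${ret}" = "true" ]` comparison removes the execution of preprocessor output, but the probe now prints nothing in the #else case, so an empty `${ret}` means either "macro not defined" or "the compiler could not run at all" (stderr goes to /dev/null). A caller such as `tc-enables-ssp && append-flags $(test-flags -fno-stack-protector)` in 2/5 then treats a broken compiler invocation as "SSP off" and skips its workaround. Keep a `false` token in the #else branch and `die` (or at least ewarn) when the output is neither token; `[[ ${ret} == true ]]` is also the canonical bash form for an eclass.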
-- 
2.13.0




* Re: [gentoo-dev] [PATCH 01/05] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Michał Górny @ 2017-06-15 14:37 UTC (permalink / raw)
  To: gentoo-dev, Matthias Maier; +Cc: toolchain, embedded

On 15 June 2017 15:45:10 CEST, Matthias Maier <tamiko@gentoo.org> wrote:
>From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
>
>Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong()
>and tc-enables-ssp-all() check macros instead of specs.
>This solution also works with older GCC and with Clang.
>
>Signed-off-by: Matthias Maier <tamiko@gentoo.org>
>---
>eclass/toolchain-funcs.eclass | 67
>+++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 67 insertions(+)
>
>diff --git a/eclass/toolchain-funcs.eclass
>b/eclass/toolchain-funcs.eclass
>index a0c359a950..8cfe329a96 100644
>--- a/eclass/toolchain-funcs.eclass
>+++ b/eclass/toolchain-funcs.eclass
>@@ -792,6 +792,73 @@ gcc-specs-stack-check() {
> }
> 
> 
>+# @FUNCTION: tc-enables-pie
>+# @RETURN: Truth if the current compiler generates
>position-independent code (PIC) which can be linked into executables
>+# @DESCRIPTION:
>+# Return truth if the current compiler generates position-independent
>code (PIC)
>+# which can be linked into executables.
>+tc-enables-pie() {
>+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2>
>/dev/null
>+		#if defined(__PIE__)
>+		true
>+		#endif
>+		EOF
>+	)"
>+	[ "${ret}" = "true" ]

[[ ${ret} == true ]]

Would be the canonical bash way.

>+}
>+
>+# @FUNCTION: tc-enables-ssp
>+# @RETURN: Truth if the current compiler enables stack smashing
>protection (SSP) on at least minimal level
>+# @DESCRIPTION:
>+# Return truth if the current compiler enables stack smashing
>protection (SSP)
>+# on level corresponding to any of the following options:
>+#  -fstack-protector
>+#  -fstack-protector-strong
>+#  -fstack-protector-all
>+tc-enables-ssp() {
>+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2>
>/dev/null
>+		#if defined(__SSP__) || defined(__SSP_STRONG__) ||
>defined(__SSP_ALL__)
>+		true
>+		#endif
>+		EOF
>+	)"
>+	[ "${ret}" = "true" ]
>+}
>+
>+# @FUNCTION: tc-enables-ssp-strong
>+# @RETURN: Truth if the current compiler enables stack smashing
>protection (SSP) on at least middle level
>+# @DESCRIPTION:
>+# Return truth if the current compiler enables stack smashing
>protection (SSP)
>+# on level corresponding to any of the following options:
>+#  -fstack-protector-strong
>+#  -fstack-protector-all
>+tc-enables-ssp-strong() {
>+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2>
>/dev/null
>+		#if defined(__SSP_STRONG__) || defined(__SSP_ALL__)
>+		true
>+		#endif
>+		EOF
>+	)"
>+	[ "${ret}" = "true" ]
>+}
>+
>+# @FUNCTION: tc-enables-ssp-all
>+# @RETURN: Truth if the current compiler enables stack smashing
>protection (SSP) on maximal level
>+# @DESCRIPTION:
>+# Return truth if the current compiler enables stack smashing
>protection (SSP)
>+# on level corresponding to any of the following options:
>+#  -fstack-protector-all
>+tc-enables-ssp-all() {
>+	local ret="$($(tc-getCC) ${CPPFLAGS} ${CFLAGS} -E -P - <<-EOF 2>
>/dev/null
>+		#if defined(__SSP_ALL__)
>+		true
>+		#endif
>+		EOF
>+	)"
>+	[ "${ret}" = "true" ]
>+}
>+
>+
> # @FUNCTION: gen_usr_ldscript
> # @USAGE: [-a] <list of libs to create linker scripts for>
> # @DESCRIPTION:


-- 
Best regards,
Michał Górny (by phone)



* Re: [gentoo-dev] [PATCH 01/05] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.
From: Matthias Maier @ 2017-06-15 14:40 UTC (permalink / raw)
  To: gentoo-dev

> [[ ${ret} == true ]]
>
> Would be the canonical bash way.

Updated.



* Re: [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
From: Matthias Maier @ 2017-06-16  8:27 UTC (permalink / raw)
  To: gentoo-dev


On Wed, Jun 14, 2017, at 18:15 CDT, Matthias Maier <tamiko@gentoo.org> wrote:

> Hello all,
>
> this is a series of patches against the toolchain-funcs and toolchain-glibc
> eclasses, most notably
>
>  - introducing new tc-enables-pie(), tc-enables-ssp(),
>    tc-enables-ssp-strong() and tc-enables-ssp-all() functions in
>    toolchain-funcs compatible with gcc >=6 and clang as a replacement for
>    the old gcc-specs-* functions (patch 1).
>
>    After this patchset is merged, I will follow up with fixes to a (small)
>    number of ebuilds and eclasses utilizing the old gcc-specs-* functions
>    so that we can deprecate those relatively quickly.
>
>  - updates toolchain-glibc to use said new variants and removes obsolete
>    configuration logic for gcc >=6. [1]
>
>  - enables a number of (upstreamed) security features for glibc-2.25 per
>    default. [2,3]

Pushed.

Best,
Matthias



* Re: [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
  2017-06-16  8:27 ` [gentoo-dev] " Matthias Maier
@ 2017-06-16 13:25   ` M. J. Everitt
  2017-06-16 21:38     ` Sergei Trofimovich
  2017-06-16 21:42     ` Alexis Ballier
  0 siblings, 2 replies; 18+ messages in thread
From: M. J. Everitt @ 2017-06-16 13:25 UTC (permalink / raw)
  To: gentoo-dev



On 16/06/17 09:27, Matthias Maier wrote:
> On Wed, Jun 14, 2017, at 18:15 CDT, Matthias Maier <tamiko@gentoo.org> wrote:
>
>> Hello all,
>>
>> this is a series of patches against the toolchain-funcs and toolchain-glibc
>> eclasses, most notably
>>
> Pushed.
>
> Best,
> Matthias
>
.. That was quick ...

I swore there was something in the devmanual about a nice long period of
bikeshedding before changes to eclasses were approved ..




* Re: [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
  2017-06-16 13:25   ` M. J. Everitt
@ 2017-06-16 21:38     ` Sergei Trofimovich
  2017-06-16 21:42     ` Alexis Ballier
  1 sibling, 0 replies; 18+ messages in thread
From: Sergei Trofimovich @ 2017-06-16 21:38 UTC (permalink / raw)
  Cc: gentoo-dev


On Fri, 16 Jun 2017 14:25:02 +0100
"M. J. Everitt" <m.j.everitt@iee.org> wrote:

> .. That was quick ...
> 
> I swore there was something in the devmanual about a nice long period of
> bikeshedding before changes to eclasses were approved ..

The eclass writing and changes guide is described in the devmanual and available
at https://devmanual.gentoo.org/eclass-writing/

Namely, the "Adding and Updating Eclasses" section includes the rationale for why one
should consider that. TL;DR: the goal is to serve both as an announcement
and as a chance to spot errors before affecting everyone.

Valuable (ideally actionable or supportive) feedback is important
to the community and to individuals, as it allows us all to make a step in the right
direction.

I view existence of bikeshedding centithreads (with zero valuable feedback)
as a negative side of Gentoo community as it's a time sink.
I suggest not to start and not to contribute to such threads.

Unfortunately even rare snarky comments don't work all that well in mailing lists.

Thanks for your patience and understanding :)

-- 

  Sergei



* Re: [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates
  2017-06-16 13:25   ` M. J. Everitt
  2017-06-16 21:38     ` Sergei Trofimovich
@ 2017-06-16 21:42     ` Alexis Ballier
  1 sibling, 0 replies; 18+ messages in thread
From: Alexis Ballier @ 2017-06-16 21:42 UTC (permalink / raw)
  To: gentoo-dev

On Fri, 16 Jun 2017 14:25:02 +0100
"M. J. Everitt" <m.j.everitt@iee.org> wrote:

> On 16/06/17 09:27, Matthias Maier wrote:
> > On Wed, Jun 14, 2017, at 18:15 CDT, Matthias Maier
> > <tamiko@gentoo.org> wrote: 
> >> Hello all,
> >>
> >> this is a series of patches against the toolchain-funcs and
> >> toolchain-glibc eclasses, most notably
> >>  
> > Pushed.
> >
> > Best,
> > Matthias
> >  
> .. That was quick ...
> 
> I swore there was something in the devmanual about a nice long period
> of bikeshedding before changes to eclasses were approved ..
> 

Maintainers are not even required to send their changes to the ML
before committing. They do it because they think it makes sense to
have some review for eclasses having a wide usage. Sending trivial
changes here instead of b.g.o can be seen as spam.



Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
2017-06-14 23:15 [gentoo-dev] [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates Matthias Maier
2017-06-14 23:15 ` [gentoo-dev] [PATCH 1/5] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6 Matthias Maier
2017-06-15  7:07   ` Michał Górny
2017-06-15  8:09     ` Matthias Maier
2017-06-15  8:11       ` Michał Górny
2017-06-15 13:45         ` [gentoo-dev] [RFC v2] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates Matthias Maier
2017-06-15 13:45           ` [gentoo-dev] [PATCH 01/05] toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6 Matthias Maier
2017-06-15 14:37             ` Michał Górny
2017-06-15 14:40               ` Matthias Maier
2017-06-14 23:15 ` [gentoo-dev] [PATCH 2/5] toolchain-glibc.eclass: Build most of >=sys-libs/glibc-2.25 with -fstack-protector-all (bug #609048) Matthias Maier
2017-06-14 23:15 ` [gentoo-dev] [PATCH 3/5] toolchain-glibc.eclass: Always enable stack guard randomization (bug #621742) Matthias Maier
2017-06-14 23:15 ` [gentoo-dev] [PATCH 4/5] eclass/toolchain-glibc.eclass: use tc-enables-pie instead of gcc-specs-pie Matthias Maier
2017-06-14 23:15 ` [gentoo-dev] [PATCH 5/5] eclass/toolchain-glibc.eclass: skip pie check for gcc-6 or newer Matthias Maier
2017-06-14 23:18 ` [gentoo-dev] Re: [RFC] toolchain-funcs.eclass / toolchain-glibc.eclass - gcc-6 bugfixes and updates Matthias Maier
2017-06-16  8:27 ` [gentoo-dev] " Matthias Maier
2017-06-16 13:25   ` M. J. Everitt
2017-06-16 21:38     ` Sergei Trofimovich
2017-06-16 21:42     ` Alexis Ballier
