pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/mk Add a package-settable variable PKGSRC_OVERRIDE_MKPIE
details: https://anonhg.NetBSD.org/pkgsrc/rev/40b3a993b500
branches: trunk
changeset: 372026:40b3a993b500
user: pho <pho%pkgsrc.org@localhost>
date: Tue Jan 18 01:41:09 2022 +0000
description:
Add a package-settable variable PKGSRC_OVERRIDE_MKPIE
This is needed by packages that require hand-holding in building PIE. Also a
post-build check for MKPIE is performed by default when PKG_DEVELOPER=YES.
diffstat:
mk/bsd.prefs.mk | 18 +++++++-
mk/check/bsd.check-vars.mk | 3 +-
mk/check/bsd.check.mk | 3 +-
mk/check/check-pie-elf.awk | 87 ++++++++++++++++++++++++++++++++++++++++++++++
mk/check/check-pie.mk | 75 +++++++++++++++++++++++++++++++++++++++
mk/compiler/gcc.mk | 4 +-
mk/cwrappers.mk | 8 ++-
mk/wrapper/bsd.wrapper.mk | 4 +-
8 files changed, 191 insertions(+), 11 deletions(-)
diffs (truncated from 312 to 300 lines):
diff -r 494c44da487b -r 40b3a993b500 mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/bsd.prefs.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.415 2021/11/30 09:39:11 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.416 2022/01/18 01:41:09 pho Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -27,6 +27,17 @@
# directory. Typical values look like editors/emacs or
# misc/openoffice-bin.
#
+# Package-settable variables:
+#
+# PKGSRC_OVERRIDE_MKPIE
+# When this variable is set to no, MKPIE is enforced by putting toolchain
+# flags into tool wrapper scripts. Setting it to yes prevents that and
+# shifts the responsibility of building PIE from the pkgsrc infrastructure
+# to an individual package.
+#
+# Possible values: yes, no
+# Default value: no
+#
# Keywords: mk.conf user platform
#
@@ -736,11 +747,12 @@
# Allows the security mitigation of ASLR to be used.
# Impact: very small performance drop.
#
-_PKGSRC_MKPIE= no
+PKGSRC_OVERRIDE_MKPIE?= no
+_PKGSRC_MKPIE= no
.if ${PKGSRC_MKPIE:tl} == "yes" && \
${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes"
-_PKGSRC_MKPIE= yes
+_PKGSRC_MKPIE= yes
.endif
# Enable reproducible build flags
diff -r 494c44da487b -r 40b3a993b500 mk/check/bsd.check-vars.mk
--- a/mk/check/bsd.check-vars.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/check/bsd.check-vars.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check-vars.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check-vars.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
#
# This Makefile fragment is included separately by bsd.pkg.mk and
# defines some variables which must be defined earlier than where
@@ -6,6 +6,7 @@
#
CHECK_FILES_SUPPORTED?= yes
+CHECK_PIE_SUPPORTED?= yes
CHECK_RELRO_SUPPORTED?= yes
CHECK_SHLIBS_SUPPORTED?= yes
CHECK_SSP_SUPPORTED?= yes
diff -r 494c44da487b -r 40b3a993b500 mk/check/bsd.check.mk
--- a/mk/check/bsd.check.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/check/bsd.check.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
#
# This Makefile fragment is included by bsd.pkg.mk and provides all
# variables and targets related to build and install checks.
@@ -29,6 +29,7 @@
.include "check-headers.mk"
.include "check-interpreter.mk"
.include "check-perms.mk"
+.include "check-pie.mk"
.include "check-portability.mk"
.include "check-relro.mk"
.include "check-shlibs.mk"
diff -r 494c44da487b -r 40b3a993b500 mk/check/check-pie-elf.awk
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mk/check/check-pie-elf.awk Tue Jan 18 01:41:09 2022 +0000
@@ -0,0 +1,87 @@
+# $NetBSD: check-pie-elf.awk,v 1.1 2022/01/18 01:41:09 pho Exp $
+#
+# Read a list of potential ELF binaries from stdin. For each, extract the list
+# of headers. There are four possibilities:
+#
+# 1. Elf_Ehdr.e_type == ET_EXEC &&
+# PT_INTERP does not exist
+#
+# This is a statically-linked executable. Ignore these, as they cannot
+# ever be a PIE.
+#
+# 2. Elf_Ehdr.e_type == ET_EXEC &&
+# PT_INTERP exists in the program headers
+#
+# This is a dynamically-linked non-PIE that this script complains about.
+#
+# 3. Elf_Ehdr.e_type == ET_DYN &&
+# PT_INTERP exists in the program headers &&
+# DT_FLAGS_1 exists in the dynamic section &&
+# DT_FLAGS_1 contains DF_1_PIE
+#
+# This is a PIE.
+#
+# 4. Elf_Ehdr.e_type == ET_DYN &&
+# PT_INTERP does not exist in the program headers
+#
+# This is a shared object.
+#
+# See also https://stackoverflow.com/a/55704865
+#
+
+function shquote(IN, out) {
+ out = IN;
+ gsub("\\\\", "\\\\", out);
+ gsub("\\\n", "\\n", out);
+ gsub("\\\t", "\\t", out);
+ gsub(" ", "\\ ", out);
+ gsub("'", "\\'", out);
+ gsub("`", "\\`", out);
+ gsub("\"", "\\\"", out);
+ gsub(";", "\\;", out);
+ gsub("&", "\\&", out);
+ gsub("<", "\\<", out);
+ gsub(">", "\\>", out);
+ gsub("\\(", "\\(", out);
+ gsub("\\)", "\\)", out);
+ gsub("\\|", "\\|", out);
+ gsub("\\*", "\\*", out);
+ gsub("\\?", "\\?", out);
+ gsub("\\{", "\\{", out);
+ gsub("\\}", "\\}", out);
+ gsub("\\[", "\\[", out);
+ gsub("\\]", "\\]", out);
+ gsub("\\$", "\\$", out);
+ gsub("!", "\\!", out);
+ gsub("#", "\\#", out);
+ gsub("\\^", "\\^", out);
+ gsub("~", "\\~", out);
+ return out;
+}
+
+function check_pie(ELF, is_non_pie, is_dyn_exec) {
+ is_non_pie = 0;
+ is_dyn_exec = 0;
+ cmd = readelf " -Whl " shquote(ELF) " 2>/dev/null";
+ while ((cmd | getline) > 0) {
+ if ($1 == "Type:" && $2 == "EXEC") {
+ is_non_pie = 1;
+ }
+ else if ($1 == "INTERP") {
+ is_dyn_exec = 1;
+ }
+ }
+ close(cmd);
+ if (is_non_pie == 1 && is_dyn_exec == 1) {
+ print ELF ": not a PIE";
+ }
+}
+
+BEGIN {
+ readelf = ENVIRON["READELF"];
+ if (readelf == "") {
+ readelf = "readelf";
+ }
+}
+
+{ check_pie($0); }
diff -r 494c44da487b -r 40b3a993b500 mk/check/check-pie.mk
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mk/check/check-pie.mk Tue Jan 18 01:41:09 2022 +0000
@@ -0,0 +1,75 @@
+# $NetBSD
+#
+# This file verifies that MKPIE (position-independent executables) was applied
+# accordingly at build-time.
+#
+# User-settable variables:
+#
+# CHECK_PIE
+# Whether the check should be enabled or not.
+#
+# Default value: "yes" for PKG_DEVELOPERs, "no" otherwise.
+#
+# Package-settable variables:
+#
+# CHECK_PIE_SKIP
+# A list of shell patterns (like man/*) that should be excluded
+# from the check. Note that a * in a pattern also matches a slash
+# in a pathname.
+#
+# Default value: empty.
+#
+# CHECK_PIE_SUPPORTED
+# Whether the check should be enabled for this package or not.
+#
+# Default value: yes
+#
+
+_VARGROUPS+= check-pie
+_USER_VARS.check-pie= CHECK_PIE
+_PKG_VARS.check-pie= CHECK_PIE_SUPPORTED
+
+.if ${_PKGSRC_MKPIE:Uno} != "no" && ${PKG_DEVELOPER:Uno:tl} != "no"
+CHECK_PIE?= yes
+.else
+CHECK_PIE?= no
+.endif
+CHECK_PIE_SUPPORTED?= yes
+CHECK_PIE_SKIP?= # none
+
+# All binaries but not libraries
+_CHECK_PIE_ERE= (bin/|sbin/|libexec/)
+
+_CHECK_PIE_FILELIST_CMD?= \
+ ${SED} -e '/^@/d' ${PLIST} | \
+ while read file; do \
+ ${TEST} -h "$$file" || ${ECHO} "$$file"; \
+ done
+
+_CHECK_PIE_CMD= # empty
+.if ${OBJECT_FMT} == "ELF"
+USE_TOOLS+= awk readelf
+_CHECK_PIE_CMD= ${AWK} -f ${PKGSRCDIR}/mk/check/check-pie-elf.awk
+_CHECK_PIE_ENV+= READELF=${TOOLS_PATH.readelf:Q}
+.endif
+
+.if ${CHECK_PIE:tl} == "yes" && \
+ ${CHECK_PIE_SUPPORTED:tl} == "yes" && \
+ !empty(_CHECK_PIE_CMD)
+privileged-install-hook: _check-pie
+_check-pie: error-check .PHONY
+ @${STEP_MSG} "Checking for PIE in ${PKGNAME}"
+ ${RUN} rm -f ${ERROR_DIR}/${.TARGET}
+ ${RUN} \
+ cd ${DESTDIR:Q}${PREFIX:Q}; \
+ ${_CHECK_PIE_FILELIST_CMD} | \
+ ${EGREP} -h ${_CHECK_PIE_ERE:Q} | \
+ while read file; do \
+ case "$$file" in \
+ ${CHECK_PIE_SKIP:@p@${p}) continue;;@} \
+ *) ${ECHO} "$$file"; \
+ esac; \
+ done | \
+ ${PKGSRC_SETENV} ${_CHECK_PIE_ENV} ${_CHECK_PIE_CMD} \
+ > ${ERROR_DIR}/${.TARGET}
+.endif
diff -r 494c44da487b -r 40b3a993b500 mk/compiler/gcc.mk
--- a/mk/compiler/gcc.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/compiler/gcc.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.234 2021/12/22 10:14:27 nia Exp $
+# $NetBSD: gcc.mk,v 1.235 2022/01/18 01:41:09 pho Exp $
#
# This is the compiler definition for the GNU Compiler Collection.
#
@@ -352,6 +352,7 @@
# XXX for libraries a sink wrapper around gcc is required and used instead
_MKPIE_LDFLAGS.gcc= -pie
+. if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
_GCC_CFLAGS+= ${_MKPIE_CFLAGS.gcc}
_GCC_FCFLAGS+= ${_MKPIE_FCFLAGS.gcc}
#_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}
@@ -360,6 +361,7 @@
CWRAPPERS_APPEND.f77+= ${_MKPIE_FCFLAGS.gcc}
# this differs for libraries and executables (handled in mk/cwrappers.mk)
# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
+. endif
.endif
.if ${_PKGSRC_MKREPRO} == "yes"
diff -r 494c44da487b -r 40b3a993b500 mk/cwrappers.mk
--- a/mk/cwrappers.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/cwrappers.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: cwrappers.mk,v 1.31 2019/05/07 19:36:43 rillig Exp $
+# $NetBSD: cwrappers.mk,v 1.32 2022/01/18 01:41:09 pho Exp $
#
# This Makefile fragment implements integration of pkgtools/cwrappers.
@@ -89,9 +89,11 @@
${RUN}ln -s ${CWRAPPERS_SRC_DIR}/${CWRAPPERS_CONFIG.${wrappee}}-wrapper ${WRAPPER_BINDIR}/${alias}
. endfor
. if ${_PKGSRC_MKPIE} == "yes"
-. for arg in ${_MKPIE_LDFLAGS.gcc}
+. if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
+. for arg in ${_MKPIE_LDFLAGS.gcc}
${RUN}echo append_executable=${arg} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
-. endfor
+. endfor
+. endif
. endif
.endfor
diff -r 494c44da487b -r 40b3a993b500 mk/wrapper/bsd.wrapper.mk
--- a/mk/wrapper/bsd.wrapper.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/wrapper/bsd.wrapper.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.102 2020/04/27 05:23:11 rillig Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.103 2022/01/18 01:41:09 pho Exp $
Home |
Main Index |
Thread Index |
Old Index