
CVS commit: pkgsrc/mk



Module Name:    pkgsrc
Committed By:   pho
Date:           Tue Jan 18 01:41:09 UTC 2022

Modified Files:
        pkgsrc/mk: bsd.prefs.mk cwrappers.mk
        pkgsrc/mk/check: bsd.check-vars.mk bsd.check.mk
        pkgsrc/mk/compiler: gcc.mk
        pkgsrc/mk/wrapper: bsd.wrapper.mk
Added Files:
        pkgsrc/mk/check: check-pie-elf.awk check-pie.mk

Log Message:
Add a package-settable variable PKGSRC_OVERRIDE_MKPIE

This is needed by packages that require hand-holding in building PIE. Also a
post-build check for MKPIE is performed by default when PKG_DEVELOPER=YES.


To generate a diff of this commit:
cvs rdiff -u -r1.415 -r1.416 pkgsrc/mk/bsd.prefs.mk
cvs rdiff -u -r1.31 -r1.32 pkgsrc/mk/cwrappers.mk
cvs rdiff -u -r1.10 -r1.11 pkgsrc/mk/check/bsd.check-vars.mk \
    pkgsrc/mk/check/bsd.check.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/mk/check/check-pie-elf.awk \
    pkgsrc/mk/check/check-pie.mk
cvs rdiff -u -r1.234 -r1.235 pkgsrc/mk/compiler/gcc.mk
cvs rdiff -u -r1.102 -r1.103 pkgsrc/mk/wrapper/bsd.wrapper.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/bsd.prefs.mk
diff -u pkgsrc/mk/bsd.prefs.mk:1.415 pkgsrc/mk/bsd.prefs.mk:1.416
--- pkgsrc/mk/bsd.prefs.mk:1.415        Tue Nov 30 09:39:11 2021
+++ pkgsrc/mk/bsd.prefs.mk      Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.415 2021/11/30 09:39:11 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.416 2022/01/18 01:41:09 pho Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -27,6 +27,17 @@
 #      directory. Typical values look like editors/emacs or
 #      misc/openoffice-bin.
 #
+# Package-settable variables:
+#
+# PKGSRC_OVERRIDE_MKPIE
+#      When this variable is set to no, MKPIE is enforced by putting toolchain
+#      flags into tool wrapper scripts. Setting it to yes prevents that and
+#      shifts the responsibility of building PIE from the pkgsrc infrastructure
+#      to an individual package.
+#
+#      Possible values: yes, no
+#      Default value: no
+#
 # Keywords: mk.conf user platform
 #
 
@@ -736,11 +747,12 @@ _BUILD_DEFS+=             INIT_SYSTEM
 # Allows the security mitigation of ASLR to be used.
 # Impact: very small performance drop.
 #
-_PKGSRC_MKPIE= no
+PKGSRC_OVERRIDE_MKPIE?=        no
+_PKGSRC_MKPIE=         no
 .if ${PKGSRC_MKPIE:tl} == "yes" && \
     ${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
     ${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes"
-_PKGSRC_MKPIE= yes
+_PKGSRC_MKPIE=         yes
 .endif
 
 # Enable reproducible build flags
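Review bot: `PKGSRC_OVERRIDE_MKPIE` gets its default here but is never validated, and every consumer added in this commit (the `.if` in mk/cwrappers.mk, the one in mk/compiler/gcc.mk, and the condition in mk/wrapper/bsd.wrapper.mk) tests `${PKGSRC_OVERRIDE_MKPIE:tl} == "no"`. Any value other than the two documented ones, such as a typo or an empty assignment, therefore behaves like yes and silently drops the PIE flags from the wrappers. Failing closed would be safer: test `${PKGSRC_OVERRIDE_MKPIE:tl} != "yes"` in those three places, or reject unknown values next to this default. Because the default uses `?=`, the comment block should also say whether mk.conf or the environment is meant to be able to set a variable that is documented as package-settable.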

Index: pkgsrc/mk/cwrappers.mk
diff -u pkgsrc/mk/cwrappers.mk:1.31 pkgsrc/mk/cwrappers.mk:1.32
--- pkgsrc/mk/cwrappers.mk:1.31 Tue May  7 19:36:43 2019
+++ pkgsrc/mk/cwrappers.mk      Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: cwrappers.mk,v 1.31 2019/05/07 19:36:43 rillig Exp $
+# $NetBSD: cwrappers.mk,v 1.32 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment implements integration of pkgtools/cwrappers.
 
@@ -89,9 +89,11 @@ generate-cwrappers:
        ${RUN}ln -s ${CWRAPPERS_SRC_DIR}/${CWRAPPERS_CONFIG.${wrappee}}-wrapper ${WRAPPER_BINDIR}/${alias}
 .  endfor
 . if ${_PKGSRC_MKPIE} == "yes"
-.  for arg in ${_MKPIE_LDFLAGS.gcc}
+.  if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
+.    for arg in ${_MKPIE_LDFLAGS.gcc}
        ${RUN}echo append_executable=${arg} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
-.  endfor
+.    endfor
+.  endif
 . endif
 .endfor
 

Index: pkgsrc/mk/check/bsd.check-vars.mk
diff -u pkgsrc/mk/check/bsd.check-vars.mk:1.10 pkgsrc/mk/check/bsd.check-vars.mk:1.11
--- pkgsrc/mk/check/bsd.check-vars.mk:1.10      Tue Oct  3 09:43:06 2017
+++ pkgsrc/mk/check/bsd.check-vars.mk   Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check-vars.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check-vars.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment is included separately by bsd.pkg.mk and
 # defines some variables which must be defined earlier than where
@@ -6,6 +6,7 @@
 #
 
 CHECK_FILES_SUPPORTED?=                yes
+CHECK_PIE_SUPPORTED?=          yes
 CHECK_RELRO_SUPPORTED?=                yes
 CHECK_SHLIBS_SUPPORTED?=       yes
 CHECK_SSP_SUPPORTED?=          yes
Index: pkgsrc/mk/check/bsd.check.mk
diff -u pkgsrc/mk/check/bsd.check.mk:1.10 pkgsrc/mk/check/bsd.check.mk:1.11
--- pkgsrc/mk/check/bsd.check.mk:1.10   Tue Oct  3 09:43:06 2017
+++ pkgsrc/mk/check/bsd.check.mk        Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to build and install checks.
@@ -29,6 +29,7 @@
 .include "check-headers.mk"
 .include "check-interpreter.mk"
 .include "check-perms.mk"
+.include "check-pie.mk"
 .include "check-portability.mk"
 .include "check-relro.mk"
 .include "check-shlibs.mk"

Index: pkgsrc/mk/compiler/gcc.mk
diff -u pkgsrc/mk/compiler/gcc.mk:1.234 pkgsrc/mk/compiler/gcc.mk:1.235
--- pkgsrc/mk/compiler/gcc.mk:1.234     Wed Dec 22 10:14:27 2021
+++ pkgsrc/mk/compiler/gcc.mk   Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.234 2021/12/22 10:14:27 nia Exp $
+# $NetBSD: gcc.mk,v 1.235 2022/01/18 01:41:09 pho Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -352,6 +352,7 @@ _MKPIE_FCFLAGS.gcc= -fPIC
 # XXX for libraries a sink wrapper around gcc is required and used instead
 _MKPIE_LDFLAGS.gcc=    -pie
 
+.  if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
 _GCC_CFLAGS+=          ${_MKPIE_CFLAGS.gcc}
 _GCC_FCFLAGS+=         ${_MKPIE_FCFLAGS.gcc}
 #_GCC_LDFLAGS+=                ${_MKPIE_LDFLAGS.gcc}
@@ -360,6 +361,7 @@ CWRAPPERS_APPEND.cxx+=      ${_MKPIE_CFLAGS.g
 CWRAPPERS_APPEND.f77+= ${_MKPIE_FCFLAGS.gcc}
 # this differs for libraries and executables (handled in mk/cwrappers.mk)
 # CWRAPPERS_APPEND.ld+=        ${_MKPIE_LDFLAGS.gcc}
+.  endif
 .endif
 
 .if ${_PKGSRC_MKREPRO} == "yes"

Index: pkgsrc/mk/wrapper/bsd.wrapper.mk
diff -u pkgsrc/mk/wrapper/bsd.wrapper.mk:1.102 pkgsrc/mk/wrapper/bsd.wrapper.mk:1.103
--- pkgsrc/mk/wrapper/bsd.wrapper.mk:1.102      Mon Apr 27 05:23:11 2020
+++ pkgsrc/mk/wrapper/bsd.wrapper.mk    Tue Jan 18 01:41:09 2022
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.102 2020/04/27 05:23:11 rillig Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.103 2022/01/18 01:41:09 pho Exp $
 #
 # Copyright (c) 2005 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -304,7 +304,7 @@ _WRAP_TRANSFORM.CXX=        ${_WRAP_TRANSFORM.C
 .if !empty(PKGSRC_COMPILER:Mgcc)
 _WRAP_TRANSFORM.CC=    ${WRAPPER_TMPDIR}/transform-gcc
 _WRAP_TRANSFORM.CXX=   ${_WRAP_TRANSFORM.CC}
-. if ${_PKGSRC_MKPIE} != "no"
+. if ${_PKGSRC_MKPIE} != "no" && ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
 _WRAP_CMD_SINK.CC=     ${WRAPPER_TMPDIR}/cmd-sink-mkpie-gcc
 _WRAP_CMD_SINK.CXX=    ${_WRAP_CMD_SINK.CC}
 _WRAP_CMD_SINK.LD=     ${WRAPPER_TMPDIR}/cmd-sink-mkpie-ld

Added files:

Index: pkgsrc/mk/check/check-pie-elf.awk
diff -u /dev/null pkgsrc/mk/check/check-pie-elf.awk:1.1
--- /dev/null   Tue Jan 18 01:41:09 2022
+++ pkgsrc/mk/check/check-pie-elf.awk   Tue Jan 18 01:41:09 2022
@@ -0,0 +1,87 @@
+# $NetBSD: check-pie-elf.awk,v 1.1 2022/01/18 01:41:09 pho Exp $
+#
+# Read a list of potential ELF binaries from stdin. For each, extract the list
+# of headers. There are four possibilities:
+#
+# 1. Elf_Ehdr.e_type == ET_EXEC &&
+#    PT_INTERP does not exist
+#
+#      This is a statically-linked executable. Ignore these, as they cannot
+#      ever be a PIE.
+#
+# 2. Elf_Ehdr.e_type == ET_EXEC &&
+#    PT_INTERP exists in the program headers
+#
+#      This is a dynamically-linked non-PIE that this script complains about.
+#
+# 3. Elf_Ehdr.e_type == ET_DYN &&
+#    PT_INTERP exists in the program headers &&
+#    DT_FLAGS_1 exists in the dynamic section &&
+#    DT_FLAGS_1 contains DF_1_PIE
+#
+#      This is a PIE.
+#
+# 4. Elf_Ehdr.e_type == ET_DYN &&
+#    PT_INTERP does not exist in the program headers
+#
+#      This is a shared object.
+#
+# See also https://stackoverflow.com/a/55704865
+#
+
+function shquote(IN, out) {
+       out = IN;
+       gsub("\\\\", "\\\\", out);
+       gsub("\\\n", "\\n", out);
+       gsub("\\\t", "\\t", out);
+       gsub(" ", "\\ ", out);
+       gsub("'", "\\'", out);
+       gsub("`", "\\`", out);
+       gsub("\"", "\\\"", out);
+       gsub(";", "\\;", out);
+       gsub("&", "\\&", out);
+       gsub("<", "\\<", out);
+       gsub(">", "\\>", out);
+       gsub("\\(", "\\(", out);
+       gsub("\\)", "\\)", out);
+       gsub("\\|", "\\|", out);
+       gsub("\\*", "\\*", out);
+       gsub("\\?", "\\?", out);
+       gsub("\\{", "\\{", out);
+       gsub("\\}", "\\}", out);
+       gsub("\\[", "\\[", out);
+       gsub("\\]", "\\]", out);
+       gsub("\\$", "\\$", out);
+       gsub("!", "\\!", out);
+       gsub("#", "\\#", out);
+       gsub("\\^", "\\^", out);
+       gsub("~", "\\~", out);
+       return out;
+}
+
+function check_pie(ELF, is_non_pie, is_dyn_exec) {
+       is_non_pie = 0;
+       is_dyn_exec = 0;
+       cmd = readelf " -Whl " shquote(ELF) " 2>/dev/null";
+       while ((cmd | getline) > 0) {
+               if ($1 == "Type:" && $2 == "EXEC") {
+                       is_non_pie = 1;
+               }
+               else if ($1 == "INTERP") {
+                       is_dyn_exec = 1;
+               }
+       }
+       close(cmd);
+       if (is_non_pie == 1 && is_dyn_exec == 1) {
+               print ELF ": not a PIE";
+       }
+}
+
+BEGIN {
+       readelf = ENVIRON["READELF"];
+       if (readelf == "") {
+               readelf = "readelf";
+       }
+}
+
+{ check_pie($0); }
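Review bot: `shquote()` protects the path that `check_pie()` splices into the `readelf` command line with a hand-maintained list of backslash escapes, which is easy to get subtly wrong for names that come from the package's PLIST. The newline and tab rules look like they emit `\n` and `\t` outside quotes, which a POSIX shell reduces to plain `n` and `t`, so such a name would be looked up under a different path and, with stderr sent to /dev/null, skipped without a report. Wrapping the value in single quotes needs only one rule: `gsub(/'/, "'\\\\''", out); return "'" out "'";`. Separately, `cmd` is missing from the local-variable list of `check_pie(ELF, is_non_pie, is_dyn_exec)` and is therefore a global.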
Index: pkgsrc/mk/check/check-pie.mk
diff -u /dev/null pkgsrc/mk/check/check-pie.mk:1.1
--- /dev/null   Tue Jan 18 01:41:09 2022
+++ pkgsrc/mk/check/check-pie.mk        Tue Jan 18 01:41:09 2022
@@ -0,0 +1,75 @@
+# $NetBSD
+#
+# This file verifies that MKPIE (position-independent executables) was applied
+# accordingly at build-time.
+#
+# User-settable variables:
+#
+# CHECK_PIE
+#      Whether the check should be enabled or not.
+#
+#      Default value: "yes" for PKG_DEVELOPERs, "no" otherwise.
+#
+# Package-settable variables:
+#
+# CHECK_PIE_SKIP
+#      A list of shell patterns (like man/*) that should be excluded
+#      from the check. Note that a * in a pattern also matches a slash
+#      in a pathname.
+#
+#      Default value: empty.
+#
+# CHECK_PIE_SUPPORTED
+#      Whether the check should be enabled for this package or not.
+#
+#      Default value: yes
+#
+
+_VARGROUPS+=           check-pie
+_USER_VARS.check-pie=  CHECK_PIE
+_PKG_VARS.check-pie=   CHECK_PIE_SUPPORTED
+
+.if ${_PKGSRC_MKPIE:Uno} != "no" && ${PKG_DEVELOPER:Uno:tl} != "no"
+CHECK_PIE?=            yes
+.else
+CHECK_PIE?=            no
+.endif
+CHECK_PIE_SUPPORTED?=  yes
+CHECK_PIE_SKIP?=       # none
+
+# All binaries but not libraries
+_CHECK_PIE_ERE=                (bin/|sbin/|libexec/)
+
+_CHECK_PIE_FILELIST_CMD?=                                      \
+       ${SED} -e '/^@/d' ${PLIST} |                            \
+       while read file; do                                     \
+               ${TEST} -h "$$file" || ${ECHO} "$$file";        \
+       done
+
+_CHECK_PIE_CMD=                # empty
+.if ${OBJECT_FMT} == "ELF"
+USE_TOOLS+=            awk readelf
+_CHECK_PIE_CMD=                ${AWK} -f ${PKGSRCDIR}/mk/check/check-pie-elf.awk
+_CHECK_PIE_ENV+=       READELF=${TOOLS_PATH.readelf:Q}
+.endif
+
+.if    ${CHECK_PIE:tl} == "yes" && \
+       ${CHECK_PIE_SUPPORTED:tl} == "yes" && \
+       !empty(_CHECK_PIE_CMD)
+privileged-install-hook: _check-pie
+_check-pie: error-check .PHONY
+       @${STEP_MSG} "Checking for PIE in ${PKGNAME}"
+       ${RUN} rm -f ${ERROR_DIR}/${.TARGET}
+       ${RUN}                                                          \
+               cd ${DESTDIR:Q}${PREFIX:Q};                             \
+               ${_CHECK_PIE_FILELIST_CMD} |                            \
+               ${EGREP} -h ${_CHECK_PIE_ERE:Q} |                       \
+               while read file; do                                     \
+                       case "$$file" in                                \
+                               ${CHECK_PIE_SKIP:@p@${p}) continue;;@}  \
+                               *) ${ECHO} "$$file";                    \
+                       esac;                                           \
+               done |                                                  \
+               ${PKGSRC_SETENV} ${_CHECK_PIE_ENV} ${_CHECK_PIE_CMD}    \
+                       > ${ERROR_DIR}/${.TARGET}
+.endif
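Review bot: `_PKG_VARS.check-pie` lists only `CHECK_PIE_SUPPORTED`, although the header comment documents `CHECK_PIE_SKIP` as package-settable too; it should read `_PKG_VARS.check-pie= CHECK_PIE_SUPPORTED CHECK_PIE_SKIP` so the variable group matches the documentation. The first line `# $NetBSD` lacks the closing `$`, so the RCS keyword will presumably not be expanded; `# $NetBSD$` is the usual form. The `CHECK_PIE` description could also say that the default is yes only when `_PKGSRC_MKPIE` is enabled, which is what the `.if` above the `?=` assignments tests.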


