From: "Peter A. Bigot" <pab@pabigot.com>
To: Khem Raj <raj.khem@gmail.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: blocking pie in recipes that build shared object files
Date: Tue, 05 Aug 2014 04:31:08 -0500 [thread overview]
Message-ID: <53E0A45C.4070507@pabigot.com> (raw)
In-Reply-To: <20140804223948.GC11951@haswell>
On 08/04/2014 05:39 PM, Khem Raj wrote:
> On 14-08-04 09:56:37, Peter A. Bigot wrote:
>> I've now hit two recipes in meta-openembedded that fail on armv7-a because
>> SECURITY_CFLAGS has -pie as an option that leaks into a link command
>> building a shared object file. This produces:
>>
>> |
>> /prj/oe/omap/build-beaglebone-master/tmp/sysroots/beaglebone/usr/lib/Scrt1.o:
>> In function `_start':
>> | /prj/oe/omap/build-beaglebone-master/tmp/work/cortexa8hf-vfp-neon-poky-linux-gnueabi/eglibc/2.19-r0/eglibc-2.19/libc/csu/../ports/sysdeps/arm/start.S:128:
>> undefined reference to `main'
>> | collect2: error: ld returned 1 exit status
>> | error: command 'arm-poky-linux-gnueabi-gcc' failed with exit status 1
>>
>> In openembedded-core meta/conf/distro/include/security_flags.inc provides a
>> bunch of package-specific overrides to use SECURITY_NO_PIE_CFLAGS for this
>> sort of package.
>>
>> It's not clear to me how that should be accomplished for recipes that are
>> not part of openembedded-core. For
>> http://patches.openembedded.org/patch/77165/ for python-smbus in meta-python
>> I chose to override it in the bb file.
>>
>> What is the best-practices solution to this problem?
> may be add SECURITY_CFLAGS_pn-blah = "${SECURITY_NO_PIE_CFLAGS}"
> to layer.conf of given layer where recipe resides
Could do that. Is there precedent?
Looking into this more, the reason I'm hitting this is I'm using
DISTRO=poky-lsb, which gives me oe-core's
conf/distro/include/security_flags.inc automatically.
Now that I know more I'm uncomfortable about putting a distro-specific
workaround in each recipe patch I submit, and more uncomfortable about
creating new precedent by putting distro-specific workarounds in
layer.conf files. Updates to python-smbus in meta-python and rrdtool in
meta-oe are affected by this, plus the 42 package exceptions already
listed in security_flags.inc.
I'm going to stop using poky-lsb for now to hide the problem, but for
the future we need guidance on how to make recipes/layers compatible
with distros that want to enable security_flags.inc.
Peter
next prev parent reply other threads:[~2014-08-05 9:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-04 14:56 blocking pie in recipes that build shared object files Peter A. Bigot
2014-08-04 22:39 ` Khem Raj
2014-08-05 9:31 ` Peter A. Bigot [this message]
2014-08-05 14:47 ` Khem Raj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53E0A45C.4070507@pabigot.com \
--to=pab@pabigot.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=raj.khem@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.