From: Khem Raj <raj.khem@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 00/19] Rework GCC PIE and security flags (take 3)
Date: Sat, 1 Jul 2017 07:23:04 -0700
Message-ID: <cover.1498893436.git.raj.khem@gmail.com>

* This patchset adds a switch to configure gcc driver with PIE defaults
* Add support for generating static PIE in gcc
* Gets rid of a lot of bandaids from distro security flags file
* Adjust recipes for new way of specifying pie

v1->v2:
* apply linking spec changes libssp_nonshared.a to musl alone
* icu/iptable/gstreamer1.0-plugins-bad fixes are done on top and do not really depend on pie rework

v2->v3:
* Add glibc 2.25.90 upgrade patches to this pull request as it has a few depending gcc patches with hardening
* Fixes for recipes to build against glibc 2.26
* Add fixes to sysklogd
* Don't compile sysklogd with PIE

The following changes since commit de7914954571ea8e717f56b6d6df13157b0973bc:

  scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (19):
glibc: Upgrade to 2.25.90
glibc: Drop obsoleted bits/string.h from multilibbing
glibc: Enable obsoleted nsl
gcc: Introduce a knob to configure gcc to default to PIE
security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
distutils,setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
gcc7: Enable static PIE
gcc: Link libssp_nonshared.a only on musl targets
sysklogd: Improve build and fix runtime crash
libunwind: We set -fPIE in security flags now if gcc is not configured
for default PIE
valgrind: Remove -no-pie from cflags
icu: Fix build with glibc 2.26
gstreamer1.0-plugins-bad: Fix missing library with bcm egl
gcc-sanitizer: Fix build with glibc 2.26
gcc: Use ucontext_t instead of ucontext
valgrind: Fix build with glibc 2.26
strace: upgrade to 4.17
qemu: Replace use of struct ucontext with ucontext_t
epiphany: Fix build errors when compiling with security flags
meta/classes/distutils-common-base.bbclass | 2 -
meta/classes/setuptools.bbclass | 2 -
meta/conf/distro/include/security_flags.inc | 85 ++-----
meta/conf/distro/include/tcmode-default.inc | 2 +-
...e_2.25.bb => cross-localedef-native_2.25.90.bb} | 27 ++-
...bc-initial_2.25.bb => glibc-initial_2.25.90.bb} | 0
...libc-locale_2.25.bb => glibc-locale_2.25.90.bb} | 0
...libc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} | 0
meta/recipes-core/glibc/glibc-package.inc | 2 +-
...bc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} | 0
...libc-Look-for-host-system-ld.so.cache-as-.patch | 6 +-
...libc-Fix-buffer-overrun-with-a-relocated-.patch | 6 +-
...libc-Raise-the-size-of-arrays-containing-.patch | 34 +--
...ivesdk-glibc-Allow-64-bit-atomics-for-x86.patch | 11 +-
...500-e5500-e6500-603e-fsqrt-implementation.patch | 42 ++--
...-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch | 6 +-
...-Fix-undefined-reference-to-__sqrt_finite.patch | 28 +--
...qrt-f-are-now-inline-functions-and-call-o.patch | 28 +--
...bug-1443-which-explains-what-the-patch-do.patch | 8 +-
...n-libm-err-tab.pl-with-specific-dirs-in-S.patch | 6 +-
...qrt-f-are-now-inline-functions-and-call-o.patch | 8 +-
...ersion-output-matching-grok-gold-s-output.patch | 44 ----
...configure.ac-handle-correctly-libc_cv_ro.patch} | 10 +-
...ibute.patch => 0013-Add-unused-attribute.patch} | 8 +-
...hin-the-path-sets-wrong-config-variables.patch} | 30 +--
...timezone-re-written-tzselect-as-posix-sh.patch} | 12 +-
...ove-bash-dependency-for-nscd-init-script.patch} | 11 +-
...-Cross-building-and-testing-instructions.patch} | 10 +-
...18-eglibc-Help-bootstrap-cross-toolchain.patch} | 10 +-
... 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} | 10 +-
...020-eglibc-Resolve-__fpscr_values-on-SH4.patch} | 10 +-
...atch => 0021-eglibc-Install-PIC-archives.patch} | 20 +-
...ard-port-cross-locale-generation-support.patch} | 36 +--
...023-Define-DUMMY_LOCALE_T-if-not-defined.patch} | 8 +-
...m.patch => 0024-local-dynamic-resolvconf.patch} | 57 +++--
...c-Make-_dl_build_local_scope-breadth-fir.patch} | 8 +-
...locale-fix-hard-coded-reference-to-gcc-E.patch} | 10 +-
.../glibc/{glibc_2.25.bb => glibc_2.25.90.bb} | 37 +--
meta/recipes-devtools/gcc/gcc-7.1.inc | 5 +-
...shared-to-link-commandline-for-musl-targe.patch | 42 ++++
.../gcc/gcc-7.1/0040-ssp_nonshared.patch | 28 ---
.../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch | 37 +++
...r-Use-stack_t-instead-of-struct-sigaltsta.patch | 160 +++++++++++++
...0-replace-struct-ucontext-with-ucontext_t.patch | 149 ++++++++++++
meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +
...lace-struct-ucontext-with-ucontext_t-type.patch | 265 +++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.8.1.1.bb | 46 ++--
...8-replace-struct-ucontext-with-ucontext_t.patch | 31 +++
.../strace/strace/Makefile-ptest.patch | 19 +-
.../strace/{strace_4.16.bb => strace_4.17.bb} | 5 +-
...sts-Use-ucontext_t-instead-of-struct-ucon.patch | 30 +++
meta/recipes-devtools/valgrind/valgrind_3.12.0.bb | 3 +-
...s-that-causes-a-segmentation-fault-under-.patch | 28 +++
...way-for-respecting-flags-from-environment.patch | 35 +++
meta/recipes-extended/sysklogd/sysklogd.inc | 6 +-
meta/recipes-gnome/epiphany/epiphany_3.24.2.bb | 6 +-
...bookmarks-Check-for-return-value-of-fread.patch | 32 +++
.../link-with-libvchostif.patch | 35 +++
.../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb | 1 +
.../icu/icu/0001-i18n-Drop-include-xlocale.h.patch | 31 +++
meta/recipes-support/icu/icu_58.2.bb | 3 +-
meta/recipes-support/libunwind/libunwind_1.2.bb | 4 -
62 files changed, 1209 insertions(+), 429 deletions(-)
rename meta/recipes-core/glibc/{cross-localedef-native_2.25.bb => cross-localedef-native_2.25.90.bb} (61%)
rename meta/recipes-core/glibc/{glibc-initial_2.25.bb => glibc-initial_2.25.90.bb} (100%)
rename meta/recipes-core/glibc/{glibc-locale_2.25.bb => glibc-locale_2.25.90.bb} (100%)
rename meta/recipes-core/glibc/{glibc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} (100%)
rename meta/recipes-core/glibc/{glibc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} (100%)
delete mode 100644 meta/recipes-core/glibc/glibc/0012-Make-ld-version-output-matching-grok-gold-s-output.patch
rename meta/recipes-core/glibc/glibc/{0013-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch => 0012-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch} (82%)
rename meta/recipes-core/glibc/glibc/{0014-Add-unused-attribute.patch => 0013-Add-unused-attribute.patch} (82%)
rename meta/recipes-core/glibc/glibc/{0015-yes-within-the-path-sets-wrong-config-variables.patch => 0014-yes-within-the-path-sets-wrong-config-variables.patch} (94%)
rename meta/recipes-core/glibc/glibc/{0016-timezone-re-written-tzselect-as-posix-sh.patch => 0015-timezone-re-written-tzselect-as-posix-sh.patch} (81%)
rename meta/recipes-core/glibc/glibc/{0017-Remove-bash-dependency-for-nscd-init-script.patch => 0016-Remove-bash-dependency-for-nscd-init-script.patch} (89%)
rename meta/recipes-core/glibc/glibc/{0018-eglibc-Cross-building-and-testing-instructions.patch => 0017-eglibc-Cross-building-and-testing-instructions.patch} (99%)
rename meta/recipes-core/glibc/glibc/{0019-eglibc-Help-bootstrap-cross-toolchain.patch => 0018-eglibc-Help-bootstrap-cross-toolchain.patch} (94%)
rename meta/recipes-core/glibc/glibc/{0021-eglibc-Clear-cache-lines-on-ppc8xx.patch => 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} (94%)
rename meta/recipes-core/glibc/glibc/{0022-eglibc-Resolve-__fpscr_values-on-SH4.patch => 0020-eglibc-Resolve-__fpscr_values-on-SH4.patch} (88%)
rename meta/recipes-core/glibc/glibc/{0023-eglibc-Install-PIC-archives.patch => 0021-eglibc-Install-PIC-archives.patch} (90%)
rename meta/recipes-core/glibc/glibc/{0024-eglibc-Forward-port-cross-locale-generation-support.patch => 0022-eglibc-Forward-port-cross-locale-generation-support.patch} (96%)
rename meta/recipes-core/glibc/glibc/{0025-Define-DUMMY_LOCALE_T-if-not-defined.patch => 0023-Define-DUMMY_LOCALE_T-if-not-defined.patch} (80%)
rename meta/recipes-core/glibc/glibc/{0020-eglibc-cherry-picked-from.patch => 0024-local-dynamic-resolvconf.patch} (49%)
rename meta/recipes-core/glibc/glibc/{0026-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch => 0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch} (89%)
rename meta/recipes-core/glibc/glibc/{0027-locale-fix-hard-coded-reference-to-gcc-E.patch => 0026-locale-fix-hard-coded-reference-to-gcc-E.patch} (82%)
rename meta/recipes-core/glibc/{glibc_2.25.bb => glibc_2.25.90.bb} (80%)
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0049-libsanitizer-Use-stack_t-instead-of-struct-sigaltsta.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0050-replace-struct-ucontext-with-ucontext_t.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-replace-struct-ucontext-with-ucontext_t-type.patch
create mode 100644 meta/recipes-devtools/strace/strace/0008-replace-struct-ucontext-with-ucontext_t.patch
rename meta/recipes-devtools/strace/{strace_4.16.bb => strace_4.17.bb} (87%)
create mode 100644 meta/recipes-devtools/valgrind/valgrind/0001-memcheck-tests-Use-ucontext_t-instead-of-struct-ucon.patch
create mode 100644 meta/recipes-extended/sysklogd/files/0001-fix-problems-that-causes-a-segmentation-fault-under-.patch
create mode 100644 meta/recipes-extended/sysklogd/files/0002-Make-way-for-respecting-flags-from-environment.patch
create mode 100644 meta/recipes-gnome/epiphany/files/0001-bookmarks-Check-for-return-value-of-fread.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch
--
2.13.2