krb5/krb5-1.9.1-buildconf.patch

Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them.  Prune out
the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.

diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
--- krb5-1.9/src/config/shlib.conf	2008-12-08 17:33:07.000000000 -0500
+++ krb5-1.9/src/config/shlib.conf	2009-06-04 14:01:28.000000000 -0400
@@ -419,7 +419,7 @@ mips-*-netbsd*)
 	SHLIBEXT=.so
 	# Linux ld doesn't default to stuffing the SONAME field...
 	# Use objdump -x to examine the fields of the library
-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
 	# 
 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
 	SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 	PROFFLAGS=-pg
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
--- krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
@@ -187,8 +187,15 @@ if test -n "$do_libs"; then
 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
 	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-	    -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+	    -e 's#\$(CFLAGS)##'`
 
+    if test `dirname $libdir` = /usr ; then
+        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+    fi
+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
     if test $library = 'kdb'; then
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
 	library=krb5
diff -up krb5-1.9/src/config/pre.in krb5-1.9/src/config/pre.in
--- krb5-1.9/src/config/pre.in	2011-04-01 15:45:06.640705226 -0400
+++ krb5-1.9/src/config/pre.in	2011-04-01 15:45:11.179705234 -0400
@@ -188,7 +188,7 @@
 INSTALL_SCRIPT=@INSTALL_PROGRAM@
 INSTALL_DATA=@INSTALL_DATA@
 INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
 ## This is needed because autoconf will sometimes define @exec_prefix@ to be
 ## ${prefix}.
 prefix=@prefix@
- build shared libraries with partial RELRO support (#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS 2011-07-22 20:29:06 +00:00			`Build binaries in this package as RELRO PIEs, libraries as partial RELRO,`
			`and install shared libraries with the execute bit set on them. Prune out`
			`the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect`
			`apps which just want to link with the libraries. FIXME: needs to check and`
			`not just assume that the compiler supports using these flags.`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00
- fix link flags and permissions on shared libraries (ausil) 2010-12-20 20:20:01 +00:00			`diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf`
			`--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500`
			`+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400`
- build shared libraries with partial RELRO support (#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS 2011-07-22 20:29:06 +00:00			`@@ -419,7 +419,7 @@ mips--netbsd)`
			`SHLIBEXT=.so`
			`# Linux ld doesn't default to stuffing the SONAME field...`
			`# Use objdump -x to examine the fields of the library`
			`- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'`
			`+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'`
			`#`
			`LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'`
			`SHLIB_EXPORT_FILE_DEP=binutils.versions`
- fix link flags and permissions on shared libraries (ausil) 2010-12-20 20:20:01 +00:00			`@@ -430,7 +430,8 @@`
			`SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'`
			`PROFFLAGS=-pg`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00			`PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'`
- fix link flags and permissions on shared libraries (ausil) 2010-12-20 20:20:01 +00:00			`- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'`
- build shared libraries with partial RELRO support (#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS 2011-07-22 20:29:06 +00:00			`+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00			`+ INSTALL_SHLIB='${INSTALL} -m755'`
			`CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'`
			`CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'`
			`CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'`
- fix link flags and permissions on shared libraries (ausil) 2010-12-20 20:20:01 +00:00			`diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in`
			`--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400`
			`+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400`
- build shared libraries with partial RELRO support (#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS 2011-07-22 20:29:06 +00:00			`@@ -187,8 +187,15 @@ if test -n "$do_libs"; then`
- make krb5-config suppress CFLAGS output when called with --libs (#544391) 2009-12-04 22:16:38 +00:00			`-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \`
			`-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00			`-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \`
- make krb5-config suppress CFLAGS output when called with --libs (#544391) 2009-12-04 22:16:38 +00:00			- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
			+ -e 's#\$(CFLAGS)##'`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00
			+ if test `dirname $libdir` = /usr ; then
			+ lib_flags=`echo $lib_flags \| sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
			`+ fi`
- build shared libraries with partial RELRO support (#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS 2011-07-22 20:29:06 +00:00			+ lib_flags=`echo $lib_flags \| sed -e "s#-fPIE##g" -e "s#-pie##g"`
			+ lib_flags=`echo $lib_flags \| sed -e "s#-Wl,-z,relro##g"`
			+ lib_flags=`echo $lib_flags \| sed -e "s#-Wl,-z,now##g"`
- link binaries to produce position-independent executables, and strip the flags used to do so, and library path flags, from the output of krb5-config - install shared libraries with the execute bit set - we used to override RPATH here, but configure takes --disable-rpath now 2009-06-04 19:09:04 +00:00			`+`
			`if test $library = 'kdb'; then`
			`lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"`
			`library=krb5`
- override INSTALL_SETUID at build-time so that ksu is installed into the buildroot with the right permissions (part of #225974) 2011-04-01 19:52:29 +00:00			`diff -up krb5-1.9/src/config/pre.in krb5-1.9/src/config/pre.in`
			`--- krb5-1.9/src/config/pre.in 2011-04-01 15:45:06.640705226 -0400`
			`+++ krb5-1.9/src/config/pre.in 2011-04-01 15:45:11.179705234 -0400`
			`@@ -188,7 +188,7 @@`
			`INSTALL_SCRIPT=@INSTALL_PROGRAM@`
			`INSTALL_DATA=@INSTALL_DATA@`
			`INSTALL_SHLIB=@INSTALL_SHLIB@`
			`-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root`
			`+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755`
			`## This is needed because autoconf will sometimes define @exec_prefix@ to be`
			`## ${prefix}.`
			`prefix=@prefix@`