- build shared libraries with partial RELRO support (#723995)
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS
This commit is contained in:
Nalin Dahyabhai
parent
94ead682ba
commit
2202e378de
@ -1,18 +1,27 @@
|
|||||||
Build binaries in this package as RELRO PIEs and install shared libraries with
|
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
||||||
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
|
and install shared libraries with the execute bit set on them. Prune out
|
||||||
where they might leak out and affect apps which just want to link with the
|
the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect
|
||||||
libraries. FIXME: needs to check and not just assume that the compiler supports
|
apps which just want to link with the libraries. FIXME: needs to check and
|
||||||
using these flags.
|
not just assume that the compiler supports using these flags.
|
||||||
|
|
||||||
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
|
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
|
||||||
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
|
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
|
||||||
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
|
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
|
||||||
|
@@ -419,7 +419,7 @@ mips-*-netbsd*)
|
||||||
|
SHLIBEXT=.so
|
||||||
|
# Linux ld doesn't default to stuffing the SONAME field...
|
||||||
|
# Use objdump -x to examine the fields of the library
|
||||||
|
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
|
||||||
|
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
|
||||||
|
#
|
||||||
|
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
|
||||||
|
SHLIB_EXPORT_FILE_DEP=binutils.versions
|
||||||
@@ -430,7 +430,8 @@
|
@@ -430,7 +430,8 @@
|
||||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||||
PROFFLAGS=-pg
|
PROFFLAGS=-pg
|
||||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
||||||
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
||||||
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
|
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
||||||
+ INSTALL_SHLIB='${INSTALL} -m755'
|
+ INSTALL_SHLIB='${INSTALL} -m755'
|
||||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||||
@ -20,7 +29,7 @@ diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
|
|||||||
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
|
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
|
||||||
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
||||||
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
|
||||||
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
|
@@ -187,8 +187,15 @@ if test -n "$do_libs"; then
|
||||||
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
|
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
|
||||||
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
|
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
|
||||||
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
||||||
@ -30,8 +39,9 @@ diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
|
|||||||
+ if test `dirname $libdir` = /usr ; then
|
+ if test `dirname $libdir` = /usr ; then
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
||||||
+ fi
|
+ fi
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
|
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
|
||||||
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
|
||||||
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
|
||||||
+
|
+
|
||||||
if test $library = 'kdb'; then
|
if test $library = 'kdb'; then
|
||||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||||
@ -6,7 +6,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.9.1
|
Version: 1.9.1
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
|
||||||
Source0: krb5-%{version}.tar.gz
|
Source0: krb5-%{version}.tar.gz
|
||||||
@ -35,7 +35,7 @@ Source35: kdb_check_weak.c
|
|||||||
Patch5: krb5-1.8-ksu-access.patch
|
Patch5: krb5-1.8-ksu-access.patch
|
||||||
Patch6: krb5-1.9-ksu-path.patch
|
Patch6: krb5-1.9-ksu-path.patch
|
||||||
Patch12: krb5-1.7-ktany.patch
|
Patch12: krb5-1.7-ktany.patch
|
||||||
Patch16: krb5-1.9-buildconf.patch
|
Patch16: krb5-1.9.1-buildconf.patch
|
||||||
Patch23: krb5-1.3.1-dns.patch
|
Patch23: krb5-1.3.1-dns.patch
|
||||||
Patch29: krb5-1.9-kprop-mktemp.patch
|
Patch29: krb5-1.9-kprop-mktemp.patch
|
||||||
Patch30: krb5-1.3.4-send-pr-tempfile.patch
|
Patch30: krb5-1.3.4-send-pr-tempfile.patch
|
||||||
@ -666,6 +666,11 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 22 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-8
|
||||||
|
- build shared libraries with partial RELRO support (#723995)
|
||||||
|
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
|
||||||
|
output, now that it's in the buildroot's default LDFLAGS
|
||||||
|
|
||||||
* Wed Jul 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-7
|
* Wed Jul 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-7
|
||||||
- kadmind.init: drop the attempt to detect no-database-present errors (#723723)
|
- kadmind.init: drop the attempt to detect no-database-present errors (#723723)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user