- build shared libraries with partial RELRO support (#723995)

- filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS
2011-07-22 16:29:06 -04:00 · 2011-07-22 16:29:06 -04:00 · 2202e378de
commit 2202e378de
parent 94ead682ba
2 changed files with 26 additions and 11 deletions
--- a/krb5-1.9.1-buildconf.patch
+++ b/krb5-1.9.1-buildconf.patch
@ -1,18 +1,27 @@
-Build binaries in this package as RELRO PIEs and install shared libraries with
-the execute bit set on them.  Prune out the -L/usr/lib*, PIE flags, and CFLAGS
-where they might leak out and affect apps which just want to link with the
-libraries. FIXME: needs to check and not just assume that the compiler supports
-using these flags.
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them.  Prune out
+the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.

 diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
 --- krb5-1.9/src/config/shlib.conf	2008-12-08 17:33:07.000000000 -0500
 +++ krb5-1.9/src/config/shlib.conf	2009-06-04 14:01:28.000000000 -0400
+@@ -419,7 +419,7 @@ mips-*-netbsd*)
+ 	SHLIBEXT=.so
+ 	# Linux ld doesn't default to stuffing the SONAME field...
+ 	# Use objdump -x to examine the fields of the library
+-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
+ 	# 
+ 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+ 	SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 	PROFFLAGS=-pg
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
 -	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
-+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
 +	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
@ -20,7 +29,7 @@ diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
 diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
 --- krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
 +++ krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
-@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
+@@ -187,8 +187,15 @@ if test -n "$do_libs"; then
 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
 	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
@ -30,8 +39,9 @@ diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
 +    if test `dirname $libdir` = /usr ; then
 +        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
 +    fi
-+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
-+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
 +
     if test $library = 'kdb'; then
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
--- a/krb5.spec
+++ b/krb5.spec
@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -35,7 +35,7 @@ Source35: kdb_check_weak.c
 Patch5: krb5-1.8-ksu-access.patch
 Patch6: krb5-1.9-ksu-path.patch
 Patch12: krb5-1.7-ktany.patch
-Patch16: krb5-1.9-buildconf.patch
+Patch16: krb5-1.9.1-buildconf.patch
 Patch23: krb5-1.3.1-dns.patch
 Patch29: krb5-1.9-kprop-mktemp.patch
 Patch30: krb5-1.3.4-send-pr-tempfile.patch
@ -666,6 +666,11 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Fri Jul 22 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-8
+- build shared libraries with partial RELRO support (#723995)
+- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
+  output, now that it's in the buildroot's default LDFLAGS
+
 * Wed Jul 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-7
 - kadmind.init: drop the attempt to detect no-database-present errors (#723723)