* [git.ipfire.org] IPFire 3.x development tree branch, master, updated. bf86a0e10d65377dea53319d98f75e06b368a093
@ 2023-03-21 18:16 Michael Tremer
From: Michael Tremer @ 2023-03-21 18:16 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 3.x development tree".
The branch, master has been updated
via bf86a0e10d65377dea53319d98f75e06b368a093 (commit)
via 2784768aec536b195bd63b6b23491908b368afb2 (commit)
via 01ee5a63b600818dd1a20be8261a8df0165322af (commit)
via 9a7312a166815b9d961af7f5b85a251afe4426f8 (commit)
via fc484c6f639f75ff7af9dfb349455c133a51473a (commit)
via 7942b2679a2c3859b8c7b67e5a34a584a133bbeb (commit)
from 93e1e52703d68c05eb8175076e9038a2abdf96a8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit bf86a0e10d65377dea53319d98f75e06b368a093
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 21 18:13:50 2023 +0000
glibc: Make this package conform to FHS/Hardening
This patch changes many things about glibc in one go. Sorry.
We move glibc out of /lib so that we no longer install any files where
they should not be according to our FHS.
We also enable SSP-all and ensure that everything is properly hardened.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2784768aec536b195bd63b6b23491908b368afb2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 21 18:11:30 2023 +0000
glibc: Disable building NSCD
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 01ee5a63b600818dd1a20be8261a8df0165322af
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 13 16:25:55 2023 +0000
libvirt: Fix compiling virt-shell-login with GCC 12
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9a7312a166815b9d961af7f5b85a251afe4426f8
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Mar 13 16:41:23 2023 +0100
graphviz: Properly harden some binaries
Use some additional compiler flags to properly
harden them.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit fc484c6f639f75ff7af9dfb349455c133a51473a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 13 15:35:33 2023 +0000
jsoncpp: Disable building object files
We do not need those and they fail the hardening check.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7942b2679a2c3859b8c7b67e5a34a584a133bbeb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 13 15:16:27 2023 +0000
libunwind: Update to 1.6.2
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
glibc/glibc.nm | 152 +++++++++++------------------
graphviz/graphviz.nm | 28 +++++-
jsoncpp/jsoncpp.nm | 7 +-
libunwind/libunwind.nm | 13 +--
libvirt/libvirt.nm | 2 +-
libvirt/patches/virt-shell-login-fix.patch | 11 +++
6 files changed, 108 insertions(+), 105 deletions(-)
create mode 100644 libvirt/patches/virt-shell-login-fix.patch
Difference in files:
diff --git a/glibc/glibc.nm b/glibc/glibc.nm
index 70c5ae415..a58a826c8 100644
--- a/glibc/glibc.nm
+++ b/glibc/glibc.nm
@@ -5,7 +5,7 @@
name = glibc
version = 2.37
-release = 2
+release = 4
maintainer = Michael Tremer <michael.tremer(a)ipfire.org>
groups = System/Base
@@ -27,6 +27,9 @@ source_dl = https://ftp.gnu.org/gnu/glibc/
sources = %{thisapp}.tar.xz
build
+ # Build in a separate directory
+ DIR_BUILD = %{DIR_SRC}/glibc-build
+
# Optimize glibc for kernel
OPTIMIZED_KERNEL = 5.10
@@ -45,113 +48,86 @@ build
texinfo
end
- # Build glibc with custom cflags
- GLIBC_FLAGS = -O2 -g -DNDEBUG -pipe
-
- if "%{DISTRO_ARCH}" == "x86_64"
- GLIBC_FLAGS += -mtune=generic
- end
-
- export CFLAGS = %{GLIBC_FLAGS}
- export CXXFLAGS = %{GLIBC_FLAGS}
-
- prepare_cmds
- # In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
- # unknown whether this is a bash bug or a Glibc problem. Disable
- # installation of this locale in order to avoid the problem.
- sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED
-
- # The ldd shell script contains Bash-specific syntax. Change its default
- # program interpreter to /bin/bash in case another /bin/sh is installed.
- sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in
-
- # We don't install pt_chown(1) on the final system
- sed -e "/^install.*pt_chown/d" -i login/Makefile
-
- # Build nscd with -fstack-protector-all, instead of -fstack-protector:
- sed -e "s/fstack-protector/&-strong/" -i nscd/Makefile
-
- # Use gnu hash style
- sed -i Makeconfig \
- -e "s/-Wl,--hash-style=both/-Wl,--hash-style=gnu -Wl,-O1/"
-
- # http://sourceware.org/ml/libc-ports/2011-09/msg00018.html
- sed -e "s/PIC/SHARED/g" -i sysdeps/arm/{set,__long}jmp.S
- end
+ # Disable LTO
+ LTO_CFLAGS =
configure_options = \
--build=%{DISTRO_BUILDTARGET} \
--prefix=/usr \
+ --libdir=%{libdir} \
--libexecdir=%{libdir}/glibc \
- --disable-profile \
- --enable-add-ons \
+ --sbindir=%{sbindir} \
+ --enable-multi-arch \
--enable-kernel=%{OPTIMIZED_KERNEL} \
+ --enable-add-ons \
--disable-werror \
+ --disable-profile \
--disable-crypt \
- --enable-stack-protector=strong \
+ --enable-stack-protector=all \
--enable-bind-now \
- --enable-obsolete-rpc \
--with-bugurl=https://bugtracker.ipfire.org \
- --enable-lock-elision \
- --enable-cet
+ --disable-build-nscd \
+ --disable-nscd
- build
- mkdir -p %{DIR_SRC}/glibc-build
- cd %{DIR_SRC}/glibc-build
-
- CFLAGS="${CFLAGS} -fno-asynchronous-unwind-tables" \
- ../%{thisapp}/configure \
- %{configure_options}
+ if "%{DISTRO_ARCH}" == "aarch64"
+ configure_options += \
+ --enable-memory-tagging
+ end
- make PARALLELMFLAGS=%{PARALLELISMFLAGS} \
- CFLAGS="%{CFLAGS}" CXXFLAGS="%{CXXFLAGS}"
+ if "%{DISTRO_ARCH}" == "x86_64"
+ configure_options += \
+ --enable-cet
end
install
- cd %{DIR_SRC}/glibc-build
- make install install_root=%{BUILDROOT}
+ # Install everything
+ make install install_root=%{BUILDROOT} \
+ rtlddir=%{libdir} rootsbindir=%{sbindir} slibdir=%{libdir}
+
+ if [ "%{DISTRO_ARCH}" = "aarch64" ]; then
+ # On aarch64, we did link various binaries against
+ # an incorrect linker in /lib. In order to migrate
+ # away from this, we are creating a symlink which
+ # can hopefully go after we drop the bootstrap repositories.
+ mkdir -pv %{BUILDROOT}%{prefix}/lib
+ ln -svf --relative \
+ %{BUILDROOT}%{libdir}/ld-linux-aarch64.so.1 \
+ %{BUILDROOT}%{prefix}/lib/ld-linux-aarch64.so.1
+ fi
# Locales
mkdir -pv %{BUILDROOT}/usr/lib/locale
# This would install all locales that are supported
make localedata/install-locales install_root=%{BUILDROOT}
- # Configuration
- cp -vf %{DIR_SOURCE}/{ld.so.conf,nsswitch.conf} %{BUILDROOT}/etc
- mkdir -pv %{BUILDROOT}/etc/{default,ld.so.conf.d}
-
- # Remove unused binaries
- rm -vf %{BUILDROOT}/sbin/sln \
- %{BUILDROOT}/usr/bin/rpcinfo
+ # Install runtime linker configuration
+ install -v -m 644 %{DIR_SOURCE}/ld.so.conf %{BUILDROOT}%{sysconfdir}
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/ld.so.conf.d
# Don't distribute linker cache
- rm -vf %{BUILDROOT}/etc/ld.so.cache
+ rm -vf %{BUILDROOT}%{sysconfdir}/ld.so.cache
+
+ # Install nsswitch.conf
+ install -v -m 644 %{DIR_SOURCE}/nsswitch.conf %{BUILDROOT}%{sysconfdir}
+
+ # Remove unused statically linked binaries
+ rm -vf %{BUILDROOT}%{sbindir}/sln
# Include /usr/lib/gconv/gconv-modules.cache
> %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache
chmod 644 %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache
- strip -g %{BUILDROOT}%{libdir}/*.o
-
- # Move some libs to correct place
- mv -v %{BUILDROOT}/%{lib}/lib{memusage,pcprofile}.so %{BUILDROOT}%{libdir}
-
- # Fix library permissions.
- chmod 755 %{BUILDROOT}%{libdir}/lib*.so*
-
- # rquota.x and rquota.h are now provided by quota
- rm -vf %{BUILDROOT}%{includedir}/rpcsvc/rquota.[hx]
- end
-
- keep_libraries
- %{libdir}/libc_nonshared.a
- %{libdir}/libmvec_nonshared.a
- %{libdir}/libpthread_nonshared.a
+ # Strip any object files
+ strip --strip-debug %{BUILDROOT}%{libdir}/*.o
end
end
packages
package glibc
+ if "%{DISTRO_ARCH}" == "aarch64"
+ provides += /lib/ld-linux-aarch64.so.1
+ end
+
requires
tzdata
end
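Review bot: The aarch64 compatibility symlink does not land where the comment and the new provides entry say it does. The block creates `%{BUILDROOT}%{prefix}/lib` and links `ld-linux-aarch64.so.1` there, while the comment says the old binaries were linked against a loader in `/lib` and the package later adds `provides += /lib/ld-linux-aarch64.so.1`. Unless `/lib` is itself a symlink to `%{prefix}/lib` on the target, binaries that reference `/lib/ld-linux-aarch64.so.1` will still fail to start; either use the literal `/lib` path that the comment names or document the merged-/usr assumption next to the `ln` call. Two smaller points in the same hunk: the dropped `prepare_cmds` block removed several documented workarounds (the vi_VN.TCVN locale exclusion, the `@BASH@` substitution in `elf/ldd.bash.in`, the `--hash-style=gnu` change and the `chmod 755` on the shared libraries) and the commit message does not say whether they are obsolete in 2.37 or were dropped by accident; and `LTO_CFLAGS =` silently turns LTO off for glibc, which deserves a one-line reason in the comment above it since the commit is about hardening.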
@@ -185,34 +161,20 @@ packages
files += %{libdir}/*.[ao]
end
- package nscd
- summary = A Name Service Caching Daemon (nscd).
- description
- Nscd caches name service lookups and can dramatically improve
- performance with NIS+, and may help with DNS as well.
- end
- group = System/Daemons
-
- files
- /usr/sbin/nscd
- end
- end
-
package %{name}-utils
- summary = Development utilities from GNU C library.
+ summary = Development utilities from GNU C library
description
The glibc-utils package contains memusage, a memory usage profiler,
mtrace, a memory leak tracer and xtrace, a function call tracer
which can be helpful during program debugging.
end
- group = Development/Tools
files
- /usr/bin/memusage
- /usr/bin/memusagestat
- /usr/bin/mtrace
- /usr/bin/pcprofiledump
- /usr/bin/xtrace
+ %{bindir}/memusage
+ %{bindir}/memusagestat
+ %{bindir}/mtrace
+ %{bindir}/pcprofiledump
+ %{bindir}/xtrace
%{libdir}/libmemusage.so
%{libdir}/libpcprofile.so
end
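Review bot: `group = Development/Tools` is removed from the `%{name}-utils` package without a replacement, so the package will inherit the top-level `groups = System/Base` (visible in the first hunk); if that is intended, a short note in the commit message would help, otherwise keep the line. Dropping the `nscd` package itself is consistent with `--disable-build-nscd` / `--disable-nscd` in the build hunk, but the package removal means any other package in the tree that `requires nscd` will now fail to resolve; worth a grep before merging.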
diff --git a/graphviz/graphviz.nm b/graphviz/graphviz.nm
index 625c554b2..c5147c5f5 100644
--- a/graphviz/graphviz.nm
+++ b/graphviz/graphviz.nm
@@ -5,7 +5,7 @@
name = graphviz
version = 7.0.4
-release = 1
+release = 2
groups = Development/Tools
url = https://gitlab.com/graphviz/graphviz
@@ -42,6 +42,32 @@ build
./autogen.sh
end
+ configure_options += \
+ --enable-debug
+
+ configure_cmds
+ # Add some additional C compiler flags to proper harden liblab_gamut.
+ sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \
+ lib/edgepaint/Makefile
+
+ # Add some additional C and C++ compiler flags to proper harden
+ # the "dot" binaries.
+ sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \
+ cmd/dot/Makefile
+ sed -i '/^CXXFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \
+ cmd/dot/Makefile
+
+ # Add some additional C compiler flags to proper harden the
+ # "gvpr" binaries.
+ sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \
+ cmd/gvpr/Makefile
+
+ # Add some additional C compiler flags to proper harden the
+ # tools.
+ sed -i '/^CFLAGS =/ s/$/ -fno-builtin-exit -D__noreturn__=/' \
+ cmd/tools/Makefile
+ end
+
test
make check
end
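Review bot: `--enable-debug` is added to `configure_options` in a change described as hardening, with no comment on why a debug build is wanted here; if it is only needed to keep the build from defining away assertions or frame information, say so, otherwise it will be read as an accidental leftover. The four `sed` comments all say "proper harden" but none explains what `-fno-builtin-exit -D__noreturn__=` actually achieves; the libvirt patch in this same push states the reason ("Fix for GCC 12 to not omit __stack_chk_fail"), and the same sentence belongs here so that the next maintainer does not drop the flags as noise. Also, the first comment refers to liblab_gamut while the file edited is `lib/edgepaint/Makefile`; and since the identical flag string is appended five times, consider putting it in one variable and reusing it in each `sed`.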
diff --git a/jsoncpp/jsoncpp.nm b/jsoncpp/jsoncpp.nm
index 5ff2f5c28..a983c3cca 100644
--- a/jsoncpp/jsoncpp.nm
+++ b/jsoncpp/jsoncpp.nm
@@ -5,7 +5,7 @@
name = jsoncpp
version = 1.9.5
-release = 1
+release = 2
groups = System/Libraries
url = https://github.com/open-source-parsers/jsoncpp
@@ -30,7 +30,10 @@ build
end
build
- %{cmake} ..
+ %{cmake} .. \
+ -DBUILD_OBJECT_LIBS:BOOL=OFF \
+ -DBUILD_STATIC_LIBS:BOOL=OFF
+
make %{PARALLELISMFLAGS}
end
end
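Review bot: The commit message only speaks of object files, but the hunk also passes `-DBUILD_STATIC_LIBS:BOOL=OFF`, which drops the static archive as well; either mention that in the message or leave static libraries alone, and check that nothing else in the tree links jsoncpp statically before this lands. Minor: the added empty `+` line between the `%{cmake}` call and `make` is the only blank inside this `build` block and can go.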
diff --git a/libunwind/libunwind.nm b/libunwind/libunwind.nm
index 707feb22a..73ca35390 100644
--- a/libunwind/libunwind.nm
+++ b/libunwind/libunwind.nm
@@ -4,8 +4,8 @@
###############################################################################
name = libunwind
-version = 1.4.0
-release = 2
+version = 1.6.2
+release = 1
groups = Development/Debuggers
url = https://savannah.nongnu.org/projects/libunwind
@@ -16,14 +16,15 @@ description
Libunwind provides a C ABI to determine the call-chain of a program.
end
-source_dl = https://download.savannah.gnu.org/releases/libunwind/
+source_dl = https://github.com/libunwind/libunwind/releases/download/v%{version}/
build
- CFLAGS += -fcommon
-
+ # We are building this without setjmp since the library fails
+ # the hardening check.
configure_options += \
--disable-static \
- --enable-shared
+ --enable-shared \
+ --disable-setjmp
test
make check LD_LIBRARY_PATH=%{DIR_APP}/src/.libs || :
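Review bot: The comment above `configure_options` says "the library fails the hardening check" without naming which one; `--disable-setjmp` stops libunwind from building its `libunwind-setjmp` interposition library, so the comment should name that library and the specific check it fails, and the commit message should warn that consumers of `libunwind-setjmp` lose it. The removal of `CFLAGS += -fcommon` is presumably because 1.6.2 no longer relies on common symbols, but the message only says "Update to 1.6.2"; one sentence there would save the next person from re-adding it. The unchanged `make check ... || :` context line means any regression from the 1.4.0 to 1.6.2 jump is masked during this build; worth at least reading the test log once for this update.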
diff --git a/libvirt/libvirt.nm b/libvirt/libvirt.nm
index 2fca99bf4..0014ab38f 100644
--- a/libvirt/libvirt.nm
+++ b/libvirt/libvirt.nm
@@ -5,7 +5,7 @@
name = libvirt
version = 8.10.0
-release = 3
+release = 4
maintainer = Jonatan Schlag <jonatan.schlag(a)ipfire.org>
groups = Applications/Virtualization
diff --git a/libvirt/patches/virt-shell-login-fix.patch b/libvirt/patches/virt-shell-login-fix.patch
new file mode 100644
index 000000000..906b36e4a
--- /dev/null
+++ b/libvirt/patches/virt-shell-login-fix.patch
@@ -0,0 +1,11 @@
+--- libvirt-8.10.0/tools/meson.build.bak 2023-03-13 15:59:02.530260456 +0000
++++ libvirt-8.10.0/tools/meson.build 2023-03-13 15:59:59.730481605 +0000
+@@ -98,6 +98,8 @@
+ ],
+ install: true,
+ install_dir: bindir,
++ # Fix for GCC 12 to not omit __stack_chk_fail
++ c_args: ['-fno-builtin-exit', '-D__noreturn__='],
+ )
+
+ executable(
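Review bot: The new patch file has no header describing what it fixes or which `executable()` target the hunk lands in; the `@@ -98,6 +98,8 @@` context shows only `install_dir: bindir`, so a reader cannot tell from the patch alone that this is the tool the commit message calls virt-shell-login. Add a description block above the `---` line naming the target and the problem (the inline comment "Fix for GCC 12 to not omit __stack_chk_fail" is the only explanation at present). Also, `-D__noreturn__=` defines the `noreturn` attribute away for every translation unit of that target, not just the function that tripped the hardening check; if the check only needs `__stack_chk_fail` to be emitted, `-fno-builtin-exit` alone may be enough, and the broader define should be justified or dropped. Finally, the `libvirt.nm` hunk above only bumps `release`, so please confirm that files under `libvirt/patches/` are applied automatically by the build system; otherwise the patch is never used.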
hooks/post-receive
--
IPFire 3.x development tree