pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/lang/ghc90 Enable PaX MPROTECT and ASLR for everything...
details: https://anonhg.NetBSD.org/pkgsrc/rev/9b01c6ba0638
branches: trunk
changeset: 450844:9b01c6ba0638
user: pho <pho%pkgsrc.org@localhost>
date: Thu Apr 22 18:15:00 2021 +0000
description:
Enable PaX MPROTECT and ASLR for everything but ghc-iserv and ghc-iserv-prof
Now that allocateExec() in rts/sm/Storage.c uses libffi to map executable
pages, we no longer have to disable these protections unless the RTS linker
is to be used.
diffstat:
lang/ghc90/Makefile | 52 ++++++++++++++++--------------------
lang/ghc90/bootstrap.mk | 18 +++---------
lang/ghc90/distinfo | 4 +-
lang/ghc90/patches/patch-aclocal.m4 | 24 ++--------------
4 files changed, 33 insertions(+), 65 deletions(-)
diffs (198 lines):
diff -r 6463b02deaff -r 9b01c6ba0638 lang/ghc90/Makefile
--- a/lang/ghc90/Makefile Thu Apr 22 17:33:04 2021 +0000
+++ b/lang/ghc90/Makefile Thu Apr 22 18:15:00 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.3 2021/04/22 14:20:23 pho Exp $
+# $NetBSD: Makefile,v 1.4 2021/04/22 18:15:00 pho Exp $
# -----------------------------------------------------------------------------
# Package metadata
#
@@ -24,11 +24,11 @@
# you want to build them yourself, follow instructions in
# BOOTSTRAP.txt and ./bootstrap.mk
#BROKEN_EXCEPT_ON_PLATFORM+= Darwin-*-powerpc # Not available yet
-BROKEN_EXCEPT_ON_PLATFORM+= Darwin-*-x86_64
-BROKEN_EXCEPT_ON_PLATFORM+= FreeBSD-*-i386
-BROKEN_EXCEPT_ON_PLATFORM+= FreeBSD-*-x86_64
+#BROKEN_EXCEPT_ON_PLATFORM+= Darwin-*-x86_64 # Not available yet
+#BROKEN_EXCEPT_ON_PLATFORM+= FreeBSD-*-i386 # Not available yet
+#BROKEN_EXCEPT_ON_PLATFORM+= FreeBSD-*-x86_64 # Not available yet
BROKEN_EXCEPT_ON_PLATFORM+= NetBSD-*-x86_64
-BROKEN_EXCEPT_ON_PLATFORM+= SunOS-*-x86_64
+#BROKEN_EXCEPT_ON_PLATFORM+= SunOS-*-x86_64 # Not available yet
# -----------------------------------------------------------------------------
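Review bot: The four platform lines commented out here (Darwin-*-x86_64, FreeBSD-*-i386, FreeBSD-*-x86_64, SunOS-*-x86_64) leave NetBSD-*-x86_64 as the only platform on which the package is not marked broken, and the commit description does not mention it. Suggest naming the dropped platforms in the log message or moving this to its own commit, so the PaX change can be reviewed and reverted independently.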
@@ -104,30 +104,25 @@
# -----------------------------------------------------------------------------
# Security
#
-# The runtime system of GHC (rts) tends to conflict with PaX MPROTECT
-# because it needs to generate various kinds of code at run time. The
-# RTS linker, whose job is to load *static* objects at run time,
-# doesn't play nice with ASLR either because it relies on
-# mmap(MAP_FIXED). This means most executables produced by GHC need
-# them to be disabled. Perhaps we should patch rts/sm/Storage.c so
-# that it uses ffi_closure_alloc(3) on every platform, not just Linux,
-# and also drop support for static library loading and switch to
-# dynamic libraries entirely. (Partially done:
-# https://gitlab.haskell.org/ghc/ghc/merge_requests/2498)
-.for f in ghc ghc-iserv ghc-iserv-dyn ghc-iserv-prof ghc-pkg haddock hpc hsc2hs runghc
+# The runtime system of GHC (rts) has a functionality called "RTS
+# linker" whose job is to load and execute *static* objects (.a and .o
+# files) at run time. It cannot survive PaX MPROTECT because
+# preloadObjectFile() in rts/linker.c tries to mmap pages with w+x. It
+# doesn't play nice with ASLR either because mmapForLinker() in
+# rts/linker.c wants to mmap pages in the lower 32-bit area on 64-bit
+# platforms.
+#
+# Luckily for us, the RTS linker is only used when the GHC executable
+# (or any user programs which uses GHC API as an interpreter, not a
+# compiler) is statically linked, which is no longer the case except
+# for ghc-iserv and ghc-iesrv-prof. They are launched when ghci is
+# started with -fexternal-interpreter without -dynamic, and their
+# purpose is to run non-PIC code from a dynamically linked ghci using
+# the evil RTS linker.
+.for f in ghc-iserv ghc-iserv-prof
NOT_PAX_MPROTECT_SAFE+= lib/${PKGNAME_NOREV}/bin/${f}
NOT_PAX_ASLR_SAFE+= lib/${PKGNAME_NOREV}/bin/${f}
.endfor
-# Additional note: Now that DYNAMIC_GHC_PROGRAMS is enabled by
-# default, we no longer need to disable PaX ASLR because the RTS
-# linker is not used... except for ghc-iserv. The program is launched
-# when ghci is started with -fexternal-interpreter without
-# -dynamic. Its purpose is to run non-PIC code from a dynamically
-# linked ghci, and therefore still uses RTS linker. Also note that RTS
-# linker requires PaX mprotect to be disabled too. This means that
-# once the merge request mentioned above is merged to the upstream, we
-# can at least enable PaX mprotect and PaX ASLR for all the
-# executables except ghc-iserv and ghc-iserv-prof.
# -----------------------------------------------------------------------------
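Review bot: The .for list drops ghc-iserv-dyn from the exemptions, but the new comment only explains why ghc-iserv and ghc-iserv-prof stay exempt. If the reason is that ghc-iserv-dyn is dynamically linked and so never enters the RTS linker, one sentence saying so would close the gap for anyone auditing which binaries run without MPROTECT and ASLR. The comment also misspells the second binary as "ghc-iesrv-prof"; it should read "ghc-iserv-prof" to match the name in the .for line.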
@@ -199,9 +194,6 @@
# Sanity checks
#
-# There is an unused script which don't pass the portability test.
-CHECK_PORTABILITY_SKIP+= distrib/prep-bin-dist-mingw
-
# Dynamically linked Haskell executables and libraries have rpaths to
# dependent Haskell libraries, but the problem is that they are
# specified with $ORIGIN, which isn't currently supported by
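Review bot: Removing CHECK_PORTABILITY_SKIP for distrib/prep-bin-dist-mingw is unrelated to the PaX change and is not covered by the commit description. Please confirm the script is no longer present in the extracted source for this version, since otherwise the portability check will flag it again, and note the reason in the log message.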
@@ -217,9 +209,11 @@
.endfor
# ghc57207_0.s: failed to add inputs for merge: Resource temporarily unavailable
+# XXX: On which platform? Is it still an issue?
CTF_FILES_SKIP+= */libHS*-ghc${PKGVERSION_NOREV}.*
# ld: fatal: relocation error ... relocation requires reference symbol
+# XXX: On which platform? Is it still an issue?
STRIP_FILES_SKIP+= lib/${PKGNAME_NOREV}/libHSrts.a
diff -r 6463b02deaff -r 9b01c6ba0638 lang/ghc90/bootstrap.mk
--- a/lang/ghc90/bootstrap.mk Thu Apr 22 17:33:04 2021 +0000
+++ b/lang/ghc90/bootstrap.mk Thu Apr 22 18:15:00 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bootstrap.mk,v 1.2 2021/04/22 14:20:23 pho Exp $
+# $NetBSD: bootstrap.mk,v 1.3 2021/04/22 18:15:00 pho Exp $
# -----------------------------------------------------------------------------
# Select a bindist of bootstrapping compiler on a per-platform basis.
#
@@ -14,19 +14,11 @@
# Notes on version dependencies:
# * GHC 9.0.1 requires 8.8 or later to bootstrap.
-# * GHC 8.8.1 requires 8.4 or later to bootstrap.
+# * GHC 8.8.4 requires 8.4 or later to bootstrap.
# * GHC 8.4.4 requires 8.0 or later to bootstrap.
# * GHC 8.0.2 requires 7.8 or later to bootstrap.
# * GHC 7.10.3 requires 7.6 or later to bootstrap.
-########################################################################
-# Please note that GHC 8.8.1 fails to build itself due to this bug: #
-# https://gitlab.haskell.org/ghc/ghc/issues/17146 #
-# #
-# It is expected to be fixed in 8.8.2 but until that we must bootstrap #
-# it with 8.4.4. WE MUST NOT REMOVE lang/ghc84 UNTIL THAT. #
-########################################################################
-
.if !empty(MACHINE_PLATFORM:MDarwin-*-powerpc) || make(distinfo) || make (makesum) || make(mdi)
#BOOT_VERSION:= 8.4.4
#BOOT_ARCHIVE:= ghc-${BOOT_VERSION}-boot-powerpc-apple-darwin.tar.xz
@@ -114,8 +106,8 @@
${FAIL_MSG} "Put your trusted bootstrap archive as ${DISTDIR}/${DIST_SUBDIR}/${BOOT_ARCHIVE}"
@${PHASE_MSG} "Extracting bootstrapping compiler for ${PKGNAME}"
- ${RUN}${MKDIR} ${WRKDIR}/build-extract
- ${RUN}cd ${WRKDIR}/build-extract && \
+ ${RUN}${MKDIR} ${WRKDIR}/bootkit-dist
+ ${RUN}cd ${WRKDIR}/bootkit-dist && \
${XZCAT} ${DISTDIR}/${DIST_SUBDIR}/${BOOT_ARCHIVE} | \
${GTAR} -xf -
@@ -123,7 +115,7 @@
# configured, otherwise it will produce executables with no rpath and
# fail at the configure phase.
@${PHASE_MSG} "Preparing bootstrapping compiler for ${PKGNAME}"
- ${RUN}cd ${WRKDIR}/build-extract/ghc-${BOOT_VERSION}-boot && \
+ ${RUN}cd ${WRKDIR}/bootkit-dist/ghc-${BOOT_VERSION}-boot && \
${PKGSRC_SETENV} ${CONFIGURE_ENV} ${SH} ./configure \
--prefix=${TOOLS_DIR:Q} && \
${PKGSRC_SETENV} ${MAKE_ENV} ${MAKE_PROGRAM} install
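Review bot: The rename from ${WRKDIR}/build-extract to ${WRKDIR}/bootkit-dist is applied in this hunk and the previous one, but only these two call sites are visible in the diff. Worth checking the rest of bootstrap.mk and the Makefile for remaining references to build-extract, because a stale path would make the extraction and configure steps disagree about where the bootstrap compiler lives. The rename is also not mentioned in the commit description.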
diff -r 6463b02deaff -r 9b01c6ba0638 lang/ghc90/distinfo
--- a/lang/ghc90/distinfo Thu Apr 22 17:33:04 2021 +0000
+++ b/lang/ghc90/distinfo Thu Apr 22 18:15:00 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2021/04/22 14:20:23 pho Exp $
+$NetBSD: distinfo,v 1.3 2021/04/22 18:15:00 pho Exp $
SHA1 (ghc-8.10.4-boot-x86_64-unknown-netbsd.tar.xz) = 3ff01d768393b3866e7a7543f9f55646aaffce7a
RMD160 (ghc-8.10.4-boot-x86_64-unknown-netbsd.tar.xz) = 39bf10b13054a6316c8477609fb98abe4277fa6c
@@ -12,7 +12,7 @@
RMD160 (netbsd-9.0-amd64-libterminfo.tar.gz) = 5a246633c90ee85f71efcc02d8280bd0c50ab5a7
SHA512 (netbsd-9.0-amd64-libterminfo.tar.gz) = 79288d44b84df8848afc2cdfee628cc4fd1ec0334159403ef8ba994d617bc56a7114af3031198afb5f3b8f45c0463a848099431e32bc6725042908576b6f95b8
Size (netbsd-9.0-amd64-libterminfo.tar.gz) = 27744 bytes
-SHA1 (patch-aclocal.m4) = d178edd5d193ac8f772955bbe451686c5f6cccdc
+SHA1 (patch-aclocal.m4) = 66d27cc50de048beeebee31302107501d5802388
SHA1 (patch-configure.ac) = 0905a0e5358d8c3f3f8366b597a59dd824f294d8
SHA1 (patch-libraries_Cabal_Cabal_Distribution_Simple_GHC.hs) = a4c82b1282c0580a7945be8c3b9d38bc760db99f
SHA1 (patch-libraries_base_GHC_Event_KQueue.hsc) = 8ee5da667a241a05fde3c580d3dc9bdc05aa5f00
diff -r 6463b02deaff -r 9b01c6ba0638 lang/ghc90/patches/patch-aclocal.m4
--- a/lang/ghc90/patches/patch-aclocal.m4 Thu Apr 22 17:33:04 2021 +0000
+++ b/lang/ghc90/patches/patch-aclocal.m4 Thu Apr 22 18:15:00 2021 +0000
@@ -1,15 +1,7 @@
-$NetBSD: patch-aclocal.m4,v 1.1 2021/02/09 13:18:36 ryoon Exp $
-
-Hunk #1:
- Remove _AC_PROG_CC_C99 macro that is removed in autoconf-2.71
- to fix build failure.
+$NetBSD: patch-aclocal.m4,v 1.2 2021/04/22 18:15:01 pho Exp $
-Hunk #2:
- Support SunOS/x86_64.
-
-Hunk #3:
- Canonicalize OS name netbsd* to "netbsd":
- https://gitlab.haskell.org/ghc/ghc/merge_requests/2496
+Remove _AC_PROG_CC_C99 macro that is removed in autoconf-2.71 to fix
+build failure.
--- aclocal.m4.orig 2021-01-26 14:49:54.000000000 +0000
+++ aclocal.m4
@@ -31,13 +23,3 @@
dnl restore saved state
FP_COPY_SHELLVAR([fp_save_CC],[CC])
FP_COPY_SHELLVAR([fp_save_CFLAGS],[CFLAGS])
-@@ -2141,6 +2130,9 @@ AC_DEFUN([GHC_CONVERT_OS],[
- openbsd*)
- $3="openbsd"
- ;;
-+ netbsd*)
-+ $3="netbsd"
-+ ;;
- # As far as I'm aware, none of these have relevant variants
- freebsd|dragonfly|hpux|linuxaout|kfreebsdgnu|freebsd2|mingw32|darwin|nextstep2|nextstep3|sunos4|ultrix|haiku)
- $3="$1"
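Review bot: The patch header drops the descriptions of the SunOS/x86_64 hunk and the netbsd* canonicalization hunk, and the netbsd* case in GHC_CONVERT_OS is removed here, without the commit description saying why. If the netbsd* hunk is gone because the merge request cited in the old header is now part of the upstream release, state that in the log message; if the SunOS hunk is dropped because SunOS-*-x86_64 is now commented out in the Makefile, say so too, so it can be restored when that platform returns.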